Nacha is introducing new fraud monitoring requirements in 2026 that apply to all non-consumer ACH originators and third-party senders. These updates focus on strengthening risk-based monitoring and enhancing controls around authorizations and payment instruction changes.
- ACH Originator Responsibilities
- What’s Changing
- Requirement Checklist
ACH Originator Responsibilities
As stated within the ACH Originator Agreement signed between you (Originator) and Core Bank (your ODFI), each company that originates ACH entries through the bank must comply with the Nacha Operating Rules & Guidelines.
- The National Automated Clearing House Association (NACHA) is the rule-making body that governs the ACH network, and all participants must comply with its Rules.
- As an Originator, you are responsible for understanding both the existing Rules and any upcoming changes. Purchasing an updated copy of the Nacha Operating Rules & Guidelines each year is strongly recommended.
Disclaimer: This is not intended to replace or substitute the Nacha Rules. It does not provide warranties or legal advice and is offered for educational purposes only.
What’s Changing?
Beginning in 2026, organizations must use risk-based processes to identify and prevent fraudulent outgoing ACH entries. This means monitoring transactions more proactively and validating activity that appears unusual or inconsistent.
New Company Entry Description Requirements
Effective March 20, 2026, two standardized Company Entry Descriptions must be used for specific ACH transactions:
- PAYROLL – Required for all PPD credit entries used to pay wages, salaries, or similar types of compensation. The Company Entry Description field must contain PAYROLL.
- PURCHASE – Required for all e-commerce purchases.
An e-commerce purchase is defined as a debit entry authorized by a consumer receiver for the online purchase of goods, including recurring purchases first authorized online
Compliance Dates
Phase 1: March 20, 2026
For organizations and third parties with six million or more originated ACH entries in 2023.
Phase 2: June 19, 2026
For all other non-consumer originators and third-party senders.
Requirement Checklist
Strengthen Authorization Practices
Strong authorization processes remain essential under the new rules.
- Maintain complete and compliant authorizations for all entries
• Ensure authorizations are retained, easy to retrieve, and consistently documented
• Monitor for unusual authorization activity that may signal risk
Verify Changes to Account Details
Changes to payment instructions are a common path for fraud. Tightening verification processes help protect your business and your customers.
- Independently verify any change to account or routing details
• Use callback procedures through trusted contact information
• Add extra confirmation steps for higher risk or high dollar updates
• Document each verification step for clear audit trails
Prepare Now
- Review current fraud monitoring tools and identify gaps
• Assess whether your technology supports risk-based monitoring
• Update internal procedures and train staff on new expectations
• Confirm vendor and partner processes align with the upcoming rules
• Establish a process for ongoing review and updates
In Summary,
Preparing now will make the 2026 transition smoother and help ensure your organization has strong, proactive controls in place. These updates support safer payments, better protection for your clients, and a more secure ACH environment overall.
Questions? Please contract Treasury Services at TreasuryServices@CoreBank.com
