Nacha's 2026 Fraud Monitoring Rules: what every finance team needs to know

If your organization sends ACH payments to vendors, payroll, or contractors, 2026 brings the most significant expansion of fraud monitoring obligations in the history of the ACH network - and those changes are live.

Last year, Eftsure partnered with Nacha to run a dedicated webinar briefing for finance and AP leaders on exactly what's changing, why it matters, and how to get compliant. Here's what every team sending ACH payments needs to know.

The scale of what's at stake

To understand why Nacha is making these changes now, it helps to understand the size of the network they are protecting. In Q1 2026 alone, the ACH network processed 8.9 billion transactions. B2B payments have seen double-digit growth for five consecutive years.

"As we see growing volume on the network, we know that's because of innovation, and we love that, but we also have to balance that with the risk management aspect as well."

Amy Morris, Senior Director ACH Network Rules, Nacha

The scale of that network makes it an increasingly attractive target. A survey referenced in the webinar found that 79% of businesses reported experiencing a fraud attempt in the last year. And the threats have become more sophisticated, more scalable, and cheaper to execute.

"There are automated tools that you can purchase for as little as fifty dollars on the dark web, and they essentially automate the process of creating very realistic invoices, swapping fake invoices into email systems that have already been hacked."

Ramesh Menon, Chief Product Officer, Eftsure

The people behind these attacks are not lone hackers. They are organized.

"They are run like corporations — like well-run corporations. They literally have HR departments that are recruiting. They've got finance departments. They bring in the best possible people with university degrees in technology and accounting, including entire cybersecurity teams."

Ramesh Menon, Chief Product Officer, Eftsure

What Nacha is actually changing

Until now, Nacha's fraud detection rules only required Originators to use a "commercially reasonable" fraud detection system for two specific scenarios: WEB debits and Micro-Entries. That left the majority of ACH transactions — and critically ACH credits — without formal monitoring obligations.

The new Fraud Monitoring Rule changes this fundamentally. All ODFIs and non-Consumer Originators, Third-Party Service Providers, and Third-Party Senders are now required to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.

"The ACH network has been very thorough over the years in updating our risk management rules around debit transactions, but the risks around credits are different."

Amy Morris, Senior Director ACH Network Rules, Nacha

The new rules address that gap, specifically targeting credit-push fraud — the category that includes business email compromise, vendor impersonation, and payroll fraud.

The new 'False Pretenses' definition

Alongside the monitoring requirements, Nacha has introduced a formal definition of "False Pretenses" into its rulebook:

"The inducement of a payment by a party that's misrepresenting their identity, or their association with another entity, or their ownership of an account to be credited."

Nacha Rules Amendment

This definition formally covers the fraud types that have been causing the most damage to finance teams: business email compromise, vendor impersonation, and payroll impersonation. By naming them explicitly, Nacha is making clear that failing to monitor these scenarios is now a compliance failure, not just a security gap.

"Previously, we've primarily seen the industry work in a reactive space. What would be wonderful is if we start to use our analysis power and computing power to try to be a little bit more proactive and narrow down some of those gaps where fraudsters may be able to exploit us. That's part of the reason for these rules."

Amy Morris, Senior Director ACH Network Rules, Nacha

Who is affected and when

Phase 1, effective March 20, 2026

  • All ODFIs
  • Non-Consumer Originators, TPSPs and Third-Party Senders with annual ACH origination volume of 6 million or greater in 2023
  • RDFIs with annual ACH receipt volume of 10 million or greater in 2023

Phase 2, effective June 19, 2026

  • All other non-Consumer Originators, TPSPs, and Third-Party Senders
  • All other RDFIs

"This truly does cover everybody except for consumers in the payment creation cycle."

Amy Morris, Senior Director ACH Network Rules, Nacha

If your company originated more than 6 million ACH transactions in 2023, your deadline is March 20, not June.

What 'risk-based processes' means in practice

Nacha has deliberately kept its language principles-based, which can feel frustratingly open-ended for AP teams looking for a checklist. But the expectation is clear: you need to understand your normal activity, so you can identify when something falls outside it.

"An organization needs to understand their risk. That's the very first step. You need to identify which transactions are higher risk, which are lower risk, and then start sizing what that impact would be to your organization to create a hierarchy. Then start developing your processes and procedures around that."


Amy Morris, Senior Director ACH Network Rules, Nacha

1. Monitor volume, value, and velocity

Establish a baseline of what normal payment activity looks like — volumes, values, accounts, and frequency. When activity deviates from that baseline, it should trigger a review.

2. Change verification procedures

Any change to an established payment — particularly a change to an account number you've been paying for some time — should trigger an out-of-band verification.

3. Account validation

This has been a Nacha best practice for years across all payment types, but it is now formalized.

4. Monitor returns

Regularly review your return codes. What does a return tell you about the payment or the party? This data should feed back into your risk processes. Overpayments are also a red flag.

5. This is not set it and forget it

Your risk assessment is a living document. Internal changes, new products, new platforms, and new services all change your risk profile, and your processes must be updated to reflect them.
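
As an added illustration (not Nacha's or Eftsure's code), the sketch below applies points 1 and 2 to a single payee: it builds a baseline of value and payment frequency from past payments, then lists the reasons an outgoing payment should be held for review, including a changed account number. The payment history, field names, the 3-sigma limit, the 5% floor and the half-interval velocity rule are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample history: (payee, payment date, amount in USD, account last 4)
HISTORY = [
    ("acme", date(2026, 1, 5), 10200.0, "4411"),
    ("acme", date(2026, 2, 5), 9800.0, "4411"),
    ("acme", date(2026, 3, 5), 10000.0, "4411"),
    ("acme", date(2026, 4, 6), 10100.0, "4411"),
]

def build_baselines(history):
    """Summarise normal value, frequency and accounts for each payee."""
    by_payee = defaultdict(list)
    for payee, day, amount, acct in history:
        by_payee[payee].append((day, amount, acct))
    baselines = {}
    for payee, rows in by_payee.items():
        rows.sort()
        amounts = [amount for _, amount, _ in rows]
        gaps = [(b[0] - a[0]).days for a, b in zip(rows, rows[1:])]
        baselines[payee] = {
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
            "min_gap": min(gaps) if gaps else None,
            "last_paid": rows[-1][0],
            "accounts": {acct for _, _, acct in rows},
        }
    return baselines

def review_reasons(payment, baselines, z_limit=3.0):
    """Return the reasons a payment should be held for review (empty = release)."""
    payee, day, amount, acct = payment
    base = baselines.get(payee)
    if base is None:
        return ["new payee: validate account before first payment"]
    reasons = []
    # Assumed floor of 5% of the mean so a very flat history does not flag noise.
    spread = max(base["stdev"], 0.05 * base["mean"])
    if abs(amount - base["mean"]) > z_limit * spread:
        reasons.append("value outside baseline")
    # Assumed rule: paying in under half the shortest usual interval is unusual.
    if base["min_gap"] and (day - base["last_paid"]).days < base["min_gap"] / 2:
        reasons.append("velocity outside baseline")
    if acct not in base["accounts"]:
        reasons.append("account changed: verify out of band")
    return reasons
```

A payment that returns an empty list matches the payee's history; any non-empty list is a cue for the manual review and out-of-band verification steps described above, not an automatic rejection.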

The ownership gap finance teams need to close

One of the most important insights from the webinar was around who is responsible for payment fraud within most organizations.

"When we think cybersecurity, we think about the IT organization or the CISO. But payment fraud is not typically addressed in that same fashion — really being left to the finance departments. And finance professionals are not cybersecurity specialists."

Ramesh Menon, Chief Product Officer, Eftsure

The consequence is that the teams fighting payment fraud are not always equipped with the right tools, the right processes, or the right expertise. Only half of organizations, one survey found, have documented processes for verifying payment details when a vendor submits changes.

"I've become a victim of vendor impersonation fraud. I thought I paid my vendor, but I didn't. Now all of a sudden, my contracts are at risk. The work I thought was going to be getting done is not going to be getting done and that is going to have downstream effects."

Amy Morris, Senior Director ACH Network Rules, Nacha

How Eftsure helps finance teams meet these requirements

As a Nacha Preferred Partner across Account Validation, Fraud Monitoring, and Risk and Fraud Prevention, Eftsure is built specifically to address the gaps these rules are targeting.

The multi-layered approach includes:

  • Secure onboarding portal: vendors submit and update details outside of email, eliminating the channel most commonly exploited by BEC attackers
  • Business identity verification: TIN and EIN confirmation against government databases, state registration checks, and synthetic identity detection
  • Bank account verification and ownership matching against multiple authoritative data sources, not just one database
  • Community data: with over 4,000 customers globally, Eftsure surfaces risk signals across its entire network. If one customer flags a bank account as compromised, that intelligence is shared across the community
  • Fraud signal detection: geographic consistency, domain registration age, VPN usage, and other technical signals that reveal suspicious onboarding activity

"You cannot be reactive in this world. You have to be on offense and not defense." 

Ramesh Menon, Chief Product Officer, Eftsure

Eftsure protects over $288 billion in B2B payments annually and backs that protection with a guarantee providing indemnity of up to $1 million against payment fraud losses caused by social engineering and impersonation fraud.

Author

Courtney Hiles

Published

22 Apr 2026
