Nacha 2026 · Self-Assessment

Am I Nacha 2026 compliant?

Updated June 2026 · Applies to Nacha Phase 2 effective June 22, 2026

Nacha Phase 2 is effective June 22, 2026. If you originate ACH payments — paying vendors, running payroll, or initiating bank transfers for clients — you need a documented fraud monitoring program. Answer these 7 questions to find out where you stand.

The 7-question Nacha compliance check

1

Do you originate ACH payments — paying vendors, running payroll, or initiating bank transfers for yourself or clients?

Yes → In scope for Nacha Phase 2
No → Likely not in scope

If you only receive ACH payments and never send them, Phase 2 probably does not apply to you. Confirm with your ODFI.

2

Do you have a written ACH fraud monitoring procedure — a documented SOP describing what you check and how?

Yes → ✓ Meets written program requirement
No → ✗ Gap: written SOP required

A verbal or informal practice does not satisfy Nacha. You need a document — even one page — describing your review process.

3

Before releasing ACH payments, do you check whether any vendors have changed their bank account details since the last payment cycle?

Yes → ✓ Vendor change check covered
No → ✗ Gap: vendor change verification required

Vendor bank account changes are the most common ACH fraud vector. Nacha requires verification (typically a phone call to a number from your existing records) before releasing payment to changed accounts.

4

Do you apply extra scrutiny to the first ACH payment to any new vendor — confirming the vendor is legitimate before the payment releases?

Yes → ✓ New vendor scrutiny covered
No → ✗ Gap: new vendor review required

New vendors with no payment history are a common fraud entry point. Phase 2 requires review of first payments before release.

5

Do you review anomalous payments — amounts significantly above that vendor's historical average — before releasing them?

Yes → ✓ Anomaly review covered
No → ✗ Gap: anomaly review required

A sudden increase in invoice amount from a familiar vendor is a common fraud signal. Nacha requires a process for identifying and reviewing these before payment.

6

Do you maintain a timestamped log of fraud reviews performed — recording what was reviewed, when, by whom, and what was decided?

Yes → ✓ Audit trail covered
No → ✗ Gap: timestamped audit trail required

The audit trail is how you prove your program is running. Without it, compliance cannot be demonstrated to your ODFI, an insurer, or in a dispute.

7

If you are an outsourced bookkeeping firm or accounting practice: have you determined whether your firm qualifies as a Nacha Third-Party Sender (TPS)?

Yes → ✓ TPS status confirmed
No → ✗ Clarify TPS status with your ODFI

TPS classification triggers additional obligations including possible ODFI registration. If you originate ACH on behalf of clients, call your bank and ask directly.

Reading your results

All yes

Your program meets the core Phase 2 requirements. Make sure your SOP is current, your log is consistent, and you brief your team on emerging fraud patterns quarterly.

1–2 gaps

You have most of the program in place but have specific gaps. Address the missing items in your next payment cycle. Prioritize the audit trail and vendor change check — these are the most commonly cited deficiencies.

3+ gaps

Your program is not compliant. Start with the written SOP and the audit trail today — these are prerequisites for everything else. Then add vendor change checks before your next ACH run.

How to fix each gap

Gap

No written SOP

Write a 1-3 page document today. Describe: what triggers a review, who performs it, how it is conducted, how decisions are logged.

30 min
Gap

No vendor change check

Before your next ACH run: pull the vendor audit log in QBO or Xero. Note any bank detail changes. Call each changed vendor at a number from your existing records to verify. Log the call.

15–60 min per cycle
Gap

No new vendor scrutiny

Identify vendors added in the last 30 days. For each one with a pending first ACH payment: confirm with your client or internal approver that the vendor and payment are authorized before releasing.

5–15 min per new vendor
Gap

No anomaly review

For any invoice more than 50% above that vendor's average, flag it for confirmation with the approver before payment. Can be a simple email or verbal confirmation — but log it.

As needed
Gap

No audit trail

Start a spreadsheet today: columns for Date, Vendor, Client, Change Type, Review Method, Reviewer, Decision, Notes. One row per review. This is retroactively non-fixable — start now for future cycles.

5 min to set up

FAQ

How do I know if I am in scope for Nacha Phase 2?

You are in scope if you originate ACH transactions — meaning you initiate bank transfers (payments out) using ACH. This includes paying vendors, running payroll via direct deposit, or initiating any ACH debit or credit on behalf of yourself or a client. If you only receive ACH payments and never initiate them, you are not in scope.

What counts as a "written fraud monitoring procedure" for Nacha?

A written procedure must describe: (1) what triggers a fraud review (vendor bank changes, new vendors, anomalous amounts), (2) who performs the review, (3) how the review is conducted (e.g., phone verification at a known number), (4) how decisions are recorded. It does not need to be long — one to three pages is sufficient. It must exist in writing, not just as an informal practice.

Does having a cyber insurance policy mean I am Nacha compliant?

No. Cyber insurance is a financial safety net — it does not substitute for a Nacha-compliant fraud monitoring program. In fact, the reverse is increasingly true: insurers are requiring evidence of documented AP fraud controls as a condition of coverage. A missing or undocumented Nacha program can be used to deny a claim for ACH fraud losses.

Can I become compliant quickly after the June 22 deadline?

Yes — Nacha compliance is a program you implement, not a certification you wait for. The critical step is to document your current or intended process today (the written SOP), start running vendor change checks before your next ACH cycle, and begin logging results. You cannot retroactively create audit trail entries for past cycles, but you can become compliant going forward starting with your next payment run.

More Nacha 2026 resources

Nacha June 22: what to do right now

Immediate steps for businesses and accounting firms

Complete Nacha 2026 compliance guide

Phase 1 vs Phase 2, TPS classification, full requirements

ACH fraud monitoring checklist

Print-ready compliance checklist for every payment cycle

Are you a Third-Party Sender?

TPS classification for accounting firms

Skip the manual checks — automate compliance

Vantirs runs vendor change detection, new vendor scrutiny, and anomaly review automatically before every payment cycle — and produces the audit trail without a spreadsheet.

Start free trialSee how it works

This self-assessment is for informational purposes only and does not constitute legal or compliance advice. Nacha Operating Rules are administered by Nacha. Consult your ODFI or a qualified compliance professional for guidance specific to your situation.