Nacha 2026 ACH fraud monitoring checklist for accounting firms

Write a one-page ACH fraud monitoring SOP describing your review process

Describe what triggers a review, who performs it, and how decisions are documented. Must be in writing — verbal procedures do not satisfy Nacha.

Confirm your ODFI has you registered as a Third-Party Sender

Call your bank and ask whether your firm is registered in the Nacha TPS Registry. If not, ask about registration requirements.

Designate a primary reviewer for each client portfolio

Name the person responsible for fraud review on each client. This is the person who signs off on the audit trail.

Create a fraud review log template

A simple spreadsheet or document with columns: Date, Client, Vendor, Change Type, Review Method, Reviewer Name, Decision, Notes.

Pull the vendor change report for each client

In QBO: Audit Log filtered by "Vendor" entity changes. In Xero: equivalent audit trail. Note any vendor with a routing number, account number, or payment method change since the last cycle.

For each changed vendor: call the vendor to verify

Phone call only. Number must come from your existing file for the vendor — not from the change request email. Confirm: account holder name, routing number, account number. Log: date, time, number called, who you spoke to, what was confirmed.

For each changed vendor: hold the next ACH payment

Do not release ACH payments to a vendor with recently changed bank details until the phone verification is complete and logged.

Identify any vendors added in the last 30 days

Flag all new vendors. First ACH payment to each new vendor requires a secondary review before release.

For each new vendor: verify with the client before releasing first payment

Contact your client contact (not the vendor's contact on the invoice) and confirm they authorized this vendor and the payment. Log the confirmation.

Flag anomalous payments for client confirmation

Any payment more than 50% above that vendor's historical average, or to a vendor that hasn't been paid in 90+ days. Call or email your client contact to confirm authorization before release.

Log the completed reviews in your fraud review log

Date, client, what was reviewed, who reviewed it, outcome (cleared / held / escalated). This is the audit trail Nacha requires.

Note any holds or escalations for follow-up

If a payment was held pending verification, log when the verification is expected and who is responsible for clearing it.

Monitor for ACH returns that might indicate fraud

R02 (account closed), R03 (no account), R10 (unauthorized) return codes can indicate fraud that slipped through. Investigate immediately if returns appear on recently changed vendor accounts.

Review vendor roster for each client — remove inactive vendors

Dormant vendor records with payment details on file are fraud vectors. Archive or delete vendors that haven't been paid in 12+ months.

Audit your fraud review log for completeness

Confirm every vendor change in the quarter has a corresponding verification log entry. Gaps in the log are compliance gaps.

Update your SOP to reflect process changes

If your review process changed — new tools, new staff, new client onboarding steps — update the written procedure.

Brief your team on recent fraud patterns

What attack patterns are emerging in the bookkeeping space? VEC (Vendor Email Compromise), ISO 20022 migration scams, etc. Keep your team current.