Compliance update

NACHA 2026 ACH fraud monitoring rules: what AP teams must do before June 22

Published Apr 13, 2026 · Updated May 15, 2026 · About 10 min read

NACHA's 2026 ACH fraud monitoring rule is not a future requirement. Phase 1 is already in effect. Phase 2 applies to all remaining non-consumer ACH originators on June 22, 2026 — fewer than six weeks away. If your AP team originates ACH payments for clients or your own business and you do not have documented, risk-based fraud monitoring controls in place, you have a compliance gap that needs to close now.

June 22, 2026 — Phase 2 deadline

All non-consumer ACH originators must have a risk-based fraud monitoring process documented and operating. This includes the majority of accounting firms and mid-market AP teams processing client or business ACH payments.

What the NACHA 2026 rule actually requires

The rule requires that Originators of non-consumer ACH entries implement a written, risk-based process for monitoring and responding to potential fraud. In plain terms, NACHA is requiring that you have:

  1. A documented fraud monitoring policy that defines what gets checked, at what point in the payment process, and by whom. Generic internal controls documentation does not satisfy this if it doesn't specifically address ACH fraud monitoring.
  2. Risk-based procedures — meaning your controls are calibrated to the actual fraud risk of each payment type. Higher-value transactions, new vendors, and bank-detail changes should receive more scrutiny than routine recurring payments.
  3. Detection capability for suspicious activity before ACH file submission. The rule is specifically pre-payment — it is not satisfied by detecting fraud after a return or dispute.
  4. A response process for when suspicious activity is identified, including who escalates, what gets reviewed, and how decisions are recorded.
  5. Audit evidence that the process is operating — not just written down. Reviewable records of fraud checks, reviewer decisions, and detected anomalies.

The most important thing to understand: NACHA is not mandating a specific technology. It is mandating that a process exists, is documented, and can be demonstrated. That said, teams relying on purely manual inbox checks and ad-hoc callbacks will struggle to meet the documentation and consistency standard that auditors will expect.

Who is in scope

If your organization is an Originator of non-consumer ACH entries — meaning you initiate ACH transactions for business-to-business payments — you are in scope for Phase 2.

If your firm is an outsourced bookkeeping practice or vCFO originating ACH for clients, see our dedicated guide: Nacha 2026 fraud monitoring rules for outsourced bookkeeping firms.

This applies to:

  • Accounting firms that originate ACH payments on behalf of clients — payroll, vendor payments, operating disbursements
  • AP teams at companies that send ACH payments to vendors, contractors, or service providers
  • Finance teams using QuickBooks, NetSuite, or other ERP systems to generate ACH payment files
  • Third-party payment processors sending ACH on behalf of originators

If you are a Receiving Depository Financial Institution (RDFI) rather than an Originator, Phase 2 does not apply to you — but NACHA has separate monitoring requirements for RDFIs under ongoing rule frameworks.

The highest-risk control point: vendor bank account changes

NACHA's rule is broad, but auditors and examiners will focus hardest on the AP control point where fraud is most prevalent and most damaging: vendor bank account changes.

Vendor email compromise (VEC) — where an attacker compromises a real vendor inbox and sends a fraudulent bank-detail update — now accounts for 61% of all business email compromise attacks (Q1 2026 data). The attack arrives as a routine payment instruction from a trusted address. Standard email security controls don't catch it because the email is authentic. Standard dual-approval policies don't catch it because both approvers see a legitimate vendor request.

For NACHA purposes, the risk-based control you need is this: any change to a vendor's beneficiary bank account should trigger an out-of-band verification step, documented and timestamped, before the ACH entry is originated. This is the single highest-impact control for both fraud prevention and NACHA compliance documentation.

For a detailed breakdown of how VEC attacks target this specific control point, read BEC vs. VEC: What Finance Teams Need to Know in 2026.

Seven AP controls to implement before June 22

This is a practical checklist, not a legal interpretation. Consult your compliance counsel for the specific requirements that apply to your organization.

1. Write and sign a fraud monitoring policy

Document your ACH fraud monitoring process specifically: what gets checked, when, by whom, and how deviations are escalated. This document needs to be current, signed by a responsible officer, and retrievable on demand for an audit. Existing cybersecurity policies don't satisfy this unless they explicitly address ACH origination fraud.

2. Implement out-of-band verification for all bank-detail changes

Any change to a vendor's beneficiary bank account must be verified by phone or a pre-established channel — never through contact information provided in the change request itself. This verification must be documented with a timestamp and reviewer name. This single control eliminates the majority of VEC attacks.

3. Risk-score your ACH payment queue before file release

Not every payment needs the same level of scrutiny — but your policy must define what triggers elevated review. Common risk factors: first payment to a new beneficiary account, payment amount significantly above historical range for this vendor, bank-detail change within 30 days of a large scheduled payment, and payments following urgency-framed communication.

4. Create a reviewable audit trail for every fraud check

NACHA compliance is demonstrated through evidence, not policy alone. Every fraud check needs a record: what anomaly was flagged (or not), who reviewed it, what they decided, and when. This record supports both NACHA audits and your cyber insurance documentation if a claim is ever filed.

5. Designate a fraud response owner

Your policy must identify who is responsible for escalating suspicious activity, who approves the decision to hold or reject a payment, and who notifies the bank if fraud is suspected. Without named owners, a response process exists on paper but not in practice.

6. Train your AP team on VEC and BEC recognition

Most AP staff have BEC awareness but have never heard of vendor email compromise — the attack variant that now dominates. A 30-minute team briefing on what VEC looks like, why it bypasses standard controls, and what to do when a bank-change request arrives costs nothing and meaningfully reduces risk before any technology is in place.

7. Run a weekly compliance gap review until June 22

Assign each open control gap an owner and a target close date. Review status weekly. Six weeks is enough time to close most policy and process gaps, but not if tracking is informal. A simple spreadsheet with gap, owner, status, and target date is sufficient — the goal is systematic progress, not a perfect tool.
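Controls 2, 3 and 4 above describe one pre-release check: score each pending ACH entry against the policy's risk factors, hold any entry whose beneficiary bank change has not been verified out of band, and write a timestamped record of every check whether or not an anomaly was found. The following is an added example of that check written for this article; it is not Vantirs code or NACHA-published logic. The threshold values (a $10,000 "large payment" line, an amount more than twice the vendor's prior maximum counting as "above historical range") and the field names are assumptions chosen for illustration; the 30-day window is the one the checklist names. The vendors and pending payments are constructed sample data.

```python
"""Pre-release risk scoring of an ACH payment queue with an audit record per check."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds. Assumed values for illustration; only the 30-day window comes from the checklist.
LARGE_PAYMENT_THRESHOLD = 10_000.00   # what the policy treats as a "large scheduled payment"
HISTORY_MULTIPLIER = 2.0              # amount above this x the vendor's prior maximum is "above historical range"
BANK_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class Vendor:
    vendor_id: str
    history_amounts: List[float] = field(default_factory=list)  # prior ACH amounts to this beneficiary
    bank_change_date: Optional[datetime] = None                 # when beneficiary bank details last changed
    bank_change_verified_at: Optional[datetime] = None          # out-of-band verification time; None = not done
    bank_change_verified_by: Optional[str] = None


@dataclass
class PendingPayment:
    payment_id: str
    vendor_id: str
    amount: float
    scheduled_date: datetime
    urgency_framed: bool = False   # the request arrived with urgency language


def risk_factors(payment: PendingPayment, vendor: Vendor) -> List[str]:
    """Return the policy-defined risk factors that apply to one pending entry (empty list = routine)."""
    factors: List[str] = []
    if not vendor.history_amounts:
        factors.append("first_payment_to_beneficiary")
    elif payment.amount > HISTORY_MULTIPLIER * max(vendor.history_amounts):
        factors.append("amount_above_historical_range")
    if vendor.bank_change_date is not None:
        if vendor.bank_change_verified_at is None:
            # Control 2: a bank-detail change with no documented out-of-band verification
            factors.append("unverified_bank_detail_change")
        recent = payment.scheduled_date - vendor.bank_change_date <= BANK_CHANGE_WINDOW
        if recent and payment.amount >= LARGE_PAYMENT_THRESHOLD:
            factors.append("bank_change_within_30_days_of_large_payment")
    if payment.urgency_framed:
        factors.append("urgency_framed_request")
    return factors


def decide(factors: List[str]) -> str:
    """Policy decision: hold on unverified bank changes, elevated review on any other factor, else release."""
    if "unverified_bank_detail_change" in factors:
        return "hold"
    return "review" if factors else "release"


def audit_record(payment: PendingPayment, factors: List[str], reviewer: str, checked_at: datetime) -> dict:
    """Control 4: one reviewable record per check, written even when nothing was flagged."""
    return {
        "payment_id": payment.payment_id,
        "vendor_id": payment.vendor_id,
        "amount": payment.amount,
        "flagged": bool(factors),
        "factors": factors,
        "decision": decide(factors),
        "reviewer": reviewer,
        "checked_at": checked_at.isoformat(),
    }


def screen_queue(queue: List[PendingPayment], vendors: Dict[str, Vendor],
                 reviewer: str, checked_at: datetime) -> List[dict]:
    """Score every pending entry before the ACH file is built and return the audit records."""
    return [audit_record(p, risk_factors(p, vendors[p.vendor_id]), reviewer, checked_at) for p in queue]


# Constructed sample data (not real vendors or payments).
NOW = datetime(2026, 5, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_VENDORS = {
    "V-100": Vendor("V-100", [4200.0, 4300.0, 4150.0]),                       # routine recurring vendor
    "V-200": Vendor("V-200"),                                                 # brand-new beneficiary
    "V-300": Vendor("V-300", [20000.0, 22000.0], bank_change_date=NOW - timedelta(days=10)),  # unverified change
    "V-400": Vendor("V-400", [1500.0, 1600.0], bank_change_date=NOW - timedelta(days=5),
                    bank_change_verified_at=NOW - timedelta(days=4), bank_change_verified_by="j.doe"),
}
SAMPLE_QUEUE = [
    PendingPayment("P-1", "V-100", 4250.0, NOW + timedelta(days=1)),
    PendingPayment("P-2", "V-200", 800.0, NOW + timedelta(days=1)),
    PendingPayment("P-3", "V-300", 25000.0, NOW + timedelta(days=1), urgency_framed=True),
    PendingPayment("P-4", "V-400", 12000.0, NOW + timedelta(days=1)),
]


def sample_run() -> List[dict]:
    return screen_queue(SAMPLE_QUEUE, SAMPLE_VENDORS, reviewer="ap.reviewer", checked_at=NOW)


if __name__ == "__main__":
    for record in sample_run():
        print(json.dumps(record))   # one JSON line per check, suitable for an append-only audit log
```

Running it prints four audit lines: the recurring payment releases, the first payment to a new beneficiary goes to review, the vendor with an unverified bank change (plus a large payment inside the 30-day window and urgency framing) is held, and the vendor whose change was verified still goes to elevated review because the payment is both large and well above its history. The point of writing a record for the released payment too is control 4: an auditor asking "was this entry checked?" gets a timestamped answer either way.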

What happens if you miss the June 22 deadline?

NACHA enforces compliance through its member financial institutions (ODFIs). If your ODFI identifies that you lack documented fraud monitoring controls, they may require remediation, restrict your ACH origination volume, or report violations to NACHA. Enforcement has historically been measured — but the rule creates a documented obligation, and the existence of a gap matters in the event of a fraud loss dispute with your bank or insurer.

More practically: a VEC attack that succeeds after June 22 will be scrutinized against whether your documented controls were in place. If they weren't, your ability to recover losses through insurance or dispute resolution is significantly weaker.

How automated fraud monitoring supports NACHA compliance

Manual processes can satisfy NACHA's requirements, but they create two problems: inconsistency (controls that work when staff is not overloaded, but fail during high-volume periods) and documentation gaps (verbal reviews with no timestamp or audit record).

Automated pre-payment verification addresses both. When Vantirs flags a suspicious ACH payment, it generates a timestamped record of the specific anomaly detected, which reviewer saw it, and what decision was made. That record is the audit evidence NACHA compliance requires — created automatically as part of your normal AP workflow rather than as a separate documentation exercise.

For the technical control most relevant to NACHA compliance, read vendor bank account change fraud controls. For the fraud pattern that most frequently exploits weak ACH controls, read BEC vs. VEC: What Finance Teams Need to Know in 2026.

Get NACHA-compliant ACH fraud controls in place before June 22

Vantirs adds risk-based, pre-payment vendor bank verification and fraud monitoring directly to your QuickBooks-driven AP workflow — with a timestamped audit trail that satisfies NACHA documentation requirements.