What outsourced bookkeeping firms need to know about Nacha's 2026 fraud monitoring rules

Published Jun 2, 2026 · About 8 min read

You process ACH payments for clients every week — payroll runs, vendor payments, owner distributions. It feels routine. Nacha's updated fraud monitoring rules are now in effect for 2026, and nearly every article on them is aimed at corporate treasury teams and enterprise AP directors. Almost no one is talking about what these rules mean for outsourced bookkeeping firms and vCFO practices — the firms that actually originate ACH transactions on behalf of their clients.

If your firm manages QBO or Xero for 10 or more clients, you may be classified as a Third-Party Sender under Nacha's rules. That classification comes with compliance obligations — and personal liability exposure — that the enterprise-focused coverage isn't addressing.

What Nacha's 2026 fraud monitoring rules actually require

Nacha — the organization governing the ACH network — updated its Operating Rules to require Originators and Third-Party Senders to implement fraud detection programs for ACH transactions.

The key requirements:

  • Monitor ACH transactions for patterns consistent with fraud — unusual payee activity, new vendors, and changes to bank account information.
  • Investigate suspicious transactions before releasing the ACH file, not after a return or dispute.
  • Maintain documentation of your fraud monitoring procedures and the reviews you perform, in case of an audit or dispute.

Nacha's rules have always required ACH participants to act in good faith. What's new in 2026 is that “good faith” now has a defined minimum: a documented, functioning fraud detection program — not just good intentions. Phase 2 of the rule took effect June 22, 2026, covering all non-consumer ACH originators.

Why outsourced bookkeeping firms are directly in scope

Here is the part most Nacha coverage gets wrong by omission.

When your firm logs into a client's QBO account and initiates an ACH payment — payroll, a vendor payment, a tax deposit — you are acting as a Third-Party Sender under Nacha's framework. The originating bank is your client's bank, but your firm is the party that originated the instruction.

That means:

  • You are in scope for Nacha's fraud monitoring requirements, not just your clients.
  • You carry the liability if a fraudulent ACH transaction is processed that a reasonable fraud monitoring program would have caught.
  • You are the last line of defense — your client is unlikely to have independent controls over the transactions you're initiating on their behalf.

This is not hypothetical. The AFP's 2026 Payments Fraud and Control Survey found that 76% of organizations experienced attempted or actual payment fraud in 2025. Business Email Compromise — the attack most commonly used to manipulate ACH payments — affected 74% of organizations in the same period. Bookkeeping firms are a high-value target precisely because one compromised firm exposes every client in their portfolio.

The fraud scenario Nacha is designed to stop

Understanding the rule is easier once you understand the attack it's designed to prevent. The most common ACH fraud pattern targeting bookkeeping firms looks like this:

  1. A fraudster compromises a vendor's email account — or builds a convincing look-alike domain.
  2. They email your firm a “bank account update” request for that vendor: a new routing number and account number, with a plausible explanation.
  3. Your firm updates the vendor record in QBO and processes the next payment to the new account.
  4. The money leaves. The real vendor never receives it. By the time anyone notices, the funds are gone.

This is Vendor Email Compromise (VEC), and it now represents 61% of all BEC attacks. It doesn't require hacking your firm's systems — it exploits the workflow. Nacha's fraud monitoring rules require you to have a process to catch this before the ACH releases. That means scrutinizing new vendor records, flagging changes to bank account information, and verifying changes through a channel other than the one used to request them. For a deeper breakdown of how VEC works, see our guide on BEC vs. VEC for accounting firms.

What a compliant program looks like for a bookkeeping firm

For an outsourced bookkeeping firm, Nacha compliance doesn't require elaborate infrastructure. It requires a documented, functioning process. At minimum:

1. Vendor change verification

Any change to a vendor's bank account must be verified via phone call to a number on file — not a number provided in the change request email. Document the call with a timestamp and reviewer name. This is the single highest-impact control for both fraud prevention and compliance.

2. New vendor scrutiny

New vendors added within 30 days of a payment should receive secondary review before the ACH releases. Flag first payments to new beneficiary accounts for client confirmation.

3. Transaction anomaly review

Payments that deviate significantly from a vendor's normal amount or frequency should be held for client confirmation before release.

4. Documented audit trail

Write it down. Even a one-page SOP describing your review process — with records of who reviewed what and when — is evidence of a functioning program. This is what's needed in an audit, a bank dispute, or a cyber insurance claim.
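
The four controls above expressed as a pre-release check over a pending ACH batch. This is an added example, not Vantirs' or Nacha's code. The flag names, the vendor record fields, and the 3x-median threshold for a "significant" amount deviation are assumptions, and payment frequency is not modeled.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from statistics import median

NEW_VENDOR_DAYS = 30   # article: vendors added within 30 days of a payment
AMOUNT_FACTOR = 3.0    # assumption: "significant" = over 3x or under 1/3 of median

@dataclass
class Vendor:
    added: date
    account: str                                         # bank details now on the vendor record
    paid_accounts: set = field(default_factory=set)      # accounts already paid
    history: list = field(default_factory=list)          # past payment amounts
    callback_verified: set = field(default_factory=set)  # confirmed by phone, number on file

def review_payment(v, amount, pay_date):
    """Return hold reasons for one pending payment; an empty list means release."""
    flags = []
    if v.account not in v.paid_accounts:
        if v.paid_accounts and v.account not in v.callback_verified:
            flags.append("BANK_CHANGE_UNVERIFIED")   # control 1
        flags.append("FIRST_PAYMENT_TO_ACCOUNT")     # control 2
    if (pay_date - v.added).days <= NEW_VENDOR_DAYS:
        flags.append("NEW_VENDOR")                   # control 2
    if len(v.history) >= 3:
        m = median(v.history)
        if amount > m * AMOUNT_FACTOR or amount < m / AMOUNT_FACTOR:
            flags.append("AMOUNT_ANOMALY")           # control 3
    return flags

def review_batch(batch, vendors, reviewer, now=None):
    """Review every payment before release and return the audit records (control 4)."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    audit = []
    for name, amount, pay_date in batch:
        flags = review_payment(vendors[name], amount, pay_date)
        audit.append({"vendor": name, "amount": amount, "flags": flags, "reviewer": reviewer,
                      "decision": "HOLD" if flags else "RELEASE", "reviewed_at": stamp})
    return audit

# Constructed sample data: vendor names and account strings are placeholders.
VENDORS = {
    "Acme Supply": Vendor(date(2024, 1, 10), "ACCT-NEW", {"ACCT-OLD"}, [1200, 1250, 1180]),
    "Bright Clean": Vendor(date(2026, 5, 20), "ACCT-B"),
    "City Power": Vendor(date(2023, 3, 1), "ACCT-C", {"ACCT-C"}, [400, 420, 410]),
}
PAY = date(2026, 6, 5)
BATCH = [("Acme Supply", 1210, PAY), ("Bright Clean", 300, PAY),
         ("City Power", 405, PAY), ("City Power", 4100, PAY)]
```

Calling review_batch(BATCH, VENDORS, "reviewer name") holds three of the four sample payments. Recording a phone callback clears only the bank-change flag; a first payment to a new account still waits for client confirmation.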

The problem for most bookkeeping firms: this is nearly impossible to execute manually at scale. If you're managing 20 clients with 15 active vendors each, you cannot manually review every payment and vendor change without consuming your entire team. That's where automated monitoring closes the gap.

How automated monitoring closes the compliance gap

Vantirs monitors every vendor payment, invoice, and bank account change across your client portfolio in real time. When a vendor's bank account details change, Vantirs flags it. When a payment goes to an account that's never been used before, Vantirs flags it. When an invoice amount is inconsistent with a vendor's historical pattern, Vantirs flags it — with a timestamped, reviewable record that satisfies Nacha's documentation requirement.

Your team reviews flags, not every transaction. You maintain the oversight Nacha requires without the manual overhead that would make it unworkable across a portfolio of clients.

For the full technical breakdown of what Nacha Phase 2 requires and the specific controls that satisfy each requirement, see Nacha 2026 ACH fraud monitoring compliance: what AP teams must do.

What to do this week

If your firm processes ACH for clients and doesn't have a documented fraud monitoring program:

  1. Confirm your classification. Talk to your ODFI and ask whether your firm is classified as a Third-Party Sender. Many bookkeeping firms are and don't know it.
  2. Document your current process. Even if your current process is informal, write it down. A documented procedure you actually follow is better than no procedure.
  3. Add a vendor bank change verification step. Require a phone verification for any change to vendor payment details before the next ACH releases. This is the single highest-leverage control you can implement today.
  4. Evaluate monitoring tools. Manual review doesn't scale across a portfolio. See how Vantirs works for outsourced bookkeeping firms.

Nacha-compliant fraud monitoring built for bookkeeping firms

Vantirs connects to QBO and Xero across your entire client portfolio — flagging vendor bank changes, anomalous payments, and new vendor risk before the ACH releases, with a timestamped audit trail that satisfies Nacha's documentation requirements.

Nacha's Operating Rules apply to all ACH network participants, including Third-Party Senders. This post is for informational purposes and does not constitute legal or compliance advice. Consult your ODFI or a compliance professional for guidance specific to your firm.