Compliance · Urgent
Nacha Phase 2 goes live June 22, 2026 — what happens if you miss it
Published Jun 3, 2026 · About 7 min read
Deadline: June 22, 2026
Nacha Phase 2 — the ACH fraud monitoring rule that covers all non-consumer originators — is effective June 22, 2026. If your bookkeeping firm or vCFO practice processes ACH payments for clients and doesn't have a documented fraud monitoring program by this date, you are out of compliance.
The Nacha Phase 2 effective date is June 22, 2026 — and based on how little coverage this rule has received for outsourced bookkeeping firms, a significant number of practices are going to hit that date unprepared. This post covers exactly what Phase 2 requires, who is in scope, and what the exposure looks like if your firm misses it.
What changed on June 22: Phase 1 vs Phase 2
Nacha rolled out its fraud monitoring rule in two phases:
| Phase | Effective Date | Who it covers |
|---|---|---|
| Phase 1 | March 20, 2026 | Originators processing >$1M ACH volume/year |
| Phase 2 | June 22, 2026 | All non-consumer ACH originators — including small firms and Third-Party Senders regardless of volume |
Phase 1 was aimed at enterprise treasury and corporate AP teams. Phase 2 is the one that catches everyone else — including outsourced bookkeeping firms and vCFO practices that originate ACH on behalf of clients.
What Nacha Phase 2 actually requires
Three requirements under Phase 2:
- A documented fraud detection program.Not just informal vigilance — a written procedure that describes how your firm monitors ACH transactions for fraud risk. “We check suspicious things” is not a program. A written SOP is.
- Pre-release transaction review. Suspicious transactions must be investigated before the ACH file releases — not after a return or dispute. This is the core operational change: your review happens upstream of payment, not downstream.
- Audit documentation. You must be able to demonstrate that your fraud monitoring program runs and that reviews are performed. A timestamped log of what was reviewed, by whom, and what decision was made.
Why bookkeeping firms are directly in scope
This is the part most coverage glosses over. When your firm logs into a client's QuickBooks Online and initiates an ACH payment — payroll, a vendor payment, a tax deposit — you are the party originating that instruction. You are a Third-Party Senderunder Nacha's rules.
Third-Party Senders are explicitly in scope for Phase 2. Your client's bank is the ODFI, but your firm is the one holding the fraud monitoring obligation for the instructions you're creating. If a fraudulent ACH payment processes because you didn't have a program that would have caught it, the liability sits with you.
For a full breakdown of why Third-Party Sender classification matters for bookkeeping firms, see Nacha 2026 fraud monitoring rules for accounting firms.
What happens if you miss the June 22 deadline
Nacha does not send compliance notices to individual originators on a schedule. The deadline is not enforced the way a tax filing is — there is no immediate fine on June 23. But there are three real consequences:
1. Liability exposure on every ACH you process
If a fraudulent ACH payment processes after June 22 — a vendor account change scam, a payroll redirect, a fake invoice payment — and your firm didn't have a documented fraud monitoring program, you are liable for a payment that a compliant program would have flagged. That exposure is per-transaction, not capped at a fixed amount. One six-figure wire fraud incident without a defensible program is a firm-ending event.
2. ODFI enforcement exposure
Nacha rules are enforced through ODFIs (the originating banks). If your ODFI discovers that a Third-Party Sender in their network — your firm — is processing ACH without a compliant fraud monitoring program, they can suspend your ACH origination access. For a bookkeeping firm, that means your clients lose their payment processing capability until you come into compliance.
3. Cyber insurance claim denial
Most commercial crime and cyber insurance policies require that the insured followed applicable payment security standards. A claim on an ACH fraud loss filed after June 22 without a documented Nacha-compliant program is grounds for partial or full claim denial — exactly when you need the coverage most.
What minimum compliance looks like
Nacha does not prescribe a specific technology stack. The requirement is a functioning and documented program. At minimum, for a bookkeeping firm:
Write it down
A one-page SOP describing your review process. What triggers a review, who performs it, how it is documented. Written procedures that you actually follow satisfy the documentation requirement.
Vendor bank change verification protocol
Any change to vendor banking details must be verified by phone to a number on file — not a number in the change request. Documented with timestamp and reviewer name. This single control satisfies the highest-risk scenario Nacha is designed to address.
New vendor scrutiny
First ACH payment to any vendor added in the prior 30 days should be held for secondary review before release.
Anomaly flag and review
Payments that deviate significantly from a vendor's normal amount or frequency get a hold-and-confirm step before release.
Audit log
A timestamped record of every review performed — who reviewed, what they checked, what decision was made. This is the evidence in a dispute or audit.
For a complete compliance checklist mapped to each Nacha requirement, see the Nacha 2026 ACH fraud monitoring checklist.
The manual problem: why most bookkeeping firms aren't ready
Most outsourced bookkeeping firms managing 15-40 clients cannot execute this program manually at scale. If you have 25 clients with 20 active vendors each, that's 500 vendor relationships to monitor. Every week there are vendor changes, new vendors, and anomalous payments across that portfolio. A manual review of every ACH before release — across 25 clients — requires headcount you don't have.
That's not a reason to skip compliance — it's the reason automated monitoring exists. Vantirs connects to QBO and Xero across your entire client portfolio, flags vendor bank changes the moment they happen, holds first payments to new accounts for review, and generates the timestamped audit trail Nacha requires. Your team reviews flags — not every transaction.
Frequently asked questions about Nacha Phase 2
When does Nacha Phase 2 go into effect?
Nacha Phase 2 — the ACH fraud monitoring rule — became effective June 22, 2026. It applies to all non-consumer ACH originators, including outsourced bookkeeping firms and vCFO practices that process ACH payments for clients.
What is the Nacha Phase 2 rule?
Nacha Phase 2 requires Originators and Third-Party Senders to implement a documented fraud detection program for ACH transactions. This includes monitoring for suspicious payment patterns, scrutinizing vendor bank account changes, and maintaining an audit trail of fraud review activities.
What happens if my firm misses the Nacha Phase 2 deadline?
Firms that miss the Nacha Phase 2 deadline operate without a documented fraud detection program, which exposes them to liability for fraudulent ACH transactions a reasonable program would have caught. Nacha can also assess fines through the ODFIs (Originating Depository Financial Institutions) for non-compliant participants.
Does Nacha Phase 2 apply to outsourced bookkeeping firms?
Yes. If your bookkeeping firm initiates ACH payments on behalf of clients — payroll, vendor payments, tax deposits — you are classified as a Third-Party Sender under Nacha's framework and are directly in scope for Phase 2 requirements.
What is the difference between Nacha Phase 1 and Phase 2?
Nacha Phase 1 (effective March 20, 2026) applied to large originators processing over $1 million in ACH volume annually. Phase 2 (effective June 22, 2026) extended the requirements to all non-consumer ACH originators regardless of volume — including small bookkeeping firms and vCFO practices.
Get Nacha-compliant before June 22
Vantirs gives outsourced bookkeeping firms a documented, automated fraud monitoring program that satisfies Nacha Phase 2 — with real-time vendor change alerts, pre-release payment review, and a timestamped audit trail across your entire QBO and Xero client portfolio.
Nacha's Operating Rules are administered by Nacha (National Automated Clearing House Association). This post is for informational purposes and does not constitute legal or compliance advice. Consult your ODFI or a qualified compliance professional for guidance specific to your firm.