Compliance · Nacha
Are you a Nacha Third-Party Sender? What bookkeeping firms need to know
Published Jun 3, 2026 · About 8 min read
Most outsourced bookkeeping firms don't think of themselves as ACH originators. They think of themselves as firms that help clients pay bills, run payroll, and manage their books. But from Nacha's perspective, if your firm logs into a client's QuickBooks account and initiates an ACH payment, you are a Third-Party Sender — a regulated participant in the ACH network with direct compliance obligations.
This distinction matters because it means Nacha's 2026 fraud monitoring rules — specifically Phase 2, which took effect June 22, 2026 — apply to your firm, not just to your clients. Here is how to determine whether you're classified as a Third-Party Sender, what that means, and what to do about it.
What is a Nacha Third-Party Sender?
Nacha defines a Third-Party Sender (TPS) as a company that initiates ACH credit or debit entries on behalf of another company (called the Originator) through the ACH network. The key distinction is that the Third-Party Sender is not the company whose funds are being moved — it is the intermediary that creates and transmits the ACH instructions.
In practical terms for bookkeeping: your clients are the Originators (their money is moving). Your firm is the Third-Party Sender when you create and submit the ACH instructions on their behalf.
How to know if your firm qualifies
Run through this checklist:
You log into client accounting systems (QBO, Xero) and initiate payments on their behalf
You process payroll ACH for clients — approving and submitting payroll runs
You pay client vendors via ACH — entering payment details and releasing the payment
You submit tax payments (quarterly estimates, payroll taxes) on behalf of clients
You have signing authority or approval authority over client bank accounts
If any of these apply to your firm, you are likely a Third-Party Sender. The definitive answer comes from your ODFI — ask them directly whether your firm is registered as a TPS in their system and in the Nacha Registry.
What Third-Party Senders are required to do
As a Third-Party Sender, you have four categories of Nacha compliance obligations:
1. Register with your ODFI
Third-Party Senders must be registered by their ODFI in the Nacha Third-Party Sender Registry. If you are not registered, your ODFI may be in violation of Nacha rules, and you are operating without the oversight Nacha requires. Contact your ODFI and ask whether your firm is registered.
2. Implement a documented ACH fraud monitoring program
This is the Phase 2 requirement (effective June 22, 2026). You need a written procedure that describes how you monitor ACH transactions for fraud risk — including scrutiny of vendor bank changes, new vendor first payments, and anomalous payment patterns. The program must be documented, functioning, and produce an audit trail.
3. Investigate before releasing
Suspicious transactions must be reviewed and cleared (or held) before the ACH file releases — not after the payment processes and a return or dispute is filed. This is an operational change: fraud review moves upstream of payment.
4. Maintain audit documentation
A timestamped log of every fraud review performed — who reviewed, what was checked, what decision was made. This documentation satisfies both Nacha's requirement and provides your defense in a dispute or insurance claim.
The liability asymmetry: why this matters more for bookkeeping firms than for clients
Here is the part that gets underappreciated in most compliance coverage: as a Third-Party Sender, your liability for a fraudulent ACH payment is often greaterthan your client's.
Your client likely has no independent controls over the transactions your firm is originating on their behalf. They trust you to verify payment details. If a fraudulent ACH processes because a vendor bank change scam got past your firm, the client has a reasonable argument that they relied on your controls — and that your missing controls are the cause of the loss.
A Nacha-compliant fraud monitoring program is not just a regulatory checkbox. It is the documented evidence that your firm followed a reasonable standard of care — and the difference between a covered insurance claim and a firm-ending lawsuit.
The attack that Third-Party Sender classification makes you a target for
Fraudsters know that bookkeeping firms originate ACH on behalf of multiple clients. One compromised firm exposes an entire portfolio. The attack pattern:
- A fraudster emails your firm posing as a vendor, requesting a “bank account update.”
- Your firm updates the vendor record in QBO.
- The next ACH payment — which your firm originates — goes to the fraudster's account.
- The real vendor never receives payment. By the time anyone notices, the funds are gone.
This is Vendor Email Compromise, and it is currently the dominant vector in ACH fraud. Nacha's fraud monitoring rules are specifically designed to stop it. Your required vendor bank change verification protocol — a phone call to a number on file before any change is processed — catches this attack at step 2.
For a full breakdown of how Vendor Email Compromise works and why it's the specific scenario Nacha is addressing, see BEC vs. VEC: what accounting firms need to know.
Next steps: confirm your classification and build your program
- Call your ODFI today. Ask whether your firm is registered as a Third-Party Sender. If not, ask what the registration process requires.
- Draft a one-page fraud monitoring SOP. Describe how your firm handles vendor bank changes, new vendor first payments, and anomalous payment patterns. Written documentation is the minimum Nacha requires.
- Implement vendor bank change verification. Phone call to a number on file, documented with timestamp and reviewer. This is the single highest-impact control — both for fraud prevention and for Nacha compliance.
- Evaluate monitoring tools for scale.Manual compliance doesn't scale across a client portfolio. See how Vantirs automates Nacha compliance for bookkeeping firms.
FAQ: Nacha Third-Party Senders
What is a Nacha Third-Party Sender?
A Nacha Third-Party Sender is any company that initiates ACH transactions on behalf of another company (the Originator) — where the Third-Party Sender is not the company whose account the funds are being moved to or from. Outsourced bookkeeping firms and vCFO practices that process ACH for clients are typically classified as Third-Party Senders.
Does my bookkeeping firm qualify as a Nacha Third-Party Sender?
If your firm logs into client accounting systems (QuickBooks Online, Xero) and initiates ACH payments — payroll, vendor payments, tax deposits — you are acting as a Third-Party Sender under Nacha's rules. The test is whether you are originating ACH instructions on behalf of another business entity.
What are the Nacha compliance obligations for Third-Party Senders?
Third-Party Senders must implement a documented ACH fraud detection program (required as of June 22, 2026 under Phase 2), maintain audit documentation of fraud reviews, investigate suspicious transactions before releasing ACH files, and register as a Third-Party Sender with their ODFI.
How do I register as a Nacha Third-Party Sender?
Contact your ODFI (Originating Depository Financial Institution) — the bank your client uses for ACH origination. Your ODFI is required to register Third-Party Senders in the Nacha Registry. If your ODFI has not asked you to register, ask them directly whether your firm qualifies.
What is the difference between an Originator and a Third-Party Sender under Nacha?
An Originator is the company whose funds are being moved — your client. A Third-Party Sender is an intermediary that initiates ACH transactions on behalf of the Originator. Both have Nacha compliance obligations, but the Third-Party Sender carries the fraud monitoring obligation for the transactions it originates.
Nacha-compliant fraud monitoring for Third-Party Senders
Vantirs gives outsourced bookkeeping firms a documented, automated fraud monitoring program across their entire QBO and Xero client portfolio — vendor bank change alerts, pre-release payment review, and a timestamped audit trail that satisfies Nacha Phase 2.
This post is for informational purposes only and does not constitute legal or compliance advice. Consult your ODFI or a qualified compliance professional for guidance specific to your firm.