Nacha 2026 · Complete Guide
Nacha 2026 compliance for accounting firms
Everything outsourced bookkeeping firms and vCFO practices need to know about Nacha's Phase 2 ACH fraud monitoring rule — what's required, who's in scope, and how to build a defensible program before the June 22, 2026 deadline.
Phase 2 is now in effect: June 22, 2026
Nacha Phase 2 covers all non-consumer ACH originators — including outsourced bookkeeping firms and vCFO practices. If your firm processes ACH for clients and doesn't have a documented fraud monitoring program, you are out of compliance.
What Nacha Phase 2 requires
Nacha — the organization that governs the ACH network — updated its Operating Rules to require ACH originators to implement formal fraud detection programs. The rule rolled out in two phases: Phase 1 (March 20, 2026) covered large-volume originators; Phase 2 (June 22, 2026) extended requirements to all non-consumer originators.
The three requirements:
- Documented fraud monitoring program. A written procedure describing how your firm detects and responds to ACH fraud risk. Not informal vigilance — a documented program you can show an ODFI or insurance adjuster.
- Pre-release transaction review. Suspicious transactions — vendor bank changes, new vendor first payments, anomalous amounts — must be reviewed and cleared before the ACH file releases. Not after the payment processes.
- Audit trail. A timestamped log of every fraud review performed: who reviewed it, what was checked, what decision was made.
Who is in scope: Third-Party Senders
Most Nacha coverage focuses on corporate treasury and enterprise AP teams. The audience that is underserved by that coverage: outsourced bookkeeping firms and vCFO practices.
When your firm logs into a client's QuickBooks Online or Xero account and initiates an ACH payment — payroll, a vendor payment, a tax deposit — you are a Third-Party Sender. Third-Party Senders are explicitly in scope for Phase 2. The compliance obligation sits with your firm, not your client.
Your firm is likely a Third-Party Sender if:
- • You log into client QBO or Xero accounts and initiate ACH payments
- • You process payroll on behalf of clients
- • You pay client vendors via ACH
- • You submit tax deposits or estimated payments for clients
Confirm with your ODFI. Ask whether your firm is registered as a Third-Party Sender in the Nacha Registry. Full guide: Are you a Nacha Third-Party Sender?
What a compliant program looks like
For an outsourced bookkeeping firm, the minimum compliant program has five components:
Written SOP
A 1-3 page document describing your fraud review process. What triggers a review, who performs it, how decisions are documented. Updated at least annually.
Vendor bank change verification
Any vendor routing/account change in QBO or Xero requires a phone call to a number on file — not a number in the change email — before the next ACH to that vendor releases. Documented with timestamp and reviewer name.
New vendor first-payment review
First ACH to any vendor added in the last 30 days is held for secondary review — client confirmation plus cross-check of vendor legitimacy.
Anomaly review
Payments significantly above a vendor's historical average or to dormant vendors require client confirmation before release.
Fraud review log
A timestamped record of every review — date, client, vendor, what was checked, reviewer, decision. Retain for minimum 2 years.
For a printable version of this as a working checklist, see the Nacha 2026 ACH fraud monitoring checklist.
Deadline and consequences
| Phase | Effective Date | Scope |
|---|---|---|
| Phase 1 | March 20, 2026 | Originators > $1M ACH volume/year |
| Phase 2 | June 22, 2026 | All non-consumer originators including bookkeeping firms |
Missing the deadline does not trigger an immediate fine. It creates ongoing liability exposure: every fraudulent ACH that a compliant program would have caught is now your firm's liability. ODFI enforcement (including ACH origination suspension) and cyber insurance claim denial are the material consequences. For the full breakdown, see Nacha Phase 2 deadline: what happens if you miss it.
How Vantirs automates Nacha compliance
Manual compliance execution doesn't scale across a portfolio of 15-40 clients. Vantirs connects to QBO and Xero across your entire client base and automates the weekly fraud review cycle:
Vendor bank change alerts
Every time a vendor's routing number or account number changes in any client's QBO or Xero, Vantirs flags it before the next payment releases.
New vendor first-payment holds
First payment to any vendor added in the last 30 days is automatically flagged for review before release.
Anomaly detection
Payments that deviate from a vendor's historical pattern are surfaced for review before they go out.
Timestamped audit trail
Every flag and review decision is logged with timestamp and reviewer — the documentation Nacha Phase 2 requires.
Detailed guides by topic
Nacha Phase 2 goes live June 22 — what happens if you miss it
Phase 1 vs Phase 2, what the deadline means, and the liability consequences.
ClassificationAre you a Nacha Third-Party Sender?
How to determine whether your bookkeeping firm qualifies and what it means.
Accounting firmsNacha 2026 fraud monitoring rules for bookkeeping firms
What the rule requires specifically for outsourced bookkeeping practices.
ChecklistNacha 2026 ACH fraud monitoring checklist
Step-by-step program setup, weekly review cycle, and quarterly maintenance.
QuickBooksNacha 2026 compliance for QBO users
What QBO-based bookkeeping firms must do — and what QBO does not handle.
Deep diveNacha 2026 ACH fraud monitoring compliance guide
Full technical breakdown of each requirement and the controls that satisfy it.
SoftwareNacha compliance software for accounting firms
How automated monitoring works — and why enterprise tools don't fit the bookkeeping model.
Frequently asked questions
What is Nacha Phase 2 and when did it go into effect?
Nacha Phase 2 is the extension of the ACH fraud monitoring rule to all non-consumer ACH originators, effective June 22, 2026. It requires Originators and Third-Party Senders to implement a documented fraud detection program, investigate suspicious transactions before releasing ACH files, and maintain an audit trail.
Do outsourced bookkeeping firms have to comply with Nacha 2026?
Yes. Outsourced bookkeeping firms and vCFO practices that initiate ACH payments on behalf of clients are classified as Third-Party Senders under Nacha's rules. Third-Party Senders are directly in scope for Phase 2 compliance requirements — the obligation belongs to your firm, not just your clients.
What does a Nacha-compliant fraud monitoring program require?
A compliant program under Phase 2 requires: (1) a written fraud monitoring procedure, (2) verification of vendor bank account changes before any ACH releases to changed accounts, (3) scrutiny of first payments to new vendors, (4) review of anomalous payment patterns, and (5) a timestamped audit trail documenting every review performed.
Does QuickBooks Online handle Nacha 2026 compliance automatically?
No. QuickBooks Online processes ACH transactions but does not implement Nacha's fraud monitoring requirements. The compliance obligation — fraud review, vendor change verification, audit documentation — is your firm's responsibility, not Intuit's.
What happens if my firm is not Nacha Phase 2 compliant?
Non-compliant firms face liability for fraudulent ACH transactions that a reasonable program would have caught, potential ODFI enforcement (including suspension of ACH origination access), and exposure to cyber insurance claim denial on ACH fraud losses.
How does Vantirs help with Nacha 2026 compliance?
Vantirs connects to QBO and Xero across your entire client portfolio and automatically flags vendor bank account changes, first payments to new vendors, and anomalous payment amounts before each ACH release. Every flag generates a timestamped review record that satisfies Nacha's audit documentation requirement.
Nacha Operating Rules are administered by Nacha (National Automated Clearing House Association). This guide is for informational purposes only and does not constitute legal or compliance advice. Consult your ODFI or a qualified compliance professional for guidance specific to your firm.