Nacha compliance for
accounting firms
If your firm originates ACH payments for clients, you are a Nacha Third-Party Sender. Phase 2 is live. Here is exactly what you are required to do — and how to build a program that satisfies the requirement without adding hours to your workflow.
Who needs to comply
Nacha Phase 2 applies to ACH Originators and Third-Party Senders. For accounting firms, the question is simple: does your firm initiate or direct ACH payments on behalf of clients? If yes, you are in scope.
Outsourced bookkeeping firms
Managing QBO or Xero for 10–40 SMB clients and initiating ACH bill payments on their behalf.
vCFO and fractional CFO practices
Overseeing client AP workflows, approving payments, or directing payment processing for client entities.
Accounting firms with client bill pay
Any CPA or bookkeeping firm that has staff submitting ACH payments through client QBO or Xero accounts.
Not sure if you qualify as a Third-Party Sender? Read the full Third-Party Sender explainer.
What Phase 2 requires
Nacha Phase 2 requires a documented, risk-based fraud monitoring program. There is no single prescribed format — but auditors and ODFIs expect to see three components:
Written fraud monitoring policy
A documented policy describing how your firm identifies, reviews, and responds to ACH fraud risk. This does not need to be a 50-page document — it needs to exist, be written down, and be followed consistently.
Active pre-payment monitoring
Before each ACH payment cycle, your firm must actively screen for fraud indicators: vendor bank account changes since the last payment, first payments to new vendors, and payment amounts significantly outside historical norms for that vendor.
Audit trail and documentation
A log of what was reviewed before each payment release: date, vendor, what was checked, who reviewed it, what the decision was, and what evidence supported it. This is what you produce if a payment is ever disputed.
For the complete checklist of what auditors expect, see the Nacha 2026 ACH fraud monitoring checklist.
QuickBooks Online does not cover this for you
QBO processes ACH payments. It does not run pre-payment fraud monitoring, flag vendor bank changes, or maintain a compliance audit trail. The monitoring obligation belongs to your firm — the Third-Party Sender — not to Intuit. If a payment is disputed or your ODFI asks for documentation of your fraud monitoring program, QBO cannot provide it.
See Nacha 2026 compliance for QuickBooks Online users for the full breakdown.
The False Pretenses rule adds liability on top of compliance
Nacha's March 2026 False Pretenses rule update established a return code for ACH payments obtained through misrepresentation — vendor impersonation, fake invoices, fraudulent bank change requests. When a False Pretenses return is filed, the question of who bears the loss comes down to whether the originating party exercised reasonable care.
A documented fraud monitoring program with pre-payment verification evidence is the concrete answer to "did you exercise reasonable care?" A firm without that documentation has a much harder conversation with their ODFI when a dispute arises.
Read the False Pretenses rule explainer for bookkeeping firms →
How Vantirs satisfies the requirement
Vantirs connects to QBO and Xero and runs the three core monitoring checks automatically before each payment cycle — across all your clients, not just one at a time.
Vendor bank change detection
Flags any vendor whose bank account or routing number has changed since the last successful payment. Requires confirmation before ACH release.
New vendor flagging
Identifies any first payment to a vendor with no prior payment history. Prompts out-of-band verification before the payment goes out.
Payment amount anomaly alerts
Compares each invoice amount to that vendor's historical baseline. Flags invoices significantly outside normal range for human review.
Every review is logged automatically — date, vendor, what was checked, outcome — producing the audit trail your ODFI can ask for at any time.
FAQ
Do outsourced bookkeeping firms need to comply with Nacha 2026?
Yes. If your firm initiates ACH payments on behalf of clients — through QuickBooks Online, Xero, or any payment processor — you are acting as a Third-Party Sender under Nacha rules. Third-Party Senders are in scope for Phase 2 fraud monitoring requirements, which went live June 22, 2026.
What does Nacha Phase 2 require accounting firms to do?
Nacha Phase 2 requires ACH Originators and Third-Party Senders to maintain a documented, risk-based fraud monitoring program. In practice, this means: (1) a written policy describing how your firm monitors for ACH fraud, (2) active monitoring that flags bank account changes, new vendors, and payment anomalies before ACH release, and (3) an audit trail documenting what was reviewed, when, and by whom.
What is a Third-Party Sender under Nacha rules?
A Third-Party Sender is any entity that transmits ACH entries on behalf of another Originator. Outsourced bookkeeping firms and vCFO practices that initiate ACH bill payments for clients qualify as Third-Party Senders. This is true even when using QuickBooks Online, which itself processes the ACH — the firm directing those payments is the Third-Party Sender.
Does QuickBooks Online handle Nacha compliance for my firm?
No. QuickBooks Online is the payment processor — it executes the ACH. The fraud monitoring obligation belongs to the Originator (your client) and Third-Party Sender (your firm). Intuit is not responsible for building or maintaining your fraud monitoring program. That is your firm's obligation.
What happens if my firm does not comply with Nacha Phase 2?
Non-compliance can result in ODFI sanctions, fines, and in egregious cases suspension from the ACH network. Beyond formal penalties, the Nacha False Pretenses return code (March 2026) creates liability exposure in payment disputes — firms without documented fraud monitoring have a weaker defense when a payment is disputed.
Get compliant before your ODFI asks
Vantirs gives accounting firms a Nacha-ready fraud monitoring program: automated monitoring, pre-payment verification, and a full audit trail — across every client, every payment cycle.