Nacha Phase 2 — Effective June 22, 2026
If you originate ACH payments — directly or on behalf of clients — you must have a documented fraud monitoring program in place now. This page covers exactly what that requires.
Nacha June 22, 2026: what you need to do right now
Updated June 22, 2026 · About 7 min read
Nacha's Phase 2 fraud monitoring rule went live today. If you received an email from your bank, your payroll processor, or your accounting software about ACH compliance — this is why. Here is what the rule actually requires and what to do about it, whether you are a business owner, AP manager, CFO, or accounting firm.
Does this apply to you?
Nacha Phase 2 applies to you if any of these is true:
- !You pay vendors or contractors by ACH (bank transfer) from your business account
- !You run payroll via direct deposit
- !You are an outsourced bookkeeper or accounting firm that initiates ACH payments on behalf of clients
- !You process payments on behalf of other businesses (payroll processor, billing company)
- !Your bank has told you that you are a "Third-Party Sender" or need to register with Nacha
If none of these apply — you only receive ACH payments, never send them — you are not in scope for Phase 2.
The 4 things you must do to comply
Nacha does not require a specific software product. It requires a functioning, documented program. Here is what that looks like in practice.
Write your fraud monitoring SOP — today
Takes 30 minutesA one-page document: what triggers a review, who performs it, how decisions are recorded. This is your written program. It does not need to be long — it needs to exist.
Include: (a) what types of changes trigger a review (vendor bank change, new vendor, anomalous amount), (b) how you verify each (phone call to number from existing file, confirmation with the client contact), (c) who is responsible, (d) how you log decisions.
Check for vendor bank changes before your next ACH run
Before every payment cyclePull your vendor change log for every ACH-paying client. Any vendor that changed routing or account numbers since your last cycle must be verified before payment releases.
In QBO: Audit Log → filter by Vendor entity. Look for account number or routing changes. For any change: call the vendor at a number from your existing records (not the number in the change request email). Confirm account holder name, routing, and account number. Log the call.
Flag and verify new vendors before first payment
Before every payment cycleAny vendor added in the last 30 days who is about to receive a first ACH payment needs a secondary verification — confirm the vendor is real and authorized by the client.
Contact your client contact (not the vendor listed on the invoice) and confirm they authorized this vendor and the payment amount. Log the confirmation: date, who you spoke to, what was confirmed.
Start a fraud review log
Starting nowA spreadsheet with columns: Date, Client/Company, Vendor, Change Type, Review Method, Reviewer Name, Decision (cleared / held / escalated), Notes. One row per review.
This is the audit trail Nacha requires. Keep it for at least 2 years. If your ODFI, an insurer, or a client asks for your fraud monitoring documentation, this log — plus your SOP — is your evidence.
Manual compliance vs. automated monitoring
Manual (spreadsheet)
Viable for small operations — 1-2 companies, a handful of vendors. Requires discipline and a consistent pre-payment checklist. Works if you can commit 30–60 minutes per ACH cycle to running the checks and logging results.
Risk: gaps in the log = compliance gaps. Manual checks get skipped under deadline pressure.
Automated (Vantirs)
Connects to QBO and Xero. Before each payment cycle, flags vendor bank changes, new vendors, and anomalous amounts automatically — across every account. Reviewer works a short exception list instead of checking every vendor manually. Produces the timestamped audit trail automatically.
No gaps. No missed cycles. Audit trail always complete.
QuickBooks Online does not handle this for you
QBO processes ACH transactions but has no vendor change fraud detection, no new vendor scrutiny, and produces no Nacha-compliant audit trail. The compliance program is your responsibility — or your accounting firm's — regardless of what software you use to pay bills.
Common questions
Nacha Phase 2 is live — what does that mean for me?
It means any business or organization that initiates ACH payments — directly or through an accounting firm — must now have a documented ACH fraud monitoring program. This includes written procedures, vendor bank change verification before ACH release, scrutiny of first payments to new vendors, and a timestamped audit trail. If you don't have this in place, you are out of compliance as of June 22, 2026.
Does this apply to my business if I only send a few ACH payments a month?
Yes. Nacha Phase 2 removed the volume threshold. Phase 1 (March 2026) applied only to large originators. Phase 2 applies to ALL non-consumer Originators, all Third-Party Senders, and all Third-Party Payment Processors — regardless of how many ACH transactions you originate. If you pay vendors or employees via ACH, you are in scope.
I use QuickBooks Online — doesn't that handle this?
No. QuickBooks Online processes ACH transactions but does not implement Nacha's fraud monitoring requirements. QBO does not flag vendor bank account changes as suspicious, does not require review of first payments to new vendors, and does not produce the audit trail Nacha requires. The compliance program is your responsibility — your firm's or your accountant's — not Intuit's.
What is the minimum I need to be compliant right now?
Minimum viable compliance: (1) Write a one-page procedure describing how you review vendor bank changes and new vendors before ACH release. (2) Before your next ACH payment run, check whether any vendors have changed bank account details since your last cycle — verify by phone call to the vendor at a number from your existing records, not from the change request. (3) Log that review with a date, what you checked, and your decision. This is the beginning of an audit trail. Do this consistently for every payment cycle going forward.
What are the penalties for not complying?
Non-compliance with Nacha Phase 2 can result in: (1) ODFI enforcement — your bank can suspend or terminate your ACH origination access if they determine you lack a compliant fraud monitoring program. (2) Financial liability — if a fraudulent ACH transaction occurs that a reasonable monitoring program would have caught, liability transfers from the ODFI to you. (3) Fines up to $500,000 per violation for major breaches. (4) Insurance denial — cyber liability policies increasingly require documented AP fraud controls; a missing program can void coverage for ACH fraud losses.
What is a Third-Party Sender and am I one?
A Third-Party Sender (TPS) is any entity that initiates ACH entries on behalf of another company or individual. If you are an outsourced bookkeeper, accounting firm, or payroll processor that accesses client bank accounts to originate ACH — you are almost certainly a TPS. TPS entities are directly in scope for Phase 2 and may also need to register with the Nacha TPS Registry through their ODFI.
Go deeper
Complete Nacha 2026 compliance guide →
Everything — Phase 1 vs 2, TPS, program requirements, penalties
Print-ready compliance checklist →
Step-by-step: program setup, weekly checks, quarterly review
Are you a Third-Party Sender? →
TPS classification explained for bookkeeping and accounting firms
Nacha 2026 and QuickBooks Online →
What QBO handles and what your firm must add
Phase 2 deadline — what happens if you missed it →
Late compliance, enforcement timeline, how to catch up
Nacha compliance software →
How automated monitoring works vs. manual tracking
Get compliant today — automatically
Vantirs connects to your QBO and Xero accounts and runs the vendor change, new vendor, and anomaly checks before every payment cycle — with a timestamped audit trail that satisfies Phase 2 requirements.
This page is for informational purposes only and does not constitute legal or compliance advice. Nacha Operating Rules are administered by Nacha. Consult your ODFI or a qualified compliance professional for guidance specific to your situation.