2026-2028 NACHA Rules Updates
Upcoming NACHA Rules Updates (as of January 15, 2026)
Effective March 20, 2026 – Risk Management Topics (Company Entry Descriptions)
These two Rule amendments on Company Entry Descriptions are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.
The effective date of March 20, 2026 for both amendments is a “no later than” date; Originators may begin using the descriptions as soon as practical.
Standardized uses of the Company Entry Description can help parties in the ACH Network identify, monitor and count the volume of payments for specific purposes; and can help manage risk.
Included in this portion of the Risk Management Rule amendments are two new, defined Company Entry Descriptions, PAYROLL and PURCHASE.
Standard Company Entry Description – PAYROLL
This rule establishes a new standard description for PPD Credits for payment of wages, salaries and similar types of compensation. The Company Entry Description field must contain the description PAYROLL.
• RDFIs that monitor inbound ACH credits will have better information regarding new or multiple payroll payments to an account.
• A standard description for payroll payments can help support RDFI logic to provide or suppress early funds availability.
• The amendment is intended to reduce the incidence of fraud involving payroll redirections.
Standard Company Entry Description – PURCHASE
This amendment establishes a new standard description for e-commerce purchases; the Company Entry Description field must contain the description PURCHASE.
Language for the definition of e-commerce purchases: “For this purpose, an e-commerce purchase is a debit Entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. An e-commerce purchase uses the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Code.”
Language has also been added to disclaim obligation on the part of ODFIs to “police” Originators’ correct use: “The ODFI has no obligation to verify the presence or accuracy of the word “PURCHASE” as a description of purpose.”
Effective March 20, 2026 – Risk Management Topics (Fraud Monitoring Phase 1)
These Rule amendments related to monitoring for fraud are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.
Included in this portion of the Risk Management Rule amendments are the Phase One requirements related to:
• Fraud Monitoring by Originators, Third-Party Service Providers (TPSPs)/Third Party Senders (TPSs) and ODFIs; and
• ACH Credit Monitoring by RDFIs.
Fraud Monitoring by Originators, TPSPs and ODFIs
(Effective date – Phase 1: March 20, 2026 for all ODFIs and non-Consumer Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023.)
This rule amendment will require all ODFIs, and each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume in 2023 of 6 million or greater, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
• The amendment is intended to reduce the incidence of successful fraud attempts.
• Regular fraud detection monitoring can establish baselines of typical activity, making atypical activity easier to identify.
The NACHA Rules currently require Originators to use a commercially-reasonable fraudulent transaction detection system to screen WEB debits and when using Micro-Entries. These rules are intended to reduce the incidence of unauthorized debits resulting from transactions initiated online, which can experience increased volume and velocity.
These current requirements do not encompass any other transaction types, and so do not currently apply to other types of debits or to any credits other than Micro-Entries. However, the existing NACHA Board policy statement “urges that all participants implement adequate control systems to detect and prevent fraud.”
Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.
• Eliminates use of “commercially reasonable” as a standard.
• Replaces “detection system” with “processes and procedures.”
• Provides a next-level description of requirements – i.e., “reasonably intended to identify…”
• Provides that the requirements apply “to the extent relevant to the role the entity plays.”
• Allows an ODFI to expressly consider steps that other participants in origination are taking to monitor for fraud in designing its own processes and procedures.
• Clarifies that monitoring is not required pre-processing.
• Requires a review of processes and procedures “at least annually.”
RDFI ACH Credit Monitoring
(Effective date – Phase 1: March 20, 2026 for RDFIs with annual ACH receipt volume of 10 million or greater in 2023.)
The rule amendment will require RDFIs with annual ACH receipt volume of 10 million or greater in 2023 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
• RDFIs have a view of incoming transactions as well as account profile information and historic activity on Receivers’ accounts.
• A risk-based approach to monitoring can consider factors such as transactional velocity, anomalies (e.g., SEC Code mismatch with account type), and account characteristics (e.g., age of account, average balance, etc.). This aligns with AML monitoring practices in place today.
• Based on its monitoring of incoming credits, an RDFI may decide to return an entry or contact the ODFI to determine the validity of a transaction.
This rule is intended to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred.
• The rule aligns with an institution’s regulatory obligation to monitor for suspicious transactions.
• The rule does not require pre-posting monitoring of credit entries.
ACH transaction monitoring may be happening currently within RDFIs. This amendment encourages the necessary communication between compliance monitoring, operations, product management, and relationship staff. Solutions may be developed in-house. Vendor solutions have emerged on the market to assist in monitoring received payment activity.
Similar to Third-Party Senders, any entity that performs a function of an RDFI in delivering transactions to a Receiver should implement monitoring and detection controls based on the functions performed.
Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.
• Eliminates use of “commercially reasonable” as a standard.
• Replaces “detection system” with “processes and procedures.”
• A risk-based approach to fraud monitoring enables RDFIs to apply resources based on risk assessment for various types of transactions.
• Provides a next level description of requirements – i.e., “reasonably intended to identify…”
• Clarifies that monitoring is not required pre-processing.
• Requires a review of processes and procedures “at least annually.”
False Pretenses
These new Rules also include references to a newly-defined term, False Pretenses: “the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services.
Effective June 19, 2026 – Risk Management Topics (Fraud Monitoring Phase 2)
Included in this portion of the Risk Management Rule amendments are the Phase Two requirements related to:
• Fraud Monitoring by Originators, Third-Party Service Providers (TPSPs)/Third Party Senders (TPSs) and ODFIs; and
• ACH Credit Monitoring by RDFIs.
Fraud Monitoring by Originators, TPSPs and ODFIs
(Effective date – Phase 2: June 19, 2026 for all non-Consumer Originators, TPSPs, and TPSs that did not fall under the requirement threshold for Phase 1.)
This rule amendment will require all non-Consumer Originators, Third-Party Service Providers, and Third-Party Senders that did not fall under the requirement threshold for Phase 1, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
RDFI ACH Credit Monitoring
(Effective date – Phase 2: June 19, 2026 for all RDFIs that did not meet the threshold requirement for Phase 1.)
The amendment will require all RDFIs that did not meet the requirement threshold for Phase 1 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
This rule is intended to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred.
• The rule aligns with an institution’s regulatory obligation to monitor for suspicious transactions.
• The rule does not require pre-posting monitoring of credit entries.
Effective September 18, 2026 – Funds Availability Requirements for Non-Same Day ACH Credit Entries
This rule will eliminate the 5 p.m. local time receipt condition, so that funds availability will be required at 9 a.m. (in the RDFI’s local time) on Settlement Date for all non-Same Day ACH credits.
Effective September 18, 2026 – Definition of International ACH Transactions (IAT) Entries
Some industry participants have indicated difficulty in understanding the existing definition of an international ACH transaction (that is, a transaction using the IAT standard entry class or SEC code). To address this, this new rule provides more clarity for users when making IAT determinations.
This new language will replace the existing definition of IAT with the following:
SECTION 8.55 “International ACH Transaction” or “IAT Entry” or “IAT”
“an Entry that is the U.S. ACH network component of an international payment transaction.
For purposes of this definition, an international payment transaction is a transfer of funds or monetary value that (a) originates with, transits through, or is delivered to an account at an office of a financial agency located outside of the U.S., or (b) otherwise is received from a sender or delivered to a receiver, in each case, via a facility of a financial agency located outside of the U.S.
For purposes of this definition, financial agency means an entity that is authorized by applicable Legal Requirements to provide financial asset accounts, including deposits, or to conduct the business of issuing general purpose payment instruments or transferring funds or other monetary value for third parties.
An IAT Entry cannot be a Same Day Entry.”
Effective January 1, 2017 – Registration of IAT Contacts in the ACH Contact Registry
This Rule will require a Participating DFI to register their IAT- handling contact with either:
• The name, title, email address, and phone number for at least one primary and one secondary contact person for the area of responsibility; or
• Department contact information that includes an email address and a working telephone number.
Phone numbers and email addresses must be those that are monitored and answered during normal business hours for financial institution inquiries.
These are the same as the existing requirements for required contact registration fields (ACH Operations and Fraud/Risk Management).
If the same parties handle multiple functions, the parties may be repeated as contacts in the database as applicable. For example, an FI may use the same contact for IAT as for ACH Operations if that accurately reflects its internal processes.
Additionally, if a DFI has a specialized task/contact, there is free-form space available for the FI to add that information.
Effective March 19, 2027 – International ACH Transactions (IAT)
This set of Rules includes two amendments: Optional Date of Birth Field for IAT Entries and Non-Bank Foreign Financial Agencies in IAT Entries. These new Rules align with NACHA’s strategies and objectives for the ACH Network to improve the ACH user experience, increase awareness and understanding of ACH capabilities, and improve data flows for ACH payments.
Optional Date of Birth Field for IAT Entries
This rule will designate an optional field for the known Date of Birth (DoB) of a natural person sender and/or receiver of an IAT Entry.
Industry participants report that the most requested piece of information to resolve IAT exceptions is the DoB for the party identified as a potential match in compliance screening. Industry input indicates that potentially 20% of received IATs must be reviewed manually for potential matches.
DofB information within the ACH Entry will be covered by current ACH Network data security requirements. This may be more secure than sharing this information through means outside of the ACH Network.
In June of 2025, the Financial Action Task Force (FATF) issued an update to its Standards on Recommendation 16 on Payment Transparency that would require cross-border payments over a de minimis amount to include the DoB for natural person originators. This rule change aligns the ACH Network with the FATF recommendation.
Other capabilities support the exchange of information related to IAT exceptions. NACHA’s Risk Management Portal includes a secure module for an FI to request information from another FI in order to process an IAT Entry exception. NACHA’s ACH Contact Registry currently includes the ability to voluntarily list IAT/OFAC-related contacts.
Non-Bank Foreign Financial Agencies in IAT Entries
This rule will expand several field descriptions that identify the Originating and Receiving DFIs in an IAT Entry to recognize the possibility that the financial agency outside the U.S. is a non-traditional account-holding institution or organization.
• Expands existing references to bank or financial institution to include a generic reference to financial agency.
• Incorporates an “other” option in the types of codes used to classify the financial agency’s identification number.
This rule will not affect the receipt of inbound IATs, which must continue to be received by domestic RDFIs, and does not apply to domestic ACH transactions.
Effective March 17, 2028 – New Return Reason Code for Sanctions Compliance Obligations
This rule will create a new return reason code (R90) to support an RDFI’s decision to return an entry in compliance with sanctions obligations. This rule also expands Article Three, Section 3.8 (RDFI’s Right to Transmit Return Entries) to adopt a unique return time frame for returns related to sanctions compliance obligations.
Currently, Return Reason Code R16 is defined for use as “Account Frozen/Entry Returned Per OFAC Instruction.” The meanings of these two reasons are only linked at the highest level because they may deal with potential legal actions. The interpretation by the ODFI/Originator matters when receiving an R16 return, as the resulting actions vary significantly.
• If the Entry is, in fact, being returned per sanctions screening obligations, then the ODFI must take action and determine further requirements for the entry and entity relationships, working with its client.
• By contrast, an RDFI’s action on the receiving account due to delinquency or garnishment, for example, does not require action by the ODFI, and necessitates different action by the Originator to collect payment.
This rule creates a new return reason code (R90) to support an RDFI’s decision to return an entry in compliance with sanctions obligations. This amendment also expands Article Three, Section 3.8 (RDFI’s Right to Transmit Return Entries) to adopt a unique return time frame for returns related to sanctions compliance obligations. “An RDFI transmitting a Return Entry to comply with its sanctions obligations must Transmit such a Return to its ACH Operator by the ACH Operator’s deposit deadline for the Return Entry to be made available to the ODFI no later than the opening of business on the second Banking Day following the RDFI’s sanctions compliance determination.”