- Services
- Products
- Compliance
- Markets
- Insights
- About
Updated June 2026
ACH Rules continue to evolve as fraud risks increase across the ACH Network. In 2026, Nacha introduced new ACH Rule changes focused on fraud monitoring, payment transparency, and risk management. Organizations that process ACH transactions should understand both the new requirements and the broader ACH Rules that govern electronic payments.
What are ACH Rules?
ACH Rules are the operating standards established by Nacha that govern electronic payments processed through the ACH Network. These rules help financial institutions, businesses, government agencies, and nonprofits securely send and receive electronic transactions while maintaining compliance, reducing fraud, and protecting consumer data.
Who Must Follow ACH Rules?
- Businesses
- Colleges and universities
- Healthcare organizations
- Government agencies
- Financial institutions
- Third-party service providers
In this article, we’re exploring how the ACH Rule changes in 2026 impact higher education, healthcare, government, and nonprofits.
For institutions that move large volumes of funds but aren’t traditional “payments companies,” these changes are less about technology mandates and more about process awareness.
Here’s what’s changing and what it looks like in real life for mission‑driven organizations.
-
Expanded ACH Fraud Monitoring Requirements
Effective March 20, 2026 (Phase 1)/June 19, 2026 (Phase 2)
What’s changing?
Certain originators, third‑party senders, third‑party service providers, and ODFIs must establish and maintain risk‑based processes reasonably intended to identify ACH entries initiated due to fraud.This is not a requirement to screen every transaction or deploy a specific tool. Instead, Nacha expects organizations to:
- Understand where fraud risk exists in their ACH activity
- Monitor for unusual patterns (volume, velocity, dollar amounts, timing)
- Review and update those processes at least annually
| Use Case #1 | Use Case #2 | |
|---|---|---|
| Higher Ed Use Cases |
Vendor Change & Refund Fraud
|
Payroll Redirection Attempts |
| Healthcare Use Cases |
Provider Payment Irregularities
|
Patient Refund Abuse
|
| Government Use Cases |
Benefits & Assistance Payments
|
Grant Disbursements |
| Not-for-Profit Use Cases |
Emergency Assistance Programs
|
Vendor & Partner Payments |
Why this matters
Many mission‑based organizations already have internal controls. This rule simply formalizes the expectation that ACH activity is part of fraud risk management, not separate from it.
-
New Standard Company Entry Description: PAYROLL
Effective March 20, 2026
What’s changing?
All PPD ACH credits used for wages, salaries, or similar compensation must include “PAYROLL” in the Company Entry Description field. This applies to:
- Employees
- Contract workers (1099s)
- Pre‑tax payroll components, such as HSA contributions
| Use Case #1 | Use Case #2 | |
|---|---|---|
| Higher Ed Use Cases |
Faculty & Staff Payroll |
Graduate Assistants & Stipends |
| Healthcare Use Cases |
Hospital Payroll |
Contract Clinicians |
| Government Use Cases |
Municipal Payroll |
Seasonal or Temporary Workers |
| Not-for-Profit Use Cases |
Staff Payroll |
Fellowship or Program Compensation |
3. New Standard Company Entry Description: PURCHASE
Effective March 20, 2026
What’s changing?
The PURCHASE Company Entry Description is required for consumer e-commerce ACH debits, defined as:
A debit entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. This applies to consumer (B2C) transactions only, not business-to-business ACH activity.
| Use Case #1 | Use Case #2 | |
|---|---|---|
| Higher Ed Use Cases |
Online Merchandise Sales |
Continuing Education Materials |
| Healthcare Use Cases |
Consumer Online Purchases |
Subscription Health Services |
| Government Use Cases |
Consumer Online Purchases |
Recreation or Permit Related Goods |
| Not-for-Profit Use Cases |
Online Gift Shop Sales |
Subscription Based Educational Content |
How Organizations Should Prepare
Organizations should review their ACH processing procedures, evaluate existing fraud monitoring controls, and ensure they can comply with the new Nacha requirements before the implementation deadlines.
Updating policies, training staff, and coordinating with financial institutions and third-party providers can help reduce compliance risks and support a smooth transition.
Common Implementation Mistakes
One of the most common mistakes is waiting until the compliance deadline to assess ACH processes and fraud monitoring capabilities. Organizations may also overlook employee training, fail to document compliance efforts, or underestimate the impact of the new requirements on existing workflows and third-party relationships.
Best Practices for ACH Fraud Monitoring
Effective ACH fraud monitoring includes establishing risk-based monitoring procedures, reviewing transactions for unusual activity, implementing strong access controls, and regularly evaluating fraud detection processes.
Organizations should also document monitoring activities and periodically assess controls to ensure they remain effective as fraud threats evolve.
Final Takeaway
These 2026 ACH rule changes aren’t about turning universities, hospitals, governments, or nonprofits into banks.
They’re about:
- Clearer payment purpose
- Stronger fraud awareness
- Better alignment between how ACH payments move and how risk is managed
Organizations that understand where these rules apply and where they don’t will avoid unnecessary changes while strengthening their overall payments posture.
If you need assistance with your ACH program, contact us to complete an ACH Rules Assessment. We’re here to assess your ACH environment and help your organization meet evolving Nacha requirements.