
The Fraud Monitoring Rule has been in place for some time, but recent amendments bring important updates that all originators should be aware of. These changes will take effect in a two-phase rollout.
The amended rule requires non-consumer originators, third-party service providers (TPSPs), and third-party senders (TPSs) to establish and implement risk-based processes and procedures designed to identify ACH entries initiated as a result of fraud.
Key Compliance Dates:
Phase 1: March 20, 2026
- The rule will apply to non-consumer originators, TPSPs, and TPSs with an annual ACH origination volume of 6 million or greater in 2023.
- Schools, healthcare facilities, and municipalities, among others, are considered non-consumer originators.
Phase 2: June 19, 2026
- The rule will apply to all other non-consumer originators, TPSPs, and TPSs.
Let’s look into how this rule applies to originators and some suggested actions to take now:
What does the new rule require?
Each of these parties will be required to:
- Establish and implement risk-based processes and procedures, relevant to the role it plays in the authorization or transmission of entries, that are reasonably intended to identify entries that are suspected of being unauthorized or authorized under false pretenses; and
- Review (at least annually) these processes and procedures and make appropriate updates to address evolving risks.
How does this apply to originators?
If your business processed (originated) over six million ACH transactions in 2023, then you must comply with the ACH Fraud Monitoring Rule by March 20, 2026. As a reference, most organizations typically originate fewer than one million annual ACH transactions.
All originators not included in the March 20, 2026, compliance date will be expected to comply by the Phase 2 date of June 19, 2026.
What should originators do?
- Identify all areas sending, receiving, or processing ACH data.
- Identify areas in your business that initiate ACH transactions or that handle or receive ACH data (e.g., Payroll, Student Services (tuition payments and refunds), Cashiering Office, Treasury Operations, Accounts Payable, Donor Development, COBRA payments, IT Financial Services).
- Consider what you do today in the event of unusual, fraudulent, or suspicious ACH activity.
- Evaluate how you identify or recognize unusual ACH-related activities today and what actions you take.
- Identify “high-risk” transaction attributes.
- Determine the reasonable transaction amount at which dual approval should be required for outgoing ACH transactions.
- Determine if verifiable and reproducible ACH authorizations are obtained and retained.
- Conduct a thorough ACH risk assessment and ACH gap analysis.
- Compare your ACH procedures and incident response plan to industry standards and best practices.
- Identify and document any gaps.
- Develop policies and procedures tailored to address the identified gaps and risks.
- Engage stakeholders and subject matter experts.
- Consult with your originating depository financial institution (your bank).
- Consider establishing ACH document classification, retention, and destruction protocols and timelines.
- Document employee access controls to systems containing ACH data.
- Formalize current policies and procedures.
- Incorporate any new policies or procedures created.
- Regularly review and update policies to ensure they remain effective.
- Train and educate staff on the risks and on any policy or procedure changes.
By following this checklist, you can enhance the effectiveness and security of your ACH origination and data security policies and procedures. We’re here to be your trusted partner in achieving ACH and Nacha compliance with confidence. Contact us if you have any questions or need further assistance.