
NACHA Rules on Credit-Push Fraud Risk Now Effective

NACHA News
Published March 20th, 2026
Detected April 7th, 2026

Summary

NACHA has implemented Phase 1 of new fraud monitoring rules for the ACH Network effective March 20, 2026. ODFIs of all sizes and non-consumer Originators, Third-Party Service Providers, and Third-Party Senders with 6 million+ annual ACH origination volume (2023) must now have risk-based processes to identify fraudulent ACH entries. RDFIs with 10 million+ annual ACH receipt volume (2023) must similarly implement fraud identification procedures. Phase 2 in June 2026 will extend these requirements to all entities regardless of volume.

What changed

NACHA has activated Phase 1 of its Credit-Push Fraud Monitoring Rules, requiring ODFIs to implement risk-based processes to identify fraudulent ACH entries, and RDFIs to establish similar procedures for detecting fraudulent credit entries. For ODFIs, the requirement currently applies to all institutions regardless of size; for Originators and third parties, the threshold is 6 million+ annual ACH origination volume (based on 2023 data). RDFIs must comply if their 2023 annual ACH receipt volume reached 10 million or more.

Financial institutions on both sides of ACH transactions now have defined roles in fraud prevention—ODFIs and Originators monitor for fraud-initiated entries, while RDFIs can identify suspicious incoming payments based on accountholder profiles and either return entries or verify with the ODFI. Organizations that have not yet implemented these procedures should act immediately, as Nacha has indicated these rules are now in effect. Phase 2 in June 2026 will remove all volume thresholds, making the requirements universal for all ACH Network participants except consumers.

What to do next

  1. Implement risk-based fraud monitoring procedures for ACH credit entries if your organization meets the Phase 1 volume thresholds
  2. Prepare for Phase 2 expansion in June 2026 when requirements apply regardless of origination volume
  3. Review and update fraud monitoring procedures periodically as fraud tactics evolve

Source document (simplified)

Posted on

March 20, 2026


Keeping the ACH Network safe—and constantly working to strengthen that security—is always top of mind for Nacha. Today, March 20, 2026, marks a milestone in those efforts as a major phase of new Nacha Rules on risk management and transaction monitoring is now in effect, with the next phase right behind in June.

It’s been three and a half years since Nacha released its “Risk Management Framework for the Era of Credit-Push Fraud.” Before that, the focus had been on unauthorized debits pulling money from accounts. But the Framework noted that had changed, with “the most significant fraud threats to bank account holders” now involving “fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards, and other instant and digital payments.”

Once these updated Rules are fully implemented later this year, everyone using the ACH Network (except consumers) will be contributing to risk management through risk‑based processes and procedures reasonably intended to identify fraudulent ACH activity.

“What’s particularly noteworthy is that for the first time, RDFIs have a role to play, alongside ODFIs, Originators and third parties,” said Devon Marsh, Nacha Managing Director, ACH Network Rules and Risk Management. “Because of the way credit-push frauds work, financial institutions on both sides of a payment need to be part of the monitoring solution.”

Today marks the start of Phase 1 for fraud monitoring, impacting all ODFIs, regardless of size. It also applies to any non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender whose 2023 annual ACH origination volume was 6 million or greater. They should have established and implemented risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. In Phase 2, coming in June, the requirement will apply regardless of origination volume.

RDFIs must establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud. Today, it applies to RDFIs with annual 2023 ACH receipt volume of 10 million or greater; in June, it applies to all RDFIs.

“Not only do RDFIs see incoming payments, they also know the profiles of their accountholders. This puts them in a unique position to identify certain unusual activities,” said Marsh. “RDFIs can help address a fraudulent transaction by either returning an entry or checking on its validity with the ODFI.”

Whatever steps your organization has taken to implement these new Rules, Nacha cautioned not to just set it and forget it.

“Fraudsters are always looking for the next big thing, so you should periodically check your procedures and update them as necessary,” said Marsh. “This should be an evolving process, not a ‘one and done.’”

And if your organization has yet to comply with the Rules, it’s not too late. Nacha has many resources to help, including our Credit-Push Fraud Monitoring Resource Center, which includes guidance from Nacha’s Risk Management Advisory Group (RMAG) and a list of third-party service vendors including Nacha Preferred Partners, Nacha Certified companies, and members of Nacha’s Payments Innovation Alliance.

Nacha Consulting can also help, and they offer a complimentary 15-minute consultation.



Named provisions

Risk Management Framework for the Era of Credit-Push Fraud; Phase 1 Fraud Monitoring Requirements; Phase 2 Expansion Requirements


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
NACHA
Published
March 20th, 2026
Compliance deadline
June 1st, 2026 (55 days)
Instrument
Rule
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Banks, Financial advisers, Technology companies
Industry sector
5221 Commercial Banking
Activity scope
ACH fraud monitoring, Credit-push payment fraud, Risk-based compliance procedures
Threshold
ODFIs: all sizes; Originators/third parties: 6M+ annual ACH origination volume (2023); RDFIs: 10M+ annual ACH receipt volume (2023)
Geographic scope
United States US

Taxonomy

Primary area
Payments
Operational domain
Risk Management
Compliance frameworks
NIST CSF
Topics
Banking, Financial Services, Cybersecurity
