The NACHA Deadline You Already Missed
A new rule changed how AP teams have to fight ACH payment fraud. It is already in effect. If your team sends or collects ACH payments, it may now apply to you, no matter how small your volume is.
By Robert Ruhno, Executive Director, Accounts Payable Professionals Group (APPG)
Last reviewed: July 9, 2026
Here is the part most accounts payable teams have not caught yet: a major NACHA fraud monitoring rule is now in effect for smaller-volume ACH participants too.
The formal effective date for NACHA's Phase 2 fraud monitoring rule was June 19, 2026. Because June 19 was a federal holiday, NACHA's summary of upcoming rule changes lists the operational date as June 22, 2026.
If your team has not built anything for it yet, you are behind. The good news is that catching up is doable, and this article walks through the issue in plain AP terms.
First, what is NACHA, and why should AP care?
NACHA writes the rules for the ACH Network. ACH stands for Automated Clearing House. It is the system that moves many electronic payments between U.S. bank accounts, including direct deposit, vendor payments, and bill pay.
A few terms you will see below:
- Originator: The party that starts a payment. If your company sends ACH payments, your company may be an originator.
- ODFI: Originating Depository Financial Institution. This is usually your bank, the one that pushes the payment into the ACH Network.
- RDFI: Receiving Depository Financial Institution. This is the receiving bank, such as the vendor's bank.
- Third-Party Sender (TPS) or Third-Party Service Provider (TPSP): A company that handles ACH activity on your behalf, such as a payment processor or AP automation provider.
If your team pays vendors or collects money by ACH, you are part of this risk environment. The new rule makes fraud monitoring harder to ignore.
What actually changed
The change is part of NACHA's larger Risk Management package. It rolled out in two phases.
Phase 1, March 20, 2026: Applied to all ODFIs, plus non-consumer Originators, Third-Party Senders, and Third-Party Service Providers whose 2023 ACH volume exceeded 6 million entries.
Phase 2, June 22, 2026: The volume threshold is gone. Now all other non-consumer Originators, TPSPs, and TPSs must comply with the fraud monitoring rules, regardless of origination or transmission volume.
That second line is the one that catches teams off guard. Many AP departments assumed the rule was only for banks, giant processors, and high-volume ACH users. It is not that narrow anymore.
You can read NACHA's official Phase 2 rule summary here: NACHA Risk Management Topics, Fraud Monitoring Phase 2.
What the rule asks you to do
The rule does not hand AP teams one exact software tool or one exact checklist. Instead, it requires risk-based processes and procedures reasonably intended to identify ACH payments that may have been initiated because of fraud.
Two phrases matter:
- Risk-based means you put more effort where the risk is higher and less where it is lower. You do not have to treat a $50 payment the same way you treat a $500,000 payment.
- Technology-neutral means you choose the method. NACHA references approaches such as velocity checks, anomaly detection, pattern recognition, and behavioral tolerances.
In plain AP terms, you need a written, repeatable way to spot a payment that looks wrong before it goes out the door.
Meet false pretenses, the scam this rule is really about
NACHA added a named fraud type called false pretenses. This is a payment that appears authorized, but only because someone lied about who they were, what authority they had, or which account should receive the money.
For AP teams, the most familiar version is the vendor bank-change scam. A real supplier's payment details get swapped by an imposter. Everything looks normal, so the payment is approved, and the money lands in a criminal's account.
This is a form of credit-push fraud. The payer is tricked into pushing money out voluntarily. Your job now is to have a documented process that helps catch that lie before the payment is released.
The controls examiners will expect to see
You have some freedom in how you comply, but these are the controls your bank, auditors, and internal reviewers are likely to ask about:
- Dual control. Two people, not one, should release higher-risk payments. A fraudster may fool one person. Fooling two is harder.
- Account validation. Confirm that a vendor's bank account is real and open before you pay it, and re-check when the details change.
- Out-of-band verification. When a vendor asks to change bank details, confirm it using contact information you already have on file, through a different channel. Call a known number. Do not use the phone number or email address included in the change request.
- Multi-factor authentication. Require a second step beyond a password to access payment systems. An authentication app or physical token is usually stronger than a texted code.
- Written procedures and review. You need documented procedures, not just good habits. Plan to review them at least once a year, and whenever your payment process changes.
The hard truth about who pays
This is the first time fraud monitoring obligations have been expanded this broadly to non-consumer ACH Originators and related third parties. Before this package, fraud detection requirements were more limited, such as certain WEB debits and Micro-Entries.
Here is the part that stings for AP teams: these rules do not automatically shift the loss to your bank when your company is tricked into sending money to a criminal. In many credit-push fraud situations, the payer may still bear the loss.
That is why the controls above are not just compliance work. They are practical loss-prevention work.
One more change to keep on your radar
The Same Day ACH limit is scheduled to increase from $1 million to $10 million per payment on September 17, 2027.
That change is not here yet, but AP teams should pay attention now. Bigger payments moving faster can be useful for cash management, invoice payments, payroll funding, and tax payments. It also raises the stakes because faster money is harder to recover if a fraudulent payment slips through.
NACHA's official Same Day ACH rule update is available here: Increasing the Same Day ACH Dollar Limit to $10 Million.
Your 10-minute gut check
Run through these questions with your AP, Treasury, and Finance teams this week:
- Do we send or collect any ACH payments?
- Do we have a written fraud-monitoring procedure?
- Does every vendor bank-change request get an out-of-band callback?
- Do two people release high-value or higher-risk payments?
- Do we validate new vendor bank accounts before the first payment?
- Do we re-check vendor bank accounts when payment details change?
- When did we last review these steps?
APPG takeaway: If your team cannot point to a real, written, risk-based ACH fraud monitoring process today, that is this week's project. Start with vendor bank-change callbacks. It is one of the cheapest controls to add, and it can stop one of the most expensive fraud losses AP teams face.
Bottom line
The deadline is not coming. It is here.
The rule does not expect perfection. It expects a real, documented, risk-based process. If your team cannot show one today, start with the highest-risk step first: vendor bank-account changes.
Call the vendor using known contact information already on file. Document the verification. Require a second person for higher-risk changes and higher-value releases. Then build the rest of your monitoring process around that foundation.
Official sources
Editorial Note: This article was developed with the assistance of artificial intelligence and edited, reviewed, and approved by Robert Ruhno, Executive Director of the Accounts Payable Professionals Group (APPG).
Practical AP reporting, controls guidance, automation coverage, and career support for the accounts payable community.
