The practical hub for Accounts Payable work, careers, and community

Process improvement, controls, automation, vendor management, and career development, written for people doing the work.

Popular topics: AP automation, fraud controls, close process, vendor management, career moves | Learn what APPG is about →

AP News Update

Nacha fraud monitoring rule begins March 20, 2026. The first phase starts for ODFIs and large Originators, TPSPs, and TPSs, putting more focus on risk-based ACH fraud monitoring. For AP teams, vendor bank change controls and payment review processes matter even more now. Read the full APPG update → | Official Nacha summary →

Thursday, March 19, 2026

NACHA 2026 Rules - Begin March 20th

What the Nacha ACH Fraud Monitoring Rule Means for Accounts Payable Teams

NACH 2026 rules written in script on a cracked parchment with a red wax seal melted in the center - Accounts Payable professional verifying vendor bank changes to prevent ACH fraud

Fraud is getting smarter. Now the rules are getting stricter.

Nacha, the organization that governs the ACH network in the United States, has strengthened its ACH Fraud Monitoring Rule. While the rule is written for banks and payment originators, it directly affects companies that send ACH payments. That includes Accounts Payable teams.

What Is the ACH Fraud Monitoring Rule?

Companies that originate ACH payments must now:

Monitor ACH activity for signs of fraud
Use a defined, risk-based process
Investigate suspicious transactions
Maintain documentation of monitoring procedures

Banks are expected to ensure their clients have reasonable controls in place. That means your process may be reviewed more closely than before.

Why This Matters to AP

Most ACH fraud starts with a vendor bank account change.

A fraudster pretends to be a vendor. They request a bank update. The vendor master file is changed. Payment is released. The money disappears.

By the time the real vendor calls, the damage is done.

Are Confirmation Calls Enough?

Many AP departments already make confirmation calls. That is good. But the strength of the process matters.

Are you calling a trusted number from your vendor file?
Are you documenting who you spoke with?
Is the update approved by someone else?
Is the same person restricted from releasing payment?

A confirmation call only works if it is independent and documented.

What a Strong Process Looks Like

Independent Verification

Call a phone number already on file. Never use contact information provided in the change request.

Separation of Duties

The person who updates vendor banking details should not be the same person who releases payment.

Written Procedures

Have a simple written policy that outlines your exact steps.

Monitoring Reports

Review ACH return codes and unusual activity patterns on a regular basis.

Documentation

Keep records of confirmation calls, approvals, and changes.

10-Point ACH Fraud Readiness Checklist

Confirmation calls required for bank changes
Calls made using trusted numbers
Calls documented
Dual approval required
Vendor master access restricted
ACH returns reviewed monthly
Unusual payment activity tracked
Written policy in place
Staff trained on vendor fraud risks
Process ready to explain to bank or auditor

Download the ACH Fraud Readiness Checklist

Final Thought

Fraud prevention is not about distrust. It is about structure.

If your company pays vendors by ACH, now is the time to review your process. Strong controls protect your organization, your vendors, and your reputation.