This article has been updated to include the full scope of the 2026 NACHA rules, including the June 22, 2026 Phase 2 deadline for all non-consumer originators, new standardized Company Entry Description requirements (PAYROLL), guidance on handling R17 returns, and additional practical clarifications for AP teams.
NACHA 2026 Rules Update: Fraud Monitoring, PAYROLL Descriptor & What AP Teams Must Do Now
Fraud is getting smarter. Now the rules are getting stricter.
NACHA, the organization that governs the ACH network in the United States, has strengthened its rules with a new Fraud Monitoring Rule and related changes. While written for banks and payment originators, these updates directly affect companies that send ACH payments, especially Accounts Payable teams.
These changes come directly from the NACHA Operating Rules, which govern the ACH Network used by every major U.S. bank and payment processor.
Key Deadlines for AP Teams
- Phase 1 (March 20, 2026): Already in effect for large originators (6 million+ items annually), banks (ODFIs), and certain third-party senders and service providers.
- Phase 2 (June 22, 2026): Applies to all non-consumer originators, which includes most AP departments sending vendor, supplier, or contractor payments.
Most AP teams fall under the June 22 deadline, but implementing strong processes now is considered a best practice and will help during bank audits.
What Is the ACH Fraud Monitoring Rule?
As a non-consumer originator, your AP department must establish and implement risk-based processes and procedures reasonably designed to identify ACH entries suspected of being unauthorized or authorized under false pretenses.
For example, a fraudster posing as a vendor and requesting a bank change would qualify as authorization obtained under false pretenses.
You are not required to screen every single transaction individually. Batch monitoring, anomaly detection, and payment history tracking are acceptable.
Banks will review whether originators, including AP teams, have reasonable controls in place.
Why This Matters to AP
Most ACH fraud targeting AP starts with vendor impersonation or business email compromise (BEC):
A fraudster poses as a vendor and requests a bank account change. The vendor master file is updated. The legitimate invoice is paid to the fraudster.
By the time the real vendor calls, the damage is done. The new rules also place monitoring responsibilities on receiving banks (RDFIs).
If you use a third-party payment provider, AP automation platform, or supplier portal, confirm how their controls align with these requirements. Responsibility may be shared, but it is not fully transferred.
Are Confirmation Calls Enough?
Confirmation calls are a strong control. But if the contact information comes from the request itself, the control fails. Independence is now the key standard.
What a Strong Process Looks Like
Independent Verification
Call a trusted number from your established vendor file. Never use contact details provided in the suspicious request.
Separation of Duties
The person who updates vendor banking details should not release the payment.
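The Independent Verification and Separation of Duties controls above can be checked mechanically before a payment run. The following is an added example, not part of the original article or of the NACHA rules; the field names, the 30-day window, and all sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

HOLD_WINDOW = timedelta(days=30)  # assumption: review window chosen for this example

# Constructed vendor-master change log (sample data only).
CHANGES = [
    {"vendor": "V100", "changed_on": date(2026, 6, 1), "changed_by": "alice",
     "phone_on_file_before_change": "555-0100",
     "callback_number": "555-0100", "callback_outcome": "confirmed"},
    {"vendor": "V200", "changed_on": date(2026, 6, 3), "changed_by": "alice",
     "phone_on_file_before_change": "555-0110",
     "callback_number": "555-0199",  # number taken from the change request itself
     "callback_outcome": "confirmed"},
    {"vendor": "V300", "changed_on": date(2026, 6, 5), "changed_by": "carol",
     "phone_on_file_before_change": "555-0120",
     "callback_number": None, "callback_outcome": None},
]

# Constructed payments queued for release.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "released_by": "bob", "pay_date": date(2026, 6, 10)},
    {"id": "P2", "vendor": "V200", "released_by": "bob", "pay_date": date(2026, 6, 10)},
    {"id": "P3", "vendor": "V300", "released_by": "carol", "pay_date": date(2026, 6, 10)},
]

def review_payment(payment, changes):
    """Return the reasons to hold a payment; an empty list means no finding."""
    reasons = []
    for ch in changes:
        if ch["vendor"] != payment["vendor"]:
            continue
        age = payment["pay_date"] - ch["changed_on"]
        if not timedelta(0) <= age <= HOLD_WINDOW:
            continue  # bank details were not changed recently
        if ch["callback_outcome"] != "confirmed":
            reasons.append("no confirmed callback")
        elif ch["callback_number"] != ch["phone_on_file_before_change"]:
            reasons.append("callback not made to number on file")
        if ch["changed_by"] == payment["released_by"]:
            reasons.append("same person changed bank details and released payment")
    return reasons

def hold_list(payments, changes):
    """Map payment id to hold reasons for every payment with at least one finding."""
    held = {}
    for p in payments:
        reasons = review_payment(p, changes)
        if reasons:
            held[p["id"]] = reasons
    return held
```
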
Risk Assessment & Documentation
Document how fraudsters could redirect payments in your environment. You cannot simply conclude there is “no risk.”
Additional Tools
Consider account validation services (micro-deposits or third-party tools), multi-factor authentication for vendor master changes, staff training on BEC and vendor impersonation, and dual controls.
R17 Returns
If your bank receives an R17 return (“suspicious transaction”), investigate promptly. Do not automatically reissue the payment by check; the fraudster may accept either method.
New Standardized Company Entry Descriptions (Effective March 20, 2026)
NACHA also introduced standardized descriptions to help receiving banks detect anomalies, such as payroll diversion fraud.
- PAYROLL: Must be used at the beginning of the 10-character Company Entry Description field for PPD credit entries that represent compensation payments (wages, salaries, or similar). This applies regardless of employment status, including contractors and 1099-NEC recipients when the payment is for services or compensation. Not required for reimbursements (such as travel), pensions, or routine supplier invoices.
- PURCHASE: Applies mainly to certain consumer e-commerce debit transactions and is generally not relevant to standard AP vendor credits paid via CCD.
Practical AP Impact: Standard business-to-business vendor invoice payments (CCD) typically require no change. However, if your AP team pays 1099 contractors or independent consultants as compensation, update your ACH file templates so the Company Entry Description begins with PAYROLL where applicable. Bundled payments mixing compensation and non-compensation items may require clarification with your bank.
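A pre-submission check on ACH file templates can confirm the descriptor before the file reaches the bank. The following is an added example, not part of the original article: it reads the Company Entry Description from each Batch Header record (positions 54-63 of the fixed-width 94-character layout) and assumes your AP system supplies the set of batch numbers that carry compensation, since the file alone cannot say that. All sample records are constructed.

```python
RECORD_LEN = 94  # every NACHA record is 94 characters, fixed width

def make_batch_header(service_class, sec, description, batch_no):
    """Build a constructed Batch Header (record type 5) for the sample below."""
    rec = ("5" + service_class                 # pos 1, 2-4 (220 = credits only)
           + "EXAMPLE CO".ljust(16)            # 5-20  company name (constructed)
           + " " * 20                          # 21-40 discretionary data
           + "1234567890"                      # 41-50 company identification (constructed)
           + sec                               # 51-53 Standard Entry Class code
           + description.ljust(10)             # 54-63 Company Entry Description
           + " " * 6 + "260622" + "   " + "1"  # 64-69, 70-75, 76-78, 79
           + "00000000"                        # 80-87 ODFI identification (placeholder)
           + str(batch_no).zfill(7))           # 88-94 batch number
    assert len(rec) == RECORD_LEN
    return rec

def check_payroll_descriptor(ach_text, compensation_batches):
    """Flag PPD credit batches marked as compensation that lack the PAYROLL prefix."""
    findings = []
    for line in ach_text.splitlines():
        if not line.startswith("5"):
            continue  # only Batch Header records carry the description
        if len(line) != RECORD_LEN:
            findings.append((None, "malformed batch header"))
            continue
        service_class, sec = line[1:4], line[50:53]
        description, batch_no = line[53:63], int(line[87:94])
        carries_credits = service_class in ("200", "220")  # mixed or credits only
        if sec == "PPD" and carries_credits and batch_no in compensation_batches:
            if not description.startswith("PAYROLL"):
                findings.append((batch_no, description.rstrip()))
    return findings

# Constructed sample: batch 3 is a CCD vendor batch, batch 5 is a PPD reimbursement.
SAMPLE = "\n".join([
    make_batch_header("220", "PPD", "PAYROLL", 1),
    make_batch_header("220", "PPD", "SALARY", 2),
    make_batch_header("220", "CCD", "VENDOR PMT", 3),
    make_batch_header("220", "PPD", "CONTRACTOR", 4),
    make_batch_header("220", "PPD", "EXPENSES", 5),
])
COMPENSATION_BATCHES = {1, 2, 4}  # assumption: supplied by the AP or payroll system

if __name__ == "__main__":
    for batch_no, desc in check_payroll_descriptor(SAMPLE, COMPENSATION_BATCHES):
        print(f"batch {batch_no}: description {desc!r} should begin with PAYROLL")
```
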
To help translate these requirements into practical controls, use the checklist below as a quick readiness assessment.
12-Point ACH Fraud Readiness Checklist (AP Controls You Should Have in Place)
- Confirmation calls required for all vendor banking changes
- Calls made using trusted numbers from your vendor file (out-of-band)
- Confirmation calls documented with who was spoken to, the date, and the outcome
- Dual approval required for vendor master changes
- Vendor master file access restricted
- ACH returns, including R17, reviewed regularly
- Unusual payment activity and patterns tracked
- Written policy and risk assessment in place
- Staff trained on vendor impersonation and BEC risks
- Process ready to explain to your bank or auditor
- ACH file formats updated for “PAYROLL” descriptor where required for compensation payments
- Procedures documented for handling R17 suspicious returns
Talk to Your Bank About This
Ask your bank:
- How they will evaluate your fraud monitoring process
- What documentation they expect to see
- How they handle R17 suspicious returns
Final Thought
Fraud prevention is not about distrust. It is about structure and layered controls.
If your company pays vendors, suppliers, or contractors by ACH, now is the time to review and strengthen your processes. Strong controls protect your organization, your vendors, and the entire ACH network.
The June 22, 2026 deadline is approaching quickly for most AP teams. Discuss implementation with your treasury or banking partner and consider obtaining the latest NACHA Operating Rules & Guidelines for additional details.
Robert Ruhno
Executive Director APPG