Nacha Updates

Updates to NACHA Rules

Fraud Monitoring Phase 1 – Nacha Rule Amendments

Effective: March 20, 2026

These rule amendments are focused on fraud monitoring and are part of a broader Risk Management initiative designed to reduce the incidence of successful fraud attempts and improve the recovery of funds following a fraud event.

New ACH Company Entry Descriptions for Payroll and Purchases

Effective: March 20, 2026

Two new standardized Company Entry Descriptions PAYROLL and PURCHASE will be introduced to improve fraud prevention and fund recovery in ACH transactions:

• PAYROLL: This description will be used for PPD Credits related to wages and compensation, helping financial institutions better identify payroll payments and reduce fraud risks.
• PURCHASE: This description will apply to e-commerce debit transactions, particularly those authorized online, to help distinguish these transactions from others.

These changes are part of a larger Risk Management initiative aimed at enhancing monitoring and reducing fraudulent activities within the ACH network. However, ODFIs will not be responsible for verifying the accuracy of these descriptions.

Minor Topics Rule Changes

Effective: January 1, 2026

These minor rule changes will have minimal to no impact on ACH participants and are not expected to cause any significant processing or financial changes.

Risk Management Topic

Effective: April 1, 2025

This amendment requires an RDFI to notify the ODFI about the status of a Request for Return within ten (10) banking days of receiving the ODFI’s request. 

Risk Management Topics

Effective: October 1, 2024

These Rule amendments are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.

ACH Rules and Risk Management

Effective: October 1, 2024

The ACH Rules and Risk Management provisions clarify that the use of certain rules by RDFIs is optional, and there is no compliance obligation for them by the implementation date. The amendments specifically allow—but do not require—an RDFI to use R17 to return an entry suspected of fraud at the RDFI's sole discretion.

Additionally, the existing requirement to include the descriptor QUESTIONABLE in the return addenda record remains in effect for such cases. The amendments also allow the use of the return code that most accurately reflects the reason for the return. These updates are intended to enhance the recovery of funds associated with fraudulent transactions.

Expanded Use of ODFI Request for Return-R06

Effective: October 1, 2024

This rule expands the permissible uses of the Request for Return, allowing an ODFI to request a return from an RDFI for any reason. The ODFI indemnifies the RDFI for compliance with the request, and RDFI compliance remains optional. The RDFI’s only obligation is to respond to the ODFI’s request within ten banking days of receipt. This change is designed to improve the recovery of funds in cases of fraud.

Additional Funds Availability Exceptions

Effective: October 1, 2024

The use of this exemption is optional for RDFIs, meaning there is no implementation or compliance obligation by the effective date. The rule introduces new language to clarify use cases:

"An RDFI that reasonably suspects that a credit Entry is unauthorized or was authorized by the Originator under false pretenses is exempt from the funds availability requirements of Subsection 3.3.1. An RDFI invoking this exemption must promptly notify the ODFI."

The inclusion of "reasonable steps" acknowledges that, in certain circumstances, it may not be reasonable for an RDFI to promptly notify the ODFI—such as in situations involving a high volume of entries.

Importantly, the rule does not alter the RDFI’s obligation to promptly make funds available as required by the Rules. While an RDFI cannot delay funds availability simply because it has not screened an ACH credit, it can delay availability if its fraud detection processes identify suspicious activity.

This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations. It also complements existing language concerning "unauthorized credits" in account takeover cases. However, it does not cover scams involving fake, non-existent, or subpar goods or services.

Timing of Written Statement of Unauthorized Debit (WSUD)

Effective: October 1, 2024

This rule allows a Receiver to sign and date a Written Statement of Unauthorized Debit (WSUD) on or after the date the entry is presented to the Receiver. This applies whether the entry is posted to the account or pending, even if the debit has not yet posted.

Through digital notifications and alerts, consumers may report an unauthorized debit before it posts to their account, potentially reducing harm caused by unauthorized debits.

Currently, the Rules require that the WSUD be dated on or after the Settlement Date of the Entry. This rule aims to improve the process and experience when consumers make claims of unauthorized debits.

Minor Rules Topics

Effective: June 21, 2024

These changes will amend the Nacha Operating Rules to address a variety of minor issues.

Notification of Change

Effective: June 21, 2024

Originators may, at their discretion, make changes to a Notice of Change (NOC) related to a Single Entry, regardless of the SEC Code.

• The previously required flag to identify certain TEL and WEB entries as Single Entries is no longer required by the rules.

Data Security Requirements

Effective: June 21, 2024

Each non-consumer Originator, each Third-Party Service Provider and each Third-Party Sender must render account numbers unreadable when stored electronically.

• This applies to entities whose annual ACH origination volume exceeds 2 million entries
• Newly covered entities must comply by June 30th of the year following the first time they exceed the 2 million threshold.
• The grace period does not apply to entities already covered by the rule.