The Nacha Deadline Is Here. Now the Real Work Begins.
Are you ready?
by Ashley Poynter
Content Manager
PaymentWorksThe Nacha Deadline Is Here. Now the Real Work Begins.
Today, June 22, 2026, the second phase of Nacha’s ACH rule change takes effect. Every non-consumer ACH originator is now required to verify supplier bank account ownership before sending payments and implement risk-based fraud monitoring across their payment operations.
If your organization already completed that work: great. But compliance as of today is the baseline, not the finish line.
Here’s what that actually means for your AP team.
Table of Contents
Authenticated Once Is Not Authenticated Forever
Verification Meets the Rule. Authentication Exceeds It.
Risk-Based Monitoring Requires More Than Good Intentions
What “Ready” Actually Looks Like
Authenticated Once Is Not Authenticated Forever
The rule requires account ownership verification before first payments and whenever account details change. What it doesn’t do is manage the ongoing reality of vendor data: banks change, accounts close, and fraudsters don’t stop trying just because you passed an audit.
A vendor you onboarded last quarter with authenticated banking details can become a risk today if something changed and your team doesn’t know about it. That’s how ACH fraud works. The attack surface isn’t your new vendor pipeline; it’s your existing vendor file, sitting in your ERP, quietly aging.
Compliance built around point-in-time authentication will break down, but compliance built around continuous authentication won’t.
Verification Meets the Rule. Authentication Exceeds It.
There’s an important distinction buried in how organizations are approaching Nacha compliance, and it’s one that will separate the teams that stay protected from the ones that find themselves back at square one when the next regulatory update arrives.
Verification is a point-in-time check. It confirms that a bank account exists and that the routing and account numbers are valid at the moment you run the check. That’s what the Nacha rule requires. For many organizations, that’s where the work stops.
Authentication goes further. It establishes that the entity providing those banking details is who they claim to be, and it maintains that confidence over time. It ties bank account ownership to a verified business identity, cross-referenced against authoritative sources, and continuously evaluated as that data changes.
The difference matters because fraud doesn’t happen only at the moment of onboarding. It happens when an existing vendor’s banking details get changed via an email your AP team had no reason to question. It happens when a legitimate payee relationship is quietly hijacked months after the initial verification check cleared.
Vendor identity authentication treats every payee as a living record instead of a completed form. The business identity, tax information, and banking details are authenticated together. Moreover, the authentication doesn’t expire just because the onboarding workflow did.
The Audit Trail Question
Nacha now requires documentation. That means when your ODFI or a regulator asks how you verified bank account ownership for a payment that went out three months ago, you need a clear, timestamped answer. A spreadsheet someone assembled after the fact is not going to cut it.
If your current process can’t produce that evidence on demand, today is a good day to find out. The day of the audit? Not so much.
The organizations that will have the hardest time with this aren’t the ones that missed the deadline. It will be the ones who technically complied using manual or patchwork processes that can’t sustain the documentation burden over time.
Risk-Based Monitoring Requires More Than Good Intentions
Nacha’s fraud monitoring requirement is intentionally flexible. “Risk-based” means you define the controls, but that flexibility comes with accountability. You need to be able to demonstrate that your controls are proportional to actual risk, consistently applied, and documented.
That’s a harder standard than it looks on paper. A policy that says “we review high-risk vendors” needs to define what high-risk means, who reviews it, and what the review consists of. Without that specificity, you have a statement of intent without actual control.
If your risk-based monitoring framework is still being built, build it now — before a payment incident forces the conversation.
What “Ready” Actually Looks Like
Being ready for the Nacha ACH rule means more than having checked the boxes at go-live. It means:
- Your team can produce verification evidence for any payment, on request, without scrambling.
- Your payee data is continuously monitored, not just verified at onboarding.
- Your risk controls are documented and defensible, not ad hoc.
- Your process can scale, because account changes and new vendor requests don’t stop coming.
If any of those aren’t true yet, today is the right day to close the gap. The deadline passed. The requirement didn’t.
Interested in a comprehensive breakdown of the Nacha 2026 rule changes, what they mean for your organization, and how to prepare now to avoid risk and ensure compliance?
Fill out the form below to download our full white paper on the subject.
Get Ready For Vendor Management Appreciation Day
Vendor Management Appreciation Day (VMAD) returns this year—and we’d love to have you join the celebration. There’s never a wrong time to recognize one of the most essential yet often overlooked functions in every organization: vendor management.
We’re already preparing for this year’s festivities, and we want the entire community to be part of it. VMAD was created to bring vendor management professionals together, spotlight the innovation happening in the field, and give this important work the recognition it deserves.
As a reminder, throughout the year, we’re rolling out monthly gifts and resources to help elevate your vendor management practice. We’re also planning a series of events designed to spark connection, learning, and celebration across the profession.
So, while you wait for the big day, explore what’s new—and grab some free vendor management goodies.
Want Help Aligning Teams?
Explore our blogs below. They’re filled with action items you can implement right away.
Vendor Due Diligence in the Age of Deepfakes and AI Fraud: What You Need to Know
Vendor Account Compromise is On the Rise. Here’s How to Make Sure It Doesn’t Happen to You.
Are You at Risk for Accounts Payable Fraud?
A Complete Guide to Prevent Payments Fraud
Interested in More Tips?
Want Personalized Guidance?
Contact Us–we’d love to help you
Frequently Asked Questions
People Also Ask—Nacha Rule Change FAQs
Does my organization need to comply with the Nacha ACH rule change?
If you originate ACH payments to suppliers, yes. The rule now applies to all non-consumer ACH originators, regardless of payment volume.
What’s the difference between account verification and vendor identity authentication?
Verification confirms a bank account exists at a point in time. Authentication ties that account to a verified business identity and maintains confidence continuously.
What happens if our current process relies on email and PDFs to collect banking details?
That approach can’t produce the audit trail Nacha requires and leaves you exposed to payment diversion fraud. It doesn’t meet the standard.
We met the deadline. Do we need to do anything else?
Compliance at go-live is the baseline, not the finish line. Your vendor data changes constantly — authentication needs to keep pace with it.
