Nacha’s Upcoming Rule Change: What You Need to Know
Nacha’s Upcoming Rule Change: What You Need to Know
If you’re in charge of vendor payments, treasury, or compliance, you’ve probably heard the buzz: Nacha is rolling out significant updates to the ACH Operating Rules, with full compliance expected by June 22, 2026.
But what does this mean for you? In short, it’s time to get serious about your ACH risk assessment processes and procedures.
In this article, we’ll break down what an ACH risk assessment entails, why it matters, and how to prepare for the upcoming changes—all in plain English.
Nacha Rule Changes in Plain English
What is Nacha?
The National Automated Clearing House Association (Nacha) is the governing body of the Automated Clearing House (ACH) network.
Why did Nacha amend the rules?
The rise in sophisticated fraud schemes that rely on “false pretenses” (yes, that’s now an official Nacha term)—especially Business Email Compromise (BEC) and vendor impersonation—has led to significant financial losses across industries. Recognizing this, Nacha is updating its rules to require organizations to proactively assess and manage ACH-related risks. The emphasis is on implementing “risk-based processes” to detect and prevent fraudulent activities before they cause harm.
You can find the new rules here.
Who is impacted by the rule change?
NACHA has publicly stated that these are “the most significant rule changes in twenty years”.
Below is a framework for each of the participants in the ACH network, along with their new responsibilities.

What to Know About Compliance With Nacha’s Risk-Based Processes
Alright, now that we’ve covered the “why” behind Nacha’s new rules, let’s get into the “what.” Because yes, there are actual requirements—and they’re not just suggestions.
Starting in June 2026, every business and public sector organization that sends ACH payments will be expected to follow a new set of standards around verifying bank account information. The days of casually updating payment details via email and calling it “good enough”? Those are officially over.
At the heart of the update is a big concept with a somewhat vague name: “risk-based process.” It’s Nacha’s way of saying: “You know your organization better than we do, so build a fraud-prevention process that makes sense for you—but make sure it actually works.”
So, what does a risk-based process really involve? How do you comply? And is automation the only way to stay sane while doing it all?
Let’s break it down.
So, what is the rule change?
Non Consumer Originators (i.e., all companies and public sector institutions) are required to implement a “risk-based” process to ensure bank information is verified through a validated source.
What does a “Risk-Based Process” mean?
Nacha understands there is no “one size fits all” solution. Rather, each organization must establish processes and controls that are unique to the nature of the organization and the nature of the payments it makes.
What is required to comply with the new rules?
The bare minimum for meeting the rules is the following:
- Complete a risk analysis by segmenting outbound payment transactions into low/high risk categories and identify potential gaps in the process/controls.
- Establish a formal process to ensure bank information for high-risk transactions are verified through a validated source and implement controls to ensure those processes are being consistently performed.
Is automation required to comply?
Technically, no. However, depending on the size and complexity of an organization, applying human effort may not be scalable and sustainable. Also, because manual-based processes & controls are generally ineffective against increasingly sophisticated bad actors, Nacha strongly encourages originators to automate both: 1) payee onboarding and 2) ongoing transaction monitoring.
Examples of systematic controls recommended by Nacha:
Multi-layered identity verification
- Name, Address, Phone number, and Email validity
- SSN / TIN verification against government databases
- Sanction and Watchlist Screening
- Device intelligence and geolocation checks
- Real-time MFA authentication to ensure you know who you are talking to
Account Ownership and Payment Information Matching
- Deploy bank account verification processes to confirm the account details match the entity’s legal registration.
Behavioural & Predictive Analytics
- Use machine learning to detect patterns of unusual/suspicious activity.
Ongoing Payment Monitoring
- Segment high-value transactions at the time of payment to ensure the necessary safeguards and controls (above) have been performed.
When do non-consumer originators need to comply?
That depends. If your organization originated more than 6 million ACH transactions or received more than 10 million in 2023, you’re on the hook by March 20, 2026. Everyone else? You’ve got until June 22nd, 2026.
With both compliance deadlines approaching, it’s crucial to start your ACH risk assessment process now. Early preparation allows ample time to identify vulnerabilities, implement necessary controls, and ensure your organization meets Nacha’s updated requirements.
What happens if my organization doesn’t comply?
Non-Consumer Originators can be denied access to the ACH network by their ODFI as well as be subject to the normal rules violation process and potentially incur fines or penalty fees.
Why will most organizations comply with the rule changes?
Prior to these rule changes, Non-consumer originators that experienced fraud were unwitting victims of bad actors (“shame on them”).
After the rule changes, those same organizations will be considered delinquent for ignoring / not complying with the new rules (“shame on you”).
If you’d like to download this guide on the new rule changes, you can grab a copy here.
PaymentWorks: Your Partner in ACH Risk Assessments, Protection, and Indemnification
Good news! Organizations can use third parties like PaymentWorks to comply. Platforms like PaymentWorks not only streamline ACH onboarding and verification—they provide the ongoing fraud monitoring capabilities Nacha expects, with built-in alerts and analytics. Plus, our payments security platform is the first (and only) of its kind to indemnify customers from fraudulent payments, so you get peace of mind and protection.
How we enable your organization to comply
PaymentWorks:
- Is the definition of a “risk-based process” to eliminate BEC / Social Engineering / Vendor Impersonation fraud
- Provides an out-of-the-box solution to meet all the new (and existing) Nacha requirements
- Offers ACH risk assessment templates
- Stands behind the platform by providing fraud indemnification to customers

What is an ACH risk assessment?
An ACH risk assessment is like a health check-up for your payment processes. It involves evaluating your organization’s procedures for initiating ACH transactions to identify potential fraud risks.. The goal is to implement controls that mitigate these risks, ensuring the security and reliability of your ACH activities.
Key components of an ACH risk assessment
- Identify Risks: Start by mapping out your ACH processes and pinpointing areas where risks may arise. This includes evaluating the potential for unauthorized transactions due to social engineering or vendor impersonation fraud.
- Assess Risks: Determine the likelihood and potential impact of each identified risk. This helps prioritize which areas need immediate attention and resources.
- Implement Controls: Develop and enforce policies and procedures to mitigate the identified risks. This could involve multi-factor authentication, employee training, and regular audits.
- Monitor and Review: Continuously monitor your ACH activities to detect anomalies and review your risk assessment periodically to adapt to new threats or changes in operations.
Best practices for ACH risk management
- Segregation of Duties: Ensure that no single individual has control over all aspects of a financial transaction.
- Employee Training: Educate staff on recognizing phishing attempts and other social engineering tactics.
- Vendor Verification: Implement procedures to verify the legitimacy of vendors before initiating payments and confirming bank information against a verified source (phone calls to company switchboard or using Early Warning Systems)
- Use of Technology: Leverage software solutions that offer real-time monitoring and alerts for suspicious activities.
ACH Risk Assessments Underpin Compliance, Security
Navigating Nacha’s new rule changes and the complexities of ACH risk assessments may seem daunting, but with a structured approach and the right resources, your organization can enhance its payment security and comply with Nacha’s forthcoming rules. Nacha offers numerous resources that can be valuable as you prepare.
Remember, proactive risk management isn’t just about compliance—it’s about protecting your organization’s financial integrity and reputation.
If you need assistance with your ACH risk assessment or have questions about the upcoming changes, don’t hesitate to reach out. We’re here to help you every step of the way.
Get Ready For Vendor Management Appreciation Day
The Vendor Management Appreciation Day (#VMAD) celebration continues this year! And you should join us.
Why? Because there’s no expiration date on honoring one of the most important, under-recognized roles across industries: vendor management.
Join us in observing Vendor Management Appreciation Day (VMAD)! We’re gearing up for this year’s celebration, and we want you to be a part of it!

VMAD is a new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
Moreover, we’ve released gifts each month to help you supercharge your vendor management efforts. Additionally, we’re planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
In the meantime, learn more here, and grab some free vendor management goodies.
Want Help Aligning Teams On Achieving “Business Identity Verified” Status?
Explore our blogs below. They’re filled with action items you can implement right away.
Vendor Verification – Get vendor data right, always
Vendor Verification Process: How NOT to Do it and What to Do Instead
The New Face of Vendor Fraud Cases
Interested in Regular Tips On Achieving “Business Identity Verified” Status?
Want Personalized Guidance On Achieving “Business Identity Verified” Status?
Let us show you how we can help
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.
See How it Works