Breaking Regulatory Compliance
Nacha ACH Fraud Monitoring Phase 2: The June 22 Compliance Deadline Every Financial Institution Is Treating as Optional (It Isn't)
Nacha's Phase 2 ACH fraud monitoring rules take effect June 19, 2026, eliminating the volume threshold and covering every non-consumer originator, TPSP, third-party sender, and RDFI. Here's who's covered, what's required, and the documentation checklist before the deadline.
Table of Contents
TL;DR
- Nacha Phase 2 fraud monitoring rules take effect June 19, 2026 — practical deadline June 22, 2026 (Juneteenth is a federal holiday)
- Phase 2 eliminates the volume threshold: ALL non-consumer Originators, TPSPs, Third-Party Senders, and ALL RDFIs are covered regardless of ACH volume
- Requirements: risk-based written processes and procedures to identify fraudulent ACH entries — covering both unauthorized transfers and false pretenses
- RDFIs separately required: risk-based processes to identify inbound credit entries initiated due to fraud
- Documentation minimum: written fraud risk assessment by payment type, monitoring procedures, exception handling, annual review evidence
Nine days. That is how much time you have before Nacha’s Phase 2 ACH fraud monitoring rules become enforceable. The rule’s effective date is June 19, 2026 — and because June 19 is Juneteenth, a federal holiday, the practical enforcement start is Monday, June 22, 2026.
Phase 1 went live March 20. If your organization originated more than 6 million ACH entries in 2023, you have been subject to fraud monitoring requirements for three months. If you came in below that threshold — whether you’re a community bank, credit union, small fintech, payment facilitator, payroll processor, or software company that initiates business payments — Phase 2 changes your situation entirely.
Phase 2 removes the volume threshold. Every non-consumer Originator, every Third-Party Service Provider (TPSP), and every Third-Party Sender (TPS) is now covered. Every RDFI has ACH credit monitoring obligations. Nacha published its Phase 2 guidance alongside Phase 1, and the June 22 compliance date has been confirmed. The gap in most compliance calendars is real.
Phase 1 vs. Phase 2: Who’s Covered and When
Nacha structured the rollout in phases specifically to give smaller organizations time to build programs. The division looks like this:
| Participant | Phase 1 (March 20, 2026) | Phase 2 (June 19/22, 2026) |
|---|---|---|
| ODFIs | Covered | Already covered |
| Originators/TPSPs/TPS with >6M entries (2023) | Covered | Already covered |
| All other non-consumer Originators, TPSPs, TPS | Not required | Now required |
| All RDFIs (ACH credit monitoring) | >6M threshold only | Now required regardless of volume |
The critical qualifier: non-consumer Originator. The rule targets organizations that initiate ACH payments on behalf of businesses — B2B payroll, vendor disbursements, tax payments, insurance premiums, account-to-account transfers. If your platform facilitates business payments, Phase 2 applies.
One clarification that trips up smaller organizations: being an Originator includes companies that initiate ACH credits or debits through their bank, not just banks themselves. A payroll software company initiating payroll ACH on behalf of its clients is a Third-Party Sender. A company pulling receivables payments via ACH is an Originator. If you touch the ACH origination chain on the business side, Phase 2 covers you.
What “Fraud Monitoring” Actually Requires
The rule language is intentionally flexible: covered entities must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Nacha doesn’t require a specific vendor solution, alert platform, or scoring methodology. But “risk-based” doesn’t mean informal, undocumented, or optional.
The floor of compliance includes five elements.
1. Written fraud risk assessment
Document where ACH fraud risk is most likely to arise for your specific business and customer base. This means categorizing your payment types and assessing the fraud exposure in each. Common categories:
- Payroll ACH — primary target for business email compromise, where fraudsters impersonate HR or finance staff to redirect payroll to a fraudulent account
- Vendor/supplier payments — invoice fraud and account-swap schemes, where attackers intercept payment instructions or impersonate vendors
- Tax and government disbursements — refund fraud targeting high-volume, predictable payment flows
- Account-to-account transfers — authorized push payment fraud, where account holders are tricked into initiating transfers
- Consumer refunds and rebates — synthetic identity fraud targeting businesses with high-volume outbound credits
The assessment doesn’t require a consultant. It needs to be written, specific to your business, and updated annually.
2. Processes and procedures for identifying fraudulent entries
Written documentation of your monitoring approach. A risk-based monitoring program can include:
- Transactional velocity monitoring — unusual increases in frequency, dollar amount, or recipient count
- SEC Code validation — is the payment type consistent with the receiving account type?
- Account characteristic checks — account age, average balance, prior ACH history
- Anomaly detection against customer behavioral baseline — deviations from established patterns
- Return rate monitoring — elevated return reason codes can signal fraud patterns before losses materialize
No specific technology is required. What the rule requires: a written description of your monitoring system calibrated to your actual payment risk profile. A one-paragraph policy statement is not sufficient. Your procedures need to describe the system.
3. RDFI ACH credit monitoring
Phase 2 adds a separate receiving-side obligation that many RDFIs overlooked in Phase 1. All RDFIs must now establish risk-based processes to identify inbound credit entries initiated due to fraud.
In practice, this means your bank or credit union needs procedures for:
- Reviewing large, unusual, or pattern-anomalous inbound ACH credits
- Identifying potential money mule account patterns — accounts receiving and quickly disbursing large ACH credits from unfamiliar originators
- Handling customer disputes about unexpected inbound credits
- Procedures for Nacha-compliant return of fraudulent credit entries
The credit-side obligation addresses a longstanding gap in ACH fraud management. Most controls were originator-facing, leaving receiving institutions without a systematic framework for catching fraud on the inbound side. Phase 2 closes that gap.
4. Exception handling and escalation procedures
When your monitoring flags a suspicious entry, what happens next? The rules require written procedures for exception handling: who reviews alerts, what thresholds trigger escalation, who has authority to delay or return an ACH entry, and how decisions are documented.
Most organizations have an informal process that works. The problem is it isn’t written down. Before June 22, it needs to be documented — even if the documentation describes what you already do.
5. Annual review
The rule explicitly requires annual review of fraud monitoring processes and procedures. This produces documented evidence that you assessed whether monitoring was effective and whether thresholds, procedures, or coverage needed updating as your business and payment volumes evolved.
The annual review requirement is the one that catches organizations off guard in subsequent years. Build it into your compliance calendar now.
The Documentation Package: What ODFIs and Examiners Are Looking For
Nacha’s audit and enforcement mechanism works through ODFIs. Your originating bank is responsible for its originator relationships, which creates a direct compliance interest in your documentation. Some banks have begun asking for fraud monitoring documentation as part of ACH origination agreement renewals — particularly after the payment fraud enforcement environment tightened in 2025.
The documentation package you need:
| Document | Required Contents |
|---|---|
| Fraud risk assessment | Payment types, fraud scenarios by category, risk factors specific to your business |
| Monitoring procedures | How alerts are generated, reviewed, and by whom |
| Exception log | Entry, review, disposition, approval chain |
| Annual review evidence | Date, scope of review, findings, any changes made |
| Training records | Staff with ACH fraud monitoring responsibilities |
A one-page policy asserting “we monitor for ACH fraud” does not satisfy the rule. The documentation needs to describe the system — inputs, review process, thresholds, escalation, and annual update cadence.
False Pretenses Is the Coverage Category Most Programs Miss
The fraud categories covered by Nacha’s rules extend beyond obvious unauthorized ACH transfers. Phase 1 clarified and Phase 2 extends: monitoring must cover entries initiated under false pretenses — where the account holder technically authorized the transfer but was manipulated into doing so.
BEC fraud, vendor impersonation, and social engineering scenarios all fall here. The account holder received a convincing communication instructing them to change payment routing or authorize a transfer. They did so. The authorization is technically valid. The entry is still fraudulent.
False-pretenses coverage is operationally harder because the authorization exists on paper. Your monitoring program needs to be designed to catch behavioral anomalies even when an authorization is present:
- Unusual recipient account changes combined with recent authorization requests
- New payee accounts added through out-of-band channels (email vs. normal system flow)
- Payment timing inconsistencies that deviate from established vendor patterns
- High-value transfers requested through unusual communication channels
Your transaction monitoring cannot catch every BEC scenario. But your documentation must demonstrate that you have thought about false-pretenses fraud for your specific customer base and payment types — and that your monitoring approach addresses it.
The ACH Fraud-to-Incident Pipeline
ACH fraud events that are not caught by monitoring become losses. Losses that affect customer accounts or meet materiality thresholds become incidents. Incidents that involve covered computer security events trigger notification obligations.
The CIRCIA notification matrix added a fourth regulatory reporting leg to the existing FFIEC 36-hour and NYDFS Part 500 frameworks. ACH fraud events that escalate to a “substantial cyber incident” (CIRCIA’s standard) now trigger a 72-hour notification clock to CISA alongside your existing banking regulator notifications.
The connection between Nacha fraud monitoring and incident response is direct: the faster your monitoring catches a fraudulent ACH entry, the less likely it escalates to a reportable incident. Building your Nacha fraud monitoring documentation alongside your incident response procedures — and ensuring your triage framework includes ACH fraud scenarios — closes the gap before an examiner has to identify it.
BSA/AML KRI monitoring metrics overlap significantly with ACH fraud monitoring KRIs. Transaction monitoring false positive rates, SAR filing rates, and unusual transaction alert volumes are evidence artifacts that serve both your BSA/AML program and your Nacha fraud monitoring documentation. Don’t build two separate programs if one set of evidence serves both.
The 9-Day Checklist
Phase 2 effective date: June 22, 2026.
If you’re behind on documentation, the minimum before the deadline:
-
Draft your fraud risk assessment — Map your payment types to fraud risk categories. Even a first draft that covers your top 3-4 payment categories is better than nothing. Refine it in the next quarter, but document it now.
-
Write up your monitoring procedures — Describe what you currently do to detect fraudulent ACH entries. If you rely on your ODFI’s monitoring tools, document how you use them and who reviews alerts. Write down the process that exists.
-
Document your exception handling — Who reviews suspicious entries? Who has authority to delay or return an ACH entry? One page is sufficient. Write it down.
-
Schedule your annual review — Add ACH fraud monitoring review to your compliance calendar for Q2 2027. Evidence of having scheduled it is itself evidence of program governance.
-
Confirm with your ODFI — If your bank has begun asking for fraud monitoring documentation as part of your ACH origination agreement, be prepared to provide it. The window to get ahead of that request is closing.
So What?
The Nacha fraud monitoring rules don’t carry the penalty range of CFPB enforcement or OCC consent orders. But they operate in a regulatory environment where payment fraud is escalating — the 2026 Nacha compliance guidance and Kyriba’s Phase 2 FAQ make clear that this is not a paper compliance exercise. Nacha’s risk management rules are a response to real losses from BEC, account takeover, and authorized push payment fraud in the ACH network.
More practically: your ODFI relationship has value. Banks that are already under heightened scrutiny for their originator programs — and many BaaS banks are, following the 2024-2025 consent order wave — are reviewing originator compliance documentation more carefully. Phase 2 non-compliance is an easy flag in an already-sensitive review.
Get the four documents in place before June 22. If you have an incident response program and you need help tightening the fraud response playbooks alongside your Nacha documentation, the Incident Response & Breach Notification Kit covers the classification framework, escalation procedures, and notification templates you need when ACH fraud escalates to something bigger.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does Phase 2 apply if my organization wasn't covered by Phase 1?
What does 'risk-based processes and procedures' actually mean under the rule?
What fraud categories must our monitoring cover?
What enforcement risk comes with Phase 2 non-compliance?
What documentation must be ready by June 22?
Does Phase 2 replace Phase 1 or add to it?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
● Don't wait for your own enforcement action
Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026