Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Breaking Regulatory Compliance

Nacha ACH Fraud Monitoring Phase 2: The June 22 Compliance Deadline Every Financial Institution Is Treating as Optional (It Isn't)

Nacha's Phase 2 ACH fraud monitoring rules take effect June 19, 2026, eliminating the volume threshold and covering every non-consumer originator, TPSP, third-party sender, and RDFI. Here's who's covered, what's required, and the documentation checklist before the deadline.

By Rebecca Leung · June 9, 2026 ·
Table of Contents

TL;DR

  • Nacha Phase 2 fraud monitoring rules take effect June 19, 2026 — practical deadline June 22, 2026 (Juneteenth is a federal holiday)
  • Phase 2 eliminates the volume threshold: ALL non-consumer Originators, TPSPs, Third-Party Senders, and ALL RDFIs are covered regardless of ACH volume
  • Requirements: risk-based written processes and procedures to identify fraudulent ACH entries — covering both unauthorized transfers and false pretenses
  • RDFIs separately required: risk-based processes to identify inbound credit entries initiated due to fraud
  • Documentation minimum: written fraud risk assessment by payment type, monitoring procedures, exception handling, annual review evidence

Nine days. That is how much time you have before Nacha’s Phase 2 ACH fraud monitoring rules become enforceable. The rule’s effective date is June 19, 2026 — and because June 19 is Juneteenth, a federal holiday, the practical enforcement start is Monday, June 22, 2026.

Phase 1 went live March 20. If your organization originated more than 6 million ACH entries in 2023, you have been subject to fraud monitoring requirements for three months. If you came in below that threshold — whether you’re a community bank, credit union, small fintech, payment facilitator, payroll processor, or software company that initiates business payments — Phase 2 changes your situation entirely.

Phase 2 removes the volume threshold. Every non-consumer Originator, every Third-Party Service Provider (TPSP), and every Third-Party Sender (TPS) is now covered. Every RDFI has ACH credit monitoring obligations. Nacha published its Phase 2 guidance alongside Phase 1, and the June 22 compliance date has been confirmed. The gap in most compliance calendars is real.

Phase 1 vs. Phase 2: Who’s Covered and When

Nacha structured the rollout in phases specifically to give smaller organizations time to build programs. The division looks like this:

ParticipantPhase 1 (March 20, 2026)Phase 2 (June 19/22, 2026)
ODFIsCoveredAlready covered
Originators/TPSPs/TPS with >6M entries (2023)CoveredAlready covered
All other non-consumer Originators, TPSPs, TPSNot requiredNow required
All RDFIs (ACH credit monitoring)>6M threshold onlyNow required regardless of volume

The critical qualifier: non-consumer Originator. The rule targets organizations that initiate ACH payments on behalf of businesses — B2B payroll, vendor disbursements, tax payments, insurance premiums, account-to-account transfers. If your platform facilitates business payments, Phase 2 applies.

One clarification that trips up smaller organizations: being an Originator includes companies that initiate ACH credits or debits through their bank, not just banks themselves. A payroll software company initiating payroll ACH on behalf of its clients is a Third-Party Sender. A company pulling receivables payments via ACH is an Originator. If you touch the ACH origination chain on the business side, Phase 2 covers you.

What “Fraud Monitoring” Actually Requires

The rule language is intentionally flexible: covered entities must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Nacha doesn’t require a specific vendor solution, alert platform, or scoring methodology. But “risk-based” doesn’t mean informal, undocumented, or optional.

The floor of compliance includes five elements.

1. Written fraud risk assessment

Document where ACH fraud risk is most likely to arise for your specific business and customer base. This means categorizing your payment types and assessing the fraud exposure in each. Common categories:

  • Payroll ACH — primary target for business email compromise, where fraudsters impersonate HR or finance staff to redirect payroll to a fraudulent account
  • Vendor/supplier payments — invoice fraud and account-swap schemes, where attackers intercept payment instructions or impersonate vendors
  • Tax and government disbursements — refund fraud targeting high-volume, predictable payment flows
  • Account-to-account transfers — authorized push payment fraud, where account holders are tricked into initiating transfers
  • Consumer refunds and rebates — synthetic identity fraud targeting businesses with high-volume outbound credits

The assessment doesn’t require a consultant. It needs to be written, specific to your business, and updated annually.

2. Processes and procedures for identifying fraudulent entries

Written documentation of your monitoring approach. A risk-based monitoring program can include:

  • Transactional velocity monitoring — unusual increases in frequency, dollar amount, or recipient count
  • SEC Code validation — is the payment type consistent with the receiving account type?
  • Account characteristic checks — account age, average balance, prior ACH history
  • Anomaly detection against customer behavioral baseline — deviations from established patterns
  • Return rate monitoring — elevated return reason codes can signal fraud patterns before losses materialize

No specific technology is required. What the rule requires: a written description of your monitoring system calibrated to your actual payment risk profile. A one-paragraph policy statement is not sufficient. Your procedures need to describe the system.

3. RDFI ACH credit monitoring

Phase 2 adds a separate receiving-side obligation that many RDFIs overlooked in Phase 1. All RDFIs must now establish risk-based processes to identify inbound credit entries initiated due to fraud.

In practice, this means your bank or credit union needs procedures for:

  • Reviewing large, unusual, or pattern-anomalous inbound ACH credits
  • Identifying potential money mule account patterns — accounts receiving and quickly disbursing large ACH credits from unfamiliar originators
  • Handling customer disputes about unexpected inbound credits
  • Procedures for Nacha-compliant return of fraudulent credit entries

The credit-side obligation addresses a longstanding gap in ACH fraud management. Most controls were originator-facing, leaving receiving institutions without a systematic framework for catching fraud on the inbound side. Phase 2 closes that gap.

4. Exception handling and escalation procedures

When your monitoring flags a suspicious entry, what happens next? The rules require written procedures for exception handling: who reviews alerts, what thresholds trigger escalation, who has authority to delay or return an ACH entry, and how decisions are documented.

Most organizations have an informal process that works. The problem is it isn’t written down. Before June 22, it needs to be documented — even if the documentation describes what you already do.

5. Annual review

The rule explicitly requires annual review of fraud monitoring processes and procedures. This produces documented evidence that you assessed whether monitoring was effective and whether thresholds, procedures, or coverage needed updating as your business and payment volumes evolved.

The annual review requirement is the one that catches organizations off guard in subsequent years. Build it into your compliance calendar now.

The Documentation Package: What ODFIs and Examiners Are Looking For

Nacha’s audit and enforcement mechanism works through ODFIs. Your originating bank is responsible for its originator relationships, which creates a direct compliance interest in your documentation. Some banks have begun asking for fraud monitoring documentation as part of ACH origination agreement renewals — particularly after the payment fraud enforcement environment tightened in 2025.

The documentation package you need:

DocumentRequired Contents
Fraud risk assessmentPayment types, fraud scenarios by category, risk factors specific to your business
Monitoring proceduresHow alerts are generated, reviewed, and by whom
Exception logEntry, review, disposition, approval chain
Annual review evidenceDate, scope of review, findings, any changes made
Training recordsStaff with ACH fraud monitoring responsibilities

A one-page policy asserting “we monitor for ACH fraud” does not satisfy the rule. The documentation needs to describe the system — inputs, review process, thresholds, escalation, and annual update cadence.

False Pretenses Is the Coverage Category Most Programs Miss

The fraud categories covered by Nacha’s rules extend beyond obvious unauthorized ACH transfers. Phase 1 clarified and Phase 2 extends: monitoring must cover entries initiated under false pretenses — where the account holder technically authorized the transfer but was manipulated into doing so.

BEC fraud, vendor impersonation, and social engineering scenarios all fall here. The account holder received a convincing communication instructing them to change payment routing or authorize a transfer. They did so. The authorization is technically valid. The entry is still fraudulent.

False-pretenses coverage is operationally harder because the authorization exists on paper. Your monitoring program needs to be designed to catch behavioral anomalies even when an authorization is present:

  • Unusual recipient account changes combined with recent authorization requests
  • New payee accounts added through out-of-band channels (email vs. normal system flow)
  • Payment timing inconsistencies that deviate from established vendor patterns
  • High-value transfers requested through unusual communication channels

Your transaction monitoring cannot catch every BEC scenario. But your documentation must demonstrate that you have thought about false-pretenses fraud for your specific customer base and payment types — and that your monitoring approach addresses it.

The ACH Fraud-to-Incident Pipeline

ACH fraud events that are not caught by monitoring become losses. Losses that affect customer accounts or meet materiality thresholds become incidents. Incidents that involve covered computer security events trigger notification obligations.

The CIRCIA notification matrix added a fourth regulatory reporting leg to the existing FFIEC 36-hour and NYDFS Part 500 frameworks. ACH fraud events that escalate to a “substantial cyber incident” (CIRCIA’s standard) now trigger a 72-hour notification clock to CISA alongside your existing banking regulator notifications.

The connection between Nacha fraud monitoring and incident response is direct: the faster your monitoring catches a fraudulent ACH entry, the less likely it escalates to a reportable incident. Building your Nacha fraud monitoring documentation alongside your incident response procedures — and ensuring your triage framework includes ACH fraud scenarios — closes the gap before an examiner has to identify it.

BSA/AML KRI monitoring metrics overlap significantly with ACH fraud monitoring KRIs. Transaction monitoring false positive rates, SAR filing rates, and unusual transaction alert volumes are evidence artifacts that serve both your BSA/AML program and your Nacha fraud monitoring documentation. Don’t build two separate programs if one set of evidence serves both.

The 9-Day Checklist

Phase 2 effective date: June 22, 2026.

If you’re behind on documentation, the minimum before the deadline:

  1. Draft your fraud risk assessment — Map your payment types to fraud risk categories. Even a first draft that covers your top 3-4 payment categories is better than nothing. Refine it in the next quarter, but document it now.

  2. Write up your monitoring procedures — Describe what you currently do to detect fraudulent ACH entries. If you rely on your ODFI’s monitoring tools, document how you use them and who reviews alerts. Write down the process that exists.

  3. Document your exception handling — Who reviews suspicious entries? Who has authority to delay or return an ACH entry? One page is sufficient. Write it down.

  4. Schedule your annual review — Add ACH fraud monitoring review to your compliance calendar for Q2 2027. Evidence of having scheduled it is itself evidence of program governance.

  5. Confirm with your ODFI — If your bank has begun asking for fraud monitoring documentation as part of your ACH origination agreement, be prepared to provide it. The window to get ahead of that request is closing.

So What?

The Nacha fraud monitoring rules don’t carry the penalty range of CFPB enforcement or OCC consent orders. But they operate in a regulatory environment where payment fraud is escalating — the 2026 Nacha compliance guidance and Kyriba’s Phase 2 FAQ make clear that this is not a paper compliance exercise. Nacha’s risk management rules are a response to real losses from BEC, account takeover, and authorized push payment fraud in the ACH network.

More practically: your ODFI relationship has value. Banks that are already under heightened scrutiny for their originator programs — and many BaaS banks are, following the 2024-2025 consent order wave — are reviewing originator compliance documentation more carefully. Phase 2 non-compliance is an easy flag in an already-sensitive review.

Get the four documents in place before June 22. If you have an incident response program and you need help tightening the fraud response playbooks alongside your Nacha documentation, the Incident Response & Breach Notification Kit covers the classification framework, escalation procedures, and notification templates you need when ACH fraud escalates to something bigger.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does Phase 2 apply if my organization wasn't covered by Phase 1?
Almost certainly yes. Phase 1 (March 20, 2026) covered ODFIs and originators/TPSPs/TPSs with more than 6 million ACH entries in 2023. Phase 2 eliminates that volume threshold entirely, covering all non-consumer Originators, Third-Party Service Providers, Third-Party Senders, and all RDFIs regardless of volume. If you send or receive ACH payments on behalf of business customers, Phase 2 applies.
What does 'risk-based processes and procedures' actually mean under the rule?
It means written documentation of how your organization identifies ACH entries initiated due to fraud, calibrated to your specific payment types, volumes, and systems. A risk-based approach can consider transactional velocity, SEC Code mismatches with account type, account age and average balance, and customer behavior patterns. No specific technology is mandated. What is required: a written description of your monitoring system and annual review evidence.
What fraud categories must our monitoring cover?
Both unauthorized ACH entries and entries initiated under false pretenses. The false-pretenses coverage is the harder one — it covers scenarios where the account holder technically authorized the transfer but was manipulated into doing so, including business email compromise (BEC) and social engineering. Your monitoring needs to be designed to catch fraud patterns even when a technically valid authorization exists.
What enforcement risk comes with Phase 2 non-compliance?
Nacha's enforcement authority flows through ODFIs. A bank can be held responsible for its originators' non-compliance, which creates direct financial incentive for banks to verify their originators' fraud monitoring documentation. Additionally, ACH compliance gaps surface during bank examinations — FFIEC examiners evaluate originator oversight as part of payment systems reviews.
What documentation must be ready by June 22?
At minimum: (1) a written fraud risk assessment identifying where ACH fraud risk is most likely for your business by payment type; (2) written processes and procedures for identifying fraudulent ACH entries; (3) exception handling and escalation procedures; and (4) a schedule for annual review. Alert disposition records are also expected. The documentation needs to describe your monitoring system, not just assert that one exists.
Does Phase 2 replace Phase 1 or add to it?
Phase 2 adds to Phase 1. Organizations already subject to Phase 1 continue their existing obligations. Phase 2 brings in all organizations that fell below the Phase 1 volume threshold. Phase 2 also separately adds ACH credit monitoring obligations for all RDFIs, regardless of prior Phase 1 coverage.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

● Don't wait for your own enforcement action

Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.

Incident Response & Breach Notification Kit

Step-by-step incident response playbooks and breach notification templates for all 50 states.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.