On March 18, Nacha, the organization that governs the ACH network, announced that its members approved a new set of rules aimed at reducing the incidence of frauds, such as business email compromise (BEC), that exploit credit-push payments. These rules establish a base level of ACH payment monitoring for all parties in the ACH Network, excluding consumers. While these rules do not alter the liability for ACH payments, they do, for the first time, assign a defined role to receiving depository financial institutions (RDFIs) in monitoring the ACH payments they receive.

BEC, vendor impersonation, and payroll impersonation are among the frauds that result in payments being “pushed” from a payer’s account to a fraudster’s account. The FBI’s Internet Crime Complaint Center’s 2023 annual report found that there were 21,489 BEC complaints in 2023, totaling $2.9 billion in reported losses, making it the second-costliest type of cyber-crime.

Jane Larimer, Nacha President and CEO, applauded the members for this significant step towards self-governance. “All participants in the ACH Network have a part to play in reducing the incidence of fraud, and recovering when fraud has occurred.”

The “risk management package” issued by Nacha comprises multiple rule amendments.

The first amendment becomes effective October 1, 2024, and does the following:

  • Allows an RDFI to use return reason code R17 to return an entry that it thinks is fraudulent.
  • Expands the use of request for return (R06) for the originating depository financial institution (ODFI) to request a return from the RDFI for any reason.
  • Provides RDFIs with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses.
  • Provides that a written statement of unauthorized debit (WSUD) may be signed and dated by the receiver on or after the date on which the entry is presented to the receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account.
  • Requires the RDFI to return a consumer debit that has been claimed to be unauthorized by the opening of the sixth banking day following the completion of its review of the consumer’s signed WSUD.

The second phase of amendments, which Nacha calls “Fraud Monitoring Phase 1,” becomes effective on March 20, 2026, and includes the following requirements:

  • ODFIs, and each non-consumer originator, third-party service provider, and third-party sender with annual ACH origination volume in 2023 of 6 million or greater, must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud.
  • RDFIs with annual ACH receipt volume of 10 million or greater in 2023 must establish and implement risk-based processes and procedures designed to identify credit entries initiated due to fraud.

With the same March 20, 2026 deadline, Nacha will require implementation of two new company entry descriptions:

  • Originators must use the standard company entry description “PAYROLL” for payroll entries. Originators may begin using the description as soon as practical.
  • Originators must use the standard company entry description “PURCHASE” to describe e-commerce purchases. Originators may begin using the description as soon as practical.

The last phase of the package, “Fraud Monitoring Phase 2,” becomes effective on June 19, 2026, and includes the following requirements:

  • All non-consumer originators, third-party service providers, and third-party senders that did not fall under the requirement threshold for Phase 1 will be required to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud.
  • All RDFIs that did not meet the requirement threshold for Phase 1 will be required to establish and implement risk-based processes and procedures designed to identify credit entries initiated due to fraud.

The new rules follow the flow of a credit-push payment to promote the detection of fraud from the point of origination through the point of receipt at an account at the RDFI. When fraud is detected, the rules empower the ODFI to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim. Additionally, a standard transaction description for ACH credits used in payroll payments has been added to help RDFIs monitor transactions.

In her statement, Nacha President Larimer reflected on the changing landscape of payment fraud. “Not long ago, credit-push fraud wasn’t something you heard payments professionals discussing. That it quickly became part of today’s lexicon shows the importance of keeping our risk management strategies current,” she said. The new rules fit together like pieces of a puzzle, working towards the goals of reducing and recovering from credit-push fraud.