This summary has been tailored to provide an overview of the upcoming revisions to the NACHA Operating Rules and Guidelines.
It is not intended to replace the detailed analysis we encourage your organization to perform to determine the specific impact these changes may have on your ACH origination process. 

For a complete list and description of amendments and Rule changes, visit NACHA

As part of our commitment to keeping our ACH origination customers informed of ACH rule changes, we are providing you the following summary of upcoming changes to the Nacha Operating Rules (“Rules”). The rules below are intended to improve Risk Management in the Network for all parties, and your organization may not be directly affected by some or all of these changes. This summary details the impacts of these rule changes on the most common types of corporate origination services but is not intended to replace the detailed analysis needed to determine the impact these changes have on your specific organization.

 

1. Minor Rules Topics

Effective June 21, 2024

Summary

There will be several minor rule changes to address minor issues.

Details

  • The definition of “Originator” will now identify the Originator “as the party authorized by the Receiver to credit or debit the Receiver’s account at the RDFI.”
  • Originators will now have the discretion to make changes when they receive a Notification of Change (“NOC”) of any single entry.
  • Nacha’s security requirements will now clearly state that they apply to Originators exceeding two million entries annually. Originators that cross that threshold for the first time must comply with the Rules by June 30 of the following year.
  • The Rules will clearly state Originators are allowed to use prenotifications to revalidate accounts, even if they have already transmitted entries to the Receiver’s
  • The Rules previously used the term “subsequent entry,” which is now a term with a specific definition in the Rules in some instances. The Rules will no longer use the term except for instances where it meets the new definition.

Impact

These rule changes will have little or no impact on your organization.

 

2. Minor Risk Management Topics

October 1, 2024

Summary

Several rule updates will attempt to codify common industry practices and address minor network issues.

Details

  • The Rules will allow RDFIs to use the R17 return reason code to return entries that they identify as potentially fraudulent. RDFIs are not responsible for detecting fraudulent entries, but this change will give RDFIs directions for action when they do so, which may improve the return of fraudulent entries.
  • ODFIs will be able to request RDFIs return entries for any reason and require RDFIs to respond to the ODFI within ten banking days. This will also help recover fraudulent entries and provide greater visibility into the request status. However, RDFIs will not be required to comply with the return request.
  • RDFIs will have additional exceptions to delay posting funds to Receiver accounts if they reasonably suspect a received entry is fraudulent. There may be instances in which Receivers experience a delay in their deposits as the RDFI investigates an issue.
  • RDFIs will be able to return a fraudulent debit entry prior to the settlement date. Originators may receive returns quicker in these instances, though the volume will likely be low.
  • The Rules will require RDFIs to return debits by the sixth banking day after the RDFI reviews a Receiver’s WSUD. This will have little impact but may enable quicker return of fraudulent entries.

Impact

These will likely have little impact on your organization but may lead to small changes.

 

3. Origination Fraud Monitoring

Phase 1 – Effective March 20, 2026, for all ODFIs, Originators, Third-Party Service Providers, and Third-Party Senders with ACH volume greater than 6 million in 2023

Phase 2 – Effective June 19, 2026, this will apply to all ODFIs, Originators, Third-Party Service Providers, and Third-Party Senders

Summary

This rule will require all parties on the origination side of entries to have risk-based processes to identify fraudulently originated ACH entries.

Details

The Rules do not currently require Originators to have fraud monitoring processes, except for WEB debit entries. This rule will have requirements for all entries with the goal of detecting and preventing fraud from scams such as business email compromise and fake invoices.

Impact

Originators may already have processes such as anomaly detection or other “flags” that detect and prevent fraudulent entries. Each organization will need to review its processes and procedures to determine if it needs to make updates to meet these new requirements.

 

4. RDFI Fraud Monitoring

Phase 1 – Effective March 20, 2026, for all RDFIs with ACH receipt volume greater than 10 million in 2023

Phase 2 – Effective June 19, 2026, for all RDFIs

Summary

This rule will require RDFIs to have processes to review received credit entries to identify potential fraud.

Details

The Rules will not prescribe how RDFIs review entries and will not require RDFIs to review each entry; each RDFI will determine how to comply with this requirement based on its environment.

Originator and Third-Party Sender Impact

This rule, along with the additional exception for funds availability and use of the R17 return reason code, will likely result in more returns of fraudulent entries, reducing losses for Originators, Third-Party Senders, and ODFIs.

 

5. Company Entry Descriptions

March 20, 2026

Summary

The Rules will require specific company entry descriptions for payroll entries and online purchases of goods.

Details

Originators will be required to use the description “PAYROLL” for PPD credits to pay wages, salaries, and other compensation.

Originators will be required to use the description “PURCHASE” for e-commerce purchases, which will be defined as “a debit Entry authorized by a consumer Receiver for the online purchase of goods.”

Originator and Third-Party Sender Impact

Originators will need to review the company entry descriptions they use in ACH files and ensure they update these descriptions as required by the Rules. These standardized descriptions will help improve processes to monitor entries for potential fraud. Originators can begin using these descriptions anytime but must comply with the requirements by the implementation date.

The ACH Network and Nacha Operating Rules continue to evolve to meet the needs of businesses, governments, and consumers who use the network to initiate over $50 trillion in transaction value each year. The Rules can be difficult to understand, but we can assist with questions to help your company better utilize the ACH Network.



Micro-Entries 

Phase 2 – March 17, 2023

This rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH originators as a method of account validation.





Increasing the Same Day ACH Dollar Limit

Effective March 18, 2022

This rule will increase the Same Day ACH Dollar Limit to $1,000,000 per payment. This rule will apply to all Same Day ACH entries: consumer and business payments, credits and debits.



Supplementing Data Security Requirements (Phase 2)

Effective June 3, 2022 – Phase 2

This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-FI Originators, Third-Party Service Providers and Third-Party Senders to protect deposit account information by rendering it unreadable when it is stored electronically. Phase 2 reduces the volume threshold to those who exceed 2 million entries in calendar year 2020, requiring Originators and Third-Party Senders to comply no later than June 30, 2022.



Micro-Entries

Phase 1 – September 16, 2022

This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.

This Rule will become effective in Two Phases: 

Phase 1 – September 16, 2022

The term Micro-Entry will be defined, and Originators will be required to use the standard Company Entry Description and follow other origination practices.

Phase 2 – March 17, 2023

Originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.



Third-Party Sender Roles and Responsibilities

Implemented September 30, 2022

This rule change will clarify the roles and responsibilities of third-party senders in the ACH network. The rule change addresses the practice of using nested third-party senders, and explicitly requires the third-party sender to conduct a risk assessment.





Questions.

Do you have questions about ACH rules? Our Treasury Management Support team is ready to help. Call us at 505.995.1300.