ACH Rule Changes
As part of our commitment to keeping our ACH origination customers informed of ACH rule changes, we are providing you the following summary of upcoming changes to the Nacha Operating Rules (“Rules”). The rules below are intended to improve Risk Management in the Network for all parties, and your organization may not be directly affected by some or all of these changes. This summary details the impacts of these rule changes on the most common types of corporate origination services but is not intended to replace the detailed analysis needed to determine the impact these changes have on your specific organization.
1. Minor Rules Topics
Effective June 21, 2024
Summary
There will be several minor rule changes to address minor issues.
Details
- The definition of “Originator” will now identify the Originator “as the party authorized by the Receiver to credit or debit the Receiver’s account at the RDFI.”
- Originators will now have the discretion to make changes when they receive a Notification of Change (“NOC”) of any single entry.
- Nacha’s security requirements will now clearly state they apply to Originators exceeding more than two million entries annually. Originators that cross that threshold for the first time must comply with the Rules by June 30 of the following year.
- The Rules will clearly state Originators are allowed to use prenotifications to revalidate accounts, even if they have already transmitted entries to the Receiver’s
- The Rules previously used the term “subsequent entry,” which is now a term with a specific definition in the Rules in some instances. The Rules will no longer use the term except for instances where it meets the new definition.
Impact
These rule changes will have little or no impact on your organization.
2. Minor Risk Management Topics
October 1, 2024
Summary
Several rule updates will attempt to codify common industry practices and address minor network issues.
Details
- The Rules will allow RDFIs to use the R17 return reason code to return entries that they identify as potentially fraudulent. RDFIs are not responsible for detecting fraudulent entries, but this change will give RDFIs directions for action when they do so, which may improve the return of fraudulent entries.
- ODFIs will be able to request RDFIs return entries for any reason and require RDFIs to respond to the ODFI within ten banking days. This will also help recover fraudulent entries and provide greater visibility into the request status. However, RDFIs will not be required to comply with the return request.
- RDFIs will have additional exceptions to delay posting funds to Receiver accounts if they reasonably suspect a received entry is fraudulent. There may be instances in which Receivers experience a delay in their deposits as the RDFI investigates an issue.
- RDFIs will be able to return a fraudulent debit entry prior to the settlement date. Originators may receive returns quicker in these instances, though the volume will likely be low.
- The Rules will require RDFIs to return debits by the sixth banking day after the RDFI reviews a Receiver’s WSUD. This will have little impact but may enable quicker return of fraudulent entries.
Impact
These will likely have little impact on your organization but may lead to small changes.
3. Origination Fraud Monitoring
Phase 1 – Effective March 20, 2026, for all ODFIs, Originators, Third-Party Service Providers, and Third-Party Senders with ACH volume greater than 6 million in 2023
Phase 2 – Effective June 19, 2026, this will apply to all ODFIs, Originators, Third-Party Services Providers, and Third-Party Senders
Summary
This rule will require all parties on the origination side of entries to have risk-based processes to identify fraudulently originated ACH entries.
Details
The Rules do not currently require Originators to have fraud monitoring processes, except for WEB debit entries. This rule will have requirements for all entries with the goal of detecting and preventing fraud from scams such as business email compromise and fake invoices.
Impact
Originators may already have processes such as anomaly detection or other “flags” that detect and prevent fraudulent entries. Each organization will need to review its processes and procedures to determine if it needs to make updates to meet these new requirements.
4. RDFI Fraud Monitoring
Phase 1 – Effective March 20, 2026, for all RDFIs with ACH receipt volume greater than 10 million in 2023
Phase 2 – Effective June 19, 2026, for all RDFIs
Summary
This rule will require RDFIs to have processes to review received credit entries to identify potential fraud.
Details
The Rules will not prescribe how RDFIs review entries and will not require RDFIs to review each entry; each RDFI will determine how to comply with this requirement based on its environment.
Originator and Third-Party Sender Impact
This rule, along with the additional exception for funds availability and use of the R17 return reason code, will likely result in more returns of fraudulent entries, reducing losses for Originators, Third-Party Senders, and ODFIs.
5. Company Entry Descriptions
March 20, 2026
Summary
The Rules will require specific company entry descriptions for payroll entries and online purchases of goods.
Details
Originators will be required to use the description “PAYROLL” for PPD credits to pay wages, salaries, and other compensation.
Originators will be required to use the description “PURCHASE” for e-commerce purchases, which will be defined as “a debit Entry authorized by a consumer Receiver for the online purchase of goods”
Originator and Third-Party Sender Impact
Originators will need to review the company entry descriptions they use in ACH files and ensure they update these descriptions as required by the Rules. These standardized descriptions will help improve processes to monitor entries for potential fraud. Originators can begin using this description anytime but must comply with the requirements by the implementation date.
Micro-Entries
Phase 2 – March 17, 2023
This rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH originators as a method of account validation.
Increasing the Same Day ACH Dollar Limit
Effective March 18, 2022
This rule will increase the Same Day ACH Dollar Limit to $1,000,000 per payment. This rule will apply to all Same Day ACH entries; consumer and business payments, credits and debits.
Supplementing Data Security Requirements (Phase 2)
Effective June 3, 2022 – Phase 2
This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-FI Originators, Third Party Service Providers and Third-Party Senders to protect deposit account information by rendering it unreadable when it is stored electronically. Phase 2 reduces the volume threshold to those who exceed 2 million entries in calendar year 2020, requiring Originators and Third-Party Senders to comply no later than June 30, 2022.
.
Micro-Entries
Phase 1 – September 16, 2022
This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.
This Rule will become effective in Two Phases:
Phase 1 – September 16, 2022
The term Micro-Entry will be defined, and Originators will be required to use the standard Company Entry Description and follow other origination practices.
Phase 2 – March 17, 2023
Originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.
Third-Party Sender Roles and Responsibilities
Implemented September 30, 2022
This rule change will clarify the roles and responsibilities of third-party senders in the ACH network. The rule change addresses the practice of using nested third-party senders, and explicitly requires the third-party sender to conduct a risk assessment.

Treasury Management
Ensuring customer satisfaction is important to you, and us. Here's to making your business run with precision!