Biweekly 15-Minute Implementation Updates

ACH Readiness Briefings

Preparing for the 2026 Nacha ACH fraud monitoring rule changes requires more than awareness — it requires operational clarity. The ACH 2026 Readiness Brief is a focused, biweekly discussion designed to help financial institutions navigate implementation decisions, examiner expectations, and evolving ACH fraud trends in 15 minutes or less. 


What This Series Covers 

Each session addresses practical questions financial institutions are actively working through:

  • Phase 1 vs Phase 2 implementation requirements
  • Manual vs automated monitoring expectations
  • SAR filing and ACH fraud trend data
  • New account risk exposure
  • Staffing and workflow sustainability
  • Audit documentation

Who Should Attend

 

  • Compliance Officers
  • BSA/AML Officers
  • Risk & Fraud Teams
  • Operations Leadership
  • Executive Management evaluating ACH monitoring strategy

Submit Your Questions or Request an In-Depth Consultation

Submit A Question for an Upcoming Session

 
Many institutions are working through similar implementation challenges. If you have a specific question related to the 2026 ACH fraud monitoring requirements, submit it below.
 
Selected questions will be addressed in upcoming sessions.
 
 
Submit Your Question!

Need More Direct Guidance?

 If your institution is evaluating how to meet the 2026 monitoring requirements — whether through manual processes or automation — we are available to walk through implementation considerations specific to your environment. 

 

Schedule A Consultation

March 4th Recording Recap

  • Key compliance deadlines: Phase 1 – March 20, 2026 | Phase 2 – June 19, 2026
  • How the rules apply to Originating Depository Financial Institutions (ODFIs)
  • What fraud monitoring expectations NACHA is establishing
  • What actions banks should consider when suspicious ACH activity is identified

 

 

March 17th Recording Recap

  • What action should an ODFI consider taking if an entry is identified as suspect?

  • Phase 1 for March is based on volume of 2023. Is the volume based on dollar amount or number of ACH transactions?

  • Other than the institution requirements to determine if a financial institution falls under March or June dates, are there any different requirements for each date?

  • Does NACHA have any templates for updates to existing agreements?

March 31st Recording Recap

  • Key compliance deadlines: Phase 1 – March 20, 2026 | Phase 2 – June 19, 2026
  • For the Company Entry Description, is PAYROLL, PURCHASE, etc. required to be in all caps?
  • If we do the risk rating manually, how do you recommend handling the scoring of the risk tiers (low/medium/high)?  What would be examples of each tier?
  • Do you recommend the financial institution send a letter to their customers asking if they are in compliance with the requirements? Should the letter be signed by the customer and sent back to the financial institution?

April 14th Recording Recap

  • How should we monitor Reversals/Returns? Just high velocity or something else? 
  • Do we need to track the various return codes as well? (R01, R02, etc.) 
  • How should we monitor for Notice of Change (NOC) transactions? 
  • How should we score IAT transactions? All high risk tier?

 

 

April 28th Recording Recap

  •  Do you have a checklist template available for FI's to use to have their originator customers sign? If not, please give us some things to consider putting in the document. 
  •  At the time of the new account opening, should we consider developing a questionnaire for the new account rep to get the customer to complete to provide the bank information regarding their ACH activity? 
  •  If we monitor ACH manually, what documentation will we be expected to provide to the examiners during an examination? 
  •  How detailed do you think ACH examinations will be after the June deadline date? Do you think they will give us time before they start doing a detailed examination?

May 13th Recording Recap

 

  • What are the expectations for Receiving Depository Financial Institutions for Fraud Monitoring?

  •  Provide tips for Originators to comply with the Nacha Fraud Monitoring Rules.

  •  What is the retention timeframe for fraud monitoring documentation?

  •  What are the consequences of not conducting Fraud Monitoring?  

June 2 Registration

YOU MAY NEED TO KNOW

Frequently Asked Questions

Does Every ODFI Need ACH Fraud Monitoring in 2026?

Yes. ODFIs are central participants in the ACH network and are expected to maintain fraud monitoring processes designed to identify suspicious ACH origination activity. Under the 2026 Nacha changes, institutions involved in ACH origination should review controls, customer due diligence, transaction monitoring, and escalation workflows.

ODFIs are often viewed as the first line of defense because they introduce transactions into the ACH network.

Practical Focus Areas

  • New originators
  • Sudden ACH volume growth
  • Unusual payment timing
  • Elevated unauthorized returns
  • High-risk industries

Do Banks Need to Screen Every ACH Transaction in 2026?

No. Most institutions interpret the updated rules as requiring a risk-based fraud monitoring program, not manual review of every ACH transaction. Banks should implement reasonable processes to identify suspicious activity based on customer risk, behavior, and anomalies.

Better Approach

  • Risk scoring
  • Alert thresholds
  • Return code reviews
  • Originator segmentation
  • Historical behavior comparisons

What Is Risk-Based ACH Monitoring?

Risk-based ACH monitoring means applying stronger oversight where fraud exposure is higher rather than treating all transactions equally. This allows institutions to focus resources on higher-risk activity while maintaining efficient operations.

High-Risk Examples

  • Newly onboarded businesses
  • Large first-time files
  • Unusual counterparties
  • Sharp volume spikes
  • High return rates

Why It Matters

Risk-based monitoring is often more practical and defensible than blanket manual review.

Do RDFIs Need ACH Fraud Monitoring in 2026?

Yes. RDFIs should evaluate inbound ACH credit activity for suspicious behavior and fraud indicators. Updated expectations expand focus beyond origination risk alone.

RDFI Monitoring Examples

  • New account incoming credits
  • Mule account behavior
  • Immediate cash-out patterns
  • Elder exploitation indicators
  • Unusual inbound transaction spikes

What ACH Return Codes Should Banks Monitor?

Banks commonly monitor return codes tied to unauthorized or problematic activity.

Common Examples

  • R05 Unauthorized debit to consumer account
  • R07 Authorization revoked
  • R10 Unauthorized / customer advises not authorized
  • R11 Error in authorization terms
  • Administrative return trends

Return activity can reveal fraud, onboarding weaknesses, or customer dissatisfaction.

How Should Banks Risk Rate ACH Originators?

Banks often risk rate ACH originators based on operational, financial, and behavioral factors.

Typical Inputs

  • Business type
  • Monthly volume
  • Average file size
  • Return history
  • Years in business
  • Prior fraud issues
  • Ownership transparency

Example

A stable local payroll company may rate lower than a new online merchant with fast-growing debit activity.

How Do Banks Detect ACH Fraud?

Banks typically detect ACH fraud through layered controls that combine data, behavior, and exception monitoring.

Common Methods

  • Velocity alerts
  • New counterparty detection
  • Dollar anomaly detection
  • Return code trends
  • Originator profile deviations
  • Manual investigations

No single control is sufficient. Strong programs usually combine several methods.

What Is False Pretense ACH Fraud?

False pretense ACH fraud generally involves transactions authorized because the customer was deceived. The customer may technically authorize payment, but the authorization was obtained through fraud.

Examples

  • Impersonation scams
  • Vendor payment diversion
  • Romance scams
  • Business email compromise
  • Urgent fake invoice requests

This category has received increased attention in fraud monitoring discussions.

How Should Banks Monitor Incoming ACH Credits?

Banks should review inbound ACH credits for behavior inconsistent with customer history or known risk patterns.

Common Monitoring Triggers

  • New account receives large credits
  • Multiple credits followed by withdrawals
  • Sudden activity after dormancy
  • High-risk counterparties
  • Elder customer unusual activity

Why It Matters

Inbound funds can be part of mule activity, scams, or first-party fraud schemes.

Do you have a checklist template available for FI's to use to have their originator customers sign? If not, please give us some things to consider putting in the document.

SFE has a Sample Originator’s Checklist available in our online store. Please visit SFE's Sample Originators Responsibilities Checklist. This is a document that can be tailored based on your originator portfolio. The document is complimentary to SFE members and only $15.00 for others.

At the time of the new account opening, should we consider developing a questionnaire for the new account rep to get the customer to complete to provide the bank information regarding their ACH activity?

This may be overkill but could be helpful. Not many people really understand the payment rails and exactly what ACH is.

If we monitor ACH manually, what documentation will we be expected to provide to the examiners during an examination?

We recommend financial institutions document basic procedures for monitoring fraud risks, focusing on simple reviews tailored to fraud trends, with a low compliance bar: complete periodic checks and update as needed.

Key Monitoring Requirements

What to review: Specify report names (e.g., ACH reports) and frequency (e.g., each ACH window or daily morning).

Who monitors: Identify the department or individuals responsible.

Sign-off process: Detail how reviewers initial or sign reports to confirm completion.

Fraud trend adaptation: Adjust monitoring based on past institution fraud or common industry patterns; evaluate if it's sufficient to detect these.

Documentation Needs

Include write-ups for report items: Note if fraud was found, actions taken (e.g., for confirmed cases), and who reviewed (beyond just the signer).

Expect low detail overall: periodic reviews and changes suffice for compliance; deeper info may appear in early risk assessments tied to the FI's risk tolerance, not audits.

General Best Practices from Compliance Guides

Start with risk assessment to prioritize high-impact areas, then define policies, controls, and key performance indicators.

Use techniques like regular audits, automated tools, and self-assessments.

Document everything: test dates, results, testers, and fixes; conduct ongoing entity-level checks by operations staff.

Train staff, report to management, and improve based on findings.

How detailed do you think ACH examinations will be after the June deadline date? Do you think they will give us time before they start doing a detailed examination?

Since the rules don’t say what needs to be done, we would recommend providing auditors with documentation that you are doing something. SFE’s ACH audit team shared that they will ask what is being done and ask for documentation. We are seeing FIs already updating ACH policies to indicate they are monitoring and to state that an annual review will be performed and update(s) will be completed if needed.

Based on familiarity with FDIC examiners:

We do not think the examiners will weigh in on any compliance components outside of reviewing the ACH audit to ensure it is being performed.

They typically identify monitoring programs they like and share that information with any FIs they feel are deficient. The difficulty with most FDIC examiners is that they don't typically tell you what you MUST do; they just share what they see in the industry and let you guess what's needed.

What are the expectations for Receiving Depository Financial Institutions for Fraud Monitoring?

Fraud monitoring includes more than OFAC Screening, KYC, and Anti-Money Laundering (AML). If you are performing these and using software to identify suspect transactions, this is great – you are on the right path. This can be your foundation for fraud detection activity and will continue to be important. RDFIs are expected to monitor incoming ACH credits.

Fraud monitoring should consist of reviewing out-of-norm or anomalous behavior: activity that is unusual compared with what you normally see in the receipt of ACH entries. Suspect entries may be identified based on characteristics of the Entry and the receiving account, such as:

  • SEC Code does not align with the type of receiving account (CCD entry to a consumer account)
  • A high-dollar transaction that is atypical for the receiving account
  • Series of similar credit Entries received within a short period of time (multiple payroll or benefit payments)
  • Utilize the “PAYROLL” and “PURCHASE” standard Company/Entry Description Field

Any of the above to a:

New Account / Dormant Account / Account acting as a mule
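
The screening characteristics listed above, expressed as rule logic over inbound credits (an added example, not code from SFE or Nacha). The thresholds, field names, flag names, and sample records are assumptions constructed for illustration; an entry signal is escalated only when it lands on a new or dormant account, as the list describes.

```python
from collections import defaultdict, namedtuple
from datetime import date, timedelta

# Thresholds are illustrative assumptions, not values from Nacha or this page.
NEW_ACCOUNT_DAYS, DORMANT_DAYS = 30, 180   # "new" if opened recently, "dormant" if idle
AMOUNT_MULTIPLE = 3.0                      # credit above 3x the account's usual largest
BURST_COUNT, BURST_WINDOW = 3, timedelta(days=2)   # similar credits in a short period
CORPORATE_SEC = {"CCD", "CTX"}             # corporate SEC codes

# kind: "consumer"/"business"; last_activity None = none; description = Company Entry Description.
Account = namedtuple("Account", "kind opened last_activity usual_max_credit")
Credit = namedtuple("Credit", "account sec_code description amount settled")

def account_context(acct, on):
    """New/dormant status of the receiving account as of the entry date."""
    if (on - acct.opened).days <= NEW_ACCOUNT_DAYS:
        return {"NEW_ACCOUNT"}
    if acct.last_activity is None or (on - acct.last_activity).days >= DORMANT_DAYS:
        return {"DORMANT_ACCOUNT"}
    return set()

def screen_credits(credits, accounts):
    """Return {entry index: sorted flags} for inbound credits that warrant review."""
    history = defaultdict(list)     # (account, description) -> settlement dates seen
    alerts = {}
    for i, c in sorted(enumerate(credits), key=lambda p: p[1].settled):
        acct, flags = accounts[c.account], set()
        if c.sec_code in CORPORATE_SEC and acct.kind == "consumer":
            flags.add("SEC_ACCOUNT_MISMATCH")
        if c.amount > AMOUNT_MULTIPLE * acct.usual_max_credit:
            flags.add("ATYPICAL_AMOUNT")
        seen = history[(c.account, c.description.upper())]
        seen.append(c.settled)
        if sum(c.settled - d <= BURST_WINDOW for d in seen) >= BURST_COUNT:
            flags.add("RAPID_SIMILAR_CREDITS")
        context = account_context(acct, c.settled)
        if flags and context:       # an entry signal landing on a new or dormant account
            flags |= context | {"ESCALATE"}
        if flags:
            alerts[i] = sorted(flags)
    return alerts

# Constructed sample data (not real accounts or entries).
ACCOUNTS = {
    "1001": Account("consumer", date(2026, 3, 10), None, 500.0),               # new
    "2002": Account("business", date(2019, 5, 1), date(2026, 3, 18), 20000.0),
    "3003": Account("consumer", date(2015, 1, 1), date(2025, 6, 1), 1200.0),   # dormant
}
CREDITS = [
    Credit("1001", "PPD", "PAYROLL", 2400.0, date(2026, 3, 23)),
    Credit("1001", "PPD", "PAYROLL", 2600.0, date(2026, 3, 23)),
    Credit("1001", "PPD", "PAYROLL", 2500.0, date(2026, 3, 24)),
    Credit("2002", "CCD", "VENDOR PMT", 15000.0, date(2026, 3, 24)),
    Credit("3003", "CCD", "INVOICE", 900.0, date(2026, 3, 24)),
]

if __name__ == "__main__":
    for idx, flags in screen_credits(CREDITS, ACCOUNTS).items():
        print(CREDITS[idx].account, CREDITS[idx].description, flags)
```

Flags without `ESCALATE` are signals on an established, active account and can feed a lower-priority review queue.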

Additional Guidance:

  • Behavioral Tolerances and Pattern Recognition
  • Name Matching (not a new rule)
  • Dollar Tolerances

To investigate the appropriateness of the entry, an RDFI may delay funds availability.

Nacha rules provide an exemption to funds availability requirements when the RDFI reasonably suspects fraud.

 

Communication is key to investigating suspected entries

  • Internally with relationship managers
  • Between RDFI and Receiver
  • Between RDFI and ODFI
  • Nacha’s Risk Management Portal and ACH Contact Registry for ODFI contact info to help in its determination

RDFI’s options to return entries:

  • R06 – Per ODFI Request, when permission for the return has been granted
  • R17 – QUESTIONABLE (Must be returned within two Banking Days)

Provide tips for Originators to comply with the Nacha Fraud Monitoring Rules.

Nacha and its Risk Management Advisory Group (RMAG) have previously published best practices and asked Originators to help protect themselves and their customers from fraudsters, but this is the first time Originators are required to implement fraud monitoring and detection under the Rules. The controls, processes, and procedures used should be risk based and scaled for the size and operational complexities of the organization. Originator controls can be developed internally, provided by an Originator’s financial institution, or created by third-party solution providers. Many of these controls can be used in concert to provide layered security.

 

Dual Controls – Dual control requires more than one individual to initiate a payment. One individual may authorize the creation of an ACH entry with another confirming the entry and releasing it to the financial institution. A fraudster may be able to get past one individual, but will have difficulty tricking two. Dual control is often offered by financial institutions to their corporate customers, and it may even be required.

Account Validation – Account validation tools are used to assess new accounts and changes on existing accounts. These tools can be used to confirm that, at a minimum, an account with that account number is open at the RDFI. Other account ownership verification tools may go beyond simple account validation and into Know Your Customer (KYC) identification. These tools provide much richer data about the account owner, including details such as the name, address, balance of the account, and even the IP address associated with the location of the account owner. These services are regularly offered by third parties.

Multi-factor Authentication – Multi-factor authentication is considered more robust than password-only authentication. A second factor in addition to the password can be a second credential, operator intervention, or a biometric input. A fraudster who uses social engineering to steal a username and password still lacks the second factor required to access the system. A physical token or biometric solution is preferred to a solution using a code via text or email because fraudsters have developed tools to intercept the content of these channels.

Out-of-Band Authentication – Authenticate payment requests or changes to payment instructions by independently verifying the request/change using a method other than the method used by the original request. For example, if a vendor calls to request a change to their routing and account information for future payments, use contact information contained within your organization’s internal database to contact the vendor via phone or email.

Routine and Red Flag Reporting – Review and reconcile accounts daily. Generate regular reports that identify transactions to new relationships, transactions of existing customers to new accounts, or abnormal activity. Verify that these transactions were intentional.

Review User Rights – Review user rights to online banking systems regularly and promptly remove access for terminated or transferred employees who no longer require access.

 

Secure Systems and Applications – Ensure maintenance of firewalls and make sure antivirus software is up to date. Ensure all system components and software have the latest vendor-supplied security patches installed.

Credit-push fraud schemes rely on social engineering to trick victims into sending the fraudster money. Social engineering fraud isn’t complex; controls can be simple, but they must be utilized to be effective. Financial institutions should encourage their Originators to utilize services offered by their organization and to seek other tools to ensure payments are originated only by their employees for verified and authorized purposes.

What is the retention timeframe for fraud monitoring documentation?

Six years is the retention timeframe for ACH entries originated and received. We would suggest that as a best practice for the fraud monitoring documentation. Some systems only retain it for 13 months, so we would suggest retaining the documentation for bank examiners to review. Some examiners are on an 18-month basis, so 2 years may be sufficient.

What are the consequences of not conducting Fraud Monitoring?

Nacha enforces its operating rules through a structured system of fines, warnings, and escalated penalties designed to correct violations and protect the integrity of the ACH Network. Nacha rule noncompliance can lead to escalating fines (from hundreds to up to $500,000 per month for repeated or unresolved violations), suspension from originating ACH entries, operational disruption, and reputational damage with financial partners and customers.