ACH Readiness Briefings Q&A

If you've missed our two previous ACH Readiness Briefings, here were some of the questions and answers that were discussed regarding the upcoming NACHA rule changes.

1. Does the Rule apply to all ODFIs for Phase 1?

Yes.

Fraud Monitoring by Originators, TPSPs and ODFIs

Effective dates

Phase 1 – March 20, 2026

• The rule will apply to all ODFIs
• The rule will apply to non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with annual ACH origination volume of 6 million or greater in 2023

Phase 2 – June 19, 2026

• The rule will apply to all other non-Consumer Originators, TPSP, and TPS
• The rule will apply to RDFIs with annual ACH receipt volume of 10 million or greater in 2023.
• The rule will apply to all other RDFIs.

RDFI ACH Credit Monitoring

Effective dates

Phase 1 – March 20, 2026

Phase 2 – June 19, 2026

2. Is there a requirement to screen individual ACH entries?

No, the rule requires a risk-based approach to fraud monitoring. You should apply resources and take extra measures to detect fraud in transactions that are determined to have elevated risks, Allows taking only basic precautions where it has determined that risks are lower. Cannot be used to conclude that no monitoring is necessary In other words, you must do something!

3. Are you required to monitor transactions prior to processing?

No, it is not required; however, this provides the greatest opportunity for preventing potential fraud. Proactive measures could be reserved for Originators deemed high risk. Reactive measures may be acceptable for lower-risk Originators

4. What action should an ODFI consider taking if an entry is identified as suspect?

For transactions that monitoring identifies as suspect, the ODFI can consider a number of actions. Actions may include, but are not limited to:

• stopping further processing of a flagged transaction;
• consulting with the Originator to determine the validity of the transaction;
• consulting with other internal monitoring teams or systems to determine if the transaction raises other flags; and
• contacting the RDFI to determine if characteristics of the Receiver’s account raise additional red flags, or requesting the freeze or the return of funds.

With respect to debits, a robust return and return rate monitoring program in with existing Rules (as well as any required compliance with other specific fraud detection Rules for WEB debits and Micro-Entries) is sufficient as a minimum level of fraud monitoring.

5. Phase 1 for March is based on volume of 2023. Is the volume based on dollar amount or number of ACH transactions?

It is based on number of ACH transactions originated in 2023 and not total dollar amounts.

Fraud Monitoring: ODFIs, Originators, Third-Party Service Providers and Third-Party Senders

Effective date - Phase 1: March 20, 2026, for all ODFIs and non-Consumer Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023.

This rule amendment will require all ODFIs, and each non-Consumer Originator, Third- Party Service Provider, and Third-Party Sender with annual ACH origination volume in 2023 of 6 million or greater, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud

Phase 2 – June 19, 2026

The rule will apply to all other non-Consumer Originators, Third-Party Service Provider, and Third-Party Sender.

RDFI ACH Credit Monitoring

Effective date - Phase 1: March 20, 2026, for RDFIs with annual ACH receipt volume of 10 million or greater in 2023.

The proposal will require RDFIs with annual ACH receipt volume of 10 million or greater in 2023 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.

Phase 2 – June 19, 2026

The rule will apply to all other RDFIs.

6. Other than the institution requirements to determine if a financial institution falls under March or June dates, are there any different requirements for each date.

Example: Due to the volume, my institution falls under March but are there any additional requirements that I will need to follow in June. Are the March and June requirements the same?

There will not be any additional requirements for Phase 2, once you have complied with Phase 1. The monitoring process will be ongoing based on the initial Risk Assessment. The Rules will require a review of processes and procedures “at least annually.”

The fight against payment fraud is NEVER done. Your plan to comply with the new Nacha Rules requires continual evaluation. The threat of fraud is constantly evolving, and your fraud prevention needs to do the same.

ODFI Potential Impacts:

• Implementing or updating fraud-detection processes and procedures, particularly by organizations that are not currently performing fraud monitoring.
• Less impact for those who have already implemented a monitoring system for WEB Debits or Micro-Entries.
• RDFIs will need to either establish processes and procedures reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses or ensure that existing processes and procedures are satisfactory for this requirement, including updating such systems and their alerting processes, if necessary.
• RDFIs may need to enable information sharing internally between teams that monitor transactions for suspicious activity and operations, product, and relationship teams.
• While potentially significant, these impacts are intended to reduce the incidence of

RDFI Potential Impacts:

Fraud that uses ACH payments.

7. Does NACHA have any templates for updates to existing agreements?

We are not aware of any Nacha sample templates, sample agreements, or sample addendums for ODFIs to use for any changes to their ODFI/Originator Agreements.

We recommend you consult with your legal department, legal retainer, for any agreement you establish with another party.

Watch the webinar recaps here and learn more about Finovifi's solution ACH RiskLens here!