By either March 20 or June 19 of 2026, depending on transaction volumes, ACH Originators will be required to establish and implement risk-based processes and procedures tailored to their role in authorizing and transmitting entries. These updates are part of Nacha’s new Origination Fraud Monitoring Rule, and apply specifically to fraud prevention requirements. For a full picture of what’s changing, refer to our article, ACH Rules Update for Corporate Originators and Third-Party Senders. These processes must be designed to reasonably identify entries suspected of being unauthorized or made under false pretenses and must be reviewed and updated at least annually to address evolving risks. A common question we hear is: what practical steps should Originators, large or small, take to comply, and how can the ODFI effectively enforce this new Rule?
To keep it simple, most ACH transactions are sent to the same Receivers, whether for payroll, utility payments, vendor invoices or accounts payable. So, it makes sense to focus on transactions that are unusual or non-recurring.
There are two key scenarios where Originators should focus on their processes and procedures:
- Brand-New Receivers: A new relationship needs to be established before sending an ACH credit. First, Originators should perform best-practice due diligence reviews to ensure the individual or business is legitimate by verifying identification, performing background checks and ensuring that the proper signers and authorized personnel represent a real entity. Then, Originators should store the account information securely, in encrypted form, and keep a valid contact number on file for any future verification.
- Existing Receivers Who Suddenly Change Account Information: If a long-time Receiver unexpectedly sends new account details (especially via email, text or fax), treat it as a red flag. The Originator should use the contact on file (NOT through the requested account change message) to verify account changes. Apply Know-Your-Customer (KYC) practices to confirm the request is legitimate before proceeding.
For an Originator, it makes sense to focus procedures on atypical situations, because most baseline activity involves sending to the same Receivers repeatedly. When a brand-new Receiver is added or when an existing Receiver unexpectedly changes account information, those are the moments to trigger and apply your verification procedures.
The Origination Fraud Monitoring Rule coming in 2026 emphasizes the importance of procedures “relevant to the role [the Originator] plays in the authorization and transmission of entries.” Let’s break that down:
- Point of Transmission: According to Section 1.7 of the ACH Rules, sensitive account information, such as routing transit numbers, account numbers or the entries themselves, must be securely transmitted via encryption. Thus, any Originator that receives account information via clear-text or unencrypted email is in violation of this Rule and is exposed to business email compromise fraud. Since Originators have direct relationships with Receivers, they are best positioned to spot red flags (like new account setups or unexpected changes) and should have escalation processes in place to investigate before transmitting any entries. To help Originators better protect account data and comply with encryption requirements, check out our recent article on tokenization and how it can reduce risk at the point of transmission.
- Point of Authorization: Subsection 2.3.1 of the ACH Rules states, “Originators must obtain authorization from the Receiver to originate one or more entries to the Receiver’s account.” This authorization must also “comply with applicable legal requirements,” meaning it must clearly link the Receiver to the consent provided. Common, easily spoofed methods like email do not meet this standard. Instead, secure and traceable authorization methods, such as HR portals, written authorizations or voided checks, could be used to protect both parties and ensure compliance.
Business email compromise ranked as the second most common fraud type in the FBI IC3’s 2024 report, while the Center for Payments Spring 2024 survey identified “Authorized User was Manipulated” as the top fraud threat. Regardless of size, ACH Originators need a strong, documented authorization process. Whether setting up new Receivers or verifying changes to existing Receiver account details, having clear procedures in place can help meet the 2026 ACH Rules requirements and protect against evolving fraud threats.
Also, as an ACH Originator, are you taking advantage of your financial institution’s security features, such as step-up authentication or dual control? With dual control, a second person can question an entry or upload that is atypical of the Originator’s normal activity. It’s harder for a fraudster to persuade two people than one.
An ODFI’s Responsibilities
It’s the ODFI’s responsibility to ensure each Originator is contractually bound to comply with the ACH Rules, as outlined in Subsection 2.2.2.1 of the minimum ACH Origination Agreement. The ODFI also has the right to audit the Originator’s compliance with the ACH Rules and, if necessary, suspend or terminate the agreement. If the ODFI fails to enforce these requirements, including those tied to the upcoming Rules for 2026, the ODFI will be held responsible for any fraud-related losses experienced by the Originator.
Auditing is one of the most effective tools an ODFI has to ensure Originator compliance with the ACH Rules. It’s especially critical as you prepare for the 2026 Rules changes to take effect. To hold Originators accountable, ODFIs should consider reviewing:
- Whether the Originator has documented, risk-based processes or procedures in place.
- Whether account information transmitted between the Originator and Receivers is secure and/or encrypted, per Section 1.7 of the ACH Rules.
- The Originator’s due diligence and authorization processes for new Receivers.
- The Originator’s procedures for an existing Receiver suddenly changing account information.
- Whether dual control or verification steps are built into the Originator’s processes.
- Whether the Originator retains authorizations from the Receiver for at least two years following termination or revocation.
- What the Originator does annually, such as employee training and updating procedures to address evolving risks or rule changes.
For ODFIs, risk-based processes and procedures should include monitoring for entries to new Receivers and new routing and account number combinations tied to existing Receiver names. These changes should trigger a red flag and prompt a review with the Originator using a verified contact. If performing a callback, go beyond confirming the entry and ask how the Originator obtained the account information.
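Both the Originator-side triggers described earlier (a brand-new Receiver, or an existing Receiver whose account details suddenly change) and the ODFI monitoring described in this paragraph reduce to a comparison of each outgoing entry against the Receivers and routing/account pairs already seen. The Python below is an added example, not code from the article or from Nacha; the `Entry` fields, the sample history and the sample batch are constructed, and the routing numbers are used only as sample values.

```python
# Added example (not from the article or Nacha): hold ACH entries that need
# out-of-band verification before the file is released. All data is constructed.
from dataclasses import dataclass
@dataclass(frozen=True)
class Entry:
    receiver_name: str
    routing_number: str
    account_number: str
    amount_cents: int

def name_key(name: str) -> str:
    """Normalise Receiver names so 'ACME  Supplies' and 'Acme Supplies' match."""
    return " ".join(name.casefold().split())

def build_profile(history):
    """Map each known Receiver name to the routing/account pairs already used."""
    profile = {}
    for e in history:
        profile.setdefault(name_key(e.receiver_name), set()).add(
            (e.routing_number, e.account_number))
    return profile

def review_batch(batch, history):
    """Return (entry, reason) pairs; recurring entries pass silently."""
    profile = build_profile(history)
    flagged = []
    for e in batch:
        key = name_key(e.receiver_name)
        if key not in profile:
            flagged.append((e, "new Receiver: due diligence, confirm via contact on file"))
        elif (e.routing_number, e.account_number) not in profile[key]:
            flagged.append((e, "known Receiver, new routing/account: call back on stored contact"))
    return flagged
# Constructed history of previously verified, transmitted entries.
HISTORY = [
    Entry("Acme Supplies LLC", "021000021", "123456789", 125000),
    Entry("Acme Supplies LLC", "021000021", "123456789", 98000),
    Entry("Jane Doe (payroll)", "011000015", "555000111", 312500),
]
# Constructed batch: one recurring entry, one account change, one new Receiver.
BATCH = [
    Entry("Acme Supplies LLC", "021000021", "123456789", 110000),
    Entry("ACME  Supplies LLC", "026009593", "987654321", 110000),
    Entry("Northwind Traders", "021000021", "444455556", 50000),
]

if __name__ == "__main__":
    for entry, reason in review_batch(BATCH, HISTORY):
        print(f"HOLD {entry.receiver_name!r}: {reason}")
```

The held entries are the ones to verify through the contact already on file, never through the channel that delivered the change request; the callback should also ask how the Originator obtained the new account details, as the paragraph above recommends.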
As you talk internally at your financial institution to determine the best way for you to ensure you and your Originators are aligned with these new changes, here are a few questions to ask:
- Do you have a method to identify transactions being sent to a new routing and account number?
- How can you provide advice and guidance to help your Originators strengthen their authorization process when they have a new Receiver?
- What should be addressed when dealing with a new Receiver vs. an existing Receiver?
- Should there be different processes depending on the dollar value or volume of an Originator?
Getting the Originator to comply with the Rules to come in 2026 creates a strong first line of defense against fraud. If both the Originator and the ODFI have strong risk-based processes and procedures in place, the fraudster’s chances of success will be reduced significantly.
Ready to take your ACH Origination program to the next level? Our Advisory Team is here to help you build a strong foundation with tailored support for policy development, program setup, risk mitigation and ongoing compliance. Visit our website to discover how our consulting services can move your program forward with confidence.