Preparing for the Nacha Operating Rule Changes

Disclaimer: This is for educational purposes only and does not provide a legal or official interpretation of the Nacha Operating Rules and Guidelines. Opinions are those of the author only.

Nanci McKenzie, JM, AAP, APRP, Independent Consultant, June 2024

The National Automated Clearing House (Nacha) has overseen the health and integrity of the most popular electronic payment method, the ACH Network, since 1974. Over the years, the ACH Network has grown to over 31 billion transactions totaling just over $80 trillion in 2023 [1]. With that kind of volume, it is understandable that adjusting to changes in the economy, in technology, and in the greed of fraudsters who steal money electronically has become a huge challenge for the ACH Network. Financial institutions are in the best position to monitor and identify electronic transactions. But determining which transactions are legitimate and authorized and which are not, especially when they are credits, has become a topic of concern that most of us, including myself, never thought we would be tackling! Who would question a credit coming into an account? Wouldn’t we all welcome extra money in our account(s)?

Nacha responded to the increase in credit-push fraud that the United States saw with stimulus payments, unemployment benefits, and Paycheck Protection Program (PPP) loans throughout the COVID-19 pandemic by announcing “A New Risk Management Framework for the Era of Credit-Push Fraud” [2] in September 2022. Along with the need for a revised risk management framework that includes credit transactions, Nacha recognized the need for changes to the Operating Rules to help reduce and prevent the continued abuse of credit transactions in financial crimes such as money laundering, account takeovers, romance scams, and the plethora of other fraudulent activity. It sent out a request for comment in May of 2023 and then approved revisions and new rules for ACH transactions within the financial industry.

Monitoring transactions has been an important part of risk management, anti-money laundering (AML), and fraud prevention programs for many years. Screening senders and receivers of electronic transactions for OFAC compliance and AML suspicions has been a part of financial institutions’ daily practices, but buckle up! Monitoring transactions will require a much more robust approach, and it applies to all participants in an ACH entry except for the consumer, or the “Receiver” [3].

Below, I identify and summarize some of the changes and effective dates, but I want to stress the importance of enhanced monitoring responsibilities for financial institutions, non-financial institutions, and originators within their established risk management program(s). Now is the time to prepare for these changes, because this is not something that is in practice today for much of the financial industry. For full details of the new and revised rules, visit Nacha Operating Rules – New Rules | Nacha and access the complimentary webinar recording.

Effective March 20, 2026

Fraud monitoring will be required by:

  • All originating depository financial institutions (ODFI).
  • Non-consumer originators, Third-Party Service Providers, and Third-Party Senders originating ACH entries with volume of more than six million transactions in 2023.
  • Credit monitoring for receiving depository financial institutions (RDFI) with more than ten million received transactions in 2023.

At least annually, processes and procedures established to meet these requirements must be reviewed and revised as appropriate to address evolving risks.

Effective June 19, 2026

Fraud monitoring will be required by:

  • All other Non-consumer originators, Third-Party Service Providers, and Third-Party Senders.
  • Credit monitoring for all RDFIs.

At least annually, processes and procedures established to meet these requirements must be reviewed and revised as appropriate to address evolving risks.

With these new responsibilities, I must ask you:

  • Are you prepared?
  • How are you going to monitor these transactions?
  • What are you looking for?
  • What are your processes and procedures?
  • What are you going to do if you find a transaction that might be suspicious?
  • Do you think a manual process will be effective?
  • What resources do you have available to manage these responsibilities?
  • Do you have Non-consumer originators, Third-Party Service Providers, and Third-Party Senders? If so, how are they going to know about these new requirements? How are they going to monitor the transactions and have processes and procedures in place?

Prepare today! RembrandtAi® offers the tools to stay compliant and protect your customer/member from possible financial loss. With RembrandtAi®’s real-time fraud detection capabilities, financial institutions can efficiently monitor and manage transactions, ensuring compliance with Nacha’s new rules. Contact ToolCASE today for a demo and see how RembrandtAi® can safeguard your financial operations.

[1] ACH Network Volume and Value Statistics | Nacha
[2] Risk Management Framework | Nacha
[3] The definition of Receiver can be found in the Nacha Operating Rules, Article Eight, Section 8.84


About the Author

Nanci McKenzie, JM, AAP, APRP

Nanci McKenzie is an experienced speaker and a recognized expert in the field of payment technology. She is currently an independent consultant. With over 38 years of experience in the payment technology industry, Nanci has a wealth of knowledge and expertise in payment processing, fraud prevention, and risk management.

Prior to consulting opportunities, Nanci was with Affirmative Technologies. Nanci held senior leadership positions at financial institutions and payment technology companies, where she oversaw product development, strategic planning, and deposit operations. Her experience has provided her with a deep understanding of the payment technology landscape and the challenges that financial institutions face in this rapidly evolving industry.

Nanci holds a B.S. in Business and Information Management from Seminole State College and a Juris Master’s degree in Financial Regulation & Compliance from Florida State University College of Law. She is currently working toward her Master of Legal Studies from Thomas R. Kline College of Law at Drexel University in two concentrations, Financial Regulatory Compliance and Cybersecurity and Data Privacy. She is also an Accredited ACH Professional (AAP) and an Accredited Payments Risk Professional (APRP).