Understanding NACHA’s new 2026 fraud and risk management requirements

New fraud-monitoring requirements are taking effect in 2026, with credit unions facing needed changes to comply. America’s Credit Unions recently hosted a members only webinar—moderated by Marilyn Barker, Head of Compliance—to discuss significant upcoming changes to the ACH Network. Joining the panel were Devon Marsh, APRP, Managing Director of ACH Network Rules and Risk Management at NACHA, and Carlin McCrory, Associate at Troutman Pepper Locke.

What’s Changing in 2026

Beginning March 20, 2026, NACHA will require financial institutions to adopt proactive, risk based fraud monitoring for ACH transactions. This marks a shift from primarily reactive monitoring to a more comprehensive, forward looking approach.

The new requirements include:

• By March 20, 2026, Receiving Depository Financial Institutions (RDFIs) with 10 million or more annual ACH receipts must implement risk based processes and procedures to detect fraudulent credit entries. Originating Depository Financial Institutions (ODFIs), Third Party Senders (TPSs), and Third Party Service Providers (TPSPs) must also implement fraud monitoring processes to identify entries initiated under fraud or false pretenses on the same date.
• All other RDFIs, TPSs, and TPSPs must comply by June 22, 2026, regardless of ACH volume.

The rule changes require institutions to strengthen their fraud detection capabilities, including:

• Establishing monitoring systems capable of detecting atypical transaction patterns.
• Comparing current activity against historical baselines to identify anomalies.
• Updating fraud controls regularly to keep pace with evolving schemes.

These enhanced expectations are part of NACHA’s broader initiative to reduce successful fraud attempts and improve post fraud fund recovery across the ACH Network.

Members of America’s Credit Unions can view the full recording in the Compliance Resource Library under Compliance 101 Topics, “Risk Management.”