Breaking Down Nacha’s New Risk Management Rules for ODFIs and RDFIs
Are you fully prepared to comply with the fast-approaching new Nacha Risk Management Rules? While it may seem like there is still ample time, the truth is that you should already be well into your readiness process. The risks of non-compliance are not to be underestimated, so don’t let compliance paralysis hinder your organization. Act now to prevent these risks from escalating.
What are the New Rules?
For Originating Depository Financial Institutions (ODFIs)
On March 20, 2026, Phase One of the risk management rules will go into effect. The essence of this new rule set is that ODFIs with 2023 origination volumes of 6 million or greater must establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
For Receiving Depository Financial Institutions (RDFIs)
On March 20, 2026, RDFIs with an annual ACH receipt volume of 10 million or greater in 2023 will need to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
The requirement to have policies and procedures in place extends to all participants, regardless of volume, on June 22, 2026. In addition, the Rules establish new Standard Company Entry Descriptions for PPD Credits, including payment of wages, salaries, and similar types of compensation, as well as e-commerce purchases.
What is the Impact?
For ODFIs
ODFIs must review their processes for screening outbound ACH originations and determine whether their controls are adequate to identify and reduce the incidence of Entries that may have originated under false pretenses, as well as other fraud scenarios. A key aspect of compliance for ODFIs is determining which transactions and activities pose the highest risk, and establishing baselines for transaction activity so that unusual or anomalous activity stands out. The ODFI role extends to all origination activity, including that of its Originators and Third-Party Senders, and the controls they have in place. This means that the ODFI is also responsible for ensuring its Originators’ and Third-Party Senders’ compliance with these Rules. The ODFI should also communicate any expectations it has, above and beyond the Rules, to these parties.
Originators and Third-Party Senders should establish risk-based processes reasonably designed to identify potential fraud scenarios. Understanding the degree of risk associated with originating Entries, as well as establishing a baseline for normal activity, is a critical part of the process. In addition, control processes should be formalized and account for any potential area of risk. Originators and Third-Party Senders must also comply with any requirements imposed by their ODFI.
For RDFIs
RDFIs must review their processes for incoming credits, assess the risk of these Entries, evaluate current monitoring processes, and decide on additional monitoring and response activities.
Compliance with the new Rules will benefit from collaboration among multiple groups within the RDFI to ensure proactive action when a customer/member receives funds that may be part of a credit-push fraud scenario. Although there is no formal requirement for RDFIs to identify these scenarios before posting to the Receiver account, the intent is to increase the chance of recovery, so timely identification and RDFI action should be a critical part of compliance action plans.
The new Rules also don’t require a formal name-matching process. However, institutions may want to use name matching, along with other factors, to identify potentially high-risk transactions: deviations from baseline deposit activity, unusually large dollar amounts or an abnormally high number of deposits, mismatches between the Standard Entry Class (SEC) Code and the account’s purpose, immediate withdrawal of funds, and transactions from higher-risk Originators or industries.
Additional research and internal collaboration, along with customer/member discussions, may be needed. The RDFI can also suspend ACH funds availability and default to Reg CC requirements if it feels that the Entries warrant additional time and research.
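The indicators listed above, combined into a simple rule-based screen for incoming credits, as an added example that is not part of the article or of Nacha’s Rules; the entry fields, thresholds, the SEC-to-account-purpose mapping and the sample data are all constructed assumptions for illustration.

```python
# Added example (not Nacha's or the article's code): scores an incoming ACH
# credit against the article's risk factors. Entry fields, thresholds, the
# SEC-to-purpose mapping and the sample account are constructed assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class CreditEntry:
    amount: float               # dollars
    receiver_name: str          # individual/company name carried in the entry
    sec_code: str               # Standard Entry Class code, e.g. PPD, CCD
    high_risk_originator: bool  # originator/industry on the RDFI's watch list
    withdrawn_after_hours: float = float("inf")  # inf = funds still on deposit

@dataclass
class AccountProfile:
    holder_name: str
    purpose: str                # "consumer" or "business"
    baseline_amounts: list      # recent credit amounts for this account
    credits_this_window: int    # credits already received in the lookback window

# Assumed mapping of SEC codes normally expected for each account purpose.
EXPECTED_SEC = {"consumer": {"PPD", "WEB", "TEL"}, "business": {"CCD", "CTX"}}

def score_entry(entry, profile, z_threshold=3.0, velocity_limit=5, fast_hours=24):
    """Return (score, reasons): one point per matched factor. The RDFI decides
    which score warrants review or a Reg CC exception hold."""
    reasons = []
    if entry.receiver_name.casefold() != profile.holder_name.casefold():
        reasons.append("name_mismatch")          # not mandated, but a useful signal
    hist = profile.baseline_amounts
    if len(hist) >= 5:                           # fewer than five credits: no baseline yet
        mu, sd = mean(hist), pstdev(hist)
        if entry.amount > mu + z_threshold * max(sd, 0.05 * mu):  # guard flat baselines
            reasons.append("amount_anomaly")
    if profile.credits_this_window + 1 > velocity_limit:
        reasons.append("deposit_velocity")
    if entry.sec_code not in EXPECTED_SEC.get(profile.purpose, set()):
        reasons.append("sec_purpose_mismatch")
    if entry.withdrawn_after_hours <= fast_hours:
        reasons.append("immediate_withdrawal")
    if entry.high_risk_originator:
        reasons.append("high_risk_originator")
    return len(reasons), reasons

# Constructed sample: a consumer account with a steady payroll baseline.
PAYROLL_PROFILE = AccountProfile("Jane Doe", "consumer", [2100, 2100, 2150, 2100, 2120], 1)
NORMAL = CreditEntry(2120.00, "Jane Doe", "PPD", False)
SUSPECT = CreditEntry(18500.00, "Acme Supply LLC", "CCD", True, withdrawn_after_hours=2)
```

Running `score_entry(SUSPECT, PAYROLL_PROFILE)` returns a score of 5 with every factor except deposit velocity matched, while the routine payroll credit scores 0.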
How to Comply
So, now that you know the what, how should you get started? And what is a risk-based process and procedure?
The Nacha Rules are intentionally written to provide the industry with flexibility in their adoption. Not all organizations are the same; your processes should be as unique as your company. That said, some baseline activities can help your organization get started.
Conduct a Risk Assessment – Risk assessments should be a mantra in financial services because they are an essential tool. Review your existing fraud monitoring processes. Do they account for the varying degrees of transaction risk? Are they designed to be proactive rather than reactive?