As the deadline for implementation of Nacha’s new fraud monitoring rules arrives, financial institutions are expected to have a more consistent framework for addressing credit-push fraud on the ACH network.
Nacha’s new approach is intended to reduce scams that induce consumers or employees to send money to accounts controlled by criminals. The rules require all parties involved in an ACH transaction — including receiving financial institutions, third parties, and originators — to proactively monitor for fraud, rather than react once a fraudulent transaction has been detected.
“The new rules will improve fraud monitoring and management on the ACH network,” said Trace Fooshée, a strategic advisor for Datos Insights. “It is likely other payment networks will adopt similar approaches.”
Nacha, which approved the rules in 2024, set two implementation deadlines.
The deadline for the first wave of implementation, which covered all originating depository institutions, larger-volume originators, larger receiving depository financial institutions, and third-party senders, was March 20, 2026.
Implementation for the remaining pool of ACH users was to be completed by Monday, June 22. The deadline was originally June 19, but because that date was a U.S. bank holiday, the deadline was extended.
The new rules are focused on processes and procedures, as opposed to mandating specific technologies, and require all financial institutions involved in an ACH transaction to monitor transactions for fraud from the point of origination through receipt of funds.
The rules also empower a financial institution originating the transaction to request the return of a payment and financial institutions receiving the transaction to delay the availability of funds for any suspect transaction.
Receiving institutions can also return a suspicious transaction without waiting for a fraud claim. It is the first time receiving financial institutions will have a defined role in monitoring the ACH payments they receive, Devon Marsh, managing director of ACH network rules and risk management for Nacha, the rules-setting organization for the ACH network, said by email.
Prior to implementation of the rules, financial institutions developed fraud detection programs based on their individual risk profiles and business needs.
“The rules establish a consistent baseline expectation that participants in the ACH network maintain risk-based processes and procedures designed to identify potentially fraudulent ACH activity,” Marsh said. “By expanding fraud monitoring responsibilities across the payment life cycle, the rules create additional opportunities to identify and reduce the incidence of fraud.”
One of the most common instances of ACH fraud is push-credit fraud in which a payment is pushed from a payer’s account to an account controlled by a fraudster.
Business email compromise, in which fraudsters impersonate executives or vendors to authorize fraudulent payments to an account they control, is one of the most common push-credit scams. There were 24,768 complaints of business email compromises totaling more than $3 billion in losses, according to the FBI’s Internet Crime Complaint Center's 2025 Annual Report. In comparison, BEC complaints totaled 21,442 and generated $2.7 billion in losses in 2024, according to the federal agency’s prior year’s report.
Similarly, the Association for Financial Professionals' 2026 Payments Fraud and Control Survey found BEC affected 70% of organizations. “Fraud schemes that use credit-push payments have become a growing concern across the payments industry,” Marsh added.
Helping fuel the rise in credit-push fraud is the increasing sophistication of scams designed to gain a victim’s trust to convince them to send money, the use of artificial intelligence, and impersonation techniques that make it harder for businesses to distinguish legitimate payment requests from fraudulent ones.
In addition, once a payment is authorized and sent over the ACH and other instant or same-day payment networks, they are hard to reverse, which makes those networks attractive to fraudsters.
“ACH fraud is a significant problem and is most likely being underreported,” Fooshée said in an interview. While Nacha’s rules provide the framework to strengthen financial institutions’ ability to address fraud, they are “not prescriptive” and do not provide specifics on how to monitor ACH fraud, which leaves them open to interpretation, according to Fooshée.
“Fraud detection is a matter of risk appetite and financial institutions are as vigilant with fraud as they need to be to strike the right balance” of fraud protection and customer satisfaction, Fooshée said. “It’s going to take a few months to begin to see the effectiveness and boundaries of Nacha’s rules.”
Some fraud prevention experts also argue that Nacha’s rules alone will not eliminate credit-push fraud as it is driven by authorized transactions. “The solution must combine policy with more advanced analytics, cross-channel visibility and stronger authentication,” Ron Miller, group product manager, payments efficiency, for LexisNexis Risk Solutions, said by email. “Financial institutions that pair Nacha compliance with behavioral analytics and risk-based controls will see the greatest impact.”
Nacha opted to focus the rules on risk-based processes and procedures rather than mandating specific technologies or solutions, because financial institutions have “varying risk profiles, transaction volumes and operational structures,” that made flexibility in how they combat ACH fraud important, Marsh said.
Also influencing the development of the rules is that effective fraud monitoring often depends on sharing information across multiple departments within an organization, such as compliance, operations, fraud, product, and relationship management teams.
“Implementation discussions have reinforced that successful fraud prevention is most effective when organizations take a holistic approach to payments risk management,” Marsh said.
