ACH has long served as a foundational bank-to-bank payment rail in the United States, and its continued growth in volume and value has heightened focus on fraud risk. It's responsible for moving billions of payments a month and trillions of dollars each quarter. In the fourth quarter of 2025, the ACH Network processed 9.1 billion payments valued at $24.4 trillion, a volume increase of 5.1% and a value increase of 8.9% over the fourth quarter of 2024.
As payment volumes and values rise, effective fraud monitoring and return rate management become increasingly critical. That is why Nacha, the independent rulemaking and governance body for the ACH network, is raising expectations in 2026. New rules have a clear focus: monitoring of ACH activity and suspicious patterns before origination isn’t just a best practice; it's an operational requirement for companies that move money via the network.
This article is designed to help your organization prepare for the new Nacha fraud monitoring rules. First, we’ll cover what the Rule changes mean, then provide a checklist to help ensure your business is on the right track. Finally, we’ll outline how Plaid can help your organization adjust to the upcoming changes.
2026 Nacha rule changes and what they mean for fraud monitoring
The 2026 Nacha updates focus on one core theme: stronger, more consistent fraud monitoring prior to ACH origination. With a phased rollout, the Rules reinforce that fraud risk management is not discretionary — it is a mandatory condition of ACH network participation.
Nacha’s updated rules will roll out in two phases, with implementation timelines tied to ACH transaction volume to ensure operational readiness.
Phase 1 becomes effective on March 20, 2026, and applies to:
All Originating Depository Financial Institutions (ODFIs)
Other participants (non-ODFIs) that originated at least $6 million in ACH payments in 2023
Receiving Depository Financial Institutions (RDFIs) that received $10 million or more in ACH transactions in 2023.
Phase 2, effective June 19, 2026, extends the requirements to all remaining non-consumer Originators, including:
Third-Party Senders (TPSs)
Third-Party Service Providers (TPSPs)
All other non-consumer Originators and RDFIs.
This volume-based, phased approach is designed to prioritize larger participants—who account for the majority of ACH activity—while providing additional time for smaller institutions and service providers to prepare for compliance.
What This Means for ACH Originators
The biggest impact for companies running ACH programs is new fraud monitoring requirements. Timing depends on your ACH volume.
March 20, 2026 (Phase 1):
If you originated $6 million or more in ACH payments in 2023, you’ll need documented, proactive fraud monitoring in place. This includes monitoring transactions and user activity, and not just reacting to returns.
June 19, 2026 (Phase 2):
These fraud monitoring requirements expand to all remaining ACH originators and payment service providers, regardless of size.
September 18, 2026:
Updates to International ACH Transaction (IAT) definitions and new funds availability timing requirements take effect, which may impact cross-border payments and credit timing expectations.
Several additional requirements apply directly to banks (ODFIs and RDFIs). While those sit with financial institutions, they may lead to increased oversight for originators or service providers.
Quick 2026 Nacha checklist
As Nacha moves to stronger risk-based control requirements, it’s important for companies that use ACH payments to be prepared. This checklist is designed to help organizations understand what changes apply to them and what controls need to be in place.
1. Are you impacted by NACHA rule changes?
Any business that initiates ACH credit or debit payments, either directly or through a processor, is impacted.
Does your organization:
Send money via ACH (payouts, payroll, refunds)?
Pull money via ACH (subscriptions, bill pay, account funding)?
Connect user bank accounts and move money in/out of them?
If yes to any of the above, you need fraud monitoring in place.
2. Are you following basic precautions?
These are the foundational best practices every company should use, no matter what industry they’re in or their ACH use case.
Confirm user identity: Verify that the person initiating or receiving payments is who they claim to be.
Confirm bank account ownership: Make sure the bank account actually belongs to that user.
Monitor transactions for red flags like:
Sudden spikes in activity
Repeated failed payments or returns
One user or bank account connected to many profiles
Track return rates: Monitoring ACH return rates, especially unauthorized return categories, is essential for identifying potential fraud and control gaps.
Review fraud processes annually: Nacha expects ongoing documented reviews, not “set it and forget it.”
3. Can your organization answer the following questions?
If you don’t know or can’t quickly find the answers to these questions, you likely have a gap in Nacha compliance:
How do you check for fraud before sending ACH payments?
Do you verify user identity and bank account ownership?
What signals do you use to flag risky users or transactions?
What are your ACH return rates, and are you monitoring trends?
When was the last time you reviewed or updated your fraud controls?
4. Are you using stronger controls?
Most compliant programs follow these common market practices. While they are not guarantees of compliance, they indicate alignment with Nacha’s risk-based expectations.
Identity checks at onboarding (and when details change)
Account ownership verification before money moves
Ongoing monitoring of user behavior and transaction velocity
Automated signals instead of manual-only reviews
Extra safeguards for higher-risk flows or elevated return rates
How Plaid Helps Strengthen ACH Fraud Controls
Nacha’s 2026 rule requires ACH participants to implement risk-based fraud detection across both credits and debits, with controls that scale to transaction risk and are reviewed regularly. Plaid helps teams operationalize that approach without building complex systems in-house. Here’s how:
1. Confirm Account Ownership
Confirming that a bank account belongs to the person authorizing or receiving a payment is a foundational control, especially in user-not-present scenarios.
Plaid’s identity tools compare information a user submits during onboarding against their connected bank account data to help validate ownership.
When paired with KYC or user verification tools, this strengthens fraud prevention at onboarding and when account details change.
2. Monitor Transactions Proactively
The 2026 Nacha rule raises monitoring expectations beyond reactive, after-the-fact review.
Plaid Signal evaluates ACH transactions for elevated fraud and return risk before funds move.
This supports real-time oversight and helps reduce losses and return rate exposure.
Preparing for what’s next
Nacha has indicated that fraud risk management will remain a priority as ACH volumes grow and payment activity becomes more digital.
The most effective way to prepare isn’t to react to each rule in isolation, but to build durable, risk-based fraud systems that can adapt as requirements evolve. That means verifying users and accounts upfront, continuously monitoring activity, and reviewing metrics like return rates on an ongoing basis.
Plaid provides support to companies during this shift by helping strengthen ACH controls today and preparing for future changes.
A Modern Guide to ACH
How to add ACH to your platform and reduce losses and risks
Find out how Plaid can help your business grow
Learn more
Recommended reading
AI in financial services: The rise of intelligent finance
Payment processing costs: 5 ways businesses can reduce them
Three types of generative AI fraud and how to stop them