How FIs Can Get Ready for Nacha’s Upcoming New Rule

As fraudsters become more innovative in their schemes, Nacha is rolling out new rules to address emerging fraud risks, particularly scams involving business email compromise, vendor impersonation, and the increasing use of money mules.

These key changes, centered around the ACH rules, began rolling out in October and will continue through 2026.

In a recent PaymentsJournal podcast, Glenn Fratangelo, Head of Fraud Prevention Product Strategy and Marketing at NICE Actimize, and Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research, discussed what financial institutions need to do to enhance their fraud detection programs to better protect both banks and customers.

The Growing Threat

There’s no doubt that authorized fraud is on the rise. Fraud threats have increased in both volume and complexity, especially as payment innovations evolve to keep up with advancements in technology, as well as consumer and business needs.

“Javelin has noted these increases over the last few years in terms of imposter scams, fraud, and other new activity,” said Sando. “Anecdotally, we’re hearing so much about imposter activity, which is becoming more sophisticated and convincing. It relies on that sense of urgency for the unsuspecting customer to act, and it’s not going to go away anytime soon. The digital and fast-paced nature of payments has really emphasized the importance of dealing with the problem.”

In the past, Receiving Depository Financial Institutions (RDFIs) managing ACH transactions on behalf of their customers could take a more reactive approach, handling each transaction as it came through. The responsibility for detecting fraud primarily rested with the originating institution, or ODFI. However, the new rules now hold RDFIs accountable for catching fraud in real time—or as close to real time as possible.

This shift means actively reviewing suspicious activity, flagging transactions that seem off, and taking the initiative in returning funds that do not belong in certain accounts. RDFIs can now return questionable transactions, and ODFIs have more leeway \to request returns when issues arise on their end. Starting in 2026, these monitoring requirements will become even more stringent.

Increasing the Burden

In terms of operational burden, RDFIs will now bear greater responsibility for real-time fraud detection and case management to effectively identify and prevent fraud.

“Traditionally, that fell under the purview of the ODFI, but with the shift RDFIs will have to dedicate resources to monitor suspicious transactions and potentially fraudulent activity that is incoming, something they previously did not have to do,” said Fratangelo. “That’s going to create increased workloads for an already stretched operations team, which will now be required to flag and investigate suspicious incoming transactions in real-time.”

Larger financial institutions will need to implement new machine learning models, which will require additional governance time and introduce another layer of complexity to their existing fraud detection systems.

“Larger institutions may have the capacity and ability to scale their teams, but we all know quality investigators are hard to find,” Fratangelo said. That’s why there’s a ramp up period to train analysts and investigators and get them up to speed.”

Smaller institutions will face even more difficulty, as they often lack effective automation. As their transaction volumes grow and new alerts are added, scaling up their workforce can be cost-prohibitive. These costs are sometimes passed on to customers in the form of lower interest rates or higher fees.

Maintaining Business As Usual

Generative AI and deep fakes are making this situation e