Think You’re Ready for Nacha’s New Fraud Monitoring Rule? Think Again.
Your bank has implemented state-of-the-art transaction and behavior monitoring solutions for fraud detection. That’s a great first step. Unfortunately, you’re still about to be dinged under Nacha’s new Fraud Monitoring Rule (“New Rule”).
Don’t get us wrong: if you haven’t implemented modern fraud detection systems, you’re behind the times and need to catch up. The good news is that there are lots of great solutions you can choose from.
But that’s not sufficient under the New Rule. Because the Rule is not really about you.
Here’s what to know: with the New Rule, Nacha is signaling it’s going to start enforcing the bank’s (ODFI’s) responsibility for its Originators’ and Third Party Senders’ compliance, under the Article 2 “General Rule.”
How do we know this? Because Nacha forecasts new requirements in articles and blogs months or years in advance. To understand new ACH rules, you have to read the context.
In 2022, Nacha made a bold statement that got too little attention. In an article entitled, “A New Risk Management Framework for the Era of Credit-Push Fraud,” Jane Larimer, Nacha’s President and CEO, stated bluntly: “Fraud keeps changing. As it does, participants in the payments system need to understand and adapt to emerging fraud scenarios and develop counterstrategies to help protect their customers and themselves.”
She said, the problem is we’re focused on yesterday’s fraud. In the past, Debit Fraud —that is, unauthorized debits of consumer accounts— was the biggest threat, and the Network did a good job combatting that. Indeed, most of the “Prerequisites to Origination” covered in Article 2 of the Nacha Operating Rules were created to prevent Debit Fraud.
But, she said, “Now, however, the most significant fraud threats to bank account holders involve fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards, and other instant and digital payments” – that is, Credit-Push Fraud, which encompasses a range of schemes also known as Authorised Push Payment (APP) fraud, or “relationship and trust fraud,” including (but not limited to) vendor and employee impersonation fraud.
To combat this fraud, she said we need to change in two key ways: (1) more fraud information sharing, and (2) the involvement of “all participants” working together. (Specifically, she wrote: “All participants in the payment system, whether the ACH Network or elsewhere, have roles to play in working together to combat fraud.”)
“All participants” necessarily includes the parties doing origination – which obviously includes customers as Originators or Third-Party Senders. We tested this interpretation with Nacha back in 2023, and they said, “of course.”
But let’s face it, all too often banks rely on origination agreements, providing their customers a 700+ page book of rules, training at onboarding, and online explanations of Rule changes as the extent of their responsibility.
This has not pleased Nacha, as we learned when we interviewed Jordan Bennett in a webinar (available here). He stressed that ODFIs warrant the compliance of each Entry originated through it to the Network, that ACH usage evolves as organizations change over time, that agreements and Rules access don’t fully discharge the ODFI’s responsibility for that compliance, and that Nacha is raising fines so that they’re both too much to pass to a customer and too high to be treated as the cost of doing business.
So then, with the New Rule, Nacha codified its earlier call for “all participants” (or at least all non-consumer participants) to play a role. The New Rule doesn’t begin with “Each ODFI” but rather with “Each non-consumer Originator, each Third-Party Sender…
Nacha is clearly signaling that they’re serious about the “all participants “ emphasis, they’re serious about the need for the customer to manage their fraud risk, and they intend to enforce it. “Enforce it” means they’re looking to you for records demonstrating that your customers are meeting the New Rule requirements. Make no mistake: it’s your responsibility for your customers’ compliance they’re intending to enforce.
So how can you effectively recruit your customers into the risk management framework? And once successful, how can you demonstrate that your customers are compliant, and that you’re exercising your Article 2 responsibility? The team at Lexalign is here to help. Lexalign hosted a webinar with Nacha recently, where we covered the entirety of this New Rule and explained how to use our solution to help you demonstrate your customers’ compliance. And we’re here to help!
Download the Checklist below to learn more about how you can be ready for the New Rule by March 2026.