A Simple Explanation of the Nacha Fraud Monitoring Rule for your Originators
Explaining the Nacha Fraud Monitoring Rule to your ACH Originators.
The first step to Originator compliance.
Interpreting the new Nacha Fraud Monitoring Rules can be challenging, even for compliance professionals who work with the Rules every day. For your business and commercial customers – your non-consumer Originators – it is often entirely new territory.
In focusing on the Originator, we're specifically talking about the Rule in subsection 2.2.4 (the "New Rule"). 2.2.4 requires them to do something, but it doesn’t specify what that is, as there is no effective one-size-fits-all approach to fraud prevention. Particularly now that Phase 2 is in effect, your auditors and examiners may reasonably ask you to show them how you sensitized and empowered your Originators to comply.
Explaining the New Fraud Monitoring Rules and motivating their compliance by enlightening them on the risks they face are necessary first steps. Lexalign does this for Originators every day – helping them understand the Rules that specifically apply, where they have gaps in compliance, and how to remediate. This is how we sensitize them to the New Rule.
For your Originators:
The New Fraud Monitoring Rule
In a well-respected annual survey, 3 out of 4 organizations said they experienced actual or attempted fraud in 2025. Fraudsters are targeting deposit accounts like yours, using account takeover and/or pretenses. Nationally, losses in fraud are growing across payment channels, including ACH. Nacha has said that in order to combat this fraud, "all participants" have a role to play.
“All participants” includes you.
Nacha has introduced new rules and guidelines designed to protect you, while also requiring you to do more.
Nacha is the organization that governs the ACH Network, including by issuing and enforcing the Nacha Operating Rules that all ACH Network participants (including you) must follow.
One very important new Rule is titled, "Identification of Unauthorized Entries or Entries Authorized Under False Pretenses." More commonly, it's called the "Fraud Monitoring Rule."
Under this Rule, "each non-consumer Originator” – including you – “must establish and implement risk-based processes and procedures...that are reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses; and …at least annually review these processes and procedures and make appropriate updates to address evolving risks.”
Your compliance with the New Rule is already enforceable. This means failure to have relevant processes and procedures may affect your access to ACH starting very soon.
But it's important to note that the New Rule was created to protect you based on significant new risks. It's therefore prudent to implement relevant safeguards as soon as practical, and not just for compliance reasons.
Why do we need a new Rule and new fraud prevention?
Nacha adds Rules from time to time when new fraud patterns emerge that existing practices don’t adequately contain. Up until now, most Rules have focused on preventing debit fraud (debits that aren't properly authorized). Today, credit fraud has begun to eclipse debit fraud as the number one threat to deposit account holders (including you).
Credit fraud occurs when a bad actor causes money in your deposit account to be "pushed out" and sent to an account at another financial institution, from which the money is often sent on rather rapidly, before you can pull them back. (The technical name is "Credit-Push Fraud.")
While not as numerically common as debit fraud, a Credit-Push Fraud attack is particularly bad, as it often involves removing all the funds from the account in an irretrievable way, leading in many cases to the sudden inability to continue normal operations. The New Rule is intended to address this fraud.
What the New Rule requires
Basically, the New Rule requires each non-consumer Originator to create and implement practices designed to detect signals of attempted Credit-Push Fraud, in order to prevent it from happening – and to review the adequacy of those practices at least annually, to address emerging forms of fraud. Your participation is vital as you may see signals that are invisible to your financial institution.
In particular, the required practices should ferret out signals of transactions that are either “unauthorized” or “authorized under False Pretenses.” Let’s unpack what is reasonably intended by those terms, so that you can determine the practices that make sense for the types of ACH transactions you originate.
What an "unauthorized” Entry means in the New Rule
In the New Rule, an "unauthorized" Credit Entry is one where:
- Someone who is not actually authorized by your organization to submit the payment instruction
- has gained access to your online account (whether you gave them your credentials or not) and
- sent an instruction to your financial institution to transfer funds from your deposit account to a third-party account (the “Credit Entry”).
In many cases, such scenarios relate to either (a) inadequate oversight of persons who have valid access to your online account, or (b) to some kind of breach of your security where an unauthorized insider or an outsider has gained access to your account credentials.
(It's important for you to know that to your financial institution this is a valid Entry under your banking agreements, as you are responsible for securing your credentials and managing both access to and use of your banking accounts. This is a general rule in the US banking system, so switching banks would not change this. Even though Entries submitted for your account in such scenarios are your responsibility, your financial institution provides helpful guidance like this because it cares about your resilience and account security.)
What “False Pretenses” means in the New Rule
Nacha defines “False Pretenses” as
“the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
In other words, the Rule requires you to have systems that reasonably enable you to detect when someone is trying to get you to send money via ACH by:
- Misrepresenting who they are (such as by impersonating one of your regular vendors or employees),
- Falsely claiming that they have the right to act for a legitimate payee (such as by faking a legal relationship), or
- Masking the true owner of the receiving account (such as by claiming it's a new account for an existing vendor or employee, when it's really owned by a fraudulent entity).
While the New Rule requires monitoring, it does not require you to screen every ACH Entry individually. The Rule requires “risk-based processes and procedures,” meaning you may determine which types of transactions present more or less risk, and apply a different level of scrutiny depending on the associated risk.
A specific expectation if you use ACH for payroll or vendor payments
One particular area of fraud that Nacha has called for your assistance is fraud that involves changes in payment instructions for otherwise legitimate payments. Nacha has said:
“Originators may be best placed to implement procedures to protect against account takeover or other ... unauthorized transactions. Such procedures could include change controls regarding payment information and instructions for vendor and payroll payments.”
If you use ACH for payroll (“direct deposit”) or vendor payments, the expectation is that you establish procedures for your staff to follow upon receiving instructions to alter a payee's account information, to ensure they are properly authorized and valid before making the change. That means, at a minimum, not making the change until you’ve taken the necessary steps to be sure that the party requesting the change in payment information is who they say they are (identity verification).
Notes for Financial Institutions:
One size does not fit all
What the New Rule requires of each Originator depends on the types of Entries they are actually originating – not simply the SEC codes they use.
Using PPD as an SEC code, for example, does not determine which fraud risks attach to a transaction. An Originator using PPD may be running payroll credits, which Nacha has specifically called out as a fraud vector requiring change control procedures.
An Originator using CCD for vendor payments faces different false pretense risks than one using it for intercompany transfers.
These examples are necessarily general. Nacha's expectations are specific to what your Originators are actually doing. Supplementing this general framework with guidance tailored to each Originator's actual ACH activity is precisely where a structured assessment matters – and where Lexalign can help.
Why the conversation is only the first step
Sharing a downloadable flyer with your Originators, or explaining the Rule in an email, helps them understand what is required. However, this is only the first step: Auditors and examiners could reasonably request records showing more than that your Originators received an explanation and acknowledged the New Rule. They could expect records showing that you assessed your Originators’ compliance with the New Rule and other applicable Rules, that you informed each of them of the Rules that actually apply, and where they have compliance gaps; that you empowered them with clear instructions on how to comply; and that you tracked their remediation as part of enforcing the agreement (under 2.2.3 of the Nacha Rules).
This is where Lexalign can help, with an automated solution that enables you to show records that you did all that, without the need to hire additional staff. If you’d like a demo, please contact us.
How Originator Operational Compliance Impacts Your Financial Institution
Regulators Only Have Eyes for You
Phase 2 of Nacha's 2026 Fraud Monitoring Rules is now in effect. The Rule requires your Originators to detect signals of fraud: unauthorized transactions and transactions authorized under “False Pretenses.” That obligation lands on them.
But when the auditor or examiner arrives, they will not audit your Originators, they will audit you. Understanding that distinction is where compliance preparation has to start.
The Fraud Monitoring Rule Covers Multiple Parties — by Role
Subsection 2.2.4, the new Fraud Monitoring Rule (the "New Rule"), applies to each non-consumer Originator, each Third-Party Sender, each ODFI, and each Third-Party Service Provider that performs ACH processing functions. Each party's obligation tracks its role in the authorization or transmission of entries.
Your role as the ODFI is transmission. Your Originators' role is authorization. Those are different roles, and it takes different evidence to demonstrate compliance with their obligations under the New Rule.
Your existing transaction monitoring addresses your transmission-side obligation by watching entries for fraudulent patterns, credit push anomalies, and return rate signals. That is Box 1 of the four compliance boxes the Rules now require. Most institutions have been focused on this aspect of the New Rule for some time.
The New Rule's harder question concerns Box 2: what does your Originator's authorization-related obligation mean for you?
Nacha Has No Authority Over Your Originators. But You Do.
Nacha does not (and has no legal basis to) audit your commercial customers. It has no regulatory or contractual power over them. It cannot require them to do anything without your involvement. Instead, the Rules reach your Originators through the origination agreement they signed with you, governed by Subsection 2.2.2, and through your enforcement of that agreement as required by Subsection 2.2.3.
Nacha's General Rule, Section 2.1, makes the ODFI responsible for every Entry it transmits and for its Originators' compliance with the Rules. When an auditor or examiner reviews your ACH program, they call on you. They ask you to produce records demonstrating your Originators' compliance. That is the most natural reading of the Rules and the one an auditor or examiner would reasonably apply.
The ODFI functions as the regulator for its Originators. As it relates to your Originators, your auditor and examiners will audit you as their regulator.
Will the Origination Agreement Be Enough?
A reasonable first question is whether the origination agreement alone satisfies the audit standard. Your Originators signed it. They agreed to be bound by the Rules, including Rules enacted after they signed. If your agreements already say that, making them sign a new agreement will not enhance the obligation. It may be counted as an acknowledgement, but that alone is not sufficient, as we’ll see.
The agreement is only one of two required pieces. Nacha's FAQs articulate the standard directly: an ODFI may reasonably rely on its Originators' fraud prevention (that is, may reasonably make a statement about its Originators’ compliance) when it can show its Originators’ compliance is "allocated by contract and verified by appropriate oversight."
That "and" means both. Verified by appropriate oversight sits alongside the contract as a co-equal requirement, not an alternative to it. One refers to Subsection 2.2.2, the agreement. The other to Subsection 2.2.3, the enforcement of the agreement, including the Originators’ compliance.
The verbs in Subsection 2.2.3 are where we look to understand audit exposure. The Rule requires the ODFI to perform due diligence with respect to each Originator's capacity for compliance, to assess the nature of their ACH activity and the risks it presents, to monitor their origination and return activity, and to enforce restrictions on the types of entries in the agreement.
Each verb implies action. Each action implies a record. Your auditors and examiners will read for those verbs and ask whether you have records demonstrating you acted on them. For a deeper analysis of how Subsections 2.2.3 and 2.2.4 work together and what "verified" means in practice, see our article, Preparing for June 22: How Forward-Looking Banks Are Reading Nacha's New Fraud Monitoring Rule.
What "Verified" Means and What It Does Not
"Verified" does not mean proved beyond doubt. It does not require an on-site audit of your customers' operations. The law imposes a duty of honesty on the customer, and, absent clear reason not to, the ODFI may rely on its Originators' statements, provided it asks in a way reasonably likely to reveal compliance and noncompliance.
That last clause carries the weight. Asking an Originator "are you complying with the New Rule?" does not constitute verification. An auditor or examiner would reasonably dismiss it, particularly given the emphasis Nacha has placed on Originators’ active contribution to fraud prevention in the New Rule and statements about it. That question presumes the Originator knows what compliance means for their specific operations, which is precisely what the assessment is meant to determine.
Sending a mailer about the New Rules does not produce records of assessment. Posting a resource on your website does not produce records of oversight. Verification requires a structured process that asks the right questions of each Originator based on the types of entries they actually originate, how they obtain authorization, and whether they’re complying with the related fraud prevention safeguards that Nacha has articulated.
What the Records Need to Show
Reading Subsections 2.2.3 and 2.2.4 together with Nacha's guidance, a defensible oversight program produces six categories of records:
- Records demonstrating you assessed each Originator's compliance, or obtained their structured self-assessment, against the rules that apply to their specific ACH activity.
- Records showing you alerted each Originator to the Rules and risks that apply to them individually, not rules in the abstract.
- Records identifying where each Originator has gaps.
- Records showing you empowered each Originator to understand what compliance means for the types of entries they originate and what remediation looks like.
- Records of what entry types each Originator is originating, to enforce the restrictions in the agreement.
- Records showing you monitored each Originator's remediation and followed through where risk remained unaddressed.
The four-step framework of Assess, Sensitize, Empower, and Enforce corresponds directly to this record set. For a full walkthrough of each step, see Nacha's Phase 2 Is Here: What Changed on June 22.
With Lexalign, you can build all six categories of records across your full Originator portfolio without adding staff. The platform runs the assessment, generates the records, tracks remediation, and produces the documentation an auditor or examiner could reasonably ask to see.
If you want to see how it fits alongside your existing tools, we would be glad to walk you through it. Book a demo with Lexalign to see the oversight program in practice.
This blog is for educational and informational purposes only. It does not constitute legal, compliance, or regulatory advice and should not be relied upon as such. The materials reference Nacha Operating Rules and related guidance as of the date of this blog. Rules and guidance may change, and their application depends on the specific facts and circumstances of each financial institution and its Originators. Lexalign does not speak for Nacha. Financial institutions should consult their own legal counsel, compliance professionals, and Nacha directly for guidance on their specific obligations.
Nacha's Phase 2 Is Here: What Changed on June 22 and What Your ACH Program Needs Now
What Financial Institutions Will Need for Audits and Exams.
Written by Trevor Lain, JD | Founder & CEO, Lexalign
The effective date for Phase 2 of Nacha’s 2026 Fraud Monitoring Rules, June 22nd, has finally arrived. What does this mean in a nutshell? Auditors and examiners can request records of compliance dating back to that date. If you’re not in compliance yet, your “compliance deficit” is rising each day. Here’s what to do….
On our enforcement-day webinar with financial institutions from across the country, we opened with a simple observation: the compliance burden your institution carried on Friday is not the one you bear today. That shift is structural, not incremental. It is worth understanding.
What did Nacha’s Fraud Monitoring Rule Phase 2 change on June 22?
The question compliance teams are asking right now deserves a direct answer.
Before June 22: Nacha’s new fraud monitoring requirements applied only to Originators, Third-Party Senders, and Third-Party Service Providers that originated or transmitted more than 6 million ACH entries in 2023. Phase 1 took effect March 20, 2026, and covered that group.
As of June 22, 2026: The volume threshold is gone. Subsection 2.2.4 now covers every non-consumer Originator, every Third-Party Sender, every ODFI, and every Third-Party Service Provider that performs ACH processing functions, regardless of volume. The Rule reads “each non-consumer Originator,” and each means every one. The small business running payroll once a month, the commercial contractor paying subcontractors, the school district collecting receivables – all are now in scope.
The perimeter of fraud monitoring has expanded beyond your institution’s walls and into your customers’ operations.
Why the Rule Was Written This Way
Fraudsters target your customers directly at origination. Those organizations’ operations (and their staff’s sophistication regarding risks, security and Nacha requirements) are the actual point of vulnerability and the point of entry.
A business email compromise scheme does not need to defeat your fraud detection if it can convince your customer’s AP team to update a vendor payment account. An account takeover does not look suspicious when it uses your customer’s own stolen credentials to initiate a normal-looking ACH credit. Fraudsters design these transactions to appear authorized and fit the pattern.
That is why Nacha has, since 2022, called for “every participant” in the ACH network to play a role. The new Fraud Monitoring Rule in Article 2 (2.2.4) (the “New Rule”) codifies that call: it’s no longer an appeal – it’s now a requirement.
But Nacha has no direct authority over your Originators: it cannot directly require them to do something. Instead, Nacha’s Rules reach your Originators through the origination agreement they signed with you (2.2.2) and your required enforcement of that agreement (2.2.3). In other words, the burden of the New Rule, as it applies to your customers, actually falls on you, as the ODFI. Nacha’s General Rule (2.1) makes the ODFI responsible for each entry it transmits and for its Originators’ compliance with the Rules. The new Rule depends on you for effect. So, what records should you have?

What “Verified by Appropriate Oversight” Requires of You
Most basically, you need records reflecting your customers’ compliance – that is, that they are doing something to detect and prevent unauthorized entries or entries authorized under False Pretenses. But what do you need to show in order to make that statement?
Nacha’s FAQs articulate a standard: an ODFI may reasonably rely on its Originators’ fraud prevention (that is, state that they are compliant) when that compliance is “allocated by contract and verified by appropriate oversight.”
“Allocated by contract” is easy: your origination agreements most likely already handle this. Your customers have agreed to be bound by the Rules, including Rules enacted after they signed. You do not need new contracts.
It’s the second part that’s the key: “verified by appropriate oversight.” It is not an alternative to the contract. It is not superfluous. It is a co-equal requirement alongside it.
“Verified by appropriate oversight” is what the agreement alone does not satisfy. But if “allocated by contract” refers back to Rule 2.2.2, where does “verified by appropriate oversight” sit in the Rule book? It’s the next Rule: 2.2.3. That Rule sets forth how you’re required to enforce the agreement. It’s the verbs in that Rule that auditors will read in formulating requests for records. Do you have records demonstrating that you: “perform[ed] due diligence” with respect to the Originator’s capacity for compliance; “assess[ed]” the nature of the Originator’s activity and the risks it presents (as distinct from – and in addition to – “monitor[ing]” their transaction activity or “enforc[ing]” exposure limits); and “enforce[d]” the restrictions in the agreement. Sending a mailer, posting a webpage, or distributing the Rulebook do not produce records of this kind.
When fraud occurs – and, let’s face it, no program prevents 100% of fraud – the question auditors and examiners will ask is whether you acted on those verbs and whether you can show it.
What the Record Needs to Show, Starting Today
Auditors can request evidence dated back to June 22nd. Even if your exam is months away, this is the date the clock starts.
Reading the Rules only gets us so far. But if we read all the relevant Rules and Nacha’s related guidance together, we can deduce a program that is workable, that clicks the various buttons (shows action in accordance with those verbs), and builds records that auditors and examiners can reasonably (and at some point likely will) ask for.
A defensible oversight program runs through four steps on an annual cycle:
- Assess each Originator against the rules and risks that apply to its specific activity, not SEC codes in the abstract but the actual entry types it originates, including how it actually obtains authorization, and where its controls have gaps.
- Sensitize each Originator to the rules that apply to it specifically, to the gaps your assessment identified, and to the risks of noncompliance. (“Sensitize” combines “inform” and “motivate.”)
- Empower it with concrete instructions on how to remediate those gaps.
- Enforce by tracking follow-through, documenting improvements, and proactively intervening with Originators that present outsize, unremediated risk.
The cycle is annual because Rule 2.2.4 explicitly requires at least annual review of processes and procedures as fraud threats evolve. The ODFI’s oversight cadence needs to match it.

Your existing transaction monitoring addresses one of the four compliance boxes the Rules require. It watches entries on the ODFI side. Boxes 2 and 3, which cover Originator oversight and Third-Party Sender oversight, require visibility into customer operations that transaction monitoring is not designed to provide. No single tool checks all four boxes. That is not a criticism. It is a description of the scope of the problem. It requires a toolkit approach.
Lexalign is a tool that was designed to check boxes 2 and 3, and operationalize the program laid out above. Lexalign operationalizes the Nacha standard, “verified by appropriate oversight.”
Compliance is a journey, not a switch. Today is the right day to start building the records auditors and examiners will ask for. Start with these steps:
Download our 4-Box guide to see exactly where your existing tools fit and where the gaps are.
Take the 5-minute Readiness Quiz for a personalized snapshot of where your program stands. If you want to think through your next steps specifically, we are always happy to be a resource.
Book a demo with Lexalign to learn more.
Lexalign helps financial institutions build verified, audit-ready oversight of non-consumer Originators and Third-Party Senders at scale. Compliance you can measure. Oversight you can defend.
This blog is for educational and informational purposes only. It does not constitute legal, compliance, or regulatory advice and should not be relied upon as such. The materials reference Nacha Operating Rules and related guidance as of the date of this blog. Rules and guidance may change, and their application depends on the specific facts and circumstances of each financial institution and its Originators. Lexalign does not speak for Nacha. Financial institutions should consult their own legal counsel, compliance professionals, and Nacha directly for guidance on their specific obligations.
Preparing for June 22: How Forward Looking Banks Are Reading Nacha’s New Fraud Monitoring Rule
Over the past three months, the Lexalign team attended Nacha’s annual conference and several regional Payments Association events. The conversations at each returned to the same question: under the new Article 2 Fraud Monitoring Rule, where does the obligation sit, and what is enough to meet it?
The part of the Rule generating the most discussion is its opening provision: “Each non-consumer Originator; each Third-Party Sender…must establish and implement [risk- and role-based measures reasonably intended to detect Credit-Push Fraud attempts].” Subsection 2.2.4 codifies a principle Nacha has been signaling since 2022, when its Call for a New Risk Management Framework stated that all participants in the payments system have a role to play. Placement gives that principle primacy. Nacha has placed the new Rule among the prerequisites to origination, which signals that the Originator is expected to act first.
The ODFI’s position, however, has not changed. Nacha officials and RMAG members have repeatedly stated this spring that the ODFI “warrants” every Entry it transmits. That language traces to the General Rule (2.1), which makes the ODFI responsible for each Entry and for its Originators’ and Third-Party Senders’ compliance. The new Rule is placed just after the rules that govern the ODFI’s relationship with its Originators. Those preceding Rules frame what the ODFI is being asked to do.
How auditors and examiners will read the Rule
We can reasonably expect that auditors and examiners will read the new Rule alongside the Origination Rules and Nacha’s official guidance. They will look to Rule 2.2.3 and to the “reliance standard” in Nacha’s FAQs to identify what is testable. They will focus on the verbs that indicate what the ODFI is required to do, and they will request records that evidence the ODFI did it.
Four questions will drive the conversation. How did the ODFI form a reasonable belief about each Originator’s capacity for compliance? How did the ODFI assess the risk of each Originator’s activity, in a way that goes beyond return rate monitoring? How did the ODFI enforce the agreement? And how, in sum, did the ODFI operationalize the standard of “verified by appropriate oversight” that Nacha has articulated in its FAQs?
What the surrounding Rules require
Two Rules do the work. Rule 2.2.2 governs the origination agreement itself. Rule 2.2.3 governs what the ODFI does with it.
Under Rule 2.2.2, the origination agreement is the bedrock. The agreement must bind the Originator to the Rules and grant the ODFI the right to audit compliance. Because Nacha has no direct authority over Originators or Third-Party Senders, Rule 2.2.2 effectively deputizes the ODFI to act as the regulator of its customers’ compliance. The right to audit is not theoretical. It is the mechanism through which the Rules expect compliance to be enforced.
Rule 2.2.3 goes further. It requires the ODFI to act on the agreement, using three verbs the auditor will read for. The ODFI must perform due diligence with respect to the Originator’s capacity for Rules compliance. The ODFI must assess the nature of the Originator’s activity and the risks it presents. And the ODFI must enforce any restrictions on the types of Entries contained in the origination agreement. The due diligence in 2.2.3 concerns the Originator’s compliance ability, not transaction-level diligence.
The Reliance Standard: and “what verified by appropriate oversight” means
These verbs do not require the ODFI to verify the Originator’s day-to-day operations. Absent a clear reason not to, the ODFI may rely on the customer’s word, as under the law governing financial services each party has an enforceable duty of honesty and fair dealing. Nacha’s FAQs reinforce a reliance standard: an ODFI’s processes and procedures may consider those implemented by other parties in the origination process, provided the basis for reliance is “reasonable and clear (e.g. allocated by contract and verified by appropriate oversight).”
The second and is conjunctive. “Verified by appropriate oversight” sits alongside the contract as a co-equal requirement, not as an alternative to it. What that verification produces, and what it looks like in records, is the question FIs are starting to contend with in the run up to June 22.
Lexalign was built to solve that problem. What follows is how to think about it operationally.
What June 22 requires
June 22 applies to all customers, regardless of dollar size or transaction count. It is the deadline banks at recent payments events have been asking the most questions about, and it is tempting to read it as the Originator’s deadline. It is not. June 22 lands on the ODFI.
What makes this hard is the variety of entry types each ODFI handles. Different entry types call for different fraud prevention measures, and no single model fits them all. Bespoke strategies are not scalable. The ODFI has to account for oversight across the full variety of entries in its portfolio, and the records that demonstrate that oversight will reflect that variety.
The four-step cycle that addresses auditors’ anticipated requests
Lexalign frames the work as a four-step annual cycle. The first two steps are the prerequisites that make the requirements of 2.2.3 operable. The second two are the verbs themselves. Together, they produce the records that answer each question the auditor will ask.
Assess. Evaluate each Originator’s compliance with the rules, regulations and risks that actually pertain to the kinds of entries it actually originates (rather than the SEC Codes it uses).
Sensitize. Educate each Originator about the rules that apply to its specific activity, and where it has gaps. Motivate compliance by emphasizing the risks of non-compliance.
Empower. Instruct each Originator on the actions it could take to address its compliance gaps. Explain what remediation looks like. Enable it to achieve and maintain compliance (including fraud prevention) appropriate to the types of entries it actually originates.
Enforce. Act on the results. This includes enforcing (or updating) restrictions on the types of entries contained in the agreement, and it extends to enforcement of the Originator’s compliance with the Rules generally, including the new Fraud Monitoring Rule. As Nacha has increasingly made clear, nowadays “enforce” means remediate compliance gaps, rather than terminate agreements.
The cycle is annual because Rule 2.2.4 requires the Originator to assess the adequacy of its fraud prevention at least once a year as fraud evolves. The ODFI’s oversight needs to keep the same cadence.
What records would Nacha reasonably expect
Nacha has not published a checklist. What Nacha has said is that an ODFI’s reliance on its Originators’ fraud prevention is reasonable when “allocated by contract and verified by appropriate oversight.” The question is what verification produces, and what oversight looks like in records.
Conversations at recent events point to a clear answer. A Nacha auditor or examiner could reasonably expect to see, for each non-consumer Originator, records demonstrating each step of the cycle. Records that the Originator was sensitized to the risks and rules applicable to its activity. Records that the Originator was empowered with tools to comply. Records of the ODFI’s assessment of the Originator’s compliance. And records of the ODFI’s enforcement of the agreement where the assessment surfaced gaps.
A webpage notifying customers of the new Rule does not produce records of this kind. Neither does a single onboarding questionnaire. Nacha officials and regulators at recent events have been direct about the limits of those approaches. The records that demonstrate appropriate oversight are records of an ongoing process. They cover each Originator, on an annual cadence, and they show what the ODFI did and when.
On contracts
A common question from FIs at recent events: do existing origination agreements need to be updated? In most cases, probably not. If the agreement already binds the Originator to the Nacha Operating Rules (as required by Subsection 2.2.2), the contractual basis for reliance is in place. What is needed is the diligence the new Rule and Subsection 2.2.3 contemplate, and the records of enforcement that follow from it.
Why this calls for technology
At the scale most ODFIs face, the four-step cycle does not run by hand. Hundreds or thousands of Originators, each with a different activity profile, each requiring sensitization tailored to the rules that apply to its specific Entries, each producing data the ODFI then assesses, each generating records that have to be standardized, auditable, and produced annually. The function does not staff out at any reasonable headcount. Spreadsheets and email do not produce records of the kind the cycle requires.
Lexalign’s proprietary software automates the first three steps of the cycle, and enables the fourth. It assesses compliance by walking the Originator through an automated, online dynamic diagnostic interview. It sensitizes and empowers each Originator according to its activity: identifying gaps, specifying concrete remediation steps; delivering policies and procedures to train staff; and providing a dynamic remediation checklist. And it generates the structured records the ODFI needs to enforce the agreement and demonstrate appropriate oversight across the variety of entries its customers originate.
Forward-looking banks are preparing for June 22 by putting that cycle in place now. Lexalign was built to make it work at scale.
5 Fraud Facts Worth Knowing Right Now
The organizations you bank are under significant threat right now. The ones running payroll, paying vendors, and collecting receivables for their own account. Fraud tactics evolve fast, and your customers’ operations are the primary target for fraudsters.
Of course, this matters for your institution, too.
A threat that targets your high-value ACH, RDC, and Wires customer base without differentiation is a threat to your own soundness. Their exposure is your exposure.
As Nacha has recognized with the new Fraud Monitoring Rule, your own fraud detection solutions aren’t by themselves sufficient. By exploiting gaps in your customers’ controls or sophistication, fraudsters are patiently watching and then manipulating them or taking over their accounts to evade those filters, with increasing success. When fraud exploits a gap in a customer’s controls, it enters your network through a trusted channel.
The good news?
You can do something about it, without burdening your team.
We put together an overview of what the latest fraud data tells us and what it means for FIs and their Originators. It covers five data points from the most widely-cited 2025–2026 reports, including the real cost multiplier FIs face for every dollar of fraud, where the attacks land, and why the industry responds the way it does.

How to help your Originators?
1. Sensitize
Sensitize your ACH Originators to the threats they face and the fraud monitoring rules that apply to them. Most organizations don’t fully appreciate the threats and regulatory expectations, or know where they have gaps in security or operations that fraudsters exploit.
2. Empower
Empower your ACH Originators with clear guidance on where they have gaps in their operational security and compliance, and what regulators require, expect, or recommend they do.
3. Assess
Assess their compliance through structured diagnostics that create audit-ready records that demonstrate oversight, and enable risk-based rules enforcement at scale.
Lexalign automates this entire process.
With Lexalign, financial institutions help ACH Originators understand exactly which requirements apply to them. Covering the Nacha Rules & Guidelines (almost 500 pages!), along with other relevant regulations and official guidance, Lexalign walks customers through diagnostic interviews (designed to be completed in 30 minutes or less).
Each ACH Originator receives an audit report, gap analysis, action plan and dynamic remediation checklist tailored to their precise operational environment. You get risk scoring, oversight records, and actionable insight across your portfolio.
As fraud evolves and rules expand, FIs with real visibility into Originator operations will be best positioned to protect themselves. Empowering and equipping your ACH Originators to proactively and vigilantly monitor fraud is ultimately how your FI protects its safety and soundness against evolving fraud. Your customers’ protection is your endpoint protection.
The Nacha Fraud Monitoring Rules Apply to Every Non-Consumer Originator — Not Just Third-Party Senders
One of the most common questions we hear from financial institutions right now is some version of this: “Do these rules really apply to all of our commercial ACH Originators?” The answer is yes — and we’re here to help you navigate that.
The Nacha Fraud Monitoring Rules are broader in scope than many institutions initially expect. The good news is that with the right approach, meeting your responsibility as an ODFI is very manageable. Understanding who’s covered is the essential first step.
What the Rules Actually Say
The Nacha Fraud Monitoring Rules require that each non-consumer Originator establish and implement risk-based processes and procedures to identify ACH Entries that are “unauthorized” or “authorized under False Pretenses” — two distinct concepts that come directly from the Rule itself.
An unauthorized Entry is one that was never sanctioned by the account holder. An Entry authorized under False Pretenses is more nuanced: it’s a transaction that was technically authorized — but only because someone was deceived into authorizing it. Think vendor impersonation, payroll account hijacking, or business email compromise. The authorization happened, but it was obtained through fraud.
Each non-consumer Originator is covered. Not just Third-Party Senders. Not just payment processors. Not just high-volume treasury customers. Every treasury customer that originates ACH transactions — which includes not only companies, but governmental organizations, non-profits, and individuals acting in a commercial capacity — falls under these Rules.
It doesn’t matter what an organization calls itself or how it thinks of its role in the payment chain. If it’s a non-consumer Originator, the Rules apply. And because the Rules apply to your Originators, they create a corresponding responsibility for you as their ODFI — which we’ll get to in a moment.

Why This Scope Matters
Third-Party Senders have historically drawn the most regulatory attention in the ACH world, which is why many FIs and their customers have mentally filed fraud monitoring under “Third-Party Sender issues.” That’s a natural assumption given the history — but the Nacha Fraud Monitoring Rules intentionally expand the scope, and for good reason.
ACH fraud has shifted. Credit-push fraud, business email compromise, vendor impersonation, and payroll account hijacking are increasingly targeting everyday treasury customers — not just high-volume payment processors. Fraudsters have learned that if they can manipulate a legitimate Originator into sending a payment to a fraudulent account, they don’t need to breach the FI directly. The Originator becomes the point of entry.
Nacha recognized this shift and designed the Rules accordingly: all participants in the ACH network play a role in fraud prevention, and the Nacha Fraud Monitoring Rules make clear that role starts with the Originator.

Your Role as an ODFI — and How to Meet It
As an ODFI, you warrant the compliance of every Entry you transmit. The Nacha Fraud Monitoring Rules build on that foundation by making clear that your oversight responsibility extends to your Originators’ internal controls — not just the transactions themselves. That responsibility is rooted in the Nacha Operating Rules, which have always placed the ODFI at the center of ACH network accountability.
Think of it this way: regulators only have eyes for the financial institution, not your customers. When examiners review your ACH program, they’re looking at what you put in place to ensure your Originators are equipped to identify and prevent fraud. Your treasury customers won’t be in that conversation — you will.
That’s a straightforward responsibility to meet, and the Rules give you the framework to do it. The Nacha Fraud Monitoring Rules specifically address the risk of Entries authorized under False Pretenses — fraud that can evade traditional transaction monitoring precisely because it exploits the Originator’s own authorization process. That’s why oversight at the FI level alone isn’t sufficient. The Rules ask ODFIs to ensure their Originators have the internal controls in place to catch these schemes before a fraudulent Entry is ever initiated.
Lexalign is built to make that oversight scalable and defensible — and to genuinely empower your Originators in the process.
Here’s how we help you check those boxes:
Extend your oversight upstream — and empower your Originators. Lexalign delivers structured, conversational assessments directly to each of your Originators — walking them through a dynamic diagnostic interview to determine what they’re doing, which Rules actually apply to their specific organization, and how they measure up against those Rules — all drawn from the full range of authoritative sources, not just the Nacha Fraud Monitoring Rules alone. Every Originator comes away with meaningful, specific information about their own fraud risk and what they can do about it. It’s less like filling out a form and more like a conversation with a knowledgeable advisor.
Give your Originators something they can act on. Every Originator that completes an assessment receives a real-time audit report, a gap analysis, and a concrete action plan tailored to their organization. They leave the process understanding exactly where they stand and exactly what steps to take — informed and equipped to participate actively in fraud monitoring and fraud prevention, in the context of how their specific organization operates.
Bring analysis and scoring back to the FI. Assessment responses are analyzed and scored, and that intelligence flows back to your dashboard — giving you the risk-based visibility you need to prioritize oversight, identify outliers, and demonstrate to examiners that your program is managed thoughtfully and deliberately.
Build your records as you go. Compliance documentation doesn’t have to be a separate project. Lexalign builds it automatically as your Originators complete their assessments, so when examiners ask to see your Originator oversight program, you can point to a dashboard that tells the whole story.
The Opportunity in Getting This Right
Most treasury customers have never been walked through what the Nacha Fraud Monitoring Rules mean for them. They don’t know the Rules apply to them. They may not have change control procedures for payroll or vendor payments. They may not know what False Pretenses fraud looks like or that they’re a potential target.
FIs that take the lead in educating and empowering their Originators aren’t just checking a compliance box — they’re showing up as a genuine resource for their customers’ resilience and security. When an Originator finishes a Lexalign assessment, they don’t just have a completed form. They have real knowledge about their specific fraud risks and a clear path to address them. That’s a relationship-deepening opportunity, and it happens naturally through the Lexalign process.
With the June 22, 2026 enforcement deadline on the horizon, there’s a clear path forward. The Rules tell us what’s required. Lexalign helps you deliver it — at scale, with documentation, and in a way your treasury customers will actually appreciate.
Ready to see how Lexalign works? We’d love to walk you through it. Contact us or schedule a demo to get started.
Nacha's Fraud Monitoring Rules Reframe the Fight: Your Customer Is Now the Front Door
Fraud in payments hasn't just increased—it has migrated.
For years, banks built defenses around the institution: tighter internal controls, better transaction monitoring, stronger back-office processes, and more sophisticated tools at the ODFI and RDFI. Those investments still matter. But Nacha is making something unavoidably clear in its new Fraud Monitoring Rules:
The primary target of fraud isn't the bank anymore. It's the bank's customer.
That's why these rules—while written as bank obligations—are effectively a mandate to recruit and equip customers as active participants in fraud prevention. This is the shift. And it's the reason "doing the same thing, but harder" won't be sufficient.
In this post, we'll break down:
- What Nacha is signaling about the fraud landscape
- The specific Rule elements that move the center of gravity from bank-only controls to customer controls
- Why regulators "route" customer requirements through banks
- What banks must operationalize now—especially on the origination side
- How to do it without burying teams in manual paperwork or follow-ups
The New Fraud Reality: From Unauthorized Debits to Unauthorized and Fraudulently Induced Credits
Historically, the primary ACH fraud threat to account holders was unauthorized debits—someone gained access to account information and pulled funds without the account holder's approval. Banks built robust controls around this threat, and the rules framework reflected it.
Nacha's 2026 Rules make clear that the threat landscape has fundamentally shifted. The dominant fraud pattern is no longer unauthorized debits—it's unauthorized or fraudulently induced credits. This shift takes two forms:
- Account takeover, where bad actors breach and gain unauthorized access to an Originator's ACH credentials and systems, then initiate credit transactions the Originator never authorized.
- Transactions authorized under False Pretenses, where the customer did approve the transaction, but only because they were deceived—think vendor impersonation, payroll impersonation, or business email compromise. This happens when a payer is tricked into making a payment by somebody who misrepresented who they are, who they work for, or ownership of an account.
This explains the "why" behind the Rule changes. Fraud has shifted from unauthorized debits to unauthorized or false-pretense credits. In both cases, the victim has been impersonated or duped into originating a transaction that, to the bank, looks entirely legitimate. The bank cannot solve it alone.
Why not? Because the bank does not sit inside:
- the customer's AP workflow,
- their vendor onboarding,
- their invoice approval chain,
- their payroll file creation process,
- their email security posture,
- their credential and system access controls,
- or the moment they change bank account details after an "urgent" email.
The customer does.
So the Rules don't just ask banks to detect fraud. They ask banks to ensure fraud prevention exists where the fraud is actually happening.

What Exactly Is Shifting in the Rules?
Nacha's fraud monitoring framework lands on two sides of the house:
1) The Sending Side: Originators, Third-Party Senders, and ODFIs (All ACH Entries)
Nacha states that each covered party must establish and implement risk-based processes and procedures intended to identify entries suspected of being:
- Unauthorized—meaning not actually authorized by the Originator. This is a fundamental shift from the traditional framework, which focused on authorization by the Receiver. Now, the Rules also address situations where bad actors gain access to an Originator's systems and credentials to initiate transactions the Originator never approved.
- Authorized under False Pretenses—where the Originator did authorize the transaction, but only because they were deceived.
...and to assess and keep those processes up to date as risks evolve ("at least annually").
So why does this shift focus to the customer?
Because on the origination side—the side of the Network where fraud is increasingly initiated—the critical gaps live outside the bank's walls.

2) The Receiving Side: RDFIs (Credit Monitoring)
RDFIs have parallel requirements focused on ACH credit monitoring, centered on recognizing mismatches or suspicious activity in incoming credits—not on assessing whether False Pretenses occurred upstream. Their responsibility is to identify red flags such as unusual patterns, velocity anomalies, and account-level signals that suggest something is wrong: there’s a mismatch between the incoming credit and the receiving account.
Where You Sit in the Payment Chain Determines What You're Responsible For
One of the clearest signals in the Rules: where the Party sits in the transaction chain dictates what they must do.
Originators sit at the critical juncture for both types of fraud:
- For False Pretenses fraud: Because Originators are the Parties taking in payment information and initiating changes—like adding or changing account numbers—they are now the ones deciding the procedures and careful controls under which these changes can be made.
- For unauthorized fraud: Because Originators control access to their credentials and systems—the security of their operations—they control the critical point of access that bad actors exploit.
Which means: because bad actors are mimicking authorized and normal transactions, it's not enough under the Rules to simply monitor for abnormal transaction behavior. Banks must monitor and oversee customer operational behavior—especially for higher-risk Originators and Third-Party Senders.
This is the heart of the shift:
Nacha's Rules reframe bank fraud monitoring as customer operations oversight.
Not "are we a safe bank?"
But "are our customers' payment operations safe, and do we have records that validate that?"
Why Regulators Place Customer Fraud Responsibilities on Banks
A common question banks are asking: Why is Nacha placing all this responsibility on us? Why not require it directly of Originators?
The answer is structural. Regulators and Network rule frameworks can mandate obligations for participating financial institutions, but they don't have the same direct authority over every SMB, corporate, nonprofit, school district, or other organization that originates ACH.
So the model becomes:
- Rules place obligations on banks (ODFIs/RDFIs and other participants)
- Banks, in turn, must:
- contract for expectations (origination agreements, third-party sender agreements),
- oversee performance (records), and
- build feedback loops that validate controls exist and evolve.
Can banks hire vendors to do this for them? Regulators have been clear when discussing vendor reliance: you can use vendors, but you can't "contract away your responsibility." If a responsibility is assigned to you in the Rules, you must ensure it's being done—even if a third party performs it.
That same logic applies to customer relationships. The bank is the obligated party. So the bank must operationalize customer operations oversight—at scale.
You Can Flag Abnormal Transactions—But You Can't See Broken Customer Workflows
Nacha repeatedly returns to one theme: understanding normal behavior vs. abnormal behavior.
They cite monitoring dimensions like:
- Volume and value (is this amount/volume expected?)
- Velocity (how often a routing/account number appears in a file; repeated names/accounts across multiple Originators)
- Returns patterns (use returns as a learning loop to stop the next event)
- Potential use of account validation and ownership validation as a best practice (encouraged, even if not explicitly mandated)
But here's the catch: while banks can see network-facing behavior, fraud is happening "upstream." If a customer's internal process is weak, "abnormal" becomes their new "normal."
That's why the Rules implicitly require banks to do more than watch transactions. Banks must understand:
- how a customer obtains authorization and verification for payment instructions
- how a customer protects access to ACH credentials and systems
- whether and how a customer verifies a Receiver’s identity, account ownership and account validation
- who can change account details
- how vendor changes are verified
- how payroll changes are approved
- what internal alerts exist
- what training and controls are in place
- and whether those controls evolve as threats evolve
This is not a one-time onboarding questionnaire. It's ongoing operational risk management.
The Compliance Trap: "Risk-Based" Does Not Mean "Minimal"
Another important signal in the Rules: Nacha says there is no risk-based approach that results in doing nothing.
Even low-volume Originators must have risk-based processes. And Nacha adds a practical truth: pre-processing is the only chance to stop something.
That's a direct challenge to banks that plan to rely only on after-the-fact investigation.
If your customer's process allows a false-pretense payment to be released, and the first time you learn about it is after settlement, you are now operating in a recovery world—not a prevention world.
To Banks: Your Customer Enablement Plan Is Your Fraud Prevention Plan
If your institution is preparing for the Fraud Monitoring Rules this year, the most important operational decision isn't "which monitoring system do we use?"
It's:
How do we operationalize customer oversight at scale—without creating an army of manual follow-ups?
Because the Rules are effectively asking banks to:
- Identify which customers present higher fraud risk
- Require risk-appropriate controls, validation, and security measures in customer payment operations (not just in the bank)—including stronger access protections to guard against unauthorized transactions
- Validate those controls exist (and stay current)
- Monitor behavior and signals over time
- Escalate and intervene when patterns indicate abnormal behavior or likely false pretenses
That's a strategic shift, not a project.
And it's why many banks are rethinking the traditional "annual questionnaire and scattered documents" approach. That approach struggles with consistency (different analysts interpret answers differently), defensibility (hard to show auditors a clear chain of evidence), and scalability (manual chasing doesn't improve as your Originator base grows).
How LexAlign Fits This Shift: Turning Customer Operations Oversight into Measurable, Defensible Compliance
LexAlign was built for this exact reality: banks needing reliable visibility into customer operational risk—at scale—without adding more manual work.
When the Rules require "risk-based processes and procedures" and the ability to keep them current, banks need three things:
- Structured, role-appropriate data collection from customers (not freeform narratives)
- Evidence and audit-ready artifacts that map back to Rule expectations
- Ongoing monitoring signals that help distinguish normal vs. abnormal behavior over time
LexAlign helps banks operationalize the customer side of fraud prevention by standardizing customer diagnostics around required control areas, collecting and organizing supporting documentation, creating consistent outputs that can be reviewed, escalated, and audited, and supporting ongoing oversight as risks evolve (rather than a once-a-year scramble).
Most importantly, it aligns with the Rules' central reality: you can't prevent false-pretense fraud without involving the customer.
A Simple Way to Explain the Shift
Need a one-paragraph internal explanation (for leadership, audit, or the board)? Here it is:
Nacha's Fraud Monitoring Rules reflect a fundamental change in fraud: bad actors are increasingly breaching and gaining unauthorized access to Originators' ACH credentials and systems, or tricking bank customers into initiating legitimate-looking payments ("authorized under false pretenses"). Because those decisions and vulnerabilities exist inside customer operations—not inside the bank—the Rules effectively require banks to recruit customers into fraud prevention. The bank remains the obligated party, so we must oversee customer controls, validate they exist, and monitor behavior over time. Our fraud monitoring program is therefore also a customer enablement and customer operations oversight program.
What to Do Next: 3 Smart Moves Banks Should Make Now
1) Understand what the Rules are really saying. The Fraud Monitoring Rules are not just about transaction alerts. They require risk-based processes that identify unauthorized activity and false-pretense fraud—including visibility into customer payment operations, not just bank systems.
2) Take inventory of your current tools and processes. Assess where you truly have oversight—and where you only have after-the-fact monitoring. Identify gaps in consistency, documentation, scalability, and your ability to demonstrate compliance.
3) Build a scalable oversight engine—not a heavier burden. Avoid layering on more manual reviews. Instead, implement structured, repeatable processes that standardize customer oversight, produce audit-ready evidence, and evolve as fraud threats evolve.
Bottom Line
The new Fraud Monitoring Rules don't just raise the bar for banks. They move the playing field.
Fraud is targeting customers because customers are now the easiest path to the money. Nacha's Rules respond by requiring banks to oversee and strengthen customer payment operations—because that's where the fraud is initiated and where prevention must start.
If you're preparing for enforcement this year, the question isn't whether you will involve customers.
It's whether you will do it in a way that's scalable, consistent, and defensible.
From Guidance to Enforcement: The Real Consequences of Not Preparing for Nacha’s Fraud Monitoring Rules
No bank wants to spend money on a new solution—especially in an environment where budgets are tight, headcount is constrained, and every investment must compete with growth initiatives.
That reluctance is understandable.
But as the Nacha Fraud Monitoring Rules move from guidance to enforcement, banks face a hard truth: doing nothing differently is not a neutral decision.
It is a decision to accept a growing—and compounding—risk.
This article explores what happens when banks rely on the status quo: manual questionnaires, limited customer visibility, and (inevitably) a reactive fraud response—after something goes wrong.
The New Reality: Bank Customers Are the Primary Targets of Fraud
Nacha has been explicit about why the new Fraud Monitoring Rules are essential: credit-push fraud is no longer an edge case—it is now the dominant fraud threat to the ACH Network.
That statement fundamentally reframes the risk landscape. Fraud is increasingly originating outside the bank’s perimeter, at customer sites where authorization is obtained, credentials are stored, and access controls vary widely.
Bad actors are arbitraging vulnerabilities by attacking the customers as the gateway to the bank.
That’s why the new Rules require (not just recommend) that banks look more closely at how their customers run their day-to-day operations (“verified by appropriate oversight”).
What Happens If Banks Change Nothing?
Manual questionnaires/surveys will come up short.
Many institutions have historically relied on periodic questionnaires or surveys to assess Originator or Third-Party Sender compliance.
These approaches tend to suffer from the same structural problems:
- Low completion rates
- Inconsistent answers
- Easy to game / minimal revelatory insight
- No standardized scoring or trend analysis
- Limited audit defensibility
- Heavy staff time spent chasing responses, let alone on compiling, analyzing and producing reports and remedial plans
- No tailored insights to help customers remediate gaps
The issue isn’t that questionnaires/surveys exist—it’s that they:
- don’t scale
- don’t produce consistent or often meaningful records
- don’t impactfully sensitive and empower customers to be active participants in fraud prevention (in the way the Rules are now asking banks to do)

When Fraud Happens First—and Questions Come Later
In a recent conversation, a community bank shared with us how they narrowly avoided a $1.6 million loss from a business email compromise (BEC) involving a valued commercial customer.
Unfortunately, stories like this are no longer rare—they’re now part of the day-to-day reality for banks across the U.S.
The payments in that near-miss example were technically authorized, so how could this happen?
The fraud occurred because a key employee of the customer was deceived by a savvy fraudster (human factor risk)—exactly the type of “False Pretenses” scenario Nacha’s new Rules were created to address.
The bank avoided the loss, but the aftermath raised uncomfortable questions:
- What visibility did the bank have into the customer’s actual authorization practices?
- What evidence existed that the customer had been educated or empowered to manage BEC risk?
- What records demonstrated the bank had oversight prior to the event?
Without that evidence and records an examiner might find that the bank is ultimately responsible under the Rules for any resulting loss, regardless of what’s in the origination agreement (under Rules Section 2.1 and the BSA and AML regulations). Near misses are warnings. The next incident may not end the same way.
Examiner Questions Banks Should Expect
The New Rules signal a regulatory (and audit) focus on how banks oversee customers’ compliance/risk management. Once enforcement begins, examiners will not only ask whether banks have oversight—but how banks’ reliance on customer compliance or fraud monitoring is verified and enforced.
Common questions are likely to include:
- How do you know your Originators understand and follow authorization requirements?
- What evidence shows you reviewed customer fraud controls annually?
- How do you identify higher-risk customers (based on operational compliance, not just the traditional factors like return rates) and adjust oversight accordingly?
- What does “appropriate oversight” look like in practice at your bank?
These are not theoretical questions. They ensue from the placement of the New ODFI Rule following Section 2.1 and Nacha’s stated standard for reliance on third-party operational compliance: “verified by appropriate oversight”—language that implies evidence, not intention.
What Happens If A Bank Is Non-Compliant?
A critical misconception persists: that Nacha violations primarily result in modest fines.
In reality, monetary penalties are often the smallest part of the impact.
If a bank is found non-compliant with Nacha Rules—particularly around customer authorization and Fraud Monitoring—the potential consequences include:
1. Regulatory escalation
Nacha Rules intersect with broader regulatory expectations around operational risk, third-party risk management, and safety and soundness. A Nacha compliance failure can quickly expand into broader supervisory scrutiny.
2. Reputational damage
Fraud events tied to weak oversight erode trust with customers, counterparties, and regulators—especially when losses fall on small businesses, nonprofits or municipalities.
3. Litigation risk
Even when banks are not legally at fault, customers harmed by fraud often seek recovery. Banks sometimes absorb losses simply to avoid reputational harm or prolonged disputes.
4. Growth constraints
Regulatory findings can limit:
- new product launches,
- onboarding of higher-risk customers,
- acquisitions or strategic expansion.
In short, a compliance failure can become a growth inhibitor.
The Concept of a “Compliance Deficit”
One of the most dangerous positions a bank can be in by June 2026 enforcement is running what can be described as a compliance deficit.
A compliance deficit occurs when:
- Regulatory expectations/rules have clearly shifted,
- Peer institutions have upgraded their approaches and solutions to comply,
- Regulators expect demonstrable evidence aligning with the new Rules
- But the bank lacks scalable systems, records, and oversight mechanisms.
At that point, catching up is far more expensive than preparing early. A compliance deficit can lead to reactive spending, emergency remediation, and rushed implementations—often under examiner pressure. An examiner’s discovery of a compliance deficit may also entail a finding of a violation of a reporting duty.

What Happens When Fraud Hits?
Many institutions delay investment until something bad happens. That approach is risky for three reasons:
- Fraud impact is massive
A single event can erase years of building healthy cash reserves. - Post-incident scrutiny is harsher
Controls that might have been acceptable before an incident are judged more critically afterward. - Remediation under pressure is inefficient
Emergency fixes cost more, strain staff, and often miss strategic alignment.
“You can control compliance and therefore, to an extent, the resulting costs. Waiting removes that control.”
— Trevor Lain, JD, Founder & CEO, Lexalign
A Necessary Investment at a Critical Moment
No one wants to buy new technology, but here is the 2026 reality:
Fraud has shifted. Regulatory expectations have shifted. And responsibility now explicitly includes educating, sensitizing, and overseeing customers—the very place fraudsters are concentrating their efforts.
Banks that invest now are not just buying compliance. They are:
- protecting deposits,
- preserving customer trust,
- safeguarding growth plans,
- and avoiding compounding risk.
The question is no longer whether banks will need stronger tools to meet requirements under the new Rules.
The question is whether they will implement them before or after something goes wrong.
Doing nothing may feel cheaper today. But under the new Nacha Rules, inaction is far more expensive than having a strong, scalable solution in place on Day 1.
What “Risk-Based” Really Means Under Nacha’s Fraud Monitoring Rules
What “Risk-Based” Really Means Under Nacha’s Fraud Monitoring Rules
(And What It Doesn’t)
Written by Julie Goff, JD, Head of Operations, Lexalign
When Nacha introduced its new Fraud Monitoring Rules, one phrase immediately became central—and, for many banks, confusing: “risk-based” procedures.
The term appears straightforward, but in practice it isn’t always easy to interpret. Some institutions read it as permission to do less. Others assume it requires exhaustive, transaction-by-transaction monitoring of every ACH Entry.
Neither interpretation is correct.
To comply with the new Nacha Fraud Monitoring Rules—and to prepare for examiner expectations—banks need a clear, defensible understanding of what “risk-based” means, what it does not mean, and how it should inform planning under the Rules.
This article unpacks that definition using themes and guidance that have been consistently reinforced by Nacha officials and industry experts.
Where “Risk-Based” Appears in the Nacha Rules
The first fraud monitoring Rule appears in Article 2 (Prerequisites to Origination). It requires participants in the ACH Network—including ODFIs, Originators, and Third-Party Senders—to:
establish and implement risk-based processes and procedures, relevant to the role it plays in the authorization or Transmission of Entries, that are reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses.
Each part of that sentence is intentional and guides the interpretation. In this blog post I’ll focus on “risk-based.”

What Does Nacha Mean by “Risk-Based”?
In Nacha’s explanations of the Rule, “risk-based” is not used casually or as a catchall. It should be read in conjunction with the word “role” in the sentence: procedures should be aligned to each Party’s role in the ACH flow, and also to both their level of ACH activity, and their ability to detect fraud at that point in the process.
This allows us to infer three key implications:
1. Risk-based is role-based.
The Rule explicitly recognizes that different participants face different risks:
-
- ODFIs face risk by transmitting Entries they do not themselves originate and must manage the aggregate exposure of their Origination portfolio.
- Originators face risk at the point of initiation—where account takeover, social engineering, and impersonation schemes (including business email compromise and increasingly voice or video impersonation) exploit gaps in authorization and access controls.
- Third-Party Senders often face a combination of these risks, depending on how their TPS and TPSP roles are structured and how much control they exercise over origination.
Risk-based procedures must align to what each Party can reasonably see and control, not to risks that arise elsewhere in the flow.

2. Risk-based focuses on probability and impact—not perfection.
Understanding “risk-based” also requires distinguishing risk from compliance.
On an individual party level, risk refers to the probability of a costly disruption to normal operations or expectations—whether arising from fraud, cyber incidents, operational failures, or market events. As used in the Nacha Operating Rules, though, “risk” also means the risk to the Network–the impact a party’s actions or omissions might have on other parties active on or affected by activities on the Network.
Compliance, by contrast, refers to the records and evidence that demonstrate a covered party is satisfying applicable requirements and expectations.
The new Rule does not require banks—or their customers—to eliminate fraud entirely. That is neither realistic nor expected. Instead, it requires measures that are reasonably proportional to the risk a party presents to the Network, taking into account both role and transaction activity.
At the same time, the Rule makes clear that banks must be able to demonstrate risk-based compliance through records. When fraud occurs, the absence of records can have enormous effect—it can greatly amplify regulatory, legal, financial and reputational consequences.
3. Risk-based explicitly includes fraud induced under False Pretenses.
This is one of the most important evolutions in the Nacha Rules.
Nacha defines False Pretenses as the inducement of a payment by misrepresenting:
-
- a person’s identity,
- a person’s authority or association with another party, or
- ownership of the account to be credited.
In practical terms, False Pretenses captures impersonation-based fraud—including business email compromise, payee impersonation, and similar social-engineering schemes.
These transactions may appear authorized on their face, but they are fraudulent by definition. The Rule explicitly brings these scenarios within the scope of required fraud monitoring.
What “Risk-Based” Does Not Mean
Just as important as understanding what the Rules require is understanding what they do not require.
1. It does NOT mean monitoring every transaction in real time.
Nacha has been clear in its rulemaking and FAQs that screening every ACH Entry before posting is not required.
Transaction monitoring remains an important control, but it is not sufficient for credit-push fraud, which is intentionally engineered to look legitimate and evade bank-side filters.
2. It does NOT mean shifting responsibility to customers.
Another common misconception is that because Originators and Third-Party Senders now have explicit fraud-monitoring duties, responsibility has shifted away from banks.
That is not the case, as Nacha makes clear in the Rule itself and in the FAQs.
The “general rule” in Article 2 that ODFIs are responsible for Entries originated by their Originators and Third-Party Senders has not changed. Risk-based procedures do not alter Subsection 2.1 of the Rules or the ODFI’s ultimate responsibility for Entries, and for the compliance of those customers..
Origination agreements that specify customer obligations are necessary to bind the customer to the Rules—but they do not eliminate the bank’s responsibility for oversight. In effect, Nacha is imposing a supervisory duty on the ODFI with respect to its customers’ compliance. Indeed, in describing when a bank can rely on a third party’s (including a customer’s) origination controls, Nacha has specified a standard: “verified by appropriate oversight.”
3. It does NOT mean relying solely on attestations or disclosures.
Simply asking customers to certify compliance or complete a high-level questionnaire, without meaningful engagement or visibility into their operations, does not satisfy the intent of risk-based oversight.
In an article last year, Nacha described how its Risk Management Advisory Group found gaps they had relied on customer assurances on audits, where the customer could not supply records appropriate for an audit. Reliance solely on third party assurances or attestations can mean actual compliance gaps remain invisible and unaddressed—often revealed only after a fraud event.
What Risk-Based Does Mean in Practice
A practical, defensible risk-based approach centers on three foundational questions.
1. Where does fraud most likely enter the system?
For credit-push fraud, Nacha has consistently emphasized that customers are now a primary point of attack.
That means risk assessment must extend upstream into Originator and Third-Party Sender operations, not remain solely within bank-side transaction monitoring.
2. What controls are reasonable at that point of entry?
At origination, reasonable controls include:
-
- how counterparties are verified,
- how authorization is obtained and validated,
- whether and how Receiver accounts are validated,
- how access to payment systems is secured, and
- how unusual or high-risk activity is identified.
These are operational controls, not just analytical ones.
3. How does the bank demonstrate oversight?
This is where risk management and compliance converge.
Following risk-mitigating practices lowers the probability of fraud—but without records showing that those practices were implemented, reviewed, and maintained, banks lack compliance defensibility.
Risk-based management must therefore produce evidence, not just policy statements or intentions.
How Should Banks Think About Planning Under the New Rules?
When planning for compliance with the Nacha Fraud Monitoring Rules, banks should anchor on four principles:
-
- Layered, not singular: No single control addresses credit-push fraud.
- Customer-inclusive: Fraud monitoring explicitly involves Originators and Third-Party Senders.
- Proportionate: Higher-risk customers require greater scrutiny than lower-risk ones.
- Demonstrable: Examiners will expect evidence of assessment, action, and review.
Banks should avoid programs that are either over-engineered (unsustainable) or under-scoped (defensible only on paper).
Risk-based does not mean “do less,” and it does not mean “do everything.”
It means doing the right things, in the right places, for the right reasons—and being able to demonstrate that to examiners.
The "4 Boxes" to Check for Audit-Ready Compliance
As financial institutions enter 2026, one topic continues to surface in payments, risk, and compliance conversations: Nacha’s new Fraud Monitoring Rules. Most institutions know the Rules are coming. Fewer feel confident they fully understand what the Rules practically require—or whether their current tools are sufficient.
If that sounds familiar, you’re not alone.
We’ve spent the past year in deep conversations with banks and credit unions of all sizes, and a consistent theme emerges: the Rules are dense, role-based, and incorporate multiple articles, FAQs, and guidance. They don’t map neatly to a single technical solution or system.
And yet, when examiners or auditors come knocking, the expectation is clear: you must be able to demonstrate (with records) that you and your customers are taking action.
The goal of this post is to simplify the problem without oversimplifying the Rules.
A useful way to think about Nacha’s fraud monitoring requirements is as four distinct “boxes” that must be checked. Each box represents a different role in the ACH ecosystem and a different set of expectations.
No single tool checks all four—and that’s okay. Compliance is about having the right toolkit, not a silver bullet.
Let’s walk through the four boxes, what Nacha is asking in each, and how FI’s are approaching readiness.
Why the Rules Feel Different This Time
Before diving into the boxes, it’s worth acknowledging why these Rules feel heavier than prior updates.
At their core, the new Rules focus on identifying unauthorized transactions and transactions authorized under false pretenses—including business email compromise, vendor impersonation, payroll fraud, and account takeover.
But the most significant shift is where Nacha places responsibility.
For the first time, the Rules explicitly recognize that fraud prevention cannot live solely inside the bank. Fraudsters increasingly target non-consumer bank customers because they can manipulate human behavior and make fraudulent transactions appear legitimate to legacy monitoring systems.
As Nacha has made clear, this framework only works if “all participants” play an active role—including Originators and Third-Party Senders.
That reality fundamentally changes what FIs must be prepared to demonstrate.

The 4-Box Framework: A Practical Way to Think About Compliance Under the New Rules
Box 1: ODFI Responsibilities — Monitoring Outbound ACH Entries
What The Rules Require
For outbound ACH entries, Nacha expects ODFIs to establish and implement risk-based processes and procedures designed to identify and prevent the transmission of fraudulent entries. These processes must be reviewed at least annually and updated to address evolving risks.
Importantly, the Rules do not require banks to scrutinize every transaction equally. Risk-based means focusing more attention on higher-risk transactions, customers, or patterns.
How banks are approaching this
For many banks, this box is familiar territory. Transaction monitoring became standard during the rise of debit fraud, and most institutions already have tools and processes in place. The key question is whether those tools have been enhanced to address credit fraud patterns, not just debit fraud.
For many institutions, Box 1 is less about acquiring new technology and more about validating and documenting that existing monitoring aligns with the new expectations. (Documentation is key to demonstrating compliance.)
Box 2: Originators — Authorization and Human-Factor Risk
What The Rules Require
This is where the new Rules introduce the greatest challenge.
Originators are responsible for establishing risk-based procedures to:
- Prevent transactions that are unauthorized (e.g. account takeover) and
- Identify/stop transactions that are authorized under false pretenses (e.g. BEC, payee impersonations)—in other words., scenarios specifically designed to bypass bank-side transaction monitoring.
While Nacha does not regulate Originators directly, the Rules make clear that banks are responsible for ensuring their Originators are meeting these expectations, through their origination agreements and oversight practices.
Crucially, Nacha has articulated a standard here: Originator compliance is expected to be “verified by appropriate oversight” by the ODFI.
Why this box is hard to check
Unlike transaction monitoring, this risk largely lives in human behavior. There is no plug-in that can stop an employee from being tricked into changing vendor payment instructions or approving a fraudulent payroll file.
Historically, many banks relied on:
- Static questionnaires to inquire about customer operations
- One-time onboarding reviews with new customers
- Sending customers the rulebook or policy language
- Posting general rule guidance on bank website (not customer specific)
Under the New Rules, those approaches are increasingly difficult to defend. Auditors and examiners are looking for evidence that banks have:
- Empowered customers to understand rules that are actually applicable to them
- Assessed whether appropriate controls are actually in place within a customer’s unique environment and remote operations
- Maintained records that demonstrate that they are actively doing the above 2 points with each non-consumer Originator.
This is where many banks realize they have a gap—not because they aren’t trying, but because manual approaches don’t scale across a large commercial customer base. (But good news – there is a solution!)
Box 3: Third-Party Senders — Oversight and Proof
What The Rules Require
Not every bank has Third-Party Senders—but many discover them through closer review of their customer base. In some cases, an Originator may effectively be operating as a Third-Party Sender over time.
For Third-Party Senders, Nacha expects risk-based controls to identify and prevent fraudulent entries, similar to ODFI expectations. The difference is in oversight and evidence.
Fortunately for FIs, the Rules already require TPS to do an annual audit, similar to the ODFI responsibility. ODFI are expected to assess completion of those audits and, when requested, attest to them. However, recent Nacha guidance has emphasized not just attestation of compliance, but proof of audit, implying that attestation is grounded in a review of evidence—and banks are expected to review and retain that proof.
For this box, then, it will be important for banks to demonstrate that the review of TPS annual audits included compliance with the new Fraud Monitoring Rules: that the TPS is doing something, commensurate with their risk, to detect and stop unauthorized or fraudulently authorized transactions. (Again, good news – there is a solution for this too!)
Why this matters
Even when Third-Party Senders are low-volume or lower-risk, banks remain responsible for demonstrating oversight. If a TPS is involved in fraud, examiners will ask:
- How did you assess their controls?
- What records show you reviewed their compliance?
- How do you know their risk-based approach is appropriate?
This box is often overlooked until late in the readiness process, but it can quickly become a point of examiner focus.

Box 4: RDFI Responsibilities — Monitoring Inbound Credit Entries
What The Rules Require
On the receiving side, RDFIs must establish risk-based processes to identify suspicious incoming credit entries and respond appropriately. Nacha has provided examples of patterns that warrant attention, including:
- SEC code mismatches
- Atypical transaction amounts
- Rapid series of similar credits
- Activity involving new, dormant, or mule-like accounts
As with other boxes, these processes must be reviewed annually and updated as risks evolve.
How banks are approaching this
Like Box 1, many banks already have tools or procedures that address inbound monitoring. The work here often involves:
- Confirming patterns covered by existing systems
- Documenting response procedures
- Ensuring annual review is explicit and recorded
Why No Single Tool Checks All Four Boxes
One of the most important takeaways from the new Rules is this: compliance requires a toolkit approach.
Each box reflects a different role, a different risk profile, and often a different operational owner. Expecting one system to cover outbound monitoring, customer behavior, third-party oversight, and inbound detection is unrealistic—and Nacha does not require that.
What regulators do expect is that banks:
- Understand each obligation clearly
- Align tools and processes to each box
- Can produce records showing how each expectation is met
This framing often brings relief. It allows banks to stop searching for a mythical “end-to-end compliance solution” and instead focus on closing specific gaps.
Where Lexalign Fits: Checks Boxes 2 and 3
Across institutions, the most persistent challenges tend to live in Boxes 2 and 3:
- Originator controls and human-factor risk
- Oversight records that demonstrate compliance
Lexalign was built specifically to address these challenges.
Lexalign provides a structured, automated way for banks to:
- Guide customers through tailored, rule-aware diagnostic interviews (not generic questionnaires)
- Educate customers on applicable requirements in context
- Identify gaps and produce actionable remediation plans
- Maintain audit-ready records that demonstrate “verified by appropriate oversight”
- Support risk-based prioritization across the customer portfolio
By focusing on the customer side of remote operations—where many of today’s fraud risks originate—Lexalign complements, rather than replaces, existing monitoring systems.
You’re Not Behind—You’re Right on Time
If you’re still evaluating what the Nacha Rules require, or whether your current tools are sufficient, it’s worth saying this clearly: most banks are in the same place.
These Rules are complex by necessity: they reflect a changing fraud landscape and a recognition that prevention requires shared responsibility. The institutions that will navigate this most effectively are not those who rush to buy technology, but those who take the time to:
- Understand each obligation
- Assess your toolkit honestly
- Address gaps deliberately
A Simple Next Step
If Boxes 2 and 3 feel like the hardest pieces of the puzzle—and for many banks, they are—we invite you to start a conversation.
The Lexalign team works with banks every day to map the four boxes, identify exposure, and determine whether Lexalign is the right fit for supporting Originator and Third-Party Sender oversight.
Connect with us to explore how Lexalign can help you confidently check Boxes 2 and 3—at scale, with clarity, and with audit-ready confidence.












