Regulators Only Have Eyes for You
Phase 2 of Nacha’s 2026 Fraud Monitoring Rules is now in effect. The Rule requires your Originators to detect signals of fraud: unauthorized transactions and transactions authorized under “False Pretenses.” That obligation lands on them.
But when the auditor or examiner arrives, they will not audit your Originators; they will audit you. Understanding that distinction is where compliance preparation has to start.
The Fraud Monitoring Rule Covers Multiple Parties — by Role
Subsection 2.2.4, the new Fraud Monitoring Rule (the “New Rule”), applies to each non-consumer Originator, each Third-Party Sender, each ODFI, and each Third-Party Service Provider that performs ACH processing functions. Each party’s obligation tracks its role in the authorization or transmission of entries.
Your role as the ODFI is transmission. Your Originators’ role is authorization. Those are different roles, and demonstrating compliance with each role’s obligations under the New Rule takes different evidence.
Your existing transaction monitoring addresses your transmission-side obligation by watching entries for fraudulent patterns, credit push anomalies, and return rate signals. That is Box 1 of the four compliance boxes the Rules now require. Most institutions have been focused on this aspect of the New Rule for some time.
The New Rule’s harder question concerns Box 2: what does your Originator’s authorization-related obligation mean for you?
Nacha Has No Authority Over Your Originators. But You Do.
Nacha does not (and has no legal basis to) audit your commercial customers. It has no regulatory or contractual power over them. It cannot require them to do anything without your involvement. Instead, the Rules reach your Originators through the origination agreement they signed with you, governed by Subsection 2.2.2, and through your enforcement of that agreement as required by Subsection 2.2.3.
Nacha’s General Rule, Section 2.1, makes the ODFI responsible for every Entry it transmits and for its Originators’ compliance with the Rules. When an auditor or examiner reviews your ACH program, they call on you. They ask you to produce records demonstrating your Originators’ compliance. That is the most natural reading of the Rules and the one an auditor or examiner would reasonably apply.
The ODFI functions as the regulator for its Originators. As it relates to your Originators, your auditor and examiners will audit you as their regulator.
Will the Origination Agreement Be Enough?
A reasonable first question is whether the origination agreement alone satisfies the audit standard. Your Originators signed it. They agreed to be bound by the Rules, including Rules enacted after they signed. If your agreements already say that, making them sign a new agreement will not enhance the obligation. It may be counted as an acknowledgement, but that alone is not sufficient, as we’ll see.
The agreement is only one of two required pieces. Nacha’s FAQs articulate the standard directly: an ODFI may reasonably rely on its Originators’ fraud prevention (that is, may reasonably make a statement about its Originators’ compliance) when it can show its Originators’ compliance is “allocated by contract and verified by appropriate oversight.”
That “and” means both. Verified by appropriate oversight sits alongside the contract as a co-equal requirement, not an alternative to it. One refers to Subsection 2.2.2, the agreement. The other to Subsection 2.2.3, the enforcement of the agreement, including the Originators’ compliance.
The verbs in Subsection 2.2.3 are where we look to understand audit exposure. The Rule requires the ODFI to perform due diligence with respect to each Originator’s capacity for compliance, to assess the nature of their ACH activity and the risks it presents, to monitor their origination and return activity, and to enforce restrictions on the types of entries in the agreement.
Each verb implies action. Each action implies a record. Your auditors and examiners will read for those verbs and ask whether you have records demonstrating you acted on them. For a deeper analysis of how Subsections 2.2.3 and 2.2.4 work together and what “verified” means in practice, see our article, Preparing for June 22: How Forward-Looking Banks Are Reading Nacha’s New Fraud Monitoring Rule.
What “Verified” Means and What It Does Not
“Verified” does not mean proved beyond doubt. It does not require an on-site audit of your customers’ operations. The law imposes a duty of honesty on the customer, and, absent clear reason not to, the ODFI may rely on its Originators’ statements, provided it asks in a way reasonably likely to reveal compliance and noncompliance.
That last clause carries the weight. Asking an Originator “are you complying with the New Rule?” does not constitute verification. An auditor or examiner would reasonably dismiss it, particularly given the emphasis Nacha has placed on Originators’ active contribution to fraud prevention in the New Rule and statements about it. That question presumes the Originator knows what compliance means for their specific operations, which is precisely what the assessment is meant to determine.
Sending a mailer about the New Rules does not produce records of assessment. Posting a resource on your website does not produce records of oversight. Verification requires a structured process that asks the right questions of each Originator based on the types of entries they actually originate, how they obtain authorization, and whether they’re complying with the related fraud prevention safeguards that Nacha has articulated.
What the Records Need to Show
Reading Subsections 2.2.3 and 2.2.4 together with Nacha’s guidance, a defensible oversight program produces six categories of records:
- Records demonstrating you assessed each Originator’s compliance, or obtained their structured self-assessment, against the rules that apply to their specific ACH activity.
- Records showing you alerted each Originator to the Rules and risks that apply to them individually, not rules in the abstract.
- Records identifying where each Originator has gaps.
- Records showing you empowered each Originator to understand what compliance means for the types of entries they originate and what remediation looks like.
- Records of what entry types each Originator is originating, to enforce the restrictions in the agreement.
- Records showing you monitored each Originator’s remediation and followed through where risk remained unaddressed.
The four-step framework of Assess, Sensitize, Empower, and Enforce corresponds directly to this record set. For a full walkthrough of each step, see Nacha’s Phase 2 Is Here: What Changed on June 22.
With Lexalign, you can build all six categories of records across your full Originator portfolio without adding staff. The platform runs the assessment, generates the records, tracks remediation, and produces the documentation an auditor or examiner could reasonably ask to see.
If you want to see how it fits alongside your existing tools, we would be glad to walk you through it. Book a demo with Lexalign to see the oversight program in practice.
This blog is for educational and informational purposes only. It does not constitute legal, compliance, or regulatory advice and should not be relied upon as such. The materials reference Nacha Operating Rules and related guidance as of the date of this blog. Rules and guidance may change, and their application depends on the specific facts and circumstances of each financial institution and its Originators. Lexalign does not speak for Nacha. Financial institutions should consult their own legal counsel, compliance professionals, and Nacha directly for guidance on their specific obligations.


