Last month, Nacha signaled another significant change in ACH compliance: in ACH Operations Bulletin 3-2025 (9/11/25), Nacha announced that ODFIs will be required to submit attestation of proof of annual rules compliance audits through Nacha’s new secure channel, as soon as this month (October 2025). This most recent development builds upon earlier recommendations from Nacha’s Risk Management Advisory Group (RMAG) and has direct implications for both banks and their Third-Party Senders (TPS).
Nacha’s Wording Implicates Records
The subtle but important requirement is that Nacha is requiring not just an attestation of audit but an attestation of “proof” of audit. Nacha clarifies that:
Proof of audit typically includes audit reports, internal review documentation, remediation plans for any identified deficiencies, and confirmation of management oversight.
While Nacha is not requiring that banks (ODFIs) submit more than an attestation, an attestation is a legal statement reflecting knowledge of certain facts. An attestation by an officer of a bank creates the risk of liability for both the officer and the bank. Though Nacha explicitly leaves it to the bank to determine if reliance on a TPS attestation of audit is sufficient under the bank’s policies, it could be risky to do so, as Nacha has previously signaled.
From “Check-the-Box” to Real Accountability
In February 2025, Nacha and RMAG raised concerns in a piece titled Should an ODFI Ask a TPS for Proof of a Rules Compliance Audit?. In that blog, they discussed their concerns that many TPS’s (across ODFIs) were simply signing attestations that they had performed an audit — without ever conducting one.
As Trevor Lain, CEO of Lexalign, explains:
“What RMAG members found is that customers were checking the box — attesting they’d completed an audit — but when asked for documentation, they had nothing to show. Banks were trusting, but not verifying. This isn’t sustainable from a legal or regulatory perspective.”
Because, under Article 2 of the Nacha Operating Rules, ODFIs are primarily responsible for their Originators’ and Third-Party Senders’ compliance, relying on unchecked promises leaves banks exposed.
In short, the liability ODFIs have long placed on their TPSs has officially shifted back to them – and it’s now time to upgrade their policies, procedures and operations to be ready.
What the New Nacha Bulletin Implicates
The new ACH Operations 3-2025 bulletin automates and enforces oversight:
- ODFIs will be required, upon request, to submit attestation of proof of audit through a secure Nacha channel
- By automating the outreach/response process, Nacha can now request many more ODFIs than previously to supply the attestations in a given year.
- This doubles down on the reality faced by large institutions which must demonstrate not just attestations, but documented audits.
- Nacha’s intent is clear: move the industry from self-certifications to reviewable, verifiable compliance audits.
As Lain notes, this reflects a broader trend:
“This isn’t just about ODFIs anymore. Each originator and each TPS now has a defined role in compliance and risk management. Nacha is saying: ‘We’re not kidding.’”
Why It Matters
- For ODFIs: You must ensure you can demonstrate not just your own compliance, but also that of your TPS customers.
- For TPS: You can no longer simply sign an attestation. You’ll need a real, documented rules compliance audit — and be ready to deliver it to your ODFI.
- For Regulators: The move shows Nacha’s increasing seriousness in pushing the Network toward proactive fraud prevention and risk monitoring.
How Lexalign Helps
Lexalign already equips ODFIs with automated, compliance diagnostic assessments for Originators, that is designed to empower their compliance and reveal hidden TPS. Now, we’re extending that capability to TPS. Our Third-Party Sender Audit Module enables:
- Risk-based compliance reviews of TPS activities in line with the Nacha Operating Rules and Guidelines
- Records and data that empower TPS compliance and enable ODFIs to demonstrate proof of audit, including audit reports with gap analyses and remediation plans, checklists, policies and procedures, attestations and acknowledgements – all designed to meet the Rules of Evidence.
- Efficiency and scalability, especially for banks with hundreds or thousands of TPS or originators.
As one senior banker recently described it, Lexalign’s TPS audit is “the wedge into the bank” — an accessible first step toward a broader compliance strategy.
Here’s The Good News
Nacha’s latest bulletin is more than a technical update. It’s a clear statement: the era of “check-the-box” compliance is over. Banks must be able to prove that audits are conducted, and TPS must be prepared to deliver them.
But here’s the good news: Lexalign provides the framework for doing just that — helping ODFIs and TPS move from promises to satisfactory proof, at scale.
Learn more about how Lexalign supports ODFI and TPS compliance, talk to our team!