What Financial Institutions Will Need for Audits and Exams.
Written by Trevor Lain, JD | Founder & CEO, Lexalign
The effective date for Phase 2 of Nacha’s 2026 Fraud Monitoring Rules, June 22nd, has finally arrived. What does this mean in a nutshell? Auditors and examiners can request records of compliance dating back to that date. If you’re not in compliance yet, your “compliance deficit” is rising each day. Here’s what to do.
On our enforcement-day webinar with financial institutions from across the country, we opened with a simple observation: the compliance burden your institution carried on Friday is not the one you bear today. That shift is structural, not incremental. It is worth understanding.
What did Nacha’s Fraud Monitoring Rule Phase 2 change on June 22?
The question compliance teams are asking right now deserves a direct answer.
Before June 22: Nacha’s new fraud monitoring requirements applied only to Originators, Third-Party Senders, and Third-Party Service Providers that originated or transmitted more than 6 million ACH entries in 2023. Phase 1 took effect March 20, 2026, and covered that group.
As of June 22, 2026: The volume threshold is gone. Subsection 2.2.4 now covers every non-consumer Originator, every Third-Party Sender, every ODFI, and every Third-Party Service Provider that performs ACH processing functions, regardless of volume. The Rule reads “each non-consumer Originator,” and each means every one. The small business running payroll once a month, the commercial contractor paying subcontractors, the school district collecting receivables – all are now in scope.
The perimeter of fraud monitoring has expanded beyond your institution’s walls and into your customers’ operations.
Why the Rule Was Written This Way
Fraudsters target your customers directly at origination. Those organizations’ operations (and their staff’s sophistication regarding risks, security and Nacha requirements) are the actual point of vulnerability and the point of entry.
A business email compromise scheme does not need to defeat your fraud detection if it can convince your customer’s AP team to update a vendor payment account. An account takeover does not look suspicious when it uses your customer’s own stolen credentials to initiate a normal-looking ACH credit. Fraudsters design these transactions to appear authorized and fit the pattern.
That is why Nacha has, since 2022, called for “every participant” in the ACH network to play a role. The new Fraud Monitoring Rule in Article 2 (2.2.4) (the “New Rule”) codifies that call: it’s no longer an appeal – it’s now a requirement.
But Nacha has no direct authority over your Originators: it cannot directly require them to do something. Instead, Nacha’s Rules reach your Originators through the origination agreement they signed with you (2.2.2) and your required enforcement of that agreement (2.2.3). In other words, the burden of the New Rule, as it applies to your customers, actually falls on you, as the ODFI. Nacha’s General Rule (2.1) makes the ODFI responsible for each entry it transmits and for its Originators’ compliance with the Rules. The New Rule depends on you for effect. So, what records should you have?

What “Verified by Appropriate Oversight” Requires of You
Most basically, you need records reflecting your customers’ compliance – that is, that they are doing something to detect and prevent unauthorized entries or entries authorized under False Pretenses. But what do you need to show in order to make that statement?
Nacha’s FAQs articulate a standard: an ODFI may reasonably rely on its Originators’ fraud prevention (that is, state that they are compliant) when that compliance is “allocated by contract and verified by appropriate oversight.”
“Allocated by contract” is easy: your origination agreements most likely already handle this. Your customers have agreed to be bound by the Rules, including Rules enacted after they signed. You do not need new contracts.
It’s the second part that’s the key: “verified by appropriate oversight.” It is not an alternative to the contract. It is not superfluous. It is a co-equal requirement alongside it.
“Verified by appropriate oversight” is what the agreement alone does not satisfy. But if “allocated by contract” refers back to Rule 2.2.2, where does “verified by appropriate oversight” sit in the Rulebook? It’s the next Rule: 2.2.3. That Rule sets forth how you’re required to enforce the agreement. It’s the verbs in that Rule that auditors will read in formulating requests for records. Do you have records demonstrating that you: “perform[ed] due diligence” with respect to the Originator’s capacity for compliance; “assess[ed]” the nature of the Originator’s activity and the risks it presents (as distinct from – and in addition to – “monitor[ing]” their transaction activity or “enforc[ing]” exposure limits); and “enforce[d]” the restrictions in the agreement? Sending a mailer, posting a webpage, or distributing the Rulebook does not produce records of this kind.
When fraud occurs – and, let’s face it, no program prevents 100% of fraud – the question auditors and examiners will ask is whether you acted on those verbs and whether you can show it.
What the Record Needs to Show, Starting Today
Auditors can request evidence dated back to June 22nd. Even if your exam is months away, this is the date the clock starts.
Reading the Rules only gets us so far. But if we read all the relevant Rules and Nacha’s related guidance together, we can deduce a program that is workable, that clicks the various buttons (shows action in accordance with those verbs), and builds records that auditors and examiners can reasonably (and at some point likely will) ask for.
A defensible oversight program runs through four steps on an annual cycle:
- Assess each Originator against the rules and risks that apply to its specific activity: not SEC codes in the abstract, but the actual entry types it originates, including how it actually obtains authorization and where its controls have gaps.
- Sensitize each Originator to the rules that apply to it specifically, to the gaps your assessment identified, and to the risks of noncompliance. (“Sensitize” combines “inform” and “motivate.”)
- Empower it with concrete instructions on how to remediate those gaps.
- Enforce by tracking follow-through, documenting improvements, and proactively intervening with Originators that present outsize, unremediated risk.
The cycle is annual because Rule 2.2.4 explicitly requires at least annual review of processes and procedures as fraud threats evolve. The ODFI’s oversight cadence needs to match it.

Your existing transaction monitoring addresses one of the four compliance boxes the Rules require. It watches entries on the ODFI side. Boxes 2 and 3, which cover Originator oversight and Third-Party Sender oversight, require visibility into customer operations that transaction monitoring is not designed to provide. No single tool checks all four boxes. That is not a criticism. It is a description of the scope of the problem. It requires a toolkit approach.
Lexalign is a tool that was designed to check boxes 2 and 3, and operationalize the program laid out above. Lexalign operationalizes the Nacha standard, “verified by appropriate oversight.”
Compliance is a journey, not a switch. Today is the right day to start building the records auditors and examiners will ask for. Start with these steps:
- Download our 4-Box guide to see exactly where your existing tools fit and where the gaps are.
- Take the 5-minute Readiness Quiz for a personalized snapshot of where your program stands. If you want to think through your next steps specifically, we are always happy to be a resource.
- Book a demo with Lexalign to learn more.
Lexalign helps financial institutions build verified, audit-ready oversight of non-consumer Originators and Third-Party Senders at scale. Compliance you can measure. Oversight you can defend.
This blog is for educational and informational purposes only. It does not constitute legal, compliance, or regulatory advice and should not be relied upon as such. The materials reference Nacha Operating Rules and related guidance as of the date of this blog. Rules and guidance may change, and their application depends on the specific facts and circumstances of each financial institution and its Originators. Lexalign does not speak for Nacha. Financial institutions should consult their own legal counsel, compliance professionals, and Nacha directly for guidance on their specific obligations.
