Over the past three months, the Lexalign team attended Nacha’s annual conference and several regional Payments Association events. The conversations at each returned to the same question: under the new Article 2 Fraud Monitoring Rule, where does the obligation sit, and what is enough to meet it?
The part of the Rule generating the most discussion is its opening provision: “Each non-consumer Originator; each Third-Party Sender…must establish and implement [risk- and role-based measures reasonably intended to detect Credit-Push Fraud attempts].” Subsection 2.2.4 codifies a principle Nacha has been signaling since 2022, when its Call for a New Risk Management Framework stated that all participants in the payments system have a role to play. Placement gives that principle primacy. Nacha has placed the new Rule among the prerequisites to origination, which signals that the Originator is expected to act first.
The ODFI’s position, however, has not changed. Nacha officials and RMAG members have repeatedly stated this spring that the ODFI “warrants” every Entry it transmits. That language traces to the General Rule (2.1), which makes the ODFI responsible for each Entry and for its Originators’ and Third-Party Senders’ compliance. The new Rule is placed just after the rules that govern the ODFI’s relationship with its Originators. Those preceding Rules frame what the ODFI is being asked to do.
How auditors and examiners will read the Rule
We can reasonably expect that auditors and examiners will read the new Rule alongside the Origination Rules and Nacha’s official guidance. They will look to Rule 2.2.3 and to the “reliance standard” in Nacha’s FAQs to identify what is testable. They will focus on the verbs that indicate what the ODFI is required to do, and they will request records that evidence the ODFI did it.
Four questions will drive the conversation. How did the ODFI form a reasonable belief about each Originator’s capacity for compliance? How did the ODFI assess the risk of each Originator’s activity, in a way that goes beyond return rate monitoring? How did the ODFI enforce the agreement? And how, in sum, did the ODFI operationalize the standard of “verified by appropriate oversight” that Nacha has articulated in its FAQs?
What the surrounding Rules require
Two Rules do the work. Rule 2.2.2 governs the origination agreement itself. Rule 2.2.3 governs what the ODFI does with it.
Under Rule 2.2.2, the origination agreement is the bedrock. The agreement must bind the Originator to the Rules and grant the ODFI the right to audit compliance. Because Nacha has no direct authority over Originators or Third-Party Senders, Rule 2.2.2 effectively deputizes the ODFI to act as the regulator of its customers’ compliance. The right to audit is not theoretical. It is the mechanism through which the Rules expect compliance to be enforced.
Rule 2.2.3 goes further. It requires the ODFI to act on the agreement, using three verbs the auditor will read for. The ODFI must perform due diligence with respect to the Originator’s capacity for Rules compliance. The ODFI must assess the nature of the Originator’s activity and the risks it presents. And the ODFI must enforce any restrictions on the types of Entries contained in the origination agreement. The due diligence in 2.2.3 concerns the Originator’s compliance ability, not transaction-level diligence.
The Reliance Standard and what “verified by appropriate oversight” means
These verbs do not require the ODFI to verify the Originator’s day-to-day operations. Absent a clear reason not to, the ODFI may rely on the customer’s word, as under the law governing financial services each party has an enforceable duty of honesty and fair dealing. Nacha’s FAQs reinforce a reliance standard: an ODFI’s processes and procedures may consider those implemented by other parties in the origination process, provided the basis for reliance is “reasonable and clear (e.g. allocated by contract and verified by appropriate oversight).”
The second “and” is conjunctive. “Verified by appropriate oversight” sits alongside the contract as a co-equal requirement, not as an alternative to it. What that verification produces, and what it looks like in records, is the question FIs are starting to contend with in the run-up to June 22.
Lexalign was built to solve that problem. What follows is how to think about it operationally.
What June 22 actually requires
June 22 applies to all customers, regardless of dollar size or transaction count. It is the deadline banks at recent payments events have been asking the most questions about, and it is tempting to read it as the Originator’s deadline. It is not. June 22 lands on the ODFI.
What makes this hard is the variety of entry types each ODFI handles. Different entry types call for different fraud prevention measures, and no single model fits them all. Bespoke strategies are not scalable. The ODFI has to account for oversight across the full variety of entries in its portfolio, and the records that demonstrate that oversight will reflect that variety.
The four-step cycle that addresses auditors’ anticipated requests
Lexalign frames the work as a four-step annual cycle. The first two steps are the prerequisites that make the requirements of 2.2.3 operable. The second two are the verbs themselves. Together, they produce the records that answer each question the auditor will ask.
Assess. Evaluate each Originator’s compliance with the rules, regulations and risks that actually pertain to the kinds of entries it actually originates (rather than the SEC Codes it uses).
Sensitize. Educate each Originator about the rules that apply to its specific activity, and where it has gaps. Motivate compliance by emphasizing the risks of non-compliance.
Empower. Instruct each Originator on the actions it could take to address its compliance gaps. Explain what remediation looks like. Enable it to achieve and maintain compliance (including fraud prevention) appropriate to the types of entries it actually originates.
Enforce. Act on the results. This includes enforcing (or updating) restrictions on the types of entries contained in the agreement, and it extends to enforcement of the Originator’s compliance with the Rules generally, including the new Fraud Monitoring Rule. As Nacha has increasingly made clear, nowadays “enforce” means remediate compliance gaps, rather than terminate agreements.
The cycle is annual because Rule 2.2.4 requires the Originator to assess the adequacy of its fraud prevention at least once a year as fraud evolves. The ODFI’s oversight needs to keep the same cadence.
What records would Nacha reasonably expect
Nacha has not published a checklist. What Nacha has said is that an ODFI’s reliance on its Originators’ fraud prevention is reasonable when “allocated by contract and verified by appropriate oversight.” The question is what verification produces, and what oversight looks like in records.
Conversations at recent events point to a clear answer. A Nacha auditor or examiner could reasonably expect to see, for each non-consumer Originator, records demonstrating each step of the cycle. Records that the Originator was sensitized to the risks and rules applicable to its activity. Records that the Originator was empowered with tools to comply. Records of the ODFI’s assessment of the Originator’s compliance. And records of the ODFI’s enforcement of the agreement where the assessment surfaced gaps.
A webpage notifying customers of the new Rule does not produce records of this kind. Neither does a single onboarding questionnaire. Nacha officials and regulators at recent events have been direct about the limits of those approaches. The records that demonstrate appropriate oversight are records of an ongoing process. They cover each Originator, on an annual cadence, and they show what the ODFI did and when.
On contracts
A common question from FIs at recent events: do existing origination agreements need to be updated? In most cases, probably not. If the agreement already binds the Originator to the Nacha Operating Rules (as required by Subsection 2.2.2), the contractual basis for reliance is in place. What is needed is the diligence the new Rule and Subsection 2.2.3 contemplate, and the records of enforcement that follow from it.
Why this calls for technology
At the scale most ODFIs face, the four-step cycle does not run by hand. Hundreds or thousands of Originators, each with a different activity profile, each requiring sensitization tailored to the rules that apply to its specific Entries, each producing data the ODFI then assesses, each generating records that have to be standardized, auditable, and produced annually. The function does not staff out at any reasonable headcount. Spreadsheets and email do not produce records of the kind the cycle requires.
Lexalign’s proprietary software automates the first three steps of the cycle, and enables the fourth. It assesses compliance by walking the Originator through an automated, online dynamic diagnostic interview. It sensitizes and empowers each Originator according to its activity: identifying gaps, specifying concrete remediation steps, delivering policies and procedures to train staff, and providing a dynamic remediation checklist. And it generates the structured records the ODFI needs to enforce the agreement and demonstrate appropriate oversight across the variety of entries its customers originate.
Forward-looking banks are preparing for June 22 by putting that cycle in place now. Lexalign was built to make it work at scale.

