As financial institutions enter 2026, one topic continues to surface in payments, risk, and compliance conversations: Nacha’s new Fraud Monitoring Rules. Most institutions know the Rules are coming. Fewer feel confident they fully understand what the Rules practically require—or whether their current tools are sufficient.
If that sounds familiar, you’re not alone.
We’ve spent the past year in deep conversations with banks and credit unions of all sizes, and a consistent theme emerges: the Rules are dense, role-based, and incorporate multiple articles, FAQs, and guidance. They don’t map neatly to a single technical solution or system.
And yet, when examiners or auditors come knocking, the expectation is clear: you must be able to demonstrate (with records) that you and your customers are taking action.
The goal of this post is to simplify the problem without oversimplifying the Rules.
A useful way to think about Nacha’s fraud monitoring requirements is as four distinct “boxes” that must be checked. Each box represents a different role in the ACH ecosystem and a different set of expectations.
No single tool checks all four—and that’s okay. Compliance is about having the right toolkit, not a silver bullet.
Let’s walk through the four boxes, what Nacha is asking in each, and how FIs are approaching readiness.
Why the Rules Feel Different This Time
Before diving into the boxes, it’s worth acknowledging why these Rules feel heavier than prior updates.
At their core, the new Rules focus on identifying unauthorized transactions and transactions authorized under false pretenses—including business email compromise, vendor impersonation, payroll fraud, and account takeover.
But the most significant shift is where Nacha places responsibility.
For the first time, the Rules explicitly recognize that fraud prevention cannot live solely inside the bank. Fraudsters increasingly target non-consumer bank customers because they can manipulate human behavior and make fraudulent transactions appear legitimate to legacy monitoring systems.
As Nacha has made clear, this framework only works if “all participants” play an active role—including Originators and Third-Party Senders.
That reality fundamentally changes what FIs must be prepared to demonstrate.

The 4-Box Framework: A Practical Way to Think About Compliance Under the New Rules
Box 1: ODFI Responsibilities — Monitoring Outbound ACH Entries
What Nacha expects
For outbound ACH entries, Nacha expects ODFIs to establish and implement risk-based processes and procedures designed to identify and prevent the transmission of fraudulent entries. These processes must be reviewed at least annually and updated to address evolving risks.
Importantly, the Rules do not require banks to scrutinize every transaction equally. Risk-based means focusing more attention on higher-risk transactions, customers, or patterns.
How banks are approaching this
For many banks, this box is familiar territory. Transaction monitoring became standard during the rise of debit fraud, and most institutions already have tools and processes in place. The key question is whether those tools have been enhanced to address credit fraud patterns, not just debit fraud.
For many institutions, Box 1 is less about acquiring new technology and more about validating and documenting that existing monitoring aligns with the new expectations. (Documentation is key to demonstrating compliance.)
Box 2: Originators — Authorization and Human-Factor Risk
What Nacha expects
This is where the new Rules introduce the greatest challenge.
Originators are responsible for establishing risk-based procedures to:
- Prevent transactions that are unauthorized (e.g. account takeover) and
- Identify/stop transactions that are authorized under false pretenses (e.g. BEC, payee impersonations)—in other words, scenarios specifically designed to bypass bank-side transaction monitoring.
While Nacha does not regulate Originators directly, the Rules make clear that banks are responsible for ensuring their Originators are meeting these expectations, through their origination agreements and oversight practices.
Crucially, Nacha has articulated a standard here: Originator compliance is expected to be “verified by appropriate oversight” by the ODFI.
Why this box is hard to check
Unlike transaction monitoring, this risk largely lives in human behavior. There is no plug-in that can stop an employee from being tricked into changing vendor payment instructions or approving a fraudulent payroll file.
Historically, many banks relied on:
- Static questionnaires to inquire about customer operations
- One-time onboarding reviews with new customers
- Sending customers the rulebook or policy language
- Posting general rule guidance on the bank website (not customer-specific)
Under the new Rules, those approaches are increasingly difficult to defend. Auditors and examiners are looking for evidence that banks have:
- Empowered customers to understand rules that are actually applicable to them
- Assessed whether appropriate controls are actually in place within a customer’s unique environment and remote operations
- Maintained records demonstrating that they are actively doing both of the above with each non-consumer Originator.
This is where many banks realize they have a gap—not because they aren’t trying, but because manual approaches don’t scale across a large commercial customer base. (But good news – there is a solution!)
Box 3: Third-Party Senders — Oversight and Proof
What Nacha expects
Not every bank has Third-Party Senders—but many discover them through closer review of their customer base. In some cases, an Originator may effectively be operating as a Third-Party Sender over time.
For Third-Party Senders, Nacha expects risk-based controls to identify and prevent fraudulent entries, similar to ODFI expectations. The difference is in oversight and evidence.
Fortunately for FIs, the Rules already require Third-Party Senders (TPS) to do an annual audit, similar to the ODFI responsibility. ODFIs are expected to assess completion of those audits and, when requested, attest to them. However, recent Nacha guidance has emphasized not just attestation of compliance, but proof of audit, implying that attestation is grounded in a review of evidence—and banks are expected to review and retain that proof.
For this box, then, it will be important for banks to demonstrate that the review of TPS annual audits included compliance with the new Fraud Monitoring Rules: that the TPS is doing something, commensurate with its risk, to detect and stop unauthorized or fraudulently authorized transactions. (Again, good news – there is a solution for this too!)
Why this matters
Even when Third-Party Senders are low-volume or lower-risk, banks remain responsible for demonstrating oversight. If a TPS is involved in fraud, examiners will ask:
- How did you assess their controls?
- What records show you reviewed their compliance?
- How do you know their risk-based approach is appropriate?
This box is often overlooked until late in the readiness process, but it can quickly become a point of examiner focus.

Box 4: RDFI Responsibilities — Monitoring Inbound Credit Entries
What Nacha expects
On the receiving side, RDFIs must establish risk-based processes to identify suspicious incoming credit entries and respond appropriately. Nacha has provided examples of patterns that warrant attention, including:
- SEC code mismatches
- Atypical transaction amounts
- Rapid series of similar credits
- Activity involving new, dormant, or mule-like accounts
As with other boxes, these processes must be reviewed annually and updated as risks evolve.
How banks are approaching this
Like Box 1, many banks already have tools or procedures that address inbound monitoring. The work here often involves:
- Confirming patterns covered by existing systems
- Documenting response procedures
- Ensuring annual review is explicit and recorded
Why No Single Tool Checks All Four Boxes
One of the most important takeaways from the new Rules is this: compliance requires a toolkit approach.
Each box reflects a different role, a different risk profile, and often a different operational owner. Expecting one system to cover outbound monitoring, customer behavior, third-party oversight, and inbound detection is unrealistic—and Nacha does not require that.
What regulators do expect is that banks:
- Understand each obligation clearly
- Align tools and processes to each box
- Can produce records showing how each expectation is met
This framing often brings relief. It allows banks to stop searching for a mythical “end-to-end compliance solution” and instead focus on closing specific gaps.
Where LexAlign Fits: Checks Boxes 2 and 3
Across institutions, the most persistent challenges tend to live in Boxes 2 and 3:
- Originator controls and human-factor risk
- Oversight records that demonstrate compliance
LexAlign was built specifically to address these challenges.
LexAlign provides a structured, automated way for banks to:
- Guide customers through tailored, rule-aware diagnostic interviews (not generic questionnaires)
- Educate customers on applicable requirements in context
- Identify gaps and produce actionable remediation plans
- Maintain audit-ready records that demonstrate “verified by appropriate oversight”
- Support risk-based prioritization across the customer portfolio
By focusing on the customer side of remote operations—where many of today’s fraud risks originate—LexAlign complements, rather than replaces, existing monitoring systems.
You’re Not Behind—You’re Right on Time
If you’re still evaluating what the Nacha Rules require, or whether your current tools are sufficient, it’s worth saying this clearly: most banks are in the same place.
These Rules are complex by necessity: they reflect a changing fraud landscape and a recognition that prevention requires shared responsibility. The institutions that will navigate this most effectively are not those who rush to buy technology, but those who take the time to:
- Understand each obligation
- Assess their toolkit honestly
- Address gaps deliberately
A Simple Next Step
If Boxes 2 and 3 feel like the hardest pieces of the puzzle—and for many banks, they are—we invite you to start a conversation.
The LexAlign team works with banks every day to map the four boxes, identify exposure, and determine whether LexAlign is the right fit for supporting Originator and Third-Party Sender oversight.
Connect with us to explore how LexAlign can help you confidently check Boxes 2 and 3—at scale, with clarity, and with audit-ready confidence.

