What “Risk-Based” Really Means Under Nacha’s Fraud Monitoring Rules

(And What It Doesn’t)


Written by Julie Goff, JD, Head of Operations, Lexalign

When Nacha introduced its new Fraud Monitoring Rules, one phrase immediately became central—and, for many banks, confusing: “risk-based” procedures.

The term appears straightforward, but in practice it isn’t always easy to interpret. Some institutions read it as permission to do less. Others assume it requires exhaustive, transaction-by-transaction monitoring of every ACH Entry.

Neither interpretation is correct.

To comply with the new Nacha Fraud Monitoring Rules—and to prepare for examiner expectations—banks need a clear, defensible understanding of what “risk-based” means, what it does not mean, and how it should inform planning under the Rules.

This article unpacks that definition using themes and guidance that have been consistently reinforced by Nacha officials and industry experts.

Where “Risk-Based” Appears in the Nacha Rules

The first fraud monitoring Rule appears in Article 2 (Prerequisites to Origination). It requires participants in the ACH Network—including ODFIs, Originators, and Third-Party Senders—to:

establish and implement risk-based processes and procedures, relevant to the role it plays in the authorization or Transmission of Entries, that are reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses.

Each part of that sentence is intentional and guides the interpretation. In this blog post I’ll focus on “risk-based.”

What Does Nacha Mean by “Risk-Based”?

In Nacha’s explanations of the Rule, “risk-based” is not used casually or as a catchall. It should be read in conjunction with the word “role” in the sentence: procedures should be aligned to each Party’s role in the ACH flow, to its level of ACH activity, and to its ability to detect fraud at that point in the process.

This allows us to infer three key implications:

1. Risk-based is role-based.

The Rule explicitly recognizes that different participants face different risks:

    • ODFIs face risk by transmitting Entries they do not themselves originate and must manage the aggregate exposure of their Origination portfolio.
    • Originators face risk at the point of initiation—where account takeover, social engineering, and impersonation schemes (including business email compromise and increasingly voice or video impersonation) exploit gaps in authorization and access controls.
    • Third-Party Senders often face a combination of these risks, depending on how their TPS and TPSP roles are structured and how much control they exercise over origination.

Risk-based procedures must align to what each Party can reasonably see and control, not to risks that arise elsewhere in the flow.

2. Risk-based focuses on probability and impact—not perfection.

Understanding “risk-based” also requires distinguishing risk from compliance.

On an individual party level, risk refers to the probability of a costly disruption to normal operations or expectations—whether arising from fraud, cyber incidents, operational failures, or market events. As used in the Nacha Operating Rules, though, “risk” also means the risk to the Network: the impact a party’s actions or omissions might have on other parties active on, or affected by activities on, the Network.

Compliance, by contrast, refers to the records and evidence that demonstrate a covered party is satisfying applicable requirements and expectations.

The new Rule does not require banks—or their customers—to eliminate fraud entirely. That is neither realistic nor expected. Instead, it requires measures that are reasonably proportional to the risk a party presents to the Network, taking into account both role and transaction activity.

At the same time, the Rule makes clear that banks must be able to demonstrate risk-based compliance through records. When fraud occurs, the absence of records can have enormous effect—it can greatly amplify regulatory, legal, financial and reputational consequences.

3. Risk-based explicitly includes fraud induced under False Pretenses.

This is one of the most important evolutions in the Nacha Rules.

Nacha defines False Pretenses as the inducement of a payment by misrepresenting:

    • a person’s identity,
    • a person’s authority or association with another party, or
    • ownership of the account to be credited.

In practical terms, False Pretenses captures impersonation-based fraud—including business email compromise, payee impersonation, and similar social-engineering schemes.

These transactions may appear authorized on their face, but they are fraudulent by definition. The Rule explicitly brings these scenarios within the scope of required fraud monitoring.

What “Risk-Based” Does Not Mean

Just as important as understanding what the Rules require is understanding what they do not require.

1. It does NOT mean monitoring every transaction in real time.

Nacha has been clear in its rulemaking and FAQs that screening every ACH Entry before posting is not required.

Transaction monitoring remains an important control, but it is not sufficient for credit-push fraud, which is intentionally engineered to look legitimate and evade bank-side filters.

2. It does NOT mean shifting responsibility to customers.

Another common misconception is that because Originators and Third-Party Senders now have explicit fraud-monitoring duties, responsibility has shifted away from banks.

That is not the case, as Nacha makes clear in the Rule itself and in the FAQs.

The “general rule” in Article 2 that ODFIs are responsible for Entries originated by their Originators and Third-Party Senders has not changed. Risk-based procedures do not alter Subsection 2.1 of the Rules or the ODFI’s ultimate responsibility for Entries, and for the compliance of those customers.

Origination agreements that specify customer obligations are necessary to bind the customer to the Rules—but they do not eliminate the bank’s responsibility for oversight. In effect, Nacha is imposing a supervisory duty on the ODFI with respect to its customers’ compliance. Indeed, in describing when a bank can rely on a third party’s (including a customer’s) origination controls, Nacha has specified a standard: “verified by appropriate oversight.”

3. It does NOT mean relying solely on attestations or disclosures.

Simply asking customers to certify compliance or complete a high-level questionnaire, without meaningful engagement or visibility into their operations, does not satisfy the intent of risk-based oversight.

In an article last year, Nacha described how its Risk Management Advisory Group found gaps where ODFIs had relied on customer assurances about audits, but the customer could not supply records appropriate for an audit. Reliance solely on third-party assurances or attestations can mean actual compliance gaps remain invisible and unaddressed—often revealed only after a fraud event.

What Risk-Based Does Mean in Practice

A practical, defensible risk-based approach centers on three foundational questions.

1. Where does fraud most likely enter the system?

For credit-push fraud, Nacha has consistently emphasized that customers are now a primary point of attack.

That means risk assessment must extend upstream into Originator and Third-Party Sender operations, not remain solely within bank-side transaction monitoring.

2. What controls are reasonable at that point of entry?

At origination, reasonable controls include:

    • how counterparties are verified,
    • how authorization is obtained and validated,
    • whether and how Receiver accounts are validated,
    • how access to payment systems is secured, and
    • how unusual or high-risk activity is identified.

These are operational controls, not just analytical ones.

3. How does the bank demonstrate oversight?

This is where risk management and compliance converge.

Following risk-mitigating practices lowers the probability of fraud—but without records showing that those practices were implemented, reviewed, and maintained, banks lack compliance defensibility.

Risk-based management must therefore produce evidence, not just policy statements or intentions.

How Should Banks Think About Planning Under the New Rules?

When planning for compliance with the Nacha Fraud Monitoring Rules, banks should anchor on four principles:

    • Layered, not singular: No single control addresses credit-push fraud.
    • Customer-inclusive: Fraud monitoring explicitly involves Originators and Third-Party Senders.
    • Proportionate: Higher-risk customers require greater scrutiny than lower-risk ones.
    • Demonstrable: Examiners will expect evidence of assessment, action, and review.

Banks should avoid programs that are either over-engineered (unsustainable) or under-scoped (defensible only on paper).

Risk-based does not mean “do less,” and it does not mean “do everything.”

It means doing the right things, in the right places, for the right reasons—and being able to demonstrate that to examiners.
