PaymentsJournal
How FIs Can Get Ready for Nacha’s Upcoming New Rule
As fraudsters become more innovative in their schemes, Nacha is rolling out new rules to address emerging fraud risks, particularly scams involving business email compromise, vendor impersonation, and the increasing use of money mules.
These key changes, centered around the ACH rules, began rolling out in October and will continue through 2026.
In a recent PaymentsJournal podcast, Glenn Fratangelo, Head of Fraud Prevention Product Strategy and Marketing at NICE Actimize, and Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research, discussed what financial institutions need to do to enhance their fraud detection programs to better protect both banks and customers.
The Growing Threat
There’s no doubt that authorized fraud is on the rise. Fraud threats have increased in both volume and complexity, especially as payment innovations evolve to keep up with advancements in technology, as well as consumer and business needs.
“Javelin has noted these increases over the last few years in terms of imposter scams, fraud, and other new activity,” said Sando. “Anecdotally, we’re hearing so much about imposter activity, which is becoming more sophisticated and convincing. It relies on that sense of urgency for the unsuspecting customer to act, and it’s not going to go away anytime soon. The digital and fast-paced nature of payments has really emphasized the importance of dealing with the problem.”
In the past, Receiving Depository Financial Institutions (RDFIs) managing ACH transactions on behalf of their customers could take a more reactive approach, handling each transaction as it came through. The responsibility for detecting fraud primarily rested with the originating institution, or ODFI. However, the new rules now hold RDFIs accountable for catching fraud in real time—or as close to real time as possible.
This shift means actively reviewing suspicious activity, flagging transactions that seem off, and taking the initiative in returning funds that do not belong in certain accounts. RDFIs can now return questionable transactions, and ODFIs have more leeway to request returns when issues arise on their end. Starting in 2026, these monitoring requirements will become even more stringent.
Increasing the Burden
In terms of operational burden, RDFIs will now bear greater responsibility for real-time fraud detection and case management to effectively identify and prevent fraud.
“Traditionally, that fell under the purview of the ODFI, but with the shift RDFIs will have to dedicate resources to monitor suspicious transactions and potentially fraudulent activity that is incoming, something they previously did not have to do,” said Fratangelo. “That’s going to create increased workloads for an already stretched operations team, which will now be required to flag and investigate suspicious incoming transactions in real-time.”
Larger financial institutions will need to implement new machine learning models, which will require additional governance time and introduce another layer of complexity to their existing fraud detection systems.
“Larger institutions may have the capacity and ability to scale their teams, but we all know quality investigators are hard to find,” Fratangelo said. “That’s why there’s a ramp-up period to train analysts and investigators and get them up to speed.”
Smaller institutions will face even more difficulty, as they often lack effective automation. As their transaction volumes grow and new alerts are added, scaling up their workforce can be cost-prohibitive. These costs are sometimes passed on to customers in the form of lower interest rates or higher fees.
Maintaining Business As Usual
Generative AI and deepfakes are making this situation even worse, exposing corporations to business email compromise and account takeovers. Previously, the RDFI took a passive approach to matching account numbers, but now it’s not just the account number that needs to match—the individual must also be verified, and the organization needs to ensure the recipient is not a bad actor.
“It can become more difficult to maintain business as usual if you’re a smaller institution, like a community bank or credit union,” said Sando. “With operational shifts like these, there are often also impacts to the customer experience for the customer, particularly when financial institutions’ personnel are now faced with spending significantly more time manually reviewing suspicious transactions instead of spending time with their everyday customer needs.”
For financial institutions, fighting these threats involves more than just securing incoming funds. They need to focus on the accounts and applications they receive, ensuring that they aren’t being created with synthetic or fraudulent identities.
“Fraud is all interconnected,” said Fratangelo. “It’s not just a singular fraud typology that’s coming through. But we have to follow the breadcrumbs, as we’re seeing more responsibility shift to receiving banks to address the current issues. Ultimately, it’s about protecting customers, and we need to ensure protections are in place to protect those customers. Bad actors can’t have access to these funds.”