Nacha rule changes 2026: Deadlines, requirements, and how to prepare

On Jun 22, 2026, every business that originates ACH payments has to run documented, risk-based fraud monitoring on those transactions. That's the most pressing of three new Nacha mandates rolling out this year, alongside required account verification before sending ACH credits and two new standardized company entry descriptions ("PAYROLL" and "PURCHASE").

The first two mandates are already in effect for Phase 1 originators and for the entry descriptions, both of which became mandatory on Mar 20, 2026.

If your team pays vendors by ACH, runs payroll through direct deposit, or collects customer payments via ACH debit, these rules affect you. The smaller your operation, the more likely Phase 2 catches you off guard, because most small businesses and nonprofits don't track Nacha rule changes and don't have the fraud monitoring infrastructure these rules require.

What Nacha is, and what's changing

Nacha (the National Automated Clearing House Association) sets the rules for the U.S. ACH network, the system you use every time you send a vendor payment, run payroll, or collect a customer payment by direct debit. The network processed over 31 billion transactions in 2024. If you're not paying by card or wire, you're almost certainly running through ACH.

The 2026 changes are Nacha's response to rising ACH fraud—things like business email compromise, vendor impersonation, and payroll diversion. The changes break into three mandates:

1. Risk-based fraud monitoring on the ACH transactions you originate, rolled out in two phases (March 20 for the largest players, June 22 for everyone else)
2. Account verification before sending an ACH credit, in effect now
3. Standardized "PAYROLL" and "PURCHASE" company entry descriptions on the transaction types they apply to, in effect now

Everything else about how ACH operates is unchanged. Settlement timing, return windows, and file formats stay the same. The big change is that fraud detection is no longer just your bank's job. You now carry real obligations of your own.

The three 2026 rule mandates

1. Risk-based fraud monitoring

Every business that originates ACH payments has to run documented, risk-based processes to detect fraud. This rule takes the most work to implement, and it's the only mandate that rolls out in phases.

Phase 1 has been in effect since Mar 20, 2026, and it covers the largest players on the network. That includes every ODFI, non-consumer originators with 6 million or more ACH entries in 2023, third-party senders and service providers at that volume, and RDFIs with 2023 receipt volume above 10 million entries.

Phase 2 takes effect Jun 22, 2026, and it applies to every remaining ACH originator regardless of size. That means every non-consumer originator, third-party sender, and service provider has to comply by June 22. There's no minimum transaction threshold, which means a 15-person nonprofit sending 20 vendor payments a month is held to the same standard as a Fortune 500 company.

The rule technically takes effect on Jun 19, 2026, but that date falls on Juneteenth, a federal holiday. The practical compliance date is the next banking day: Monday, June 22.

"Risk-based" means you don't have to inspect every transaction, but you do need documented processes that catch fraud patterns. Nacha is explicit that manual two-person approval alone is no longer sufficient, so you need automated controls that operate across your full payment volume.

What Nacha expects you to monitor for:

• New vendor onboarding
• Changes to a known vendor's bank account details
• First-time payments to a new account
• Unusual amounts or off-cycle payment runs
• Patterns inconsistent with the vendor relationship
• Urgent payment requests

The rule also expands Nacha's definition of fraud to cover scams like business email compromise, vendor impersonation, and payroll diversion. If your team has ever sent a payment to a "new" vendor account that turned out to be fraudulent, that's exactly the pattern these rules target.

2. Account verification for ACH credits

Before you send an ACH credit—including any vendor payment—you have to verify the recipient's bank account actually belongs to the vendor you're paying. This mandate is in effect now and applies to every originator on the network.

Accepted verification methods include:

• Third-party validation services that confirm account ownership in real time.
• Micro-deposits ($0.01–$1.00) sent to the account, with the recipient confirming the amounts. Typically takes 2–3 business days.
• ACH prenotification which is a zero-dollar test transaction that confirms account details. Takes 3 business days, and confirms details but not ownership.
• Direct vendor contact through a known, trusted channel (not the channel that provided the bank details), confirming account information by phone or in person.

Every verification has to be documented: the method you used, the date and time, and the outcome. Records have to be retained for at least 2 years, and if a vendor changes their bank details, re-verification is required before the next payment goes out.

This mandate is a direct response to business email compromise, the most common form of ACH fraud. The typical pattern is an attacker impersonating a vendor and providing new (fraudulent) bank account details, and account verification before payment is the direct countermeasure. Without it, a single spoofed email can redirect a payment to a criminal's account.

3. Standardized "PAYROLL" and "PURCHASE" entry descriptions

Two new standardized company entry descriptions have been required since Mar 20, 2026, with no Phase 2 grace period for either one. The requirement applies to every originator on the network from day one.

"PAYROLL" is the required description for every PPD credit related to wages or salary payments. Your payroll provider has to use "PAYROLL" on every PPD credit for wages or salary. This requirement falls on whatever system you use to run payroll, but you as the originator are still responsible for confirming your provider is compliant.

"PURCHASE" is the required description for WEB debit transactions tied to online consumer e-commerce. If you originate online consumer debits, those transactions have to use "PURCHASE" on every entry.

Standardizing these descriptions helps banks spot fraud faster. For example, flagging a payroll diversion becomes easier when every legitimate payroll entry is clearly labeled. A mismatch between the description and the receiver's history becomes a much clearer anomaly.

Who do the 2026 Nacha fraud rules apply to?

The 2026 rules apply to every party involved in an ACH transaction. The terminology can be confusing, so let's break it down.

If you're a finance team running ACH through a bank or a payments platform, you're an originator. Your bank is the ODFI, and your payroll vendor is most likely a TPSP. Each party has its own obligations, and you can't fully outsource yours to your bank or vendor.

What non-compliance costs

The 2026 rules have real enforcement behind them.

• Nacha fines and penalties: The exact amounts aren't publicly disclosed, but they can be substantial and recurring.
• ACH network suspension: The most severe consequence. If Nacha suspends your access, you can't process any ACH transactions—no vendor payments, no payroll, no customer collections.
• Liability shifts in fraud disputes: Under the new rules, you have to prove you were monitoring for fraud. If a fraudulent transaction goes through and you can't show your controls were working, you absorb the liability.
• Banking relationship consequences: Your ODFI has its own compliance obligations. If you're not compliant, your bank may raise fees, add restrictions, or drop you entirely.
• Direct financial exposure: Without proper monitoring and verification, fraudulent payments may not be recoverable. You absorb the loss.

This is how Nacha actually enforces the rules, which is what makes June 22 a hard deadline.

Tips for how to comply with Nacha’s new rules

The 2026 Nacha rules don't dictate a specific technology or process. They require documented, risk-based controls that would hold up under an audit.

1. Audit your current fraud controls: Document what monitoring you already have on outbound ACH credits and inbound debits. Identify which controls are manual, which are automated, and which transaction types lack any review.
2. Identify your phase: Pull your 2023 ACH origination volume. If you cleared 6 million entries or more, you've been on the hook since Mar 20, 2026. Otherwise, your binding deadline is Jun 22, 2026.
3. Confirm entry description templates are compliant: Audit every system that generates ACH files. Confirm payroll batches are tagged "PAYROLL" and consumer e-commerce WEB debits are tagged "PURCHASE." This requirement is already in effect, so any non-compliant entry going out today is exposing you.
4. Set up an account verification process: Pick a method (third-party validator, micro-deposits, prenotification, or direct vendor contact) and apply it to every new vendor and every change to existing vendor banking details. Document the method, the date, and the outcome for each verification. Retain the records for at least 2 years.
5. Build or document risk-based monitoring procedures: Focus the highest scrutiny on first-time payment recipients and on changes to a known vendor's bank account details. Those are the patterns Nacha's expanded fraud definition specifically targets.
6. Coordinate, document, and review annually: Confirm in writing that your ODFI and any TPSP (payroll provider, payment processor, billing platform) is ready. Maintain written fraud prevention procedures, transaction verification records, vendor change logs, and approval workflow records. Schedule and document an annual review as Nacha requires it at least once a year.

The biggest mistake teams make is treating Phase 1 as not their problem because they're below the volume threshold. Phase 2 doesn't have a volume threshold, and Jun 22, 2026 is the date that catches the rest of the network, which means the runway is short.

Common pitfalls to avoid

Finance teams tend to make the same mistakes every time Nacha rolls out new rules.

Assuming your bank handles all of it. Your ODFI has its own obligations under the 2026 rules, but you, as the originator, also have to monitor your outgoing entries. The bank can't write your fraud monitoring procedures for you.

Treating PAYROLL and PURCHASE as cosmetic. The new descriptions are mandatory, not optional. A non-compliant entry can trigger return reason codes and additional bank scrutiny, and repeated violations can lead to penalties from Nacha. Your payroll provider, AP system, and e-commerce billing all need to be checked.

Skipping account verification. This is its own mandate, not a piece of fraud monitoring. Every ACH credit needs a verified recipient account, with the verification method, date, and outcome retained for at least 2 years. Email-only confirmation isn't sufficient under the rule.

Confusing the June dates. The Phase 2 rule references Jun 19, 2026, which is a federal holiday. The practical effective date is Monday, Jun 22, 2026. If your internal compliance calendar reads June 19, update it to June 22 so your team doesn't show up to a closed banking day.

How Ramp Bill Pay supports Nacha Phase 2 readiness on the AP side

Manual AP doesn't scale to what Nacha operating rules now require. The rules demand automated fraud monitoring, vendor verification before every payment, and a searchable audit trail—running continuously, not just when someone remembers to check.

That's a lot to bolt onto spreadsheets and bank portals—and most businesses can't.

But Ramp Bill Pay takes a different approach. Fraud detection, vendor verification, approval routing, and audit trails run on every invoice by default. Invoices move 2.4x faster than manual AP¹, and most of the AP-side Nacha readiness work happens in the background.

What Ramp Bill Pay supports

Risk-based fraud monitoring on AP transactions. Ramp runs a fraud prevention agent on every transaction and checks 60 signals before you send a payment, so you catch fraud before money leaves your account. That's Nacha's automated fraud monitoring requirement, handled for you on the AP side.

Account verification within the AP workflow. Ramp extracts vendor bank details from invoices automatically, can request ACH details directly from vendors inside the platform, and cross-references vendor data across its network. The fraud prevention agent flags unverified vendors and alerts you when existing banking details change.

Documented approval workflows. Custom routing handles dollar amount, vendor type, department, or any combination. Ramp's approval agent summarizes vendor history, contract terms, and PO matching, then recommends approval or rejection. Role-based permissions enforce separation of duties, and every approval decision is logged with full context.

Audit trail and documentation. Every invoice is tracked from intake through approval, payment, and ERP sync, with approval histories and activity logs at each stage. AP aging reports export to CSV. Nothing lives in email threads or spreadsheets, which is exactly what Nacha's searchable audit trail requirements call for.

Automated controls at scale. AI auto-coding, 2-way and 3-way invoice matching against POs, fraud detection, and payment execution all run automatically on every transaction. That meets Nacha's explicit position that manual review alone is no longer enough.

What stays on your side

Ramp Bill Pay covers the AP workflow. The rest of your Nacha obligations are still yours:

• Payroll compliance (handled by your payroll provider, not Ramp)
• ACH collections (Ramp covers outgoing payments, not incoming)
• Written fraud prevention policy (you draft and maintain it)
• Annual procedures review (you schedule and document it)
• Third-party provider oversight (you confirm vendors and processors are compliant)
• Incident response documentation (you write the report when fraud happens)

Start processing bills with fraud prevention built in

Phase 2 takes effect June 22, 2026.

See how our AP software’s fraud prevention features sets your AP controls in place before the deadline. →

The information provided in this article does not constitute accounting, legal or financial advice and is for general informational purposes only. Please contact an accountant, attorney, or financial advisor to obtain advice with respect to your business.

¹Based on Ramp's customer survey collected in May’25.