If your business uses ACH to run payroll, pay vendors, or collect payments, two critical compliance deadlines are already in motion — and one of them may have already passed. NACHA’s 2026 rule amendments are the most significant changes to the ACH Operating Rules in years, touching every Originator, every Third-Party Sender, and every Third-Party Service Provider in the ACH network. Missing either deadline isn’t just a procedural slip. It exposes your business to fines, operational disruptions, and the kind of fraud liability that keeps CFOs up at night.
Here is everything you need to know — in plain language — about what has changed, who is affected, and what steps to take right now.
What Are the 2026 NACHA Rule Changes?
NACHA (the organization that governs the ACH network) has issued two sets of rule amendments that took effect on a rolling basis in 2026. Together, they address two long-standing gaps in ACH security: inconsistent fraud monitoring practices among Originators, and the lack of standardized payment labeling that helps banks detect suspicious activity.
These are not optional guidelines or best-practice recommendations. They are binding rule changes enforceable under the NACHA National System of Fines — meaning non-compliance can result in financial penalties, interrupted ACH access, or even termination of origination privileges.
The Two-Phase Implementation Timeline
Phase 1 — Effective March 20, 2026
The first phase applies to:
– All ODFIs (Originating Depository Financial Institutions)
– Originators, Third-Party Senders (TPS), and Third-Party Service Providers (TPSP) whose 2023 origination or transmission volume was 6 million entries or greater
If your organization fell into any of these categories, the new fraud monitoring requirements were mandatory as of March 20, 2026. Additionally, the new standardized Company Entry Description rules — covering “PAYROLL” and “PURCHASE” labels — also took effect on this date for all applicable Originators, regardless of volume.
Phase 2 — Effective June 22, 2026
Phase 2 eliminates the volume threshold entirely. Starting June 22, 2026, every non-consumer Originator, Third-Party Sender, and Third-Party Service Provider — no matter how small — must comply with the fraud monitoring requirements. If you originate even a single ACH payroll file on behalf of employees or clients, this rule applies to you.
The message is clear: NACHA is closing the door on the idea that smaller Originators can operate without formal fraud controls.
New Mandatory NACHA Fraud Monitoring Requirements
What Originators Must Now Do
The new rules require covered entities to establish and implement risk-based processes and procedures that are reasonably intended to identify ACH entries that were initiated due to fraud. This includes a category NACHA specifically calls “False Pretenses.”
Understanding “False Pretenses”
This is one of the most important concepts in the new rules. A payment made under “False Pretenses” is one that was technically authorized by the account holder — but only because they were deceived into authorizing it.
Examples include:
– Business Email Compromise (BEC): A fraudster impersonates a vendor or executive to redirect a payment to a fraudulent account.
– Payroll Redirection Fraud: An employee’s payroll direct deposit is rerouted after a bad actor impersonates the employee and changes their direct deposit banking information.
– Vendor Impersonation: A supplier’s banking details are swapped out by someone posing as the vendor.
These are not unauthorized transactions in the traditional sense — the Originator had reason to believe they were legitimate. The new NACHA rules make it your responsibility to have controls that can catch them anyway.
What Compliant Fraud Monitoring Looks Like
NACHA does not prescribe a single technical solution. Instead, it requires that your controls be risk-based and appropriate to your payment types. At minimum, a compliant fraud monitoring program should include:
– A documented ACH fraud risk assessment specific to the types of entries you originate
– Active monitoring controls aligned to those risk areas — such as flagging unusual payroll changes, new account additions, or sudden spikes in transaction volume
– Exception handling and escalation procedures so flagged transactions are reviewed before release
– Annual review of the risk assessment and controls to keep pace with evolving fraud tactics
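One way to implement the "flag payroll changes and new accounts, then review before release" controls listed above, as an added example that is not NatPay's or NACHA's code. It compares the current payroll file with the previous run using the standard 94-character entry detail layout; the function names, the 1.5x spike threshold and the sample records are assumptions constructed for illustration.

```python
# Added example: hold payroll credits whose destination changed since the
# previous run (payroll redirection) before the file is released.
def destinations(ach_text):
    """Map Individual ID -> (routing, account, amount_cents) from '6' records."""
    out = {}
    for raw in ach_text.splitlines():
        rec = raw.ljust(94)
        if rec[0] == "6" and rec[1:3] in ("22", "32"):   # live credits only
            emp = rec[39:54].strip()                      # Individual ID, cols 40-54
            out[emp] = (rec[3:12], rec[12:29].strip(), int(rec[29:39]))
    return out

def review_queue(previous, current, spike_ratio=1.5):
    """Return {individual_id: [reasons]} for entries to hold for manual review."""
    prev, cur = destinations(previous), destinations(current)
    held = {}
    for emp, (rtn, acct, cents) in cur.items():
        reasons = []
        if emp not in prev:
            reasons.append("new payee")
        else:
            p_rtn, p_acct, p_cents = prev[emp]
            if (rtn, acct) != (p_rtn, p_acct):
                reasons.append("account changed")
            if p_cents and cents > p_cents * spike_ratio:  # hypothetical threshold
                reasons.append("amount spike")
        if reasons:
            held[emp] = reasons
    return held

# --- Constructed sample data: fictional IDs, routing and account numbers ---
def payroll_entry(emp, rtn, acct, cents, code="22"):
    return (f"6{code}{rtn:<9}{acct:<17}{cents:010d}{emp:<15}"
            f"{'SAMPLE PERSON':<22}{'':<2}0{'999999990000001'}")

PREVIOUS = "\n".join([payroll_entry("E001", "999999999", "1111", 200000),
                      payroll_entry("E002", "999999999", "2222", 180000)])
CURRENT = "\n".join([payroll_entry("E001", "888888888", "9090", 200000),
                     payroll_entry("E002", "999999999", "2222", 300000),
                     payroll_entry("E003", "999999999", "3333", 150000)])

if __name__ == "__main__":
    for emp, reasons in review_queue(PREVIOUS, CURRENT).items():
        print(emp, reasons)
```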
New Standardized Company Entry Descriptions
Why Standardization Matters
One of the subtler — but equally important — changes effective March 20, 2026, is the requirement to use standardized Company Entry Descriptions in your ACH files. When descriptions are inconsistent or vague (for example, using “WAGES” or just the company name for payroll), receiving banks have a harder time flagging suspicious duplicates or anomalies.
The Required Labels
– “PAYROLL” — Must be used for PPD credits to consumer accounts for the payment of wages, salaries, and similar employee compensation.
– “PURCHASE” — Must be used for WEB debit transactions for the online purchase of tangible goods (e-commerce purchases). It does not apply to purchases of services, subscriptions, utilities, or other non-goods payments.
By standardizing these labels across all Originators, receiving banks gain a clearer view of inbound ACH activity — making it easier to detect, for example, a duplicate payroll credit sent to a recently changed account.
Who Is Affected — and Who Is Not
Covered by both phases:
– Businesses that originate ACH payroll (direct deposit) for their own employees
– Accounting firms and payroll bureaus that initiate ACH on behalf of client businesses
– HR platforms and fintech tools with ACH origination capabilities
– Any entity that transmits ACH files as a Third-Party Sender or Service Provider
Not directly covered:
– Purely consumer-side ACH users
Note on RDFIs: RDFIs are not exempt from these rules. For the first time under NACHA rules, RDFIs also have fraud monitoring obligations: Phase 1 (March 20, 2026) applies to RDFIs whose 2023 ACH receipt volume exceeded 10 million entries; Phase 2 (June 22, 2026) extends the requirement to all RDFIs regardless of size.
The practical reality: if your company runs ACH payroll — even for a five-person staff — you are an Originator, and the June 22 deadline applies to you.
5 Steps to Achieve Compliance Before June 22
1. Determine your role. Are you a direct Originator, or do you work through a Third-Party Service Provider? Knowing your role in the ACH chain determines your specific obligations.
2. Conduct and document a fraud risk assessment. Identify the ACH entry types you originate and the fraud scenarios most relevant to each. Write it down — documentation is an explicit requirement.
3. Review your entry descriptions. Audit your ACH file templates. Confirm your Company Entry Description reads “PAYROLL” exactly for payroll runs.
4. Implement monitoring controls. These can range from dual approval for new payee account changes to technology-based anomaly detection. Controls must be proportionate to your volume and risk profile.
5. Talk to your ACH processor. Confirm they have updated their systems to support the new entry description requirements and that fraud monitoring responsibilities are clearly defined in your agreement.
How a Certified ACH Processor Simplifies Compliance
NatPay has been processing ACH transactions since 1991, with more than $158 billion processed annually and SSAE 18/SOC 1 Type 2 certification confirming the rigor of our internal controls. Our systems are built and maintained to align with NACHA Operating Rules — so the standardized entry descriptions, file-level controls, and compliance infrastructure are built into what we do, not an afterthought.
For small and mid-sized businesses, HR departments, and accounting firms, that translates into one less compliance burden on your plate.
Frequently Asked Questions
Do the 2026 NACHA fraud monitoring rules apply to small businesses?
Yes. After June 22, 2026, the volume threshold is removed entirely. Any non-consumer Originator — regardless of size — must comply. Even a small business running direct deposit payroll for a handful of employees qualifies as an Originator.
What happens if my company doesn’t comply?
NACHA enforces compliance through its National System of Fines. Verified violations can result in financial penalties, required corrective action, suspension of ACH origination access, or termination of origination privileges.
Does my payroll software handle compliance for me?
Not automatically. A certified ACH processor handles technical file formatting and entry description requirements, but the fraud risk assessment and internal monitoring controls are ultimately the Originator’s responsibility.
What is the difference between Phase 1 and Phase 2?
Phase 1 (March 20, 2026) applied the new rules to all ODFIs, plus Originators, Third-Party Senders, and Third-Party Service Providers with 6M+ entries in 2023. Phase 2 (June 22, 2026) eliminates that threshold and extends the same requirements to all remaining non-consumer Originators, TPS, and TPSPs.
What does “PAYROLL” as a Company Entry Description mean for my ACH files?
The Company Entry Description field in your ACH batch header must contain the word “PAYROLL” exactly for any PPD credit representing wages or salaries paid to employees. This has been required since March 20, 2026.
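The template audit from step 3 of the checklist and the batch header requirement in the answer above can be checked mechanically. The following is an added example, not NatPay's or NACHA's code: it reads the Standard Entry Class code and Company Entry Description from each batch header in the standard 94-character layout and lists PPD credit and WEB debit batches whose label differs. The sample file, function names and the "fix"/"review" statuses are constructed for illustration.

```python
# Added example: audit Company Entry Descriptions in a NACHA-format ACH file.
# Offsets follow the fixed-width 94-character record layout (0-based slices).
REQUIRED = {("PPD", "credit"): "PAYROLL", ("WEB", "debit"): "PURCHASE"}
LIVE_CODES = {"22": "credit", "32": "credit", "27": "debit", "37": "debit"}

def audit_entry_descriptions(ach_text):
    """Return (batch_no, sec, found, expected, status) for batches to check."""
    findings, batch = [], None
    for raw in ach_text.splitlines():
        rec = raw.ljust(94)
        if rec[0] == "5":                      # batch header record
            batch = {"no": rec[87:94], "sec": rec[50:53],
                     "desc": rec[53:63].rstrip(), "kinds": set()}
        elif rec[0] == "6" and batch:          # entry detail record
            kind = LIVE_CODES.get(rec[1:3])    # transaction code, cols 2-3
            if kind:
                batch["kinds"].add(kind)
        elif rec[0] == "8" and batch:          # batch control closes the batch
            for kind in sorted(batch["kinds"]):
                want = REQUIRED.get((batch["sec"], kind))
                if want and batch["desc"] != want:
                    # The label must match exactly, so a case variant is a
                    # definite fix; any other label needs a person to decide
                    # whether the batch really is wages or a goods purchase.
                    status = "fix" if batch["desc"].upper() == want else "review"
                    findings.append((batch["no"], batch["sec"],
                                     batch["desc"], want, status))
            batch = None
    return findings

# --- Constructed sample file: fictional company, IDs and routing numbers ---
def header_rec(desc, sec, no, svc="220"):
    return (f"5{svc}{'EXAMPLE CO':<16}{'':<20}{'1999999999':<10}{sec}"
            f"{desc:<10}{'':<6}260601{'':<3}1{'99999999'}{no:07d}")

def entry_rec(code):
    return (f"6{code}{'99999999'}9{'000123456':<17}{150000:010d}"
            f"{'EMP001':<15}{'SAMPLE PERSON':<22}{'':<2}0{'999999990000001'}")

SAMPLE = "\n".join([
    header_rec("PAYROLL", "PPD", 1), entry_rec("22"), "8220",
    header_rec("WAGES", "PPD", 2), entry_rec("22"), "8220",
    header_rec("Payroll", "PPD", 3), entry_rec("32"), "8220",
    header_rec("ONLINE PMT", "WEB", 4, svc="225"), entry_rec("27"), "8225",
    header_rec("PURCHASE", "WEB", 5, svc="225"), entry_rec("27"), "8225",
])

if __name__ == "__main__":
    for finding in audit_entry_descriptions(SAMPLE):
        print(finding)
```

A "review" result is not automatically a violation: the file cannot show whether a PPD credit is wages or whether a WEB debit is for tangible goods, so those batches go to someone who knows the payment's purpose.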
Ready to Simplify ACH Compliance?
NACHA compliance doesn’t have to be a scramble. NatPay’s ACH processing platform is built on over three decades of direct deposit expertise, SSAE 18/SOC 1 Type 2 certified controls, and a deep understanding of NACHA Operating Rules — so your payroll keeps moving and your compliance obligations are covered.
Contact NatPay today at natpay.com to learn how our ACH processing solutions keep your business compliant, secure, and on time — every payroll cycle.
