How to Build an Audit-Ready ACH Compliance Program


Knowing that NACHA (the National Automated Clearing House Association) has updated its rules is one thing. Having the documentation, policies, and internal controls to demonstrate compliance to an examiner is another. For financial institutions, the gap between those two points is where risk lives.

As NACHA's rule changes continue to take effect, institutions face growing pressure to move from general awareness to structured, verifiable compliance.

The Compliance Gap Many Institutions Face

Most financial institutions have someone who tracks regulatory changes. Far fewer have a systematic process for translating those changes into updated procedures, staff training, system configurations, and documented evidence that the work was done.

With the Automated Clearing House (ACH), that gap is consequential. When an examination occurs, regulators do not just want to know that your team is aware of the rules. They want to see that your controls are designed around them and that those controls are operating effectively. Written policies that have not been tested or updated are often worse than no policy at all, because they signal a disconnect between what the institution says it does and what it actually does.

Areas Drawing the Most Examiner Attention

Several aspects of the updated NACHA rulebook are under particular scrutiny during examinations right now.

Fraud Monitoring and Response Protocols

As part of the 2026 rules update, NACHA now requires that originating depository financial institutions (ODFIs) and third-party senders maintain active, ongoing monitoring for fraudulent transactions. Examiners will ask for evidence of your policies, monitoring methodology, escalation procedures, and how your institution responds when a suspicious pattern is identified. Documented incident logs matter here, not just policy language.

For receiving depository financial institutions (RDFIs), examiners will look for similar evidence of credit monitoring: updated policies with specific language addressing inbound ACH monitoring, fraud detection, and investigation/escalation procedures when alerts are received. Some questions asked might include, “Who owns this process?” or “Where is RDFI credit monitoring formally documented?” The bottom line is that the program should be risk-based and tailored to individual institutions.

Return Rate Oversight

Elevated return rates, especially for unauthorized transactions, are a red flag during ACH reviews. Institutions should be tracking return rates by entry class code and have a documented process for investigating and addressing spikes before they escalate to a NACHA inquiry or regulatory finding. NACHA's return rate limits for ODFIs are currently a 0.5% unauthorized return rate (debits returned as unauthorized by the receiver); a 3.0% administrative return rate (returns due to data errors); and a 15% total return rate (total returns for any reason). Return rates are calculated using a rolling average, and exceeding NACHA’s thresholds could result in an inquiry, investigation and corrective action, or enforcement actions.

Third-Party Sender Agreements and Oversight

If your institution works with third-party senders, your agreements and oversight practices need to reflect current NACHA requirements. Examiners are looking for evidence of appropriate due diligence and contracts that include the right provisions, along with ongoing monitoring, rather than a one-time review at onboarding.

What a Strong ACH Compliance Program Looks Like

The most examination-ready programs share a few consistent traits. They start with a current-state assessment against the full NACHA rulebook. They include clearly assigned ownership for each compliance area. They document not just what the policy says, but how compliance is tested and verified on an ongoing basis. And they are revisited at least annually or whenever significant rule changes take effect.

Clark Schaefer Hackett's financial institution specialists help banks and credit unions assess their ACH compliance programs, identify gaps, and build the documentation needed to stand up to regulatory scrutiny. Reach out to your CSH advisor or start a new conversation with us today to learn how we can help.

Written by: Jenna Skop & Vangie McCloskey
