NACHA Rule Changes 2026: What Your Institution Needs to Know


The Automated Clearing House (ACH) network moves trillions of dollars each year, and the rules that govern it are not standing still. NACHA (the National Automated Clearing House Association) has been issuing a steady stream of meaningful rule changes, with more on the horizon. For financial institutions, staying ahead of these updates is not optional. It is a compliance requirement with real operational, audit, and risk implications.

Whether you are a community bank, a credit union, or a larger depository institution, the changes affect your obligations as an originating depository financial institution (ODFI), a receiving depository financial institution (RDFI), or both. Understanding what has changed and what is still rolling out is the essential first step.

Why The National Automated Clearing House Association Is Updating the Rules

Two broad forces are driving NACHA's rulemaking activity: the increasing speed of payments and the increasing sophistication of fraud. The result is a regulatory environment that demands more from every institution in the ACH ecosystem. NACHA has responded in the last several years by expanding its rules and guidelines to better detect and mitigate fraud, improve monitoring expectations, and reinforce accountability for originating and receiving institutions.

Key Changes Financial Institutions Should Know

Several significant updates have taken effect or are being phased in to prevent fraudulent entries from entering the network and to detect them when they arrive at the RDFI. New fraud monitoring requirements took effect for some institutions in March 2026, and full compliance is expected for all ACH participants by June 2026. Additional ACH rules updates will continue to roll into fall 2026. Financial institutions must evidence compliance with the following rule updates:

Expanded ODFI Fraud Monitoring Requirements

ODFIs, large non-customer originators, third-party senders (TPSs), and third-party service providers (TPSPs) are required to perform risk-based fraud monitoring for all ACH transactions (including credits). The monitoring process must be documented, reviewed, and updated annually. Procedures should be able to detect unauthorized entries, transactions made under false pretenses (such as business email compromise), and abnormal file volumes and payment patterns.

RDFI ACH Credit Monitoring Requirements

RDFIs must have a documented fraud monitoring program in place that defines the monitoring methodology, risk thresholds, and procedures to escalate flagged activity. Banks need real-time alerts configured and documented internal processes to review and resolve flagged transactions. Written policies and annual review are crucial and will be reviewed as part of the self-assessment.

Standardized Company Entry Descriptions

Effective in March 2026, the 10-character field in the ACH record describing the purpose of the payment was standardized for certain payroll and purchase transactions. For payroll prearranged payment and deposit entries (PPD), “PAYROLL” must appear on the record. For WEB debit entries, “PURCHASE” must appear in this field. All ACH participants involved in originating these entries must comply.
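One way an originator or ODFI could audit outgoing files against this requirement is sketched below; it is an added example, not code from NACHA or from this article. It reads the Company Entry Description from positions 54-63 of each Batch Header record, and it assumes a hypothetical `payroll_company_ids` set (Company Identification values the institution has tagged as payroll originators), because the file alone does not say which PPD batches are payroll.

```python
# Added example: audit Company Entry Descriptions in a NACHA file.
# Batch Header ("5") layout, 1-based positions in a 94-character record:
#   41-50 Company Identification, 51-53 SEC code, 54-63 Company Entry Description
DEBIT_TXN_CODES = {"27", "37"}  # live-dollar checking / savings debits


def check_descriptions(nacha_text, payroll_company_ids):
    """Return (batch_number, sec, found, required) for each non-compliant batch.

    payroll_company_ids is an assumption of this example: Company Identification
    values the institution has tagged as payroll originators.
    """
    findings, batch = [], None
    for line in nacha_text.splitlines():
        if len(line) != 94:
            continue  # malformed record; a production parser would reject the file
        if line[0] == "5":
            batch = {"company_id": line[40:50].strip(), "sec": line[50:53],
                     "desc": line[53:63].rstrip(),  # left-justified, space-padded
                     "number": line[87:94], "has_debit": False}
        elif line[0] == "6" and batch and line[1:3] in DEBIT_TXN_CODES:
            batch["has_debit"] = True
        elif line[0] == "8" and batch:
            required = None
            if batch["sec"] == "PPD" and batch["company_id"] in payroll_company_ids:
                required = "PAYROLL"
            elif batch["sec"] == "WEB" and batch["has_debit"]:
                required = "PURCHASE"
            # Exact, upper-case match is assumed to be what the rule requires.
            if required and batch["desc"] != required:
                findings.append((batch["number"], batch["sec"], batch["desc"], required))
            batch = None
    return findings


def _batch(company_id, sec, desc, num, txn_code):
    """Build one constructed batch: header, one entry, control (padded to 94)."""
    header = ("5200" + "EXAMPLE CO".ljust(16) + " " * 20 + company_id.ljust(10)
              + sec + desc.ljust(10) + " " * 6 + "260601" + "   " + "1"
              + "00000000" + str(num).zfill(7))
    return [header, ("6" + txn_code).ljust(94), "8".ljust(94)]


# Constructed sample data, not real originators or account data.
SAMPLE = "\n".join(
    _batch("1111111111", "PPD", "PAYROLL", 1, "22")
    + _batch("1111111111", "PPD", "Payroll", 2, "22")
    + _batch("2222222222", "WEB", "ONLINE PMT", 3, "27")
    + _batch("2222222222", "WEB", "PURCHASE", 4, "27")
    + _batch("3333333333", "PPD", "RENT", 5, "22"))

if __name__ == "__main__":
    print(check_descriptions(SAMPLE, {"1111111111"}))
```

The findings list doubles as audit evidence: each tuple names the batch, the value found, and the value the rule expects.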

International ACH Transaction (IAT) Definition Update

On September 18, 2026, the definition will be updated to “A transfer of funds that originates with or is delivered to an account at an office or financial agency located outside of the United States.” This redefines what qualifies as an IAT and how financial institutions classify, monitor, and comply with payments across international borders. IATs trigger additional OFAC (Office of Foreign Assets Control) screening requirements, data elements, and due diligence obligations, making accurate identification essential for compliance and operational readiness.

Expanded Funds Availability for Non-Same Day ACH Credit Entries

Today, if an RDFI receives a credit before 5:00 PM local time, it is made available to the customer by 9:00 AM the next day. If received after 5:00 PM, it can be made available later in the day. As of September 18, 2026, this 5:00 PM cutoff is eliminated, and all non-same day credits must be available to customers by 9:00 AM local RDFI time on the settlement date. Financial institutions will need to confirm they have sufficient processing support and update posting schedules. Even though funds will be available to customers sooner, institutions must still align availability with fraud monitoring requirements.

ACH Updates chart

From Awareness to Action

Knowing the rules have changed is not enough. Financial institutions need to translate each update into revised policies, updated system configurations, staff training, and audit-ready documentation. That process takes time and requires a clear picture of where your current program has gaps.

If your institution has not done a structured review of its ACH compliance posture recently, now is the right time. Clark Schaefer Hackett works with financial institutions of all sizes to assess compliance readiness and build programs that hold up to regulatory scrutiny. Reach out to our experts to start the conversation.
