New rules starting in March 2026 will require most businesses using ACH payments to upgrade their fraud monitoring systems.

Nacha (formerly the National Automated Clearing House Association) governs the ACH Network, the backbone of electronic payments in the U.S.

The changes will affect any business that processes electronic payments, from payroll deposits to vendor payments.

What are the current rules? 

Current Nacha rules require companies to screen WEB debits and micro-entries to reduce unauthorized transactions and fraud. Nacha also urges all participants to implement adequate control systems to detect and prevent fraud, including instances that involve a new account number or changes to an existing account number.

Key benefit types affected:

• WEB debits: Online payments that pull money from consumer bank accounts
• Micro-entries: Small test transactions (under $1) used to verify account access

What is the new Nacha rule?

The 2026 Nacha rule requires ACH network participants to implement risk-based processes to identify fraudulent outgoing ACH entries and monitor entries that are unauthorized or initiated under false pretenses.

Who is affected:

• Non-consumer originators: Businesses or organizations that initiate ACH transactions
• Depository financial institutions: Financial institutions that initiate and receive ACH transactions for their customers' accounts
• Third-party service providers: Payment processors, payroll companies and other services that handle ACH transactions for other businesses

The rules will be implemented in two phases:

• Phase 1, starting March 20, 2026: Applies to non-consumer originators and third parties with 2023 ACH origination volume of 6 million or more
• Phase 2, starting June 19, 2026: Applies to all remaining non-consumer originators and third parties

These entities should establish monitoring processes and review them annually to address evolving fraud risks.

Steps you can take to prepare

Consider these areas for evaluation and discussion with your compliance, legal and technology teams:

1. Assessment and gap analysis: Work with your compliance team to identify gaps in current processes and evaluate data security requirements.
2. Fraud monitoring evaluation: Assess your current risk-based monitoring capabilities and validation processes with your risk team.
3. Technology assessment: Evaluate compliance software options and integration requirements with your IT and compliance teams.
4. Team preparation: Plan staff education on new Nacha requirements and compliance culture with your HR and compliance teams.
5. Contract review: Work with legal to assess vendor and partner agreements' alignment with new requirements.
6. Ongoing compliance strategy: Establish regular review processes with your compliance team.

For additional information on the 2026 NACHA fraud monitoring rules, visit our detailed description on the upcoming changes. 

J.P. Morgan Trust and Safety solutions

As clients evaluate the new Nacha rules, they should consider whether J.P. Morgan Trust and Safety solutions could be helpful for their organization’s specific fraud mitigation objectives. 

• Pre-transaction: Entity Validation verifies individual and business entity information, while Account Validation and Account Confidence Score verify account status, account ownership and potential payment risk associated with that account.
• Post-transaction: The Payment Control Center (PCC) enables transaction rules and exception alerts.