Commercial Banking

From startups to legacy brands, you're making your mark. We're here to help.

  • Innovation Economy
    Fueling the success of early-stage startups, venture-backed and high-growth companies.
  • Midsize Businesses
    Keep your company growing with custom banking solutions for middle market businesses and specialized industries.
  • Large Corporations
    Innovative banking solutions tailored to corporations and specialized industries.
  • Commercial Real Estate
    Capitalize on opportunities and prepare for challenges throughout the real estate cycle.
  • Impact Banking & Advisory
    When our communities succeed, we all succeed. Local businesses, organizations and community institutions need capital, expertise and connections to thrive.
  • International Banking
    Power your business' global growth and operations at every stage.

Key Links

Credit and Financing

Prepare for future growth with customized loan services, succession planning and capital for business equipment.

  • Asset Based Lending
    Enhance your liquidity and gain the flexibility to capitalize on growth opportunities.
  • Equipment Financing
    Maximize working capital with flexible equipment and technology financing.
  • Trade & Working Capital
    Experience our market-leading supply chain finance solutions that help buyers and suppliers meet their working capital, risk mitigation and cash flow objectives.
  • Syndicated Financing
    Leverage customized loan syndication services from a dedicated resource.
  • Commercial Real Estate
    Capitalize on opportunities and prepare for challenges throughout the real estate cycle.
  • Employee Stock Ownership Plans
    Plan for your business’s future—and your employees’ futures too—with objective advice and financing.

Key Links

Institutional Investing

Serving the world's largest corporate clients and institutional investors, we support the entire investment cycle with market-leading research, analytics, execution and investor services.

  • Institutional Investors
    Putting your long-tenured investment teams on the line to earn the trust of institutional investors.
  • Markets
    Direct access to market leading liquidity harnessed through world-class research, tools, data and analytics.
  • Prime Services
    Helping hedge funds, asset managers and institutional investors meet the demands of a rapidly evolving market.
  • Global Research
    Leveraging cutting-edge technology and innovative tools to bring clients industry-leading analysis and investment advice.
  • Securities Services Solutions
    Helping institutional investors, traditional and alternative asset and fund managers, broker dealers and equity issuers meet the demands of changing markets.

Key Links

Investment Banking

Providing investment banking solutions, including mergers and acquisitions, capital raising and risk management, for a broad range of corporations, institutions and governments.

  • Center for Carbon Transition
    J.P. Morgan’s center of excellence that provides clients the data and firmwide expertise needed to navigate the challenges of transitioning to a low-carbon future.
  • Corporate Finance Advisory
    Corporate Finance Advisory (“CFA”) is a global, multi-disciplinary solutions team specializing in structured M&A and capital markets. Learn more.
  • Development Finance Institution
    Financing opportunities with anticipated development impact in emerging economies.
  • Sustainable Solutions
    Offering ESG-related advisory and coordinating the firm's EMEA coverage of clients in emerging green economy sectors.
  • Mergers and Acquisitions
    Bespoke M&A solutions on a global scale.
  • Capital Markets
    Holistic coverage across capital markets.

Key Links

Payments

Your partner for commerce, receivables, cross-currency, working capital, blockchain, liquidity and more.

Key Links

Private Bank

A uniquely elevated private banking experience shaped around you.

  • Banking
    We have extensive personal and business banking resources that are fine-tuned to your specific needs.
  • Investing
    We deliver tailored investing guidance and access to unique investment opportunities from world-class specialists.
  • Lending
    We take a strategic approach to lending, working with you to craft the right financing solutions matched to your goals.
  • Planning
    No matter where you are in your life, or how complex your needs might be, we’re ready to provide a tailored approach to helping your reach your goals.

Wealth Management

Whether you want to invest on your own or work with an advisor to design a personalized investment strategy, we have opportunities for every investor.


  • Invest on your own
    Unlimited $0 commission-free online stock, ETF and options trades with access to powerful tools to research, trade and manage your investments.
  • Work with our advisors
    When you work with our advisors, you'll get a personalized financial strategy and investment portfolio built around your unique goals-backed by our industry-leading expertise.
  • Expertise for Substantial Wealth
    Our Wealth Advisors & Wealth Partners leverage their experience and robust firm resources to deliver highly-personalized, comprehensive solutions across Banking, Lending, Investing, and Wealth Planning.

Key Links

Who We Serve

Key Links

All Insights

Explore a variety of insights.

Key Links

Insights by Topic

Explore a variety of insights organized by different topics.

Key Links

Insights by Type

Explore a variety of insights organized by different types of content and media.  

Key Links

About Us

We aim to be the most respected financial services firm in the world, serving corporations and individuals in more than 100 countries.

Key Links

Want the latest on Nacha’s 2026 Rule Changes?

Access the PDF summary here and view the recorded webinar below on changes announced in 2024.

Important: The most recent changes announced in October 2025 are not part of this session.

Captioner: Becca Posadas
Date: October 22, 2025
Time of event: 11:00 AM 
Name of event: Nacha New Rule Changes 2026

This text, document, or file is based on live transcription.  Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.  This text, document, or file is not to be distributed or used in any way that may violate copyright law.

This document may contain legally privileged and/or confidential information.  If you are not the intended recipient(s), or the employee or agent responsible for delivery of this message to the intended recipient(s), you are hereby notified that any dissemination, distribution or copying of this document is strictly prohibited.  If you have received this document in error, please immediately notify the sender and delete this document from your computer.

Confidential & Proprietary
JPMorgan Chase & Co.
For Internal Use Only

>> PRIYA JOHAR: Good morning, good afternoon, and good evening to everyone joining us from different parts of the globe. Welcome to the Nacha Rule Changes 2026 webinar brought to you by JPMorganChase. My name is Priya, and I'm joined today by my colleague, Eric Nulph. Together, we'll be your speakers for this session, guiding you through the upcoming changes and their impact on ACH operations.

But before we begin, I'd like to provide a brief disclaimer to ensure everyone is aligned on the scope and the intent of today's discussion. Compliance with Nacha rule changes is the responsibility of the client and not JPMC, and clients should consult with their legal and compliance representatives. Clients remain subject to and solely responsible for compliance with their obligation under applicable Nacha and other payment network rules.

With that, we'll move on to the next slide.

So the agenda for today is listed on this particular slide. Today's agenda is both comprehensive and forward‑looking. We'll begin with a high‑level overview of the 15 rule changes that were balloted in 2024, setting the stage for our discussion for today.

From there, we'll take a closer look at the four rule changes that will come into effect in 2026, exploring their potential impact and significance. So as we move through the presentation, we'll examine the key parameters and analytical approaches you can use to determine as to which rule change would be relevant for you or for your organization.

Finally, and perhaps the most important, we'll highlight essential considerations and actionable practices to help you adapt to the rapidly changing payments environment. We'll also share some of the industry's best practices for fraud monitoring throughout the payment lifecycle, equipping you with practical tools to enhance security and resilience.

So let's get started. In this slide, we are specifically talking about what significance do the rule changes carry. Before I delve deeper into the 15 rule changes, we'd first touch upon the significance of each of these rule changes.

As of March 15, 2024, Nacha, which is our governing body, Nacha's voting membership approved 15 ballots to achieve three key aspects. One, to detect fraud attempts. Basically, through these rule changes, strengthen the ability of the ACH network to detect any fraud attempt that can happen. Second is reduce fraud attempts. Take necessary steps in order to reduce the incidence of successful fraud attempt. And third and the most important, should there be a successful fraud attempt, what enhancements should be required in order to improve the recovery of funds altogether?

Next, so the next slide shows or gives the overview of three of the compliance dates, or rather three of the compliance dates out of four that were listed by Nacha. These three compliance dates are spread across 2024 and 2025 and comprises 11 of those 15 rule changes.

The first compliance date was applicable June 21st, 2024, and had six minor rule changes topic that was covered on that particular date. The second compliance date was on October 1st, 2024, and that comprised four of the risk management topics. The third compliance date, which is the most recent one, was on April 1st of this year and comprised another risk management topic. And till now, we are past 11 of those 15 rule changes implementation dates.

The next slide gives an overview of the four rule changes which will be applicable next year. Two of those rule changes would carry or entail two applicable dates. One would be March 20th of next year and the second one would be 22nd June. Both of the two dates differ primarily because of the thresholds and we'll be discussing in detail about those thresholds and applicability of the rules in the subsequent slide.

You may also find certain resources out there that would state that the applicable date would be 19th June instead of 22nd, but as of recent change, Nacha changed that date from 19th to 22nd, given that 19th is a US public holiday.

The remaining two rule changes, which is rules six and seven, is applicable on 20th March next year, and that contains only one applicable date. And we'll be discussing about those two rule changes in the subsequent slides.

The next slide talks about why is it important for you to understand and comprehend the Nacha rule changes 2026, and primarily, what are the objectives of having this webinar in the first place itself.

So one, knowing about the rule changes will help you from a compliance maintenance perspective. So staying abreast with the industry changes will help you avoid penalties and promote secure ACH transactions.

From an operational improvement standpoint, you'll be able to streamline processes and align your processes as per the updated standards, thereby reducing errors, enhancing transaction monitoring, and speed as well.

The third part is on strategic positionings. So given that you'll understand the rule changes better, you'll be able to implement some of the best practices in order to monitor your transactions. And with that, you'll be able to strengthen your reputation and build trust amongst your partners and customers.

Fourth and the most important pillar here would be financial advantages. So complying with the rule changes would help you avoid any losses due to penalties and would also help you transit secure ACH transactions, thereby saving you a lot of cost when it comes to fraudulent transactions.

So ultimately, this webinar is about empowering you with the knowledge and tools you need to navigate these changes confidently. We want to help you optimize your ACH transactions, reduce errors, enhance operational efficiency, and secure financial benefits by being informed and prepared.

By working together and staying ahead of industry best practices, we can ensure a smooth transition and continued success for all the participants throughout the ACH network.

Next slide, please. Next.

So, now as we transition into talking in detail about each of the four rule changes, this slide is speaking about the four rule changes from an overview perspective.

So, as we discussed earlier, there are four rule changes which will be applicable 2026. The first one would be fraud monitoring by originators, third‑party service providers, and originating depository financial institutions. So all of these participants would need to set risk‑based processes and procedures in place so that they are able to track transactions that are conducted under false pretenses or are unauthorized in nature.

The second rule change would be on the receive side, basically indicating Nacha's interest and proactiveness now towards the receive side of fraud monitoring. So as per the second rule change, the receiving depository financial institution would need to set up risk‑based processes in place so as to monitor credit transactions on the receive side.

The other two rule changes would be about payroll and purchase, basically adding these two nomenclature into the company entry description of certain transactions.

Next. Talking specifically about payroll, which is rule change six, standard company entry description payroll. So the use of the term "PAYROLL" should take place in such transactions which are initiated by the originator with the intent of sending or paying money in terms of salary, wages, payroll to the receiver.

Whenever there is an intent of paying wages and the transmitting form is through the ACH, with the SEC code PPD credit, the word "PAYROLL" needs to be added to the company entry description.

Now, Nacha has mandated a way in which the word "PAYROLL" needs to be added. It should be left aligned. The remaining three spaces of the company entry description can be used as per the requirement of the originator. And more details about how the usage should be is provided on the Nacha website under their FAQ section.

Through this rule change, Nacha has not obligated that an ODFI needs to verify the presence or accuracy of the word "PAYROLL" as a description of purpose or employment status of the receiver. So it is completely at the prerogative of the originator to really understand the usage, the intent of the payment, and add the word "PAYROLL" accordingly.

The next rule change is similar to "PAYROLL", which is "PURCHASE".

Can we move on to the next slide?

So this particular rule change is applicable for all instances where an e‑commerce purchase, which is a web debit SEC code entry authorized by a consumer‑receiver for the online purchase of goods happened, including recurring purchases first authorized online. So in such instances, the word "PURCHASE" would need to be added to the company entry description.

Here again, there is a standard practice that Nacha has mandated to all the participants of the network. The word "PURCHASE" should be appearing in the company entry description. It should be left aligned. The remaining two spaces can be used as per the convenience of the originator.

Here again, the ODFI has no obligation to verify the presence and accuracy of the word "PURCHASE" as a description of purpose. For more details, again, you may refer to the Nacha website and can search through the FAQ section to understand the exact applicability of the word "PURCHASE".

Now, in both those instances, in both these two rule changes, we as financial partners, we as your financial partners or your financial institution can help with regression testing. So, whenever you have, you know, sort of built an infrastructure or made that technical development where the word "PAYROLL" and "PURCHASE" can appear on the intended transactions, you can send sample files to us for testing. We can check how the word is appearing in the company entry description and how it will be transmitted to the ACH network.

So we are available at your disposal for whatever regression testing that you'd be interested in doing. And for that, you may also feel free to reach out to your client service representative or your relationship banker to avail of this service.

We'll move on to the next slide, which basically talks about fraud monitoring from an originations perspective, and we'll also discuss on the receive side along with the transaction analysis as to which rule change would be applicable to you.

So more on that by Eric. So Eric, over to you.

>> ERIC NULPH: Thank you, Priya. And thank you, everyone, for joining this very important information sharing session.

The next two rules that I'm going to describe really encompass almost every participant in the ACH network. So more than likely, everyone that's listening to this call is going to be affected by the rule number one that you're seeing on your screen now.

And before I get into the details of these two rules, I want to talk about a new term that Nacha is introducing into the rules language. And that language or the term is called "false pretenses".

And what they're trying to do with the term "false pretenses" is identify when a payment may be induced by a person who's misrepresenting their identity. They're misrepresenting their association or authority to authorize transactions against a certain account. They are misrepresenting that they actually have permission if you were, let's say, a CFO at a company and somebody misrepresents themselves as that person. That is inducing an ACH entry under false pretenses.

So when we, kind of, dive into these rules, and we'll specifically start with rule number one, every single originator, every single third‑party service provider or third‑party sender, every single ODFI in the network, and for rule two, every RDFI in the ACH network are affected by these rules. So as we go through them, keep in mind how the rule may apply to your specific circumstance.

So as we dive into rule number one, and it talks about origination, and really, all debits and credits are going to be in scope for this specific rule, right?  And what they're trying to do is tell you to establish and implement a risk‑based process or procedure relevant to your role in the authorization and processing of a transaction. And we'll talk about that a little bit more here in a minute. And it's reasonably intended to identify entries that are suspected as being unauthorized or unauthorized under the new term False Pretenses.

So when we look at that, they're not really asking you to check each transaction as you originate or as you process. They're asking you to create a sensible procedure to be able to detect and prevent invalid entries from being created in the first place. So they're not asking you to review each transaction individually. They're not necessarily asking you to detect entries before they're processed. It could be a process where you're monitoring activity, you're monitoring trends, you're monitoring expected outcomes, and you're detecting that you have suspect entries, and then you're actioning those entries.

And the reason they wrote the rule this way is because it needs to apply to all participants. It needs to apply to an originator who only sends 10 payroll credits a week. It needs to apply to maybe an e‑commerce platform that sends 100 million transactions a week, right? So it's really allowing the originators in each participant to, based on their role, to decide what is best for them.

So let's talk about the participants themselves. So if you're an originator, who is the originator? It is the party that has the relationship with the receiver of the entry that's being created, right? Those are the people that are best positioned to understand and authenticate that the party authorizing the transaction and providing the financial information related to it are the actual intended recipient.

So what do these cover? It kind of covers just standard disbursements: Payrolls, pensions, maybe retirement payouts, maybe refunds of, you know, maybe a return on Amazon or something, and you're getting a refund to your bank account. It covers vendor payments.

And it doesn't actually have to be a corporate. It could be a government agency, who's maybe processing tax payments or tax refunds. And then it also extends on the debit side to collections. So now you're collecting for a bill payment. You're collecting for a debt to be settled.

And in all these cases, if we go back to the definition of False Pretenses and what these suspect transactions are, we're trying to make sure that we can identify and detect things like account takeover, like business email compromise, like vendor impersonations.

So it's very common things where a bad actor has come in and is trying to redirect a payment. So I'm trying to redirect a payroll or a vendor payment to an account that it's not intended to go to really. I'm trying to satisfy a debt by debiting an account that isn't mine or I'm not authorized to debit. And these things make perfect sense from an originator perspective, right?

So now the next participant would be maybe a third‑party service provider. And what they're doing is maybe they're performing functions for the originator. Maybe they're creating payments. Maybe they're sending payments on behalf of that originator.

Another flavor of that is a third‑party sender, and the third‑party sender maintains a relationship with the ODFI to be responsible for settling payments for their underlying clients.

Third‑party senders have an entire chapter in the Nacha rule book related to their obligations for sound risk management practices and different things related to their customers.

And then the last participant would be the ODFI. And the ODFI sends entries into the network on behalf of a third‑party sender or an originator.

And why are they in a good position potentially to identify bad transactions? They have information that they've accumulated over time on bad actors. They have sophisticated software that can detect patterns or first‑time beneficiaries where activity might be abnormal.

They have returned item monitoring, which can detect when, potentially, there's a large number of unauthorized entries being claimed and disputed, or invalid account numbers being sent back, which would be indicative of somebody just making up account numbers for bill pays and certain things like that.

So those are kind of a drill down into who these different actors are. And from an applicability standpoint, the first implementation date is going to be March 20th of 2026. And that applies to the participants who have volumes of 6 million items or greater in 2023.

And then everybody else comes into scope by June of 2026. So that's why everybody is affected by this rule.

And what you want to do, again, is apply a risk‑based approach. What makes sense for me? How does my company or my originator manage acquiring financial institution and account information? How do they manage modifying it? How do they manage validating that account numbers are valid or that users are authenticated?

And then you would apply this risk‑based process or procedure to be able to detect that activity.

So your first step is really to document what it is you do today. Your second step is to assess whether or not that process will reasonably detect fraudulent behaviors. Then you need to modify that process if your situation has changed or if it doesn't really meet a risk‑based control. And then finally, you need to establish an annual review period to review those processes annually.

So if you're doing an annual Nacha rules compliance audit, maybe it sits in there. Maybe it sits with the compliance group. But the important piece is to continually go back and revisit those controls and those processes as times change, as fraudster capabilities change over time. Because what we see today is nothing like what we saw 10 years ago.

So, if we move on to the RDFI ACH credit rule. Next slide, please?

This applies only to incoming credits to a RDFI, which is the bank receiving the entry and posting it to an account. Now, I'll say that most banks have some sort of process. And it's normally something that they're reviewing items after they've posted.

All banks have anti‑money laundering processes. They have financial crimes obligations. So many banks already have something in the hopper for this.

But again, the same theory applies. Apply a risk‑based process that's relevant to your role ‑‑ you're the RDFI ‑‑ and does it reasonably detect bad activity?

Now, ideally, I think, you want to detect activity prior to posting, especially in the event of a credit. If it's a credit and it's posted and it's intentional fraud that's performed under false pretenses, your recoverability of those funds is much less if you allow it to post than if you prevent it from posting in the first place.

Again, same rules apply. Document it, assess it, change it if you need to, and then establish an annual review process.

So the other advantage an RDFI has in these cases is they have information on bad actors. They're very intimately aware of what normal activity under an account is. They're very aware, through know your customer guidelines, what is expected on an account.

So they know how long the account's been open. They know what to expect. And they're in a very good position to be able to detect anomalous activity.

So if you go on to the next slide. Next one. One more. Okay.

So, again, how do you apply it? Looking specifically at Rule 1, which is originators, third‑party processors, third‑party senders, and ODFIs, everybody is impacted. So, again, you'd want to assess when is my implementation date and what activities do I have to do to be able to get there?

If we look at the second use case that Priya went into detail with, which is payroll, I don't think we need to say too much there because she did a very good job in indicating payroll.

We have been asked questions. Does commission ‑‑ is commission pay payroll? And the answer is yes. Commission pay is related to compensation. And any entry that's PPD entry, which is consumer that's related to compensation, would need the keyword "PAYROLL".

And then if we look at the purchase rule, again, it's for debit initiations, primarily web debits, and those would need to use the keyword "PURCHASE".

And I think as time goes on, Nacha is going to do more of this codifying of transactions to be able to identify specific activity in the network. So don't be surprised if, from a risk management and operations perspective, they come out with more of these.

Relative to web debits on the purchase side, I'll add that there's an existing rule that's out there. So any debit originator of web debits actually has a more stringent requirement for fraud detection than is set forth in these new rules. Right.

If you're a web debit originator, you are to have a commercially reasonable fraud detection system. You are to have an account validation system. You are to have are to have bank ID validation processes. And actually, those are much more stringent than what's being called for here, which is a risk‑based detection system.

So if you're already doing web debits, you should probably take this opportunity to go look at those commercially reasonable fraud detection processes. Make sure that they're up to snuff as you're looking at applying the keyword "PURCHASE".

So hopefully, you found that information useful. And I'll pass it back to you, Priya.

>> PRIYA JOHAR: Great. Thank you so much, Eric. Can we move on to the next slide, please?

So taking cues from what Eric mentioned in terms of certain points to consider, given the dynamic fraud landscape or the payment landscape that we have, we need to ‑‑ it is important that every organization and every business conduct a compliance review, have regular processes set in place so that they are able to review those compliance processes.

They are able to enhance their fraud monitoring or implement the fraud monitoring in order to stay in compliance with some of the rule changes. And also are able to change or adjust their strategies to the dynamic world of ever‑changing fraud landscape that's there.

But apart from that, there are a couple of points also to consider. One is education and training. So that's an important point that you'd need to build as an organization. You need to foster a culture of compliance by educating and training each and every employee about the Nacha rule changes, and not just that, about Nacha rules in general as well.

Now, what will happen is that once people start understanding the Nacha rules, the Nacha rule changes, its applicability, the reason behind it, there will be easier or faster adaptability to these rule changes. And you, as an organization collectively, will be able to achieve compliance faster and more seamlessly.

The last point to consider, and the most important of them all, is seek legal advice. So consulting with your legal and compliance experts is very important. It's imperative to not just do it on an ad hoc basis but to actually embed that culture on a day‑to‑day basis so that you're able to gain insights and advice on Nacha rules and its applicability so that you're able to navigate the changes and the rules that are currently there.

Next slide, please.

So this slide talks about some of the best practices for fraud monitoring, for ACH monitoring as a whole. So if you are considering the entire payment life cycle, there are three key touch points that really are very meaningful and impactful and can lead to some key risk areas if not taken care of properly. So one is identity and onboarding, which is basically the starting or the genesis of the entire payment life cycle.

Some of the key risk areas at the start stage or at the stage of onboarding is you can end up onboarding fraudulent entities, you can end up onboarding synthetic identities to your organization or to your account that can lead to account takeovers and other such issues.

The blue box indicates the best practices and we'll come back to that in a while.

The second touchpoint in the payment lifecycle is change management itself. By change management, we mean every time there is a change in, probably, the name of the already‑existing entity that's listed or, say, the account that's listed or if there is a change in phone number, a change in account details, etc.

All of that needs to be taken care of carefully because such instances or such changes can actually lead to account takeovers. It can lead to impersonation fraud and it can lead to a lot more issues if not, you know, taken care of very specifically through certain best practices.

The third and the most important part in the entire payment lifecycle is payment and disbursement itself. So there are certain key risk areas there. One is ACH credit fraud can take place if the beneficiary accounts are not identified, as Eric highlighted earlier.

There can be instances of unauthorized disbursements. There can be instances of billing fraud, etc.

So starting with identity and onboarding, some of the best practices are, first, set up multi‑layered identity verification. So you can leverage some of the real‑time API integrations in order to verify name, address, phone number, email, and all other details of the account getting onboarded. That can be done against, say, government databases, sanction and watchlist screening, etc. So all of that can be done against some database, some validated database, so that you can ensure 100% accuracy there.

You can also leverage device intelligence and geolocation checks that can be available at your disposal while you are building multi‑layered identity verification as a process to your identity and onboarding of the payment lifecycle.

The second part is ‑‑ or the second example is behavioral and predictive analytics. So there is a lot of data available at your disposal all the time, given that we live in a world full of data. So it is important, it is imperative that you as an organization start leveraging that data and are able to build a robust process so that you're able to detect patterns of suspicious behavior and synthetic identities using your historical data that could be available in your data lake or in some warehouse, etc.

The third part is account ownership and payment information matching. So basically, under this best practice, what really happens is that you'd be integrating your account onboarding by deploying bank account verification processes to confirm that the account details really match with the entity's legal name that is getting listed at the time of onboarding.

You can also use cross‑check payment method where you're actually checking information with known high‑risk accounts of flagged entities against some verified database. Now, all the best practices that we are mentioning are something that can be availed of either through third‑party providers. It can also be built internally. So, we have a lot of clients who have chosen to build all of these processes internally as well, given their business appetite, their risk appetite, etc. So, it's a call that you'd need to take.

Third, you can also choose to, you know, talk to your financial institution to check if they have any product available that can help you, you know, set processes, fraud monitoring processes in place at each of the stages of the payment lifecycle.

With that, I'll move on to the second part of the payment lifecycle, which is change management. Some of the best practices that you can consider is multi‑factor authentication. Basically here, you require step up authentication to be in place or, you know, you're setting up secondary communication channel through SMS, phone, email for really high‑risk changes. So whenever you feel that, you know, there are certain high‑risk changes that are happening in terms of, say, changing the threshold of the transactions being sent or changing the name of the entity that is already onboarded since a while. It is important that you set up step‑up authentication in the form of, say, OTPs, in the form of biometric verification, knowledge questions, etc.

Another best practice that you can consider is setting alerts for unusual activities. So basically, under this practice, whenever you feel that a particular account is being changed very often recently ‑‑ account details is being changed very often recently and there is a pattern to it ‑‑ you may choose that alert to be sent across to all the impacted parties and stakeholders.

So, such tools are also, again, available at your disposal in the market. You can explore those tools by talking to your FIs, and you may also choose to build it in‑house, given the risk appetite that you'd want to trade on.

The third and the most important part of the entire payment lifecycle is payments, and some of the best practices there is, one, real‑time account status and risk screening. So basically, integrating bank account validation APIs to check whether the beneficiary account is open, is active, in good standing, or if there are any past fraudulent activity that may have taken place on the receiver side.

Second is account ownership and verification, wherein you are leveraging or using risk‑based scoring for new pays, especially for large‑value ACH transactions, so that you're able to detect any of such beneficiaries, fraudulent beneficiaries beforehand. Third, and recently the most common that we have noticed is transaction limit and velocity monitoring.

So basically there are a lot of clients who are setting thresholds to the transactions that can be transmitted to the receiver's account. They are also setting limits to the frequency or the number of transactions that can be sent across.

And all of that can be availed of by using a particular tool, by either developing it in‑house, etc. So these are some of the best practices that can help you understand and can help you navigate some of the risk‑based processes across the payment lifecycle, depending on the business financial standing that you may be having, depending on your legal and compliance obligations, etc.

With that, we'll move on to the next slide, please.

So we at J.P. Morgan provide a couple of products under our trust and safety umbrella and that comprises account confidence score and identity account validation.

Now so to note, just a disclaimer here, these are certain products which are available at your disposal for you to build fraud monitoring processes. It does not ensure that you'll be in compliance, so you'll still need to consult with your legal and compliance teams and understand your risk appetite in order to ensure that, you know, availing of these products may or may not lead to compliance of the rule changes as mentioned earlier.

Now, what is account confidence score? So, account confidence score is basically an AI‑based machine learning score that actually generates or indicates the probability that a beneficiary account is anomalous or fraudulent.

And how does it really work? So, this particular product that we have developed is a derivation of in‑house fraud screening model, which is an AI/ML model that we have built that helps translate our output into a numerical indicator. Now, that output can help you or allow you to evaluate the likelihood of fraud on the beneficiary account.

So, when can you really use this particular product? So, we spoke about the payment lifecycle in the previous slide. This product usually fits the bill at the time of onboarding, at the time of registration of an account or of an entity in your organization and can also help you in advance of any payment instruction. So that's account confidence score for you.

The second product that we have is identity and account validation. Basically, there are two sub‑products under it: AVS and EVS.

AVS is Account Validation Service that provides the ability to validate the status and ownership of an account. While EVS, which is Entity Verification Service, provides verification of individuals of business data from trusted data sources and third‑party regulatory vendor.

So when can you use this product? Again, from a payment lifecycle perspective, it can help you at the point of onboarding or registration or even before initiating a payment instruction.

Now, both these products that I spoke about was, I mean, my description was very brief. If you'd want to have a demo, if you'd want to go through, get a walkthrough of the product, understand these more in details, you can reach out to your client relationship manager at J.P. Morgan, and they'll be more than happy to walk you through both the products and help you understand its utility in your business environment.

Before I conclude, I'll once pass it over to Eric, and then I'll provide my concluding remarks. Eric, over to you.

>> ERIC NULPH: Sure. So, I took a peek at the Q&A queue. So, while we don't have time to answer all the questions that are in there, there are certainly some interesting ones. One was, what do we do if we don't send Nacha‑formatted payments and we send ISO‑formatted payments?

And that's a great question because many banks and many originators use different types of transaction initiation vehicles. You can use ISO pain.001 or pain.008 for credits and debits.

You might be using an API, which typically they're kind of smaller versions of ISO payments.

You could be using EDIX12. While not very common, you could be using SWIFT formatted entries to send to your bank. I don't think that that's very common for J.P. Morgan clients. But what you do in those cases is you would work with your specific channel originator because those payments all end up in ACH format eventually.

So the people that support your specific initiation channel are in the best position to tell you, for example, how do I accomplish the requirement for payroll and purchase? And it could be a combination of, if you only do a single type of entry, maybe they're applying a default value and maybe that needs to be updated. If it's a dynamic value ISO, typically, those are the piece of data for payroll and purchase travels and something called category purchase proprietary.

So go speak with the the the group that supports your channel. If they have any additional questions, they'll come to us, their ACH expert teams. And hopefully, you would have a nice, easy path to get those changes made relative to would we be able to have a roadmap or a checklist really beyond what we've shared today, we can't tell you based on your specific circumstance what you need to review when you're assessing your risk‑based analysis.

We would not be able to tell you what changes we need to make. And as Priya mentioned at the beginning, you know, we may have tools and we may have expert advice to help you achieve compliance, but we cannot rubber stamp that whatever you have come up with is compliant to the rule. That's really up to your own legal and compliance areas within your own institutions.

And I think the only other question I saw out there that was repeated, Priya, was whether or not this presentation will be available. Will it be just a recording? Is it available in hard copy? And I'll defer to you on that.

>> PRIYA JOHAR: Yeah. Thank you so much, Eric. So, well, yes, the deck and the recording will be available to you at the start of October. We'll be sharing it with our client service representatives so you can get in touch with them, get the recording, get the deck and make use of the resources.

We'll also be uploading these two resources on our client resource center under the Nacha rules section. So you'll be able to extract both of them from there as well.

Apart from that, we'll be also sending out emails to the same email list and you'll get the link to the recording and to this deck over there as well.

So all of the all of these three channels will be at your disposal so that you are able to get hold of the two resources.

We've also seen one question talking specifically about whether the word "PURCHASE" indicates or is indicative only to goods. The answer is yes. Nacha has mandated that the word "PURCHASE" would be applicable to goods only and not to services. So, things like bill payment, et cetera, will not be included in that particular rule change scope.

With that, thank you all for attending today's Nacha Rule Changes 2026 webinar. We really appreciate your time and attention as we discussed the upcoming Nacha updates, their impact on ACH, and best practices for transaction monitoring and fraud prevention.

So as we move forward, staying informed and proactive will be key to maintaining operational excellence and safeguarding your organization against emerging risks. We encourage you to review your current processes, engage with your compliance teams, and leverage the resources and tools available to you.

If you have any further questions or need additional support, please don't hesitate to reach out to us or your JPMorganChase representative. We are here to help you navigate these changes and ensure a smooth transition.

Thank you once again for joining us and we wish you continued success in your ACH transactions. Have a great day. 

Compliance dates

1. Fraud Monitoring by Originators, TPSPs and ODFIs (Rule #01)

  • Effective date - Phase 1: March 20, 2026 for all ODFIs and non-Consumer Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023.
  • Effective date - Phase 2: June 19, 2026 for all non-Consumer Originators, TPSPs, and TPSs that did not fall under the requirement threshold for Phase 1. (2023 is the baseline year for the volume thresholds)

Current:

  • The Nacha Rules currently require Originators to use a commercially reasonable fraudulent transaction detection system to screen WEB debits and when using Micro-Entries
    • These rules are intended to reduce the incidence of unauthorized debits resulting from transactions initiated online, which can experience increased volume and velocity
  • These current requirements do not encompass any other transaction types, and so do not currently apply to other types of debits or to any credits other than Micro-Entries
    • However, the existing Nacha Board policy statement “urges that all participants implement adequate control systems to detect and prevent fraud.”

Amendment as per Nacha:

  • “Each Non-Consumer Originator, ODFI, and Third-Party Service Provider or Third-Party Sender acting on behalf of an Originator, Third-Party Sender or ODFI, must:
    • Establish and implement risk-based processes and procedures relevant to the role it plays in the authorization or Transmission of Entries that are reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses; and
    • At least annually review such processes and procedures and make appropriate updates to address evolving risks.

For more details, please refer to the Nacha website.

2. RDFI ACH Credit Monitoring (Rule #02)

  • Effective date - Phase 1: March 20, 2026 for RDFIs with annual ACH receipt volume of 10 million or greater in 2023
  • Effective date - Phase 2: June 19, 2026 for all RDFIs that did not meet the threshold requirement for Phase 1. (2023 is the baseline year for the volume thresholds)

Current:

  • Historically, the RDFI has played a passive role in the ACH Network
    • The ODFI warrants that an Entry is authorized and that it complies with the Rules
    • The RDFI may rely solely on the account number for posting an Entry, and the RDFI may rely on Standard Entry Class Codes for the purpose of complying with the Nacha Rules
  • Currently, the Nacha Rules require ODFIs to perform debit transaction monitoring, but do not apply transaction monitoring requirements to RDFIs

Amendment as per Nacha:

  • “Each RDFI must:
    • Establish and implement risk-based processes and procedures relevant to the role the RDFI plays in connection with the receipt of credit Entries that are reasonably intended to identify credit Entries that are suspected of being unauthorized or authorized under False Pretenses, including processes and procedures for responding when credit Entries are identified as potentially unauthorized or authorized under False Pretenses; and
    • At least annually review such processes and procedures and make appropriate updates to address evolving risks.

      These processes and procedures do not require the screening of every ACH Entry individually, and do not need be performed prior to the processing of Entries.”

For more details, please refer to the Nacha website.

3. Standard Company Entry Description – PAYROLL (Rule #06 – Effective March 20, 2026)

Change Brief:

  • Establishes the entry descriptions for payroll related entries to enable better transaction monitoring and risk management
  • This rule would establish a new standard description for PPD Credits for payment of wages, salaries and similar types of compensation. The Company Entry Description field must contain the description “PAYROLL”.
  • RDFIs that monitor inbound ACH credits would have better information regarding new or multiple payroll payments to an account.
  • The usage of the term "PAYROLL" is explained in the FAQ section of the Nacha website.

Amendment as per Nacha:

  • Language has been added to disclaim any representation or warranty about actual employment status:
    • “The use of the term “PAYROLL” in this field is descriptive and by use of the word, neither the Originator, nor the ODFI (or any Third-Party Service Provider acting on behalf of an Originator or ODFI), makes any representation or warranty to the RDFI or the Receiver regarding the Receiver’s employment status.
  • Language also has been added to disclaim obligation on the part of ODFIs to “police” Originators’ correct use:
    • “The ODFI has no obligation to verify the presence or accuracy of the word “PAYROLL” as a description of purpose or employment status.”

For more details, please refer to the Nacha website.

4. Standard Company Entry Description – PURCHASE (Rule #07 – Effective March 20, 2026)

Change Brief:

  • Establishes the entry descriptions for ecommerce purchase related entries to enable better transaction monitoring and risk management
  • "PURCHASE" for an e-commerce (WEB or PPD) goods purchase debit authorized by a consumer Receiver.
  • The usage of the term "PURCHASE" is explained in the FAQ section of the Nacha website.

Amendment as per Nacha:

  • Language for the definition of e-commerce purchases has been refined to (new language underlined):
    • “For this purpose, an e-commerce purchase is a debit Entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. An e-commerce purchase uses the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Code.”
  • Language has also been added to disclaim obligation on the part of ODFIs to “police” Originators’ correct use
    • “The ODFI has no obligation to verify the presence or accuracy of the word “PURCHASE” as a description of purpose.”
    • “For this purpose, an e-commerce purchase is a debit Entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. An e-commerce purchase uses the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Code.”

For more details, please refer to the Nacha website.

Updates effective in recent years

Available beginning Q1 2021 - Q2 2022
Nacha has approved rule changes to enhance Same Day ACH functionality and improve risk management. As a result, J.P. Morgan will be making changes to US ACH origination service and US ACH eLockbox/Receiver Services reporting.

1. Codify Use of Return Reason Code R17 (Rule #03 – Effective October 1, 2024)

Current:

  • There currently is no defined Return Reason Code to return an entry as suspected fraudulent or “QUESTIONABLE”
    • Unauthorized reasons are based on a customer, dispute or claim
  • The Rules provide for using the return code that most closely approximates the reason for the return
    • Nacha guidance has been that R17 is likely the closest return code for incidents of potential fraud
    • The word can continue to be used for high volume of invalid account number entries

Amendment as per Nacha:

  • Clarifies that R17 “QUESTIONABLE” must be use by the RDFI to return an ACH entry that is suspected fraudulent
  • This rule will explicitly allow, but not require, an RDFI to use R17 to return an entry that it thinks is fraudulent. Such use is optional and at the discretion of the RDFI
  • The rule retains the current requirement to include the descriptor QUESTIONABLE in the return addenda record for such use
  • The amendment is intended to improve the recovery of funds originated due to fraud

For more details, please refer to the Nacha website.

2. Expanded Use of ODFI Request for Return/R06 (Rule #04 – Implementation extended to April 1, 2025)

Change Brief:

  • Expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason
  • RDFI has 10 business days to respond to the ODFI after receipt

Amendment as per Nacha:

  • This rule will expand the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason
    • The ODFI would still indemnify the RDFI for compliance with the request
    • Compliance by the RDFI would remain optional.
    • An RDFI’s only obligation to the ODFI would be to respond to the ODFI’s request
      • Regardless of whether the RDFI complies with the ODFI’s request to return the Entry, the RDFI must advise the ODFI of its decision or the status of the request within ten (10) banking days of receipt of the ODFI’s request
  • This rule is intended to improve the recovery of funds when fraud has occurred.

For more details, please refer to the Nacha website.

3. Additional Funds Availability Exceptions (Rule #05 – Effective October 1, 2024)

Current:

  • Currently, the Nacha Rules provide RDFIs with an exemption from funds availability requirements if the RDFI reasonably suspects the credit entry was unauthorized
    • This exemption encompasses cases of account takeovers, in which a party that is not the Originator is able to initiate an ACH credit from the Originator’s account

Amendment as per Nacha:

  • Expands current RDFI exemption from funds availability requirements to include credits suspected are originated as part of a fraud scheme or event
  • RDFI must make “reasonable efforts” to contact the ODFI to advise the delay

For more details, please refer to the Nacha website.

4. Timing of Written Statement of Unauthorized Debit (WSUD) (Rule #08 – Effective October 1, 2024)

Current:

  • The current Rules require that the Written Statement of Unauthorized Debit (WSUD) be dated on or after the Settlement Date of the Entry

Amendment as per Nacha:

  • This rule will allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account
  • Allow a consumer Receiver’s Written Statement of Unauthorized Debit to be completed on the date an ACH debit is presented

For more details, please refer to the Nacha website.

5. RDFI Must Promptly Return Unauthorized Debit (Rule #09 – Effective October 1, 2024)

Current:

  • Defines “promptly” that an RDFI return an unauthorized debit by the 6th banking after receipt and completion of the WSUD process
  • The rule includes new language to set the return deadline to the opening of business of the 6th Banking Days after the RDFI completes its review of the Receiver’s signed WSUD (new language underlined):
    • “the RDFI Transmits the Extended Return Entry to its ACH Operator by its deposit deadline for the Extended Return Entry to be made available to the ODFI no later than the opening of business on the sixth Banking Day after the Banking Day on which the RDFI completes its review of the Receiver’s signed Written Statement of Unauthorized Debit, but in no case later than the opening of business on the Banking Day following the sixtieth calendar day following the Settlement Date of the original Entry.”

Amendment as per Nacha:

  • This amendment will require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Banking Day following the completion of its review of the consumer’s signed WSUD
  • The amendment is intended to improve the recovery of funds and reduce the incidence of future fraud
  • The prompt return of an unauthorized debit alerts an ODFI and an Originator to a potential problem
  • This is also true in first-party fraud schemes in which the party who disputes the debit Entry is the same party who benefits from the original entry
  • A prompt return supports controls that an Originator may have enabled, such as a hold on funds or delayed shipment of merchandise
  • This amendment will not change reasons or requirements for obtaining a Written Statement of Unauthorized Debit

For more details, please refer to the Nacha website.

1. General Rule/Definition of WEB Entries (Rule #10 – Effective June 21, 2024)

Current:

  • While the Rules already require all consumer-to-consumer credits to use the WEB SEC Code, the current reference to “Internet or Wireless Network” is confusing to some industry participants.
    • Some ODFIs and P2P service providers are coding consumer-to-consumer credits as PPD entries when the consumer’s instruction has been communicated through non-internet means (e.g., via phone, in person)

Amendment as per Nacha:

  • General Rule for WEB Entries (Article Two, Subsection 2.5.17.1) and Definition of “Internet-Initiated/Mobile Entry” (Article Eight, Section 8.55)
    • This change will re-word the WEB general rule and definition in Article Eight to make it clearer that the WEB SEC Code must be used for all consumer-to-consumer credits, regardless of how the consumer communicates the payment instruction to the ODFI or P2P service provider

For more details on minor topics, please refer to the Nacha website.

2. Definition of Originator (Rule #11 – Effective June 21, 2024)

Current:

  • Currently, the Rules define an Originator by the relationship it has with the ODFI –“a Person that has authorized an ODFI…to Transmit...an Entry…”.
  • The existing definition is silent with respect to the Originator’s obligation to have obtained the Receiver's authorization (when required by the Rules) to credit or debit the Receiver’s account

Amendment as per Nacha:

  • Definition of Originator (Article Eight, Section 8.71) - This amendment makes clarifying changes and alignments to the definitions of Originator:
    • Adds a reference to the Originator’s authority to credit or debit the Receiver’s account.
    • Adds a notation to the definition of Originator that the Rules do not always require a Receiver’s authorization (e.g., Reversals, Reclamations, Person-to-Person Entries).

For more details on minor topics, please refer to the Nacha website.

3. Originator Action on Notification of Change (Rule #12 – Effective June 21, 2024)

Current:

  • Current wording of the definition is out of date and requires minor modification for clarity and reflection of current business practice
    • Current NOC rules are silent as to whether an Originator has discretion to make NOC changes related to single entries bearing other SEC Codes (e.g., PPD, CCD, CTX, IAT);
    • In practice and in enforcement situations, Originators and Nacha have supported uniform treatment of NOCs for any one-time entries, regardless of SEC Code.
  • The Rules currently allow the Originator discretion on whether it will act on NOCs received with respect to ARC, BOC, POP, RCK, single-entry WEB, single-entry TEL, XCK
    • This list identifies SEC Codes that, by definition, are one-time entries, and those that previously required a single/recurring indicator within the entry.

Amendment as per Nacha:

  • ODFI and Originator Action on Notification of Change (Article Two, Section 2.12.1)
    • This amendment gives Originators discretion to make NOC changes for any Single Entry, regardless of SEC Code.

For more details on minor topics, please refer to the Nacha website.

4. Data Security Requirements (Rule #13 – Effective June 21, 2024)

Current:

  • Current rules require Non-Consumer Originator, Participating DFI, Third-Party Service Provider, and Third-Party Sender to protect DFI account numbers by rendering them unreadable when stored electronically
  • This requirement is threshold-based and applies to covered entities once those participants’ annual ACH origination or transmission volume exceeds 2 million entries for the first time
  • The rules include a grace period for newly-covered parties to address implementation issues (must comply by June 30 of the year after triggering the 2 million entry threshold)

Amendment as per Nacha:

  • Security Requirements (Article One, Section 1.6)
    • This amendment clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.

For more details on minor topics, please refer to the Nacha website.

5. Use of Prenotification Entries (Rule #11 – Effective June 21, 2024)

Current:

  • The Rules currently allow Originators to transmit prenotification entries for account validation prior to initiating the first credit or debit entry to the Receiver’s account
  • Originators indicate a need to re-validate that certain accounts are open and can accept ACH entries, even after live entries previously have been transmitted. Originators want the ability to use ACH Network-based account validation methods for this purpose
  • The recent Rule on Micro-Entries does not limit validation to before first use

Amendment as per Nacha:

  • General Rule for Prenotifications (Article Two, Subsection 2.6.1) & Definition of Prenotification Entry (Article Eight, Section 8.81)
    • This amendment will align the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.

For more details on minor topics, please refer to the Nacha website.

6. Clarification of Terminology - "Subsequent Entries" (Ballot #14 - Effective June 21, 2024)

Current:

  • With the adoption of definitions and rules for Standing Authorization and Subsequent Entries, minor changes are needed to prenote and NOC language to remedy now-ambiguous references to the use of the non-defined phrase “subsequent entry”:.
    • Exceptions to ODFI Warranties for Entries Originated Using Corrected Data from Notification of Change (Article Two Subsection 2.4.2)
    • Waiting Period Following Prenotification Entries (Article Two, Subsection 2.6.2)
    • ODFI and Originator Action on Notification of Change (Article Two, Subsection 2.12.1)

Amendment as per Nacha:

  • The changes replace “subsequent” with other synonymous terms –“future”, “additional”, and “another”
    • This change will re-word the WEB general rule and definition in Article Eight to make it clearer that the WEB SEC Code must be used for all consumer-to-consumer credits, regardless of how the consumer communicates the payment instruction to the ODFI or P2P service provider

For more details on minor topics, please refer to the Nacha website.

Increase of Same Day ACH Transaction Limits — Effective March 18, 2022

  • This rule expands the capabilities of Same Day ACH. Increasing the Same Day ACH dollar limit is expected to improve Same Day ACH use cases, and contribute to additional adoption.
    • Increases the Same Day ACH limit for both eligible debit and credit entries from $100,000 to $1 million USD.
  • Increasing the dollar limit has been a frequently asked for change by ACH end-users. Most recently, a summer 2020 survey of corporate ACH end-users resulted in recommendations for Same Day ACH:
    • Increase or remove dollar limits
    • Expand processing hours and days

For more information on this rule, please refer to the formal press release on the Nacha website, here.

Supplementing Data Security Requirements – Phase 2 - Effective June 30, 2022

  • The existing ACH Security Framework including its data protection requirements is supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
    • June 30, 2021 - Implementation began with the largest Originators an TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually.
    • June 30, 2022 - A second phase becomes effective for those originators with ACH volume of 2 million transactions or greater annually
  • The Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically.
    • Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider

For more information on this rule, please refer to the formal press release on the Nacha website, here.

Use of Micro-Entries — Effective September 16, 2022

  • This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation
  • This Rule will become effective in two phases:
    • Phase 1 – September 16, 2022
      • The term Micro-Entry will be defined, and Originators will be required to use the standard Company Entry Description and follow other origination practices
    • Phase 2 - March 17, 2023
      • Originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volume

For more information on this rule, please refer to the formal press release on the Nacha website, here.

Third-Party Sender Roles and Responsibilities — Effective September 30, 2022

  • The overarching purpose of these Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by
    • Addressing the existing practice of Nested Third-Party Sender relationships, and
    • Making explicit and clarifying the requirement that a TPS conduct a Risk Assessment
  • These two rules will become effective September 30th, 2022, with a 6-month grace period for certain aspects of each rule (March 31, 2023) if any of the below are met:
    • ODFIs to update TPS registrations to denote whether or not a TPS has Nested TPSs
    • TPSs that have not conducted a Risk Assessment to do so
    • A TPS need not wait for passage of this rule, or its effective date, to conduct a Risk Assessment

For more information on this rule, please refer to the formal press release on the Nacha website, here.

New Third Same-Day ACH Processing Window — Effective March 19, 2021

  • A third Same-Day ACH processing window is being created, expanding Same-Day ACH availability by 2 hours to provide greater access for all Originators and their customers.
  • The timing of this new processing window is intended to balance the desire to expand access to Same-Day ACH through extended hours with the need to minimize impacts on financial institutions’ end of day operations and the re-opening of the next banking day.
  • Specific cut-off times for J.P. Morgan U.S. Same Day ACH origination will be determined.
  • eLockbox Same-Day report delivery will be extended by approximately two hours, to 8 p.m. ET instead of 6 p.m. ET.
  • Non-consumer receivers subscribing to eLockbox will be required to post same day entries received by J.P. Morgan by 5:30 p.m. ET with same-day value during their normal posting schedule.

Supplementing Fraud Detection Standards for WEB Debits — Effective March 19, 2021

  • As a supplement to existing requirements, Originators of WEB Debits will be required to use a commercially reasonable fraudulent transaction detection system to ensure new and changed customer receiving accounts are able to successfully receive transactions prior to origination of WEB Debits. 
  • U.S. ACH Originators of WEB Debits may need to make changes to their account validation processes.
  • J.P. Morgan offers tools and services to complete this validation, but you can use any commercially reasonable fraud detection system.
  • Please reach out to your Relationship Management team if you have questions.

Differentiating Unauthorized Return Reasons – Phase 2— Effective April 1, 2021

  • Re-purposed return reason code R11 will now be covered by the existing Unauthorized Entry Fee.
  • Clients will be billed on their monthly statement of charges.

Supplementing Data Security Requirements – Phase 1 — Effective June 30, 2021

  • The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect account numbers collected for or used in ACH transactions by rendering them unreadable when they are stored electronically.
  • Implementation begins with the largest Originators and TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually.