What do the 2026 Nacha rule changes mean for your business?
New fraud‑monitoring and ACH labeling requirements began in March, 2026, and businesses that send or receive ACH payments should act now to stay compliant and reduce risk.
What businesses should do now
If your organization sends or receives ACH payments, preparation is essential in 2026. Nacha’s updated Operating Rules introduce new requirements that apply across the ACH Network—from businesses and financial institutions to third‑party processors.
- Establish documented, risk‑based ACH fraud monitoring to identify unauthorized payments and transactions initiated under false pretenses.
- Review and document fraud‑monitoring controls at least annually, accounting for changes in volume, risk, and operations.
- Update Company Entry Descriptions by using PAYROLL for PPD payroll credits and PURCHASE for WEB debit e‑commerce transactions.
- Prepare for Nacha compliance reviews, including third‑party audits where applicable.
Why Nacha is updating the rules
The ACH Network is one of the most widely used payment rails in the United States, supporting payroll, B2B payments, consumer debits, and government transactions. Its scale also makes it an attractive target for fraud.
“ACH simplifies transactions for businesses. At the same time, there are always people trying to take advantage of weak points in the system,” said Jessica Jett, product manager in Regions Treasury Management.
The 2026 Nacha rule changes are designed to expand fraud‑detection responsibilities, address payments authorized under deception, and improve consistency across the ACH Network.
“ACH offers so many advantages both in terms of security and efficiency,” Jett said. “With the right advance preparation, these changes should prove seamless. It’s just a matter of staying on top of expectations.”
Overview of the 2026 Nacha rule changes
What changed on March 20, 2026
Phase 1 of the new rules requires ACH participants including all ODFIs, and to any non-Consumer Originators, TPSs, and TPS Providers whose ACH origination or transmission volume exceeded 6 million transactions in 2023, to maintain risk‑based monitoring processes designed to identify unauthorized transactions and payments authorized under false pretenses, including social‑engineering and business email compromise scams.
Standardized Company Entry Descriptions
Also, effective March 20, 2026, Nacha requires standardized Company Entry Descriptions: PAYROLL for PPD credit payroll payments and PURCHASE for WEB debit consumer e‑commerce transactions.
What changes on June 22, 2026
Beginning June 22, 2026, risk‑based ACH fraud‑monitoring requirements expand to all remaining ODFIs and all non‑consumer Originators, Third‑Party Senders, and Third‑Party Service Providers, regardless of volume.
Additional changes effective September 18, 2026
Additional updates clarify International ACH Transaction (IAT) classifications and require non‑same‑day ACH credit funds to be available by 9:00 a.m. local time on the settlement date.
2027 and beyond: What’s ahead
Future Nacha updates include new IAT contact registration requirements, optional data‑field enhancements, and the introduction of return reason code R90 to support sanctions‑compliance obligations.
Ready to help
To learn more about Nacha rule changes, contact your Regions Treasury Management relationship manager or call Regions Client Services at 1-800-787-3905.
Frequently Asked Questions
All ACH participants—including businesses, financial institutions, and third‑party providers—must comply. By June 22, 2026, the requirements apply to all non‑consumer ACH participants.
No. Nacha requires risk‑based fraud‑monitoring programs, not real‑time or transaction‑by‑transaction review.
Failure to comply may result in formal Nacha rule violations, financial penalties, or restrictions on ACH origination.
Related Insights
-
Article
6 min read
-
Article
10 min read
-
Article
7 min read
-
Article
8 min read
