youtube icon linkedin icon mail icon
Login Get Paid Blog Resources
Who We Serve
What We Do
Vendor Risk Management

Vendor Risk Management

Vendor Verification

Vendor Verification

Vendor Onboarding Software

Vendor Onboarding Software

Vendor Fraud

Vendor Fraud

Vendor Compliance

Vendor Compliance

B2B Electronic Payments

B2B Electronic Payments

Why Trust Us
Resources
Case Studies

Case Studies

Real-life examples of how organizations use PaymentWorks to improve compliance, reduce workload, and add value. Stuff to Watch

Stuff to Watch

Library of short and sweet videos featuring product demos, customer interviews, and sessions with experts. Podcasts

Podcasts

The perfect way to geek out on all things vendor management, and get tips from our guests, partners, and customers. Vendor Management Appreciation Day

Vendor Management Appreciation Day

Dedicated to celebrating the unsung heroes of vendor management and up-leveling your strategy. Events

Events

We go places. We do things. Join us!
Partnerships
About Us
Why We Built This

Why We Built This

Read the story of how PaymentWorks came to be. Who We Are

Who We Are

Get to know our management team. Release Radar

Release Radar

Up-to-date product news! Become a Partner

Become a Partner

Join our eco-system! Work With Us

Work With Us

Interested in solving a real-world problem that affects businesses of all sizes?
Demo

Nacha’s Upcoming Rule Change: What You Need to Know

Are you ready to comply with the upcoming rule changes by June 2026?

by Ashley Poynter

by Ashley Poynter

Content Manager

Nacha’s Upcoming Rule Change: What You Need to Know

If you’re in charge of vendor payments, treasury, or compliance, you’ve probably heard the buzz: Nacha is rolling out significant updates to the ACH Operating Rules, with full compliance expected by June 22, 2026.​

But what does this mean for you? In short, it’s time to get serious about your ACH risk assessment processes and procedures.​

In this article, we’ll break down what an ACH risk assessment entails, why it matters, and how to prepare for the upcoming changes—all in plain English.

Table of Contents

Nacha Rule Changes in Plain English

— What is Nacha?

— Why did Nacha amend the rules?

— Who is impacted by the rule change?

What to Know About Compliance With Nacha’s Risk-Based Processes

PaymentWorks: Your Partner in ACH Risk Assessments, Protection, and Indemnification

— How we enable your organization to comply

— What is an ACH risk assessment?

— Key components of an ACH risk assessment

— Best practices for ACH risk management

ACH Risk Assessments Underpin Compliance, Security

Get Ready for Vendor Management Day 2025

Want Help Aligning Teams On ACH Risk Assessments?

Interested in More Tips On ACH Risk Assessments?

Want Personalized Guidance On ACH Risk Assessments?

Nacha Rule Changes in Plain English

What is Nacha?

The North American Clearing House Association (Nacha) is the governing body of the Automated Clearing House (ACH) network.  

Why did Nacha amend the rules?

The rise in sophisticated fraud schemes that rely on “false pretenses” (yes, that’s now an official Nacha term)—especially Business Email Compromise (BEC) and vendor impersonation—has led to significant financial losses across industries. Recognizing this, Nacha is updating its rules to require organizations to proactively assess and manage ACH-related risks. The emphasis is on implementing “risk-based processes” to detect and prevent fraudulent activities before they cause harm. 

You can find the new rules here.

Who is impacted by the rule change?

NACHA has publicly stated that these are “the most significant rule changes in twenty years”. 

Below is a framework for each of the participants in the ACH network, along with their new responsibilities.

What to Know About Compliance With Nacha’s Risk-Based Processes

Alright, now that we’ve covered the “why” behind Nacha’s new rules, let’s get into the “what.” Because yes, there are actual requirements—and they’re not just suggestions.

Starting in June 2026, every business and public sector organization that sends ACH payments will be expected to follow a new set of standards around verifying bank account information. The days of casually updating payment details via email and calling it “good enough”? Those are officially over.

At the heart of the update is a big concept with a somewhat vague name: “risk-based process.” It’s Nacha’s way of saying: “You know your organization better than we do, so build a fraud-prevention process that makes sense for you—but make sure it actually works.”

So, what does a risk-based process really involve? How do you comply? And is automation the only way to stay sane while doing it all?

Let’s break it down.

So, what is the rule change?

Non Consumer Originators (i.e., all companies and public sector institutions) are required to implement a “risk-based” process to ensure bank information is verified through a validated source.

What does a “Risk-Based Process” mean?

Nacha understands there is no “one size fits all” solution.  Rather, each organization must establish processes and controls that are unique to the nature of the organization and the nature of the payments it makes.

What is required to comply with the new rules?

The bare minimum for meeting the rules is the following:

  1. Complete a risk analysis by segmenting outbound payment transactions into low/high risk categories and identify potential gaps in the process/controls.
  2. Establish a formal process to ensure bank information for high-risk transactions are verified through a validated source and implement controls to ensure those processes are being consistently performed.

Is automation required to comply?

Technically, no.  However, depending on the size and complexity of an organization, applying human effort may not be scalable and sustainable.  Also, because manual-based processes & controls are generally ineffective against increasingly sophisticated bad actors, Nacha strongly encourages originators to automate both: 1) payee onboarding and 2) ongoing transaction monitoring. 

Examples of systematic controls recommended by Nacha: 

Multi-layered identity verification

  • Name, Address, Phone number, and Email validity
  • SSN / TIN verification against government databases
  • Sanction and Watchlist Screening
  • Device intelligence and geolocation checks
  • Real-time MFA authentication to ensure you know who you are talking to

Account Ownership and Payment Information Matching

  • Deploy bank account verification processes to confirm the account details match the entity’s legal registration.

Behavioural & Predictive Analytics

  • Use machine learning to detect patterns of unusual/suspicious activity.

Ongoing Payment Monitoring

  • Segment high-value transactions at the time of payment to ensure the necessary safeguards and controls (above) have been performed.  

When do non-consumer originators need to comply?

That depends. If your organization originated more than 6 million ACH transactions or received more than 10 million in 2023, you’re on the hook by March 20, 2026. Everyone else? You’ve got until June 22nd, 2026.

With both compliance deadlines approaching, it’s crucial to start your ACH risk assessment process now. Early preparation allows ample time to identify vulnerabilities, implement necessary controls, and ensure your organization meets Nacha’s updated requirements.

What happens if my organization doesn’t comply?

Non-Consumer Originators can be denied access to the ACH network by their ODFI as well as be subject to the normal rules violation process and potentially incur fines or penalty fees.

Why will most organizations comply with the rule changes?

Prior to these rule changes, Non-consumer originators that experienced fraud were unwitting victims of bad actors (“shame on them”).  

After the rule changes, those same organizations will be considered delinquent for ignoring / not complying with the new rules (“shame on you”). 

If you’d like to download this guide on the new rule changes, you can grab a copy here.

PaymentWorks: Your Partner in ACH Risk Assessments, Protection, and Indemnification

Good news! Organizations can use third parties like PaymentWorks to comply. Platforms like PaymentWorks not only streamline ACH onboarding and verification—they provide the ongoing fraud monitoring capabilities Nacha expects, with built-in alerts and analytics. Plus, our payments security platform is the first (and only) of its kind to indemnify customers from fraudulent payments, so you get peace of mind and protection.

How we enable your organization to comply

PaymentWorks:

  • Is the definition of a “risk-based process” to eliminate BEC / Social Engineering / Vendor Impersonation fraud
  • Provides an out-of-the-box solution to meet all the new (and existing) Nacha requirements
  • Offers ACH risk assessment templates
  • Stands behind the platform by providing fraud indemnification to customers

What is an ACH risk assessment?

An ACH risk assessment is like a health check-up for your payment processes. It involves evaluating your organization’s procedures for initiating ACH transactions to identify potential fraud risks.. The goal is to implement controls that mitigate these risks, ensuring the security and reliability of your ACH activities.

Key components of an ACH risk assessment

  • Identify Risks: Start by mapping out your ACH processes and pinpointing areas where risks may arise. This includes evaluating the potential for unauthorized transactions due to social engineering or vendor impersonation fraud.
  • Assess Risks: Determine the likelihood and potential impact of each identified risk. This helps prioritize which areas need immediate attention and resources.​
  • Implement Controls: Develop and enforce policies and procedures to mitigate the identified risks. This could involve multi-factor authentication, employee training, and regular audits.
  • Monitor and Review: Continuously monitor your ACH activities to detect anomalies and review your risk assessment periodically to adapt to new threats or changes in operations.

Best practices for ACH risk management

  • Segregation of Duties: Ensure that no single individual has control over all aspects of a financial transaction.​
  • Employee Training: Educate staff on recognizing phishing attempts and other social engineering tactics.​
  • Vendor Verification: Implement procedures to verify the legitimacy of vendors before initiating payments and confirming bank information against a verified source (phone calls to company switchboard or using Early Warning Systems)
  • Use of Technology: Leverage software solutions that offer real-time monitoring and alerts for suspicious activities.

ACH Risk Assessments Underpin Compliance, Security

Navigating Nacha’s new rule changes and the complexities of ACH risk assessments may seem daunting, but with a structured approach and the right resources, your organization can enhance its payment security and comply with Nacha’s forthcoming rules.​  Nacha offers numerous resources that can be valuable as you prepare.  

Remember, proactive risk management isn’t just about compliance—it’s about protecting your organization’s financial integrity and reputation.​

If you need assistance with your ACH risk assessment or have questions about the upcoming changes, don’t hesitate to reach out. We’re here to help you every step of the way.

Get Ready For Vendor Management Appreciation 2025

The Vendor Management Appreciation Day (#VMAD) celebration continues in 2025! And you should join us. 

Why? Because there’s no expiration date on honoring one of the most important, under-recognized roles across industries: vendor management.

Join us in observing Vendor Management Appreciation Day (VMAD)! We’re gearing up for the 2025 celebration, and we want you to be a part of it!

VMAD is a new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.

Moreover, we’ve released gifts each month to help you supercharge your vendor management efforts. Additionally, we’re planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.

In the meantime, learn more here, and grab some free vendor management goodies.

Want Help Aligning Teams On Achieving “Business Identity Verified” Status?

Explore our blogs below. They’re filled with action items you can implement right away.

Vendor Verification – Get vendor data right, always

Vendor Verification Process: How NOT to Do it and What to Do Instead

Fraudsters Love Your Company Culture. Here’s How to Fix It (and Stop Fraud) With Vendor Onboarding Best Practices

The New Face of Vendor Fraud Cases

Interested in Regular Tips On Achieving “Business Identity Verified” Status?

Subscribe to our blog

Want Personalized Guidance On Achieving “Business Identity Verified” Status?

Contact Us–we’d love to help you

Let us show you how we can help

We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.

Request a Demo
empty space
PaymentWorks Logo

280 Moody Street, Unit #5
Waltham, MA 02453

Get help with registration.

Follow us on

youtube icon linkedin icon mail icon

Who We Serve

What We Do

Why Trust Us

About Us

Blog

Resources

Request a Demo

Get Paid

Jobs

Partnerships

Partner Referral

Events

© Copyright 2025 - PaymentWorks

Privacy Policy Terms of Service PaymentWorks EarlyPay Terms of Service Transparency in Coverage