ACH Fraud Monitoring

Who does this new rule apply to?

This rule applies to all Mainstreet Community Bank business customers who originate ACH files. Any business, government entity, or organization that initiates ACH transactions (such as payroll, vendor payments, or collections of customer payments) is considered a non-consumer Originator.

Is Mainstreet Community Bank the only bank affected by the rule?

No, this was a mandated rule change by Nacha affecting all financial institutions that have business customers who originate ACH payments.

When do I need to comply with the new rule?

The NACHA deadlines for implementing these essential fraud monitoring processes are as follows:

The NACHA deadline for new business customers who signed up for ACH Origination on or after January 1, 2026, was March 20, 2026. The requirements were included as a part of the initial setup.

All existing ACH business customers (prior to January 1, 2026) are required to implement the new requirements by the June 20, 2026 deadline.

What is “False Pretenses” fraud and why is it important?

“False Pretenses” refers to fraud scenarios where a payment is authorized based on an act of deception and is one of the threats you should consider when creating your fraud monitoring processes. This is a crucial addition to the NACHA rules because it covers many of the most damaging fraud schemes today, including:

• Business Email Compromise (BEC): A fraudster impersonates an executive or vendor via email to instruct an ACH payment to a fraudulent account
• Impersonation: A fraudster calls or emails to trick an employee into changing payment information for a legitimate vendor or employee

What other types of threats should I consider when implementing my fraud monitoring processes?

Effective fraud monitoring processes must be layered and tailored to your business. What you monitor should depend on your specific ACH transactions (e.g., payroll vs. vendor vs. collection of customer payments).

In addition to the rule’s requirements, your program should consider:

• Unauthorized Withdrawals: How can you prevent external parties from pulling money without permission?
• Internal Misconduct: How can you prevent misuse of payment authority by employees?
• Compromised Credentials: How can you protect your internal systems used for managing payment information and activity?
• Change Request Fraud: How can you verify the authenticity of payment instruction changes?

Does Mainstreet Community Bank require me to use a specific software system?

No. The rule is principles-based, not prescriptive. It requires you to implement risk-based processes and procedures that are effective for your specific business. This can include:

• Manual, documented internal controls
• Utilization of new features in your accounting or payroll software
• Adoption of a third-party fraud monitoring solution

Does this rule change my liability for ACH fraud losses?

No. This rule is a compliance standard for Originators, Third-Party Senders, and all Financial Institutions. It establishes a requirement for all Originators to have active, risk-based fraud monitoring. It does not change the fundamental allocation of liability for fraud under existing law, but it does require you to strengthen your controls to mitigate these risks.

What are some examples of risk-based processes for my business?

It is important to remember that your ACH fraud monitoring processes are unique to your business. The processes you implement must be tailored to your specific structure, payment volume, and unique fraud risks. The examples provided below are for informational guidance only – they are a starting point, not a complete checklist. Your unique fraud monitoring processes may include a combination of the following procedural and technical controls:

• Dual Authorization/Segregation of Duties: Requiring at least two separate individuals to authorize high-dollar payments or ACH files. No single person should be able to create, approve, and release a payment
• Out-of-Band Verification: When receiving an email request for a bank account change (vendor or employee), verifying the change via a trusted secondary channel (e.g., a phone call to a known number on file, not the number listed in the suspicious email)
• System Controls and Anomaly Detection: Utilizing your internal accounting or payment systems to automatically flag or alert you to unusual activity, such as:
  • Payments to a new vendor that exceed a set dollar threshold
  • Sudden increases in transaction volume or amount outside of normal business patterns
  • Unusual payment destinations (e.g., high-risk geographical locations)
• Pre-Payment Account Validation: Utilizing ACH prenotes (zero-dollar verification) or third-party validation services to confirm the existence and ownership of a new vendor’s or employee’s bank account before the first live payment is initiated
• Strong Access Controls (MFA): Limiting the number of employees who have access to your ACH origination system and enforcing Multi-Factor Authentication (MFA) for all users to protect against compromised login credentials
• Dedicated Payment Workstations: Restricting the computers used to initiate or approve ACH payments from being used for high-risk activities like opening external email attachments or general web browsing
• Formal Fraud Incident Response Plan: Maintaining a clear, documented plan that specifies the immediate steps to take if fraud is detected, including who at Mainstreet Community Bank to call and internal protocols for isolating the risk
• Mandatory, Continuous Employee Training: Implementing regular (e.g., quarterly) training for all staff involved in payments to recognize, question, and independently authenticate suspicious requests (a key defense against social engineering)