Big ACH Updates Coming Soon: Prepare Now for 2026 Regulations
March 13, 2025
By Kristin Aulwes, Senior Compliance Auditor AAP
Since the invention of the popular Automated Clearing House (ACH) in 1972 — goodbye, paper checks! — the National Automated Clearing House (NACHA) has continuously monitored and regulated the electronic movement of money in the United States to ensure the millions of ACH payments Americans make every day are processed smoothly and securely.
The risks associated with ACH have transformed over the past several decades as the world has evolved into a more digital one. With every step forward, it’s important to acknowledge the continued risks that come with digital growth — like fraud. Fraud monitoring has been a heavily discussed topic for many years, and NACHA recently introduced new rules, set to go into effect in 2026, that will help originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) prevent fraud and be better equipped when it does occur.
Upcoming regulations will impact financial institutions’ ACH policies and procedures and potentially monitoring systems. Given the time and budget it may take to properly adjust these to align with the new regulations, early preparation is key for credit unions and banks.
Reflecting on the 2024 ACH Changes
Several regulation updates that rolled out in 2024 affect how financial institutions approach ACH and could help build a framework for the expected 2026 regulations.
Changes to WSUD
NACHA made optional changes to the Written Statement of Unauthorized Debit (WSUD) process for pending payments. Prior to this change, when consumers had pending payments on their accounts and reported them to their financial institution, the financial institution had to wait until the payment was posted before they could file the WSUD. With the new changes, financial institutions can immediately file the WSUD upon presentation of the pending payment in the account.
This change is optional but could provide peace of mind to consumers who are stressed about incorrect pending payments on their account. Financial institutions should choose a course of action and stick to it, whether that means waiting until the payment is posted to file the WSUD or filing the WSUD immediately upon presentation. After selecting a preferred procedure, financial institutions should then document any changes and train staff to ensure the consistent and smooth handling of these issues.
Updates to Return Codes R17 & R6
R17 is a return code that allows RDFIs to return transactions they suspect to be fraudulent before they even hit a consumer’s account. When the RDFI uses this code and inputs the descriptor “QUESTIONABLE” in its return addenda, the ODFI is also notified of the fraudulent transaction and can check the originating account.
The R6 return code applies to ODFIs that send a transaction to an RDFI and then realize what they sent was a fraudulent transaction that needs to be returned. ODFIs in these situations need to use R6 as a code to request a return, and then the RDFI must respond within 10 days with an intent to investigate, return, or not return funds. The primary responsibility for reporting fraud remains with the ODFI, but this update places more responsibility onto the RDFI and encourages communication between ODFIs and RDFIs that was not previously required.
2026 Regulations & How to Prepare
The coming 2026 regulations focus heavily on fraud detection and recovery, and this will significantly affect how both ODFIs and RDFIs operate within ACH. Due to the expected impact, it is crucial that organizations get ahead of the game and start preparing for these changes now, ensuring they are already equipped with policies and procedures that adhere to the new regulations when they go into effect.
What’s Changing for RDFIs
Previously, RDFIs were not required to monitor accounts for fraudulent activity, but with the changes approaching, RDFIs will need to begin monitoring the transactions coming into their accounts. They will need to look for transactions that don’t match previous account activity, like an increase in frequency of ACH transactions or a sharp increase in value of ACH transactions, and create risk-based processes and procedures, scaled to their organization, that can monitor accounts for fraudulent activity.
Fraud monitoring requirements for institutions that received ACH receipt volume of 10 million or greater in 2023 go into effect on March 20, 2026. All other institutions have a deadline of June 19, 2026. Organizations that are not sure of their volume threshold can reach out to their ACH operator to have that identified. How RDFIs choose to monitor fraud is up to them, but it must be continuously re-evaluated to ensure it works for the unique needs and size of their organization and remains accurately documented in policies and procedures.
The criteria for fraudulent activity are broad, but include situations like:
- Unauthorized transactions
- Authorized transactions done under false pretenses
“Authorized transactions done under false pretenses” is a relatively new term in the ACH space. These are transactions that occur because someone has gained unauthorized access to an account or somehow scammed an individual into sending them money. This is a common occurrence with the creation of person-to-person (P2P) digital payment systems like Cash App, Zelle, and Venmo.
Although this is a big change for RDFIs, in 2026 it will be required for everyone involved in the ACH process to have a fraud monitoring process in place, including ODFIs, originators, third-party service providers, and other third-party senders. ODFIs must have fraud detection by March 20, 2026. Non-consumer originators, TPSPs, and TPSs with 6 million or greater volume in 2023 should have a fraud detection program set up by March 20, 2026, as well, and all others by June 19, 2026.
Programs do not need to screen every ACH entry or screen prior to processing to meet the requirements. It may be beneficial to screen prior to posting; however, it is not required. Institutions should determine how best to screen for fraud based on their unique risks and risk assessment. But doing nothing and claiming to have no risk is not sufficient. The fraud monitoring processes and procedures must be reviewed at least annually. This rule was established to decrease potential fraud and to encourage communication between the ODFIs and RDFIs regarding potential fraud.
What to Start Doing Now
Since RDFIs are required to have a fraud monitoring process in place by either March 20 or June 19, 2026, based on volume, it would be wise to start preparing now. The process of monitoring could look different depending on the size and bandwidth of the RDFI, but it needs to evaluate their unique risks. Smaller organizations may be able to manually monitor fraud, but larger organizations may need to implement more sophisticated fraud monitoring systems.
RDFIs should lean on existing internal resources, like their BSA Fraud Monitoring groups. Those systems and groups can already help monitor fraudulent activity.
The new requirement for monitoring fraud means RDFIs need to evaluate their risks, update their risk assessments, and then assess the options available to them. Investing in new risk management software or adding additional modules to existing software could be a long and potentially costly process, since it takes time to evaluate, approve, implement, and document a new solution ahead of the rule’s effective date, so the sooner organizations get started the better.
RDFIs should also be prepared to put in extra time to train staff on updated policies and procedures. By scheduling the training well in advance, everyone in the organization will understand it is a priority and have visibility into the timeline.
Another way RDFIs can begin preparing for the coming regulations is by increasing communication with ODFIs, BSA professionals, and other individuals essential to the ACH process. It is also critical to make sure ACH staff and personnel, especially ACH fraud professionals, are registered on the ACH Contact Registry. If a transaction is suspected to be fraudulent, RDFIs can also use the ACH Contact Registry to reach out to the fraud contacts at the ODFI and work together to find a solution faster.
Finally, RDFIs should consider scheduling an ACH audit in 2025 to ensure they are properly set up for successful compliance with the impending regulation updates.
If you’re interested in learning more about ACH fraud monitoring and how the ViClarity Audit Services team can help you adapt your policies and procedures to adhere to the coming regulations, or provide a comprehensive audit of your ACH program, please contact us or email info@viclarityus.com.