Important ACH Originator Information
What business ACH originators need to know about Nacha updates effective March 20, 2026 - and how we're here to help
ACH Fraud Monitoring
Risk Based Protection for Your Business
Effective
March 20, 2026, the National Automated Clearing House Association (NACHA) will
require businesses that originate ACH payments to maintain risk‑based
processes designed to identify potentially fraudulent ACH transactions.
The rule focuses on detecting two primary types
of fraud:
- Unauthorized entries, such as transactions initiated without proper approval.
- Entries authorized under false pretenses, including payments triggered by deception, like business email compromise (BEC) or vendor impersonation.
What
Your Business Must Do
Businesses that originate ACH payments are expected to:
Businesses that originate ACH payments are expected to:
- Establish risk‑based fraud monitoring procedures tailored to their ACH activity.
- Review and update these procedures at least annually.
- Evaluate transaction risk and apply appropriate controls.
Who
Is Impacted
This requirement applies to all Opportunity Bank of Montana business customers that originate ACH transactions, including commercial entities, nonprofits, and government organizations. The rule applies industry‑wide and is not specific to one financial institution.
This requirement applies to all Opportunity Bank of Montana business customers that originate ACH transactions, including commercial entities, nonprofits, and government organizations. The rule applies industry‑wide and is not specific to one financial institution.
Businesses beginning ACH origination on or after January 1, 2026 must comply at onboarding. Existing originators must be compliant by March 20, 2026.
Understanding
“False Pretenses” Fraud
False pretenses fraud occurs when a transaction appears authorized but was induced through deception. Common examples include:
False pretenses fraud occurs when a transaction appears authorized but was induced through deception. Common examples include:
- Business email compromise (BEC)
- Vendor or employee impersonation requests
Additional
Risks to Consider
Beyond the rule’s minimum requirements, businesses should also address:
Beyond the rule’s minimum requirements, businesses should also address:
- Internal misuse of payment authority
- Compromised login credentials
- Fraudulent requests to change payment instructions
Tools
and Solutions
The rule does not impose specific technology. Acceptable solutions may include:
The rule does not impose specific technology. Acceptable solutions may include:
- Documented internal controls
- Payroll or accounting software safeguards
- Third‑party fraud monitoring services
Fraud Liability
The rule does not impact ACH fraud liability. It requires reasonable detection controls but does not shift responsibility for losses.
The rule does not impact ACH fraud liability. It requires reasonable detection controls but does not shift responsibility for losses.
Examples
of Risk‑Based Practices
Effective fraud controls may include:
Effective fraud controls may include:
- Dual controls and segregation of duties
- Independent verification of payment changes
- Monitoring for unusual transaction activity
- Account validation before sending payments
- Multi‑factor authentication and access controls
- Dedicated payment workstations
- A documented incident response plan
- Ongoing employee training
Next Steps
Businesses should review their current ACH
fraud controls and ensure they are aligned with Nacha’s requirements ahead of
the compliance deadline.
We
encourage all business customers who originate ACH transactions to begin
reviewing their current fraud controls now. Working proactively with your legal
or technology teams can help ensure you are well prepared ahead of the required
compliance deadline.
If you do not already have the most current version of the Nacha Operating Rules and Guidelines, they are available for purchase through the Nacha website.
Additional Nacha Rule Updates Effective March 20, 2026
Nacha is also updating requirements related to
Company Entry Descriptions (CEDs), including standardized use of PAYROLL and PURCHASE
for certain business ACH transactions. Businesses that originate ACH payments
should review their systems and processes to ensure transactions are
appropriately coded. Standardized transaction
descriptions support more effective, risk-based monitoring and mitigation
efforts across the ACH network.
- PAYROLL: Used for ACH credit transactions related to the payment of wages, salaries, or other compensation to employees. The CED field must contain the description PAYROLL.
- PURCHASE: Used for ACH transactions related to the purchase of goods or services, such as vendor or supplier payments. The CED field must contain the description PURCHASE.
You may need to review how transactions are
coded to ensure the appropriate Company Entry Description is being used. In our
system, these fields are free-form text fields; users must include appropriate
values (PAYROLL or PURCHASE) as appropriate, as the Company Entry Description
when originating an ACH transaction.
These standardized descriptions help improve
transparency, monitoring, and fraud detection across the ACH network.
Click here for more information on the new rule impacting Company Entry Descriptions.
Click here for more information on the new rule impacting Company Entry Descriptions.
Helpful Links and Resources
For official rules, fraud guidance and
educational resources, visit Nacha’s website. Additional security tips for
businesses can be found through the FTC and CISA.
- For additional information about ACH, review our ACH Basics Reference Guide
- Nacha Official Website - Main source for ACH rules, updates, and procedures
- Nacha Operating Rules & Guidelines - The complete, authoritative rulebook (available for purchase)
- Nacha ACH Fraud Management Resources - Guidance on fraud monitoring best practices and tools
- Nacha ACH FAQ & Education Center - FAQs and educational materials about the ACH Network
- Cybersecurity & Infrastructure Security Agency (CISA) - Resources for businesses, guides on phishing, malware, and Business Account Compromise (BEC)
- Federal Trade Commission (FTC) - Business guidance on scams and fraud
- Opportunity Bank of Montana Fraud Education Center
We're Here to Help
If
you have questions or need assistance, our team is here to help. Please contact
your local branch, call us at 888-750-2265, or reach out to our Business
Solutions or Digital Banking teams for support.
- Digital Banking Support: 888-750-2265, Option #
- Email Our Business Solutions Team: businesssolutions@oppbank.com
- Live Chat, Mon - Fri 8:00 am - 5:00 pm (MT)
Brandi Schweigert
VP, Business Relationship Director
NMLS# 730864
Brandi Mergenthaler
AVP, Business Relationship Officer
Taylor Wilson
Business Solutions Specialist
Frequently Asked Questions
ACH fraud monitoring refers to the processes
and controls businesses use to identify potentially fraudulent ACH transactions
before funds are sent. These controls help reduce the risk of unauthorized or
deceptive payments.
Company Entry Descriptions (CEDs) are short
descriptions included with ACH transactions that help identify the general
purpose of the payment. Effective March
20, 2026, Nacha is updating its rules to require more consistent use of certain
CEDs for business ACH transactions, including PAYROLL and PURCHASE. Consistent identification
of transaction purpose allows for more targeted risk monitoring and fraud
controls.
Nacha (the National Automated Clearing House
Association) is the organization that governs the ACH Network in the United
States. The ACH network is the system financial institutions use to process
electronic payments such as payroll direct deposit, vendor payments, and
electronic bill payments.
Nacha establishes the rules, standards, and
timelines that banks and businesses must follow when sending and receiving ACH
transactions. These rules apply to all financial institutions and businesses
that participate in the ACH Network. These requirements are industry-wide and
are enforced consistently across banks.
If your business originates ACH payments, Nacha’s rules apply to you. They help ensure that ACH
transactions are processed consistently and securely across all financial
institutions. From time to time, Nacha updates its rules to address emerging
risks, including fraud, which is why businesses may see new requirements
related to ACH activity.
These requirements apply to all business
customers that originate ACH transactions,
including payroll, vendor payments, and collections. They apply to businesses,
nonprofits, and government entities.
The
rule focuses on identifying unauthorized transactions and payments that were
initiated under false pretenses, such as business email compromise, vendor
impersonation, or fraudulent change requests.
These
are transactions that appear to be approved but were actually the result of
deception. For example, an employee may be tricked into sending a payment after
receiving a fraudulent email that looks like it came from a trusted vendor or
executive.
Not necessarily. Nacha does not require specific
technology. Businesses may use existing internal controls, features within
payroll or accounting systems, or third‑party monitoring tools, as
long as the approach is reasonable and risk‑based.
Our ACH tool allows users to include text
values (PAYROLL or PURCHASE) as the Company Entry Description.
At
a minimum, businesses should review and update their ACH fraud monitoring
procedures annually, or sooner if business activity or risk changes.
No.
The rule does not change ACH fraud liability. It requires businesses to have
active monitoring and detection procedures and controls in place but does not
shift responsibility for losses.
Effective fraud controls may include:
- Dual controls and segregation of duties
- Independent verification of payment changes
- Monitoring for unusual transaction activity
- Account validation before sending payments
- Multi‑factor authentication and access controls
- Dedicated payment workstations
- A documented incident response plan
- Ongoing employee training
As
part of the ACH relationship, Opportunity Bank of Montana will review your
fraud monitoring approach during onboarding and periodic ACH reviews to ensure
it aligns with Nacha requirements.
Businesses that originate ACH payments should
review their current controls, document their procedures, and make any
necessary updates ahead of the compliance deadline.
Businesses should also review how transactions are coded to
ensure the appropriate Company Entry Description is being used.
Businesses
that originate ACH payments are required to comply with Nacha’s fraud
monitoring rule by the deadline. If a business has not implemented reasonable,
risk-based ACH fraud controls, we may be unable to continue supporting ACH
origination for your business until the requirement is met.
Our intention is not to disrupt your operations, but to ensure ACH services are used safely and in accordance with industry rules. We will work with you to identify gaps, provide guidance, and allow reasonable time to address any deficiencies whenever possible. Failure to meet Nacha requirements could result in additional review, restrictions, or temporary suspension of ACH origination until appropriate controls are in place.