The deadlines surrounding Nacha’s new rules for financial institutions using the ACH network are approaching quickly, and institutions are running out of time to comply.
Nacha’s new operating rules redefine how institutions need to detect and respond to fraud. With the March 20, 2026 compliance deadline looming, we sat down with Colin Parsons, Vice President of Product Management at Nasdaq Verafin, to discuss what these obligations mean for financial institutions.
Evolving to Protect Customers from ACH Fraud
Q: Why are the Nacha rules changing?
Colin: The Nacha operating rules are evolving to address the growing threat of fraud in the ACH network, which processed 33.6 billion payments valued at $86.2 trillion in 2024. Fraudsters are exploiting vulnerabilities in electronic payments, and Nacha’s new rules will strengthen fraud detection across the transaction lifecycle.
The ACH network has become a cornerstone of the U.S. payments system, but fraudsters often use it to enact their Authorized Push Payment (APP) and Business Email Compromise (BEC) scams. Consumers and institutions face billions of dollars in losses annually.
Further, this shift reflects the urgent need for financial institutions to adopt more proactive and holistic fraud prevention strategies. In our Global Financial Crime Report we found consumer scams, including things like romance scams, elder financial exploitation, etc., now cost $43.6 billion annually worldwide. That shows how crucial it is to strengthen defenses against this activity.
Fighting Authorized Push Payment Fraud & Business Email Compromise
Q: How do the new Nacha rules address these APP and BEC issues?
Colin: The new rules empower both Receiving Depository Financial Institutions (RDFIs) and Originating Depository Financial Institutions (ODFIs) to detect and respond to ACH fraud more effectively. RDFIs are now expected to monitor inbound ACH transactions for suspicious activity; they’ve also been granted powers to delay or return funds without a customer claim.
Meanwhile, ODFIs can request the return of ACH payments for any reason, which gives them a more active role in the recovery of fraudulent payments. In this way, the new rules aim to reduce the incidence of APP fraud by building transparency into both sides of a transaction.
New Nacha Rules for RDFIs & ODFIs
Q: Can you elaborate on the impact this will have on operations for RDFIs and ODFIs?
Colin: RDFIs will need to implement risk-based monitoring to flag suspicious incoming ACH credit entries. This is a lengthy task. It isn’t just a gap assessment and subsequent revision to internal processes — it’s a completely new process that also includes collaboration with ODFIs to align on risk and recovery strategies. They’ll then need to review and update policies during their annual ACH audit.
ODFIs also have work to do: They need to refine their current processes for monitoring suspicious ACH credit and debit entries. And again, some of these institutions might not have these processes yet at all.
The Penalties of Non-Compliance
Q: What about institutions who don’t comply; what are the penalties for non-compliance?
Colin: Ultimately, non-compliance can lead to losing access to the Nacha network. If institutions show ongoing negligence, it can also result in fines. But what’s most important here is the relationship between institutions and their customers. Reputational damage is certainly possible if customers discover their institution did not take all available steps to protect them.
Furthermore, institutions that fail to mitigate this risk will fall behind their peers in fraud prevention capabilities, exposing them to significant financial losses in a competitive industry.
Meeting the New ACH Requirements on Time
Q: How can institutions meet these requirements in a short timeframe?
Colin: To meet the new Nacha requirements, institutions must perform a series of complex, lengthy operations, such as conducting a gap assessment of current fraud controls and updating internal policies and systems. That takes time — and the deadline is just around the corner.
A consortium data solution, together with platform technology, can help financial institutions quickly meet these new requirements and manage the alert burden associated with reviewing these transactions. That’s why at Nasdaq Verafin, we’ve updated our ACH solution to do the heavy lifting. We know this is a large requirement, and we’re in a unique position to make things much easier for institutions using our ACH fraud solution.
Are You Ready to Meet the Nacha Deadline?
The new Nacha rules represent a pivotal moment in the fight against ACH fraud. With the March 20, 2026 deadline fast approaching, institutions must act now to avoid being overwhelmed by manual processes and alert fatigue. Nasdaq Verafin is building advanced analytics and fraud detection tools that empower institutions to meet these requirements confidently.
By combining behavioral evidence, consortium insights and real-time monitoring, our solution offers a comprehensive defense against APP fraud and BEC scams.
Financial institutions must embrace this opportunity — not just to comply, but to lead in protecting customers and the integrity of the ACH network.
Visit verafin.com for more information.
About the Expert
COLIN PARSONS
Vice President — Head of Fraud Product Strategy at Nasdaq Verafin
Colin Parsons spearheads the strategic development of technology solutions to combat fraud at Nasdaq Verafin. Throughout his time with the company, Colin has worked as a development team lead, software developer and in product marketing. Applying the knowledge gained through his roles and experiences, Colin is focused on using technology to solve the hard problems that are persistent within the fraud space.
