ACH Fraud Monitoring Under Nacha 2026: What Has Changed and Why It Matters

The Automated Clearing House (ACH) network is one of the largest payment rails in the US, responsible for $86.2 trillion in value in 2024 alone according to Nacha, and rising each year. As volumes rise, so does opportunity for ACH fraud, notably scams made under “false pretenses”, where a payment is carried out through misrepresentation of an account holder’s identity.

With the FTC estimating over $12.5 billion in total fraud losses reported by US consumers in 2024, it’s little surprise that Nacha’s 2026 rule changes are fundamentally raising the bar for ACH fraud monitoring. 

TL;DR

• ACH transaction fraud is driving issues for both financial institutions and businesses, drowning them in false positives, case alerts, and chargebacks, while exposing the everyday consumer to financial loss.
  
  

• With ACH fraud attacks rising to new highs year-over-year, businesses are more at risk than ever from Business Email Compromise (BEC), mule networks, account takeover (ATO), social engineering scams, and ACH kiting.
  
  

• Legacy fraud prevention tools and transaction monitoring solutions cannot keep up with evolving fraud, and are blocked by siloed data and inflexible risk policies.
  
  

• Oscilar’s AI Risk Decisioning™ Platform delivers real-time detection, unified data, layered controls, and audit-ready documentation to help businesses address ACH fraud head-on.

The impact of ACH Fraud in 2026

For ACH network participants — including ODFIs, RDFIs, and payment institutions — ACH fraud is not just a line item in a loss report. It has real impact across fraud and risk operations, compliance, the customer experience, and beyond.

• Chargebacks and returns: Transactions authorized under false pretenses drive huge return volume, to the tune of $11 billion in the US in 2024, costing FIs and impacting their bottom line.
  
  

• Manual reviews and investigation backlogs: Legacy transaction monitoring software, unable to accurately determine genuine transactions from fraud, drives high false positive rates, forcing fraud and AML teams into reactive triage instead of proactive risk management.

• Operational drag and cost: Fragmented fraud and AML systems mean analysts swivel between upward of five tools to piece together a single ACH transaction’s story, driving up cost per alert and slowing response times, impacting the UX.
  
  

• Regulatory and reputational risk: Outside of the impact to the bottom line, weak controls around ACH credits, payroll files, or vendor payments translate into exam findings, Nacha enforcement actions, and reputational damage.

For consumers, the impact is more personal and can take the form of lost money and wages, and the emotional fallout that comes with this.

Nacha’s 2026 operating rule updates are designed to address exactly these downstream harms. Beginning March 20, 2026 (Phase 1) and expanding on June 19/22, 2026 (Phase 2), all ODFIs, RDFIs, non-consumer originators, Third-Party Senders (TPSs), and Third-Party Service Providers (TPSPs), from as little as $1 in transaction volume to $1 billion and beyond,  must implement proactive risk-based processes and procedures to identify ACH entries that are suspected of being authorized under “false pretenses”. These changes are driving real transformation for the ACH network, bringing it in line more broadly with modern AML and transaction monitoring standards.

Prominent types of ACH fraud

Nacha introduced the term “false pretenses” to cover common ACH fraud scenarios such as  Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and payee impersonations, as well as touching on account takeover (ATO). The most prominent fraud typologies under false pretenses include: 

1. Business Email Compromise (BEC): Where attacks spoof a business email account to deceive e.g. vendors, merchants, and employees into initiating a transaction. This attack also enables vendor and payroll impersonation, and can be difficult to track without proper measures in place.

• What it looks like: Fraudsters insert themselves into existing email threads, send urgent payment requests, or share “updated” bank details that look legitimate. ACH payments follow the normal cadence and dollar ranges of prior invoices, making them hard to spot.

• What to look out for: Modern real-time transaction monitoring should correlate beneficiary changes, first-time recipients, and unusual routing details against historical vendor behavior. Building step-up verification mechanisms in the event of suspicious activity can additional identify or deter fraudsters.

2. Mule networks: Where collections of accounts — often newly opened or recently reactivated — receive stolen funds and quickly pass them on through ATM withdrawals, wire transfers, or other payment rails. These accounts can be legitimately owned, acting as a “middle man” between the ACH network and the fraudster.

• What it looks like: An RDFI for example might see a dormant or low-activity account suddenly receiving a lot of payments at velocity, potentially from multiple channels (payroll, benefits, or vendor payments), then rapidly moving those funds out. 

• What to look out for: Nacha increasingly expects ACH network participants to deploy proactive risk-based ACH monitoring, including velocity checks, SEC code mismatches, account age, and behavior history. Look for related accounts in the context of a wider whole than simply looking at a transaction in isolation. 

3. Account Takeover: Where a bad actor gains control of a legitimate bank account or financial instrument and initiates ACH transfers that appear to be authorized by the legitimate account holder.

• What it looks like: Logins from new or risky devices, remote access tool (RAT) usage, or geolocation shifts precede ACH credits or debits to unusual recipients, often coupled with changes to contact details or security settings.

• What to look out for: Nacha’s rules explicitly call for risk-based monitoring that leverages behavior and account characteristics, not just static, point-in-time views of the customer. Where something seems off about a transaction, step-up verification methods and processes can provide additional security and deterrence. 

4. Social engineering and fake payment scams: Where individuals are manipulated into authorizing ACH payments themselves, often through social engineering, romance scams, etc. — these payments are “legitimate”, but driven by coercion.

• What it looks like: Fraudsters use phone, SMS, email, or screen-sharing tools to manipulate victims into login, account changes, and ultimately payments. From a legacy system perspective, everything looks normal.

• What to look out for: Here, continuous transaction monitoring that fuses behavioral, device, and transactional signals is essential. Look for signs of hesitation, guided navigation, and abrupt payment pattern shifts that give away even the slightest hint of suspicious activity in the background.

5. ACH kiting: Where bad actors exploit the ACH process by moving money between accounts at different banks, creating the illusion of available funds and exploiting the lag between transactions.

• What it looks like: Fraudsters transfer funds between accounts at different financial institutions, inflating available balances due to payment lag time and creating the space to effectively spend money that does not actually exist.

• What to look out for: Here, monitoring the flow of transactions and looking for patterns such as repeated transactions across accounts, frequent cross-bank transfers, round sums, etc. can highlight where ACH kiting is occurring. 

Where legacy ACH fraud prevention fails

Nacha’s 2026 changes are, in many ways, an indictment of legacy fraud and AML transaction monitoring approaches.

• Static, hard-coded rules: Legacy tools that rely on rigid rule sets applied to narrow slices of ACH activity (for example, analysing just web debits, or just account opening) struggle to keep pace with dynamic scam patterns like BEC, payroll diversion, and mule networks, driving the majority of false positives. When new fraud typologies emerge, changes require heavy engineering efforts that divert resources away from the core roadmap.
  
  

• Siloed data and infrastructure: When the view of the customer (or fraudster) is hoisted between different teams and systems, gaps emerge and create space for ACH fraud. Where KYC / BSA compliance, ACH fraud monitoring, AML transaction monitoring, etc. exist in silos, businesses are unable to effectively track customer behavior across the lifecycle.
  
  

• Slow, manual operations that drive bottlenecks: Alert queues from legacy transaction monitoring software often require extensive hand-offs and manual enrichment. Where rigid flows and siloed data drive false positives, high volumes can slow decision cycles, increase per-case cost, and overwhelm analysts.
  
  

• Fraud prevention technology built for a pre-AI world: Today’s fraudsters are using the latest and greatest tools such as Generative AI. With AI-enabled fraud projected to reach $40 billion annually in the U.S. by 2027, outmoded and compromised fraud prevention methods simply cannot keep up.

How to leverage AI to prevent ACH fraud

Oscilar’s AI Risk Decisioning™ platform was built for exactly this moment: a world where ACH fraud monitoring must now be real-time, explainable, and deeply integrated with AML and transaction monitoring across the full customer journey. Here’s how: 

• Building a true 360 degree view of customers and fraudsters: Osilcar’s unified platform, across onboarding, fraud, and compliance enables transaction monitoring across ACH, wires, RTP, card, and beyond to build a stronger view of activity.
  
  

• Giving teams the power to adapt with no code: Risk teams can define and update policies in plain English, including detection logic for False Pretenses scenarios, SEC code anomalies, velocity thresholds, and mule indicators, without requiring engineering resources to go-live. It’s how we’re helping businesses like SoFi reduce their time-to-market for new policies by 50%.
  
  

• Reducing false positives with tailor-made ML models: Unified, cross-rail transaction monitoring, tuned to key ACH fraud signals such as out-of-pattern ODFI and RDFI debits / credits, SEC code mismatch and anomaly detection, transaction velocity monitoring, dormant account reactivation alerts, and more.
  
  

• Going beyond the surface with device and behavioral signals: Oscilar’s Cognitive Identity Intelligence blends thousands of digital markers across device, network, and behavioral dimensions to uncover patterns between attacks and protect against sophisticated AI-powered attacks, ATO, social engineering, and beyond.
  
  

• Leveraging AI from the ground up: Oscilar AI empowers fraud, compliance, and credit teams to make risk decisions with confidence — from delivering accurate decisions in under 100ms through to unlocking efficiencies for your team through dedicated AI agents.

Oscilar’s solution is built to help businesses meet the needs of continuous transaction monitoring, aligning with Nacha expectations for risk-based processes, documentation, and annual program reviews. As a Nacha Preferred Partner, Oscilar is supporting businesses as they transform their risk operations to support risk-based ACH fraud monitoring.

To dive deeper into how to operationalize Nacha’s 2026 rules and learn howAI Risk Decisioning™can fast-track your ACH fraud program, visit our dedicated Oscilar Fast-Track program today.