Hello readers! Reading the title, you may think to yourself, “Great, another article written by a compliance professional that’s going to jolt fear into my bones.” But alas, I am not here to inspire any fear, but make you aware of new NACHA rules that are going to be implemented in 2026 and what you should be considering as these rules take effect.

As I’m sure most of you are aware, NACHA is the National Automated Clearing House Association. NACHA is responsible for enforcing rules and regulations in regard to the ACH network. In 2026, NACHA intends to implement two new rules, one of which will roll out in two phases.

• Risk Management – Fraud Monitoring Phase 1: Effective March 20, 2026
• Risk Management – Company Entry Descriptions: Effective March 20, 2026
• Risk Management – Fraud Monitoring Phase 2: Effective June 22, 2026

New rules and phases

Let’s break these down a bit and discuss how each rule will affect the credit union landscape.

Fraud monitoring phase one

Phase one goes into effect on March 20, 2026. It’s important to understand that these rules are broken down into phases that will affect different institutions at different times.

Phase one will affect all ODFIs, non-consumer originators, TPSPs (Third-Party Service Providers), and TPS (Third-Party Senders) with an annual ACH origination volume of 6 million or greater in 2023. RDFIs (Receiving Depository Financial Institution) with an annual ACH receipt volume of 10 million or greater in 2023, the phase one implementation of March 20, 2026, will also apply to you.

The idea of this amendment is to reduce the incidence of successful fraud attempts as well as reduce the incidence of unauthorized debits resulting from transactions initiated online, which, as stated on the NACHA webpage, can experience increased volume and velocity. Those two terms are important, and we’ll come back to those! This rule also introduces a newly defined term, “False Pretenses.” This represents a payment by a person misrepresenting a person’s identity, that person’s association with an account, or ownership of an account that’s being credited. Essentially, preventing push credit fraud.

Fraud monitoring phase two

Initially set for implementation on June 19, 2026, this was recently updated to June 22, 2026, as June 19 is a federal holiday. Phase two has the exact same rules as phase one, but will then apply to any RDFI, non-consumer originator, third-party service provider, and third-party sender that did not meet the requirement threshold for phase one.

Company entry descriptions

Effective March 20, 2026, the details on this section of the rule are centered around data standardization. The intent is to standardize the use of the entry descriptions for PPD (Prearranged Payment and Deposit) credits for payment of wages, salaries, etc. This rule mandates that the company entry description field must include the description of “PAYROLL.”

Additionally, this rule establishes a standardization for descriptions for e-commerce purchases. This company entry description must contain the description “PURCHASE.” It is important to note that the ODFI has no obligation to verify the presence or accuracy of the word “PURCHASE.”

How does this affect me?

Company Entry Descriptions are intended to help improve targeted risk mitigation. Standardizing the descriptions allows credit unions to better query this information and perform data analysis to understand these transactions. Data standardization is always a benefit in the compliance world. This allows you to look for patterns or deviations from patterns that can be considered abnormal or potentially suspicious.

Fraud monitoring has more buzz in the credit union space over the Entry Descriptions. From an RDFI standpoint, the ACH credit monitoring is the standout. The term “Risk-Based Approach” is important here.

Above, I mentioned velocity and increased volume. Credit unions will want to ensure that their core or third-party fraud monitoring service have the ability to accomplish the strategic goals set forth by the credit union to mitigate risk. Incorporating technology, such as pattern thresholds that can run against transaction data that is configurable by the credit union, is an excellent solution.

These patterns typically will give you the ability to look for large ACH transactions, increased velocity, or a percentage increase in member activity compared to previous activity. Allowing the credit union to take a risk-based approach based on that member’s previous activity or what they would consider a large ACH compared to the rest of their membership.

Better monitoring

To summarize, it will be important for credit unions to develop policies and procedures for a risk-based approach to ACH fraud monitoring that makes sense for their institution. Keep the term “risk-based” in mind here. These policies and procedures should include information on how you are performing fraud monitoring for these transactions. This may require conversations with your core or third-party service provider.

Standardized descriptions will help credit unions better analyze data and create analytics that can assist with better identifying the volume of activity, as well as look for deviations from the norm.