New rules are coming. They’ll change how banks think about risk, liability, and real-time fraud.

ACH fraud is growing fast. NACHA—the organization that oversees the Automated Clearing House (ACH) network—is responding with major updates. These changes aren’t just about checking boxes. They mark a shift toward real-time risk management, smarter fraud tools, and shared responsibility across the network. The updates that started in 2022 were only the beginning. The 2026 rules are where things really change.

A Quiet Shift That’s Already Happening

Since March 2022, if you initiate ACH debits, you must validate every new consumer account before sending the first transaction. This means confirming that the account exists, is open, and can accept debits. You don’t need to verify ownership—just functionality. How you do that is up to you. Micro-deposits, API-based connections, or third-party databases are all acceptable. But if you’re not validating, you’re not compliant.

At the same time, stored account numbers must be encrypted or made unreadable. This rule rolled out in stages during 2022 based on ACH volume. It applies to more than just structured databases—it includes logs, backups, cached files, or anything else where account numbers are stored.

NACHA also introduced a Risk Management Framework. The goal is to move the industry away from reacting to fraud and toward actively preventing it. That means stronger authorization flows, real-time transaction monitoring, and complete audit trails. The expectation is clear: stop fraud before it settles.

2026: The Big Change

Starting March 20, 2026, new monitoring rules take effect for large-volume participants. If you originated six million or more ACH transactions in 2023, or received ten million or more, you must actively monitor for fraud. ODFIs need to flag risky outbound debits. RDFIs need to catch suspicious inbound credits—especially push payments, which are common fraud targets.

By June 22, 2026, these rules will apply to everyone, no matter how many transactions they process. There are no exceptions.

For the First Time, You Can Act Immediately

For the first time, RDFIs will be allowed to delay or return suspicious transactions before a customer complains. They can investigate on the spot and send the money back if needed. This is a major shift in how fraud is handled across the network.

Return Code R17 now supports this kind of fraud response. It allows RDFIs to return fraudulent entries without waiting on the customer. And starting October 1, 2024, banks can also return payments made under false pretenses—something that wasn’t possible before. Until now, return codes were mostly for technical errors. This update turns them into a real tool for fraud prevention.

ODFIs also get more flexibility. They’ll be able to request reversals for unauthorized or mistaken payments more easily, helping speed up resolutions across the board.

The Old Playbook Doesn’t Work Anymore

The traditional process—wait for the customer, file a claim, try to recover funds—is too slow. Fraud happens too fast. Once a push payment settles, the money is often gone for good.

NACHA’s vision is different: real-time detection, immediate action, and shared responsibility between parties. To meet that vision, banks need to build systems that can move as fast as the fraudsters do.

This isn’t just about keeping losses low. It’s about showing your work. You need data to back up your performance. You need logic that explains your decisions. And you need infrastructure that proves your defenses are working before fraud happens.

It’s Not Just About Rules. It’s About Architecture.

The hardest part of compliance isn’t the list of requirements—it’s your system design. Validating accounts, encrypting data, monitoring fraud in real time, automating returns, and tracking it all with audit logs: these aren’t surface-level tasks. They require deep, coordinated architecture.

Most banks aren’t built for that. Their systems are fragmented. Their fraud tools are tacked on. Their teams work in silos. And the bundled tools from core processors often don’t offer the flexibility this new environment demands.

To stay compliant—and competitive—you need a system that can detect, decide, and act in real time. Fraud prevention can’t be a plug-in anymore. It has to be part of the foundation.

Two Types of Institutions. One Common Need.

Established banks have the scale and the budget. But their tech stacks are complicated. Years of legacy systems, third-party vendors, and internal friction make every new rule harder to implement.

Newer institutions—digital banks, credit unions, fintechs—don’t have the same baggage. They can build their systems right from the start. But they often lack the resources to waste on tools that don’t scale or adapt.

Both types of institutions need the same things: real-time risk intelligence, flexible fraud rules, and infrastructure that keeps up with the pace of change.

Enlace Is Building for This Future

At Enlace, we’re building Fraud Capture for this next phase. It reads real-time signals—like account behavior, device fingerprints, and transaction context—and turns them into decisions you can act on instantly. Whether it’s added on top of your existing system or becomes your core platform, it’s built to meet the new NACHA standards and help you stay ahead.

NACHA is making the ACH network stronger. This is your chance to make it smarter. Not just to stop fraud—but to show you know how.

The insights in this post are based on industry research, conversations with banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.