Brian Holbrook
The National Automated Clearing House Association (Nacha) will be implementing a range of rule changes to strengthen fraud prevention measures related to ACH transactions. It is crucial that industry participants are fully aware of all upcoming changes. Moreover, with effective dates confirmed, organisations are encouraged to start preparing now.
- In response to surging fraud and financial crime, Nacha will be implementing new rules to strengthen fraud prevention measures related to ACH transactions.
- Structured planning and preparation are vital to fully understand and adapt to the new rules.
- Timeframes are tight and forward planning is essential.
Payment fraud and the ACH network
Nacha is the administrator of the ACH Network, the US payment system covering direct deposits and direct payments. The network processes substantial volumes and value each year, but surging financial crime – much of it relating to payments fraud – is creating a headache for organisations.
The statistics are eye-wateringly high. A staggering 80% of organisations were victims of payments fraud in 2023, a 15% rise over the previous year.[1] Moreover, ACH is the payment method most often targeted in BEC (business e-mail compromise).[2]
In March, Nacha approved a set of rules aimed at tackling rising fraud. The key objective of the new rules is to lower the success rate of attempted fraudulent activities. Amongst other changes, fraud detection responsibilities will be expanded across more ACH Network participants.
It is crucial that all impacted payments industry players are aware of the implications of these upcoming changes, and further that they take action to prepare ahead of the imminent implementation dates. Forward planning is essential.
The new rules: a snapshot
The proposed amendments have staggered effective dates ranging from October 2024 until June 2026, meaning that the preparation timeframe is tight. Here we focus specifically on the impact of Fraud Monitoring – Phase 1, outlined in the table below:
| Dates | Effective Dates for Rule Amendments |
|---|---|
| October 1, 2024 |
|
| March 20, 2026 |
|
| June 19, 2026 |
|
Four key areas of change include:
- Fraud monitoring
This rule requires each Originator, ODFI, Third-Party Service Provider, and Third-Party Sender to establish and implement risk-based processes and procedures intended to identify ACH entries initiated due to fraud.
- Risk-based processes and procedures – new language
New rule language has been introduced around fraud monitoring. This relates to establishing and implementing risk-based processes and procedures intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses.
- Credit monitoring
The rule amendment requires RDFIs to establish and implement risk-based processes and procedures intended to identify credit ACH entries initiated due to fraud.
- False Pretenses – new language
The inducement of a payment by a Person misrepresenting that Person’s identity or the ownership of an account credited. This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, account take over and others.
Preparing for change: a four-step plan
As a Nacha Preferred Partner for Compliance and Risk and Fraud Prevention, LSEG Risk Intelligence has created a Preparation Playbook to help you assess your current capabilities and determine the steps you need to take to ensure your organization is ready for the new Nacha rules.
- Review your current capabilities
The first step is to review your current capabilities in the context of the customer life cycle. It is necessary, for example, to understand how fraudsters sneak into the environment, look at what your fraud rates are, consider your ACH return rates and assess the fraud detection systems you currently have in place. This can help you identify gaps.
- Examine the customer lifecycle
Secondly, take a closer look to help identify potential fraud across the three key areas of the customer lifecycle: identity and onboarding, payments and disbursements and change management events. Your solutions must allow you to trust the identity, trust the account and trust the interaction.
- Identify areas for improvement in fraud detection
Next, look at where you might need to develop or enhance your fraud detection tools, processes and procedures. Understand what enhancements to existing processes are needed to comply with the new rules.
- Identify new technology or partners needed
Finally, consider the new technology solutions or partners you might need to work with going forward. We recommend having a partner that “can come in and consult with you, share with you what they are seeing in the industry, and help you understand fraud trends from a risk perspective.”
Adopting a holistic fraud prevention strategy that identifies and mitigates potential fraud across the customer life cycle is essential – and choosing the right partner to achieve this is vital.
Access our webinar to hear from Nacha and LSEG Risk Intelligence experts discuss the new amendments, as well as provide our four-step preparation plan here.
Compliance with Nacha rules is not always straightforward. Discover how our account verification solutions can help you reduce payments risk and ensure compliance with evolving Nacha rules. Learn more.
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright © 2024 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.
