2026 Nacha Rule Changes: What You Need to Know
Beginning in 2026, Nacha is introducing new requirements that will impact how businesses originate ACH transactions. These updates are designed to strengthen fraud prevention, enhance transaction transparency, and improve overall network security. This page outlines what’s changing, who is affected, and how your business can prepare.
What Is Nacha?
Nacha—the National Automated Clearing House Association—oversees and administers the ACH Network in the United States.
The ACH Network supports millions of electronic payments every day, including payroll, vendor payments, direct deposits, and more.
The ACH Network supports millions of electronic payments every day, including payroll, vendor payments, direct deposits, and more.
Why These Changes Matter
New Nacha rules taking effect in 2026 will require most ACH-originating businesses to enhance fraud monitoring practices.
If your business processes electronic payments of any kind, these changes likely apply to you.
If your business processes electronic payments of any kind, these changes likely apply to you.
Your Responsibilities as an ACH Originator
As an Originator, you are responsible for:
- Knowing and complying with current Nacha Rules
- Staying informed about upcoming rule changes
- Maintaining internal controls that meet Nacha’s requirements
What's Changing in 2026
1. Enhanced Fraud Monitoring
Beginning in 2026, Originators must implement risk-based practices to detect and prevent unauthorized or unusual outgoing ACH entries.
This includes:
This includes:
- More proactive monitoring of ACH activity
- Validating transactions that seem inconsistent or unexpected
- Ensuring your business has controls aligned with Nacha’s expanded security expectations
2. New Company Entry Description Requirements
Nacha will require standardized Company Entry Descriptions for certain ACH transactions. The first seven characters of the description must contain the required term.
- PAYROLL - Required for all PPD credit entries used for wages, salaries, or similar compensation.
- PURCHASE - Required for all e-commerce purchase transactions.
For example:
| Transaction Type | Correct Example | Incorrect Example | Why |
|---|---|---|---|
| Payroll (PPD Credits) | PAYROLL-WK | WEEKPAY | Must begin with PAYROLL |
| Payroll (PPD Credits) | PAYROLL01 | EMPPAY | Description must clearly identify payroll |
| E-Commerce Purchase | PURCHASE1 | ONLINEPAY | Must begin with PURCHASE |
| E-Commerce Purchase | PURCHASEA | WEBORDER | Required descriptor not present |
Key Requirements
The first 7 characters must contain PAYROLL or PURCHASE and be capitalized.
The Company Entry Description field allows up to 10 characters.
Compliance Dates to Know
Phase 1 — March 20, 2026
Businesses that originate ACH transactions are required to have the standardized Company Entry Descriptions for certain ACH transactions in place.
Phase 2 — June 19, 2026
Businesses that originate ACH transactions are required to have fraud monitoring in place.
Preparing Your Business
Taking steps now will make compliance easier and reduce disruption. Preparation helps ensure:
- Stronger internal controls
- Reduced exposure to fraudulent activity
- A smoother transition as the March and June deadlines approach
- Better protection for your clients and your business
ACH Originator Compliance Checklist – (June 2026 NACHA Rules)
Fraud Monitoring Controls
- We have written fraud‑monitoring procedures that apply to all ACH activity, including ACH credits and ACH debits.
- Our monitoring looks for both unauthorized transactions and transactions that were authorized but based on fraud (such as business email compromise or fake vendor requests).
- We understand what “normal” ACH activity looks like for the company (including usual dollar amounts, volumes, timing, and recipients).
- We promptly review and investigate any unusual or suspicious ACH activity.
- We review and update our ACH fraud‑monitoring procedures at least once a year to address new or emerging risks.
- We ensure we use the Bank’s multi factor authentication method to login to our account(s)
Payment Instructions, Dual Control & Change Verification
- ACH transactions follow the bank’s dual‑control requirements and proper separation of duties.
- One authorized employee creates or enters the ACH transaction.
- A different authorized employee reviews and approves the ACH transaction before it is released.
- When vendor or payroll payment instructions change, we independently verify the change using a different communication method (for example, calling a known phone number instead of replying to an email).
- Employees are not allowed to rely only on emails when confirming changes to payment instructions.
Standard Company Entry Descriptions
- Payroll ACH credits use the Company Entry Description “PAYROLL” in all capital letters.
- Consumer web‑based debit transactions use the Company Entry Description “PURCHASE” in all capital letters.
- Company Entry Descriptions are used consistently across all ACH files.
- ACH software and file formats have been updated to ensure these descriptions are applied correctly.
ACH Authorizations & Recordkeeping
- We have valid, NACHA‑compliant authorizations for every ACH transaction we originate.
- Authorizations are kept on file and can be provided upon request, consistent with NACHA record‑retention rules.
- Our authorization process is reviewed at least once a year.
Annual Employee Training & Awareness
- Employees involved in ACH origination are trained on common fraud risks such as business email compromise, payroll diversion, and invoice fraud.
- Training explains how and when to escalate suspicious ACH activity.
- Employees clearly understand their responsibilities for ACH entry, approval, verification, and release.
Additional Resources