
The Payment That Wasn’t: What the 2026 ACH Rule Changes Mean for Your Business

by Larry J. Hershman, CISSP


It started with an email.

A property management company received a message from what appeared to be one of their longest-standing vendors – a maintenance contractor they had paid reliably for years. The email was professional, the logo looked right, and the request was routine: a banking detail update before the next payment cycle. Someone in accounts payable processed it without a second thought.

Three days later, $47,000 in ACH payments landed in an account the contractor had never seen. By the time anyone realized what had happened, the money was gone.

This is not just a cautionary tale from a cybersecurity conference. Variations of this story play out hundreds of times a day across businesses of every size and industry. And most of the organizations it happens to believed – right up until it happened – that their controls were adequate.

The Question Many Organizations Have Not Asked

Here is what keeps financial leaders, operations managers, and compliance officers up at night, even if they do not always say it out loud: Do we actually know what is protecting our payments, or do we just assume something is?

For most organizations, the honest answer is somewhere in the middle. There are controls in place. Somebody set them up. But when was the last time anyone reviewed them? Does the AP team know what to do when a vendor calls to update their banking information? Is that process written down somewhere, or does it live in the institutional memory of one long-tenured employee?

These gaps – between what organizations believe their controls are and what those controls actually do – are exactly where fraud happens. And they are exactly what NACHA’s 2026 rule changes are designed to force organizations to confront.


What the NACHA Changes Require

NACHA, the governing body of the ACH payment network that moves trillions of dollars each year, has issued a Risk Management Rule Package with two compliance deadlines: March 20, 2026 and June 22, 2026.

The rules themselves aren’t complicated to understand. What’s significant is who they now apply to and what they actually demand.

Previously, organizations only had to screen for fraud on a narrow category of web-initiated transactions. The new rules extend that obligation across every ACH transaction type – payroll, vendor payments, direct deposits, and more. More importantly, they replace the old “commercially reasonable” standard with “risk-based processes and procedures.”

What does that mean in plain English? It means you can no longer point to the fact that you have something in place and call it done. Your fraud monitoring program will be evaluated against your organization’s specific risk profile. You will need to document it, review it annually, and demonstrate that it actually addresses the threats your business faces – not just the threats that existed when someone set up your payment system five years ago.

And starting June 22, 2026, there is no minimum transaction volume required for these obligations to apply. Every organization that originates ACH payments – the law firm running direct deposit payroll for 15 people, the engineering company paying 40 subcontractors, the healthcare practice processing vendor invoices – is in scope.

There is also a straightforward technical change: ACH payment files for payroll transactions must now use “PAYROLL” in the Company Entry Description field, and online purchase transactions must use “PURCHASE.” If your payroll provider or accounting system generates those files with legacy or custom descriptions, that needs to be fixed before the deadline.

How ACH Fraud Typically Happens

The reason these rules exist is worth understanding, because the threats they address aren’t abstract.

Picture a regional engineering firm midway through a large infrastructure project. Dozens of subcontractors. Payments going out every two weeks. Someone on the project team gets an email – looks like it came from a sub they’ve worked with for years – asking to update banking information before the next payment run. The email address is off by one character. Nobody notices. Forty thousand dollars leaves the company’s account and doesn’t come back.


Or consider a university financial aid office processing thousands of student direct deposit updates every semester. A student’s login credentials were stolen in a phishing attack. Someone uses those credentials to change the bank account on file. The next disbursement goes somewhere it was never supposed to go. By the time the student reports not receiving their financial aid, the money has moved twice.

Or a medical practice with a trusted billing vendor. That vendor – like most small businesses – doesn’t have a formal security program. They get compromised. The attacker uses the vendor’s access to redirect ACH payments over several months before anyone notices the discrepancy.

None of these scenarios requires sophisticated hacking. They require one overlooked process, one distracted employee, one assumption that someone else is checking.

What Noncompliance Can Cost

Here is a question worth considering: “What happens if your organization suffers an ACH fraud incident after the compliance deadline and you were not compliant when it happened?”

It’s the question most organizations don’t ask until it’s too late. The answer is more complicated than a simple fine and considerably more expensive.

The direct NACHA penalties are the least of your problems

NACHA enforces its rules through a National System of Fines. Violations can result in penalties of up to $500,000 per month for repeated noncompliance, required corrective action, suspension of ACH origination access, or permanent termination of origination privileges. For any organization that depends on ACH for payroll or vendor payments, losing origination access – even temporarily – is an operational crisis.

Noncompliance doesn’t shift legal liability; it just makes everything harder

Here’s the nuance most people miss: NACHA’s own rules explicitly state that the new fraud monitoring requirements do not change the allocation of legal liability between parties under UCC Article 4A. In other words, being noncompliant doesn’t automatically mean your bank absorbs the loss on your behalf – and it doesn’t automatically mean you’re liable to your bank either. Those determinations are still governed by your account agreements and applicable law.

What noncompliance does do is stack the deck against you in every direction when you try to recover.


Your bank will look at what you had – or didn’t have – in place

When a noncompliant organization goes to their bank seeking loss recovery after a fraud incident, the conversation is fundamentally different than it would be for a compliant one. A bank presented with evidence that a business had no documented fraud monitoring program, no vendor verification process, and no annual review on record has much stronger grounds to argue the loss falls on the customer. The same fraud, hitting a compliant organization with documented controls, may have a very different outcome.

Civil litigation exposure is real and underappreciated

If an ACH fraud incident harms a third party – a vendor who didn’t receive a legitimate payment, a client whose funds were misdirected, an employee whose payroll was diverted – noncompliance with a published regulatory standard becomes powerful evidence in a negligence claim. Plaintiffs’ attorneys will use the existence of NACHA’s rules, and your failure to follow them, to argue that you knew the standard of care, had an obligation to meet it, and didn’t. That is a difficult position to defend.

Your cyber insurance may not cover you

Many commercial crime and cyber liability policies include conditions requiring the policyholder to maintain “reasonable” or “industry-standard” payment controls. If an insurer is presented with evidence that its insured was operating below a published standard at the time of loss, that may create grounds to deny or reduce the claim, depending on the policy language and the facts. What felt like adequate coverage on paper may not hold up against a documented control failure.

The property management company from the opening of this article? They didn’t just lose $47,000. They spent months in disputes with their bank, were unable to collect on their crime insurance policy because their internal controls failed to meet the policy’s requirements, and faced a civil claim from the vendor whose legitimate payment was delayed as a result of the fraud investigation. The original fraud was painful. The downstream consequences were devastating.


Noncompliance doesn’t guarantee any of these outcomes. But it removes the protections that compliance provides, and those protections matter most precisely when something goes wrong.

Four Practical Steps to Take Now

Understanding the rules is one thing. Acting on them is another. Here are four concrete steps every organization should take before the June 2026 deadline:

1 – Find out what you actually have in place.

Before you can improve your fraud controls, you need to know what exists today. Pull together everyone involved in initiating or approving ACH payments – AP, Payroll, HR, and IT – and map out exactly what happens when a payment is set up, when a vendor changes banking details, and when something unusual appears. You may discover your controls are stronger than you thought. You may discover they exist mostly in someone’s head. Either answer is useful.

2 – Build a verification step that can’t be skipped.

Any request to add or change a bank account – for a vendor, an employee, a student, anyone – needs to be verified through a channel that is completely separate from the request itself. That means calling a phone number you already have on file for that person or organization. Not the number in the email. Not the number on the new form they submitted. A number you looked up independently. This is the single most effective process change an organization can make to prevent payment fraud, and it costs nothing to implement.
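Added here as an illustration of the control described in this step (example code, not code from the article or from UTRS InfoSec): a small Python model of a vendor bank-change workflow in which the change can only be applied after a callback to the phone number that was already on file, and the record shows who made that call and when. The data model, function names, vendor details and account numbers are all constructed for the example.

```python
"""Enforce an out-of-band verification step before a bank-account change.

Added example; not code from the article or from UTRS InfoSec. A request
to change a vendor's bank account is applied only after someone confirms
it by calling the phone number that was on file before the request
arrived, and the request records who verified it and when. The data model
and function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class VerificationError(Exception):
    """Raised when a bank change lacks a valid independent verification."""


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    phone_on_file: str      # captured at onboarding; never taken from a change request
    routing_number: str
    account_number: str


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    submitted_by: str                   # AP user who keyed in the request
    contact_phone_in_request: str       # number the email or form supplied: untrusted
    verified_by: Optional[str] = None
    verified_via_phone: Optional[str] = None
    verified_at: Optional[datetime] = None


def _digits(phone: str) -> str:
    """Normalise a phone number so '(555) 010-0199' and '5550100199' compare equal."""
    return "".join(ch for ch in phone if ch.isdigit())


def record_callback(req: BankChangeRequest, vendor: VendorRecord,
                    verifier: str, phone_dialed: str) -> None:
    """Log that `verifier` confirmed the request by calling `phone_dialed`.

    The call counts as verification only if the number dialed is the one on
    file for the vendor, so a number that arrived with the request itself
    cannot be used to 'confirm' it.
    """
    if req.vendor_id != vendor.vendor_id:
        raise VerificationError("request does not belong to this vendor record")
    if _digits(phone_dialed) != _digits(vendor.phone_on_file):
        raise VerificationError("callback must use the number on file, not the one in the request")
    req.verified_by = verifier
    req.verified_via_phone = phone_dialed
    req.verified_at = datetime.now(timezone.utc)


def apply_change(req: BankChangeRequest, vendor: VendorRecord) -> VendorRecord:
    """Update the vendor master only when a valid out-of-band verification exists."""
    if req.vendor_id != vendor.vendor_id:
        raise VerificationError("request does not belong to this vendor record")
    if req.verified_by is None or req.verified_at is None:
        raise VerificationError("bank change has not been verified")
    if _digits(req.verified_via_phone or "") != _digits(vendor.phone_on_file):
        raise VerificationError("verification did not use an independent channel")
    vendor.routing_number = req.new_routing
    vendor.account_number = req.new_account
    return vendor


def run_scenario() -> dict:
    """Constructed walkthrough: an email asks to change a vendor's bank details."""
    # All identifiers below are constructed placeholders, not real accounts.
    vendor = VendorRecord("V-1001", "Reliable Maintenance Co.", "(555) 010-0199",
                          routing_number="123456789", account_number="000111222")
    req = BankChangeRequest("V-1001", "987654321", "999888777",
                            submitted_by="ap.clerk", contact_phone_in_request="555-010-0777")
    outcome = {}
    # 1. Trying to 'verify' by calling the number supplied in the email is rejected.
    try:
        record_callback(req, vendor, "ap.supervisor", req.contact_phone_in_request)
        outcome["callback_to_request_number"] = "accepted"
    except VerificationError:
        outcome["callback_to_request_number"] = "rejected"
    # 2. Applying the change without any verification is blocked.
    try:
        apply_change(req, vendor)
        outcome["apply_unverified"] = "applied"
    except VerificationError:
        outcome["apply_unverified"] = "blocked"
    # 3. A callback to the number on file (assumed here to confirm the request)
    #    makes the change applicable and leaves an attributable record.
    record_callback(req, vendor, "ap.supervisor", "5550100199")
    apply_change(req, vendor)
    outcome["apply_verified"] = "applied"
    outcome["verified_by"] = req.verified_by
    outcome["account_now"] = vendor.account_number
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the design is that the only phone number the system will accept as a verification channel is the one stored before the request existed; whatever number the request carries is stored for the audit trail but can never satisfy the check. If the callback reveals that the vendor never asked for the change, the request is simply never verified and `apply_change` keeps refusing it.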

3 – Get confirmation from your payment systems.

Call your payroll provider. Call your ERP or accounting software vendor. Ask them directly: will your ACH output files include “PAYROLL” in the Company Entry Description field for direct deposit payroll transactions? Will they include “PURCHASE” for applicable transactions? Ask for written confirmation. This is a systems change that your vendor needs to make, and you need to know whether it’s happening automatically or whether it requires action on your end.
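One way to confirm what your systems are actually producing, rather than relying on the vendor's answer alone, is to inspect the files themselves. The following is an added example (not code from the article or from UTRS InfoSec) covering both this step and the description change noted under “What the NACHA Changes Require”: a Python check that reads the fixed-width batch header records of a NACHA-format ACH file and reports any in-scope batch whose Company Entry Description is not “PAYROLL” or “PURCHASE”. The sample file, company name and routing identifiers are constructed, and the rule used to decide which batches are payroll (PPD credit-only batches) and which are online purchases (WEB debit-only batches) is an assumption made for illustration, not a statement of NACHA's scope; confirm the scope with your ODFI or payment provider.

```python
"""Check Company Entry Description fields in NACHA-format ACH files.

Added example; not code from the article or from UTRS InfoSec. It reads the
fixed-width batch header records (record type 5) of an ACH file and reports
batches whose Company Entry Description does not carry the expected value.
Which batches count as payroll or online purchases is an assumption made
here for illustration: PPD credit-only batches are treated as payroll and
WEB debit-only batches as online purchases.
"""
from dataclasses import dataclass
from typing import Iterator, List

RECORD_LENGTH = 94  # every NACHA record is 94 characters

# Batch header field positions (1-based, inclusive, per the NACHA file
# specification), expressed here as 0-based Python slices.
RECORD_TYPE = slice(0, 1)          # "5" marks a batch header
SERVICE_CLASS = slice(1, 4)        # 200 mixed, 220 credits only, 225 debits only
COMPANY_NAME = slice(4, 20)
SEC_CODE = slice(50, 53)           # Standard Entry Class code: PPD, WEB, CCD, ...
ENTRY_DESCRIPTION = slice(53, 63)  # Company Entry Description, 10 characters
BATCH_NUMBER = slice(87, 94)

# Assumed mapping from (SEC code, service class) to the required description.
REQUIRED_DESCRIPTION = {
    ("PPD", "220"): "PAYROLL",
    ("WEB", "225"): "PURCHASE",
}


@dataclass(frozen=True)
class Finding:
    batch_number: str
    company_name: str
    sec_code: str
    description: str   # value actually present in the file, trimmed
    expected: str
    compliant: bool


def batch_headers(ach_text: str) -> Iterator[str]:
    """Yield each well-formed batch header record; skip other record types."""
    for line_no, line in enumerate(ach_text.splitlines(), start=1):
        line = line.rstrip("\r\n")
        if not line or line.startswith("9" * 10):   # blank or block-padding line
            continue
        if len(line) != RECORD_LENGTH:
            raise ValueError(f"line {line_no}: expected {RECORD_LENGTH} chars, got {len(line)}")
        if line[RECORD_TYPE] == "5":
            yield line


def check_descriptions(ach_text: str) -> List[Finding]:
    """Return one Finding per in-scope batch; compliant is False when the field is wrong."""
    findings = []
    for record in batch_headers(ach_text):
        expected = REQUIRED_DESCRIPTION.get((record[SEC_CODE], record[SERVICE_CLASS]))
        if expected is None:
            continue  # e.g. CCD vendor payments: not covered by this check
        actual = record[ENTRY_DESCRIPTION].strip()
        findings.append(Finding(
            batch_number=record[BATCH_NUMBER],
            company_name=record[COMPANY_NAME].strip(),
            sec_code=record[SEC_CODE],
            description=actual,
            expected=expected,
            compliant=(actual == expected),   # exact, upper-case match as the rule spells it
        ))
    return findings


def _batch_header(service_class: str, company: str, sec: str,
                  description: str, batch_no: str) -> str:
    """Build a constructed 94-character batch header for the sample file below."""
    record = (
        "5" + service_class + company.ljust(16) + " " * 20   # discretionary data, blank
        + "1123456789"                                       # company ID (constructed)
        + sec + description.ljust(10)
        + " " * 6 + "260320" + " " * 3                       # descriptive date, effective date, settlement
        + "1" + "12345678"                                   # originator status, ODFI ID (constructed)
        + batch_no.zfill(7)
    )
    assert len(record) == RECORD_LENGTH
    return record


# Constructed sample file: a file header, four batch headers, one padding line.
SAMPLE_FILE = "\n".join([
    "1" + "01" + " 123456789" + "1123456789" + "260315" + "0930" + "A"
    + "094" + "10" + "1" + "FIRST BANK".ljust(23) + "ACME ENGINEERING".ljust(23) + " " * 8,
    _batch_header("220", "ACME ENGINEERING", "PPD", "PAYROLL", "1"),     # compliant payroll
    _batch_header("220", "ACME ENGINEERING", "PPD", "DIR DEP", "2"),     # legacy description
    _batch_header("225", "ACME WEB STORE", "WEB", "PURCHASE", "3"),      # compliant purchase
    _batch_header("220", "ACME ENGINEERING", "CCD", "VENDOR PMT", "4"),  # out of scope here
    "9" * RECORD_LENGTH,
])


if __name__ == "__main__":
    for f in check_descriptions(SAMPLE_FILE):
        status = "ok " if f.compliant else "FIX"
        print(f"{status} batch {f.batch_number} {f.sec_code} '{f.description}' (expected '{f.expected}')")
```

Run it against a file your payroll or accounting system actually exports (read the file into `check_descriptions`) and keep the output with the vendor's written confirmation; a batch that still carries a legacy description such as the constructed “DIR DEP” above is the thing to raise with the vendor before the deadline.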

4 – Write it down and put someone’s name on it.

The new rules require an annual review of your fraud monitoring procedures. That review needs to be documented. But before you can review something, you need to have documented it in the first place. Assign one person – or one team – clear ownership of your ACH fraud monitoring program. Write down what you do, why you do it, who is responsible for each step, and when the next review is scheduled. A simple document that reflects reality is worth infinitely more than a polished policy that nobody follows.

Why This Is More Than a Compliance Deadline

The 2026 NACHA rule changes are important. But they are also a window into something larger.

For organizations already managing obligations under HIPAA, CMMC, the FTC Safeguards Rule, or other frameworks, these changes are a reminder that compliance doesn’t stay static. The threat landscape evolves. Regulators respond. And businesses that treat compliance as a one-time project rather than an ongoing practice tend to find themselves caught flat-footed – not because they were reckless, but because they assumed yesterday’s controls were enough for today’s risks.

Compliance is not just about avoiding fines. It is about preserving your options when something goes wrong – with your bank, your insurer, the courts, or your customers. A documented, actively maintained compliance program does not guarantee you will never be a victim. But it can materially improve your position if you are.

A Practical Next Step

If the 2026 NACHA rule changes raise questions about your payment controls or whether your current processes would hold up under scrutiny, now is a good time to review them. In many organizations, the issue is not the absence of controls. It is that the controls were never documented, never tested, or never revisited as the business changed.

UTRS InfoSec helps organizations assess operational and compliance risk in a way that is practical, defensible, and appropriate to their size and environment. That includes evaluating payment-related controls, identifying gaps in process ownership and documentation, and helping leadership understand where additional rigor is warranted.


Larry J. Hershman, CISSP, is Managing Director of UTRS InfoSec LLC, part of Universal Technical Resource Services, Inc. (UTRS). The company draws on a long history of delivering cybersecurity and information assurance support in high-consequence environments and applies that same discipline to private-industry clients.

For more information, visit https://www.utrs.com/contact-us-utrsinfosec/