If your bank or fintech touches ACH payments (payroll, lending, disbursements, account funding, e-commerce), the NACHA Operating Rules updates rolling out in 2026 and beyond affect you directly. Several of these changes are already in effect as of March 20, 2026, with additional phases landing through 2028.
This guide covers every upcoming change, who is affected, what it means for banks and fintechs, and how to prepare.
Why NACHA is updating the rules now
ACH fraud has been rising across the network. The 2024 AFP Payments Fraud and Control Survey found that 80% of organizations experienced payments fraud attacks in 2023, with ACH credits particularly vulnerable. NACHA’s response is a multi-year risk management package designed to reduce successful fraud attempts and improve recovery of funds after fraud occurs.
For banks and fintechs alike, this is significant. Banks serve as originating and receiving depository financial institutions (ODFIs and RDFIs), while many fintechs operate as originators or third-party service providers (TPSPs). These rules apply directly to your operations.
Full timeline of NACHA rule changes
| Effective date | Rule change | Who is affected |
|---|---|---|
| March 20, 2026 | Fraud monitoring by ODFIs | Originating depository financial institutions |
| March 20, 2026 | Fraud monitoring by large originators, TPSPs, and TPSs (Phase 1) | Non-consumer originators and third parties with 6M+ ACH items originated in 2023 |
| March 20, 2026 | ACH credit monitoring by large RDFIs (Phase 1) | Receiving depository financial institutions above volume threshold |
| March 20, 2026 | New Company Entry Descriptions: PAYROLL and PURCHASE | All originators using PPD credits for wages or WEB debits for e-commerce |
| June 22, 2026 | Fraud monitoring by all remaining originators, TPSPs, and TPSs (Phase 2) | All non-consumer originators and third-party providers |
| June 22, 2026 | ACH credit monitoring by all remaining RDFIs | All receiving depository financial institutions |
| September 18, 2026 | Updated definition of IAT entries | All participants handling international ACH transactions |
| September 18, 2026 | Funds availability for non-same day ACH credits | RDFIs (funds must be available at 9:00 AM local time on settlement date) |
| January 1, 2027 | Registration of IAT contacts in the ACH Contact Registry | All participating DFIs handling IAT entries |
| March 19, 2027 | Optional date of birth field for IAT entries | Originators and ODFIs for IAT transactions |
| March 19, 2027 | Non-bank foreign financial agencies in IAT entries | Participants originating or receiving IAT entries |
| March 17, 2028 | New return reason code R90 for sanctions compliance obligations | RDFIs returning entries due to sanctions obligations |
Breaking down the key changes
1. Expanded fraud monitoring requirements (March and June 2026)
This is the most operationally significant change for banks and fintechs.
What changed: NACHA now requires all ACH participants, including originators, ODFIs, and third-party service providers, to implement risk-based processes and procedures to detect entries initiated due to fraud. Previously, fraud monitoring requirements were limited to WEB debits and micro-entries. The 2026 rules expand these obligations across a much broader range of ACH transaction types.
Phase 1 (March 20, 2026) applies to high-volume non-consumer originators and third parties that originated 6 million or more ACH items in 2023.
Phase 2 (June 22, 2026) expands to all remaining non-consumer originators and third-party providers, regardless of volume.
What banks and fintechs should know:
- If you originate ACH payments on behalf of clients (payroll, disbursements, account funding), you are likely classified as an originator or TPSP and are directly subject to these rules.
- “Risk-based” means NACHA expects you to establish baseline activity patterns and flag anomalies. There is no single prescribed method, but you need a documented, defensible process.
- Monitoring systems must be reviewed annually to address evolving fraud risks.
- The rules incorporate a broader definition of “false pretenses” fraud, covering schemes such as business email compromise (BEC), vendor impersonation, and payroll diversion.
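One way to turn "baseline activity patterns" and "flag anomalies" into code, as an added example that is not from the NACHA rules or the original article: it baselines each payee's destination account and amounts from prior cycles and flags the pattern typical of payroll diversion. The field names, the 3x amount threshold, the disposition labels and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def build_baseline(history):
    """Map each payee id to the accounts and amounts seen in past cycles."""
    base = defaultdict(lambda: {"accounts": set(), "amounts": []})
    for e in history:
        b = base[e["payee_id"]]
        b["accounts"].add((e["routing"], e["account"]))
        b["amounts"].append(e["amount_cents"])
    return base

def score_entry(entry, base, amount_factor=3.0):
    """Return the anomaly reasons for one outbound credit (empty = normal)."""
    b = base.get(entry["payee_id"])
    if b is None:
        return ["new_payee"]
    reasons = []
    if (entry["routing"], entry["account"]) not in b["accounts"]:
        reasons.append("account_changed")   # classic payroll-diversion signal
    if entry["amount_cents"] > amount_factor * median(b["amounts"]):
        reasons.append("amount_spike")
    return reasons

def disposition(reasons):
    """Hypothetical escalation policy: hold changed accounts, review the rest."""
    if "account_changed" in reasons:
        return "hold"      # verify the change out of band before release
    return "review" if reasons else "release"

# Constructed history: routing and account numbers are placeholders.
HISTORY = [
    {"payee_id": "EMP001", "routing": "000000001", "account": "1111",
     "amount_cents": 250_000} for _ in range(3)
] + [
    {"payee_id": "EMP002", "routing": "000000002", "account": "2222",
     "amount_cents": 300_000} for _ in range(3)
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    diverted = {"payee_id": "EMP001", "routing": "000000009",
                "account": "9999", "amount_cents": 250_000}
    print(score_entry(diverted, BASELINE), disposition(score_entry(diverted, BASELINE)))
```

Logging each scored entry with its reasons and disposition gives the documented record of the process that the annual review can draw on.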
2. New standardized Company Entry Descriptions (March 20, 2026)
What changed: Two new standardized Company Entry Descriptions are now required:
- PAYROLL must be used for all PPD credits related to wages or salary payments.
- PURCHASE must be used for all WEB debit entries related to e-commerce or online purchase transactions.
What banks and fintechs should know:
- If you operate a payroll platform or process wage disbursements via ACH, your file generation logic needs to populate the Company Entry Description field with “PAYROLL” for those transactions.
- If you process consumer e-commerce debits (pulling funds from a consumer account for a purchase), those entries now require “PURCHASE.”
- These changes are designed to improve transaction transparency and help financial institutions identify and categorize transaction types more easily, which supports the broader fraud monitoring goals.
- Review your ACH file templates and automation logic now. If you use a banking partner’s portal, confirm whether the update is handled upstream or if you need to make changes on your end.
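A sketch of the template review described above, as an added example that is not part of the original article or any NACHA tooling: it reads the fixed-width batch header records of a NACHA file and checks the Company Entry Description on PPD credit and WEB debit batches. It assumes the description must match exactly in uppercase, and it marks other descriptions for human review because the file alone does not say whether a PPD credit is wages; the sample file is constructed.

```python
import difflib

# NACHA batch header (record type 5), 94 fixed-width characters:
#   2-4 service class, 51-53 SEC code, 54-63 Company Entry Description,
#   88-94 batch number. Service class 220 = credits, 225 = debits, 200 = mixed.
# SEC code -> (service classes in scope, standardized description)
RULES = {"PPD": ({"200", "220"}, "PAYROLL"),
         "WEB": ({"200", "225"}, "PURCHASE")}

def make_header(svc, name, sec, desc, batch):
    """Build a constructed batch header so the sample file is self-contained."""
    return ("5" + svc + name.ljust(16) + " " * 20 + "1234567890" + sec
            + desc.ljust(10) + " " * 6 + "260401" + "   " + "1" + "12345678"
            + str(batch).zfill(7))

def audit(lines):
    """Return (batch_number, sec_code, description, status) per in-scope batch."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if len(line) != 94 or line[0] != "5":
            continue  # only batch headers carry the description
        svc, sec = line[1:4], line[50:53]
        desc, batch = line[53:63].rstrip(), line[87:94]
        classes, expected = RULES.get(sec, (set(), None))
        if svc not in classes:
            continue
        if desc == expected:
            status = "ok"
        elif difflib.get_close_matches(desc.upper(), [expected], cutoff=0.8):
            status = "near_miss"   # wrong case or typo: fix the template
        else:
            status = "review"      # may be a non-wage credit; confirm purpose
        findings.append((batch, sec, desc, status))
    return findings

# Constructed sample file (company names and identifiers are made up).
SAMPLE = [
    "1" + "0" * 93,  # stand-in file header, ignored by the audit
    make_header("220", "ACME STAFFING", "PPD", "PAYROLL", 1),
    make_header("220", "ACME STAFFING", "PPD", "Payroll", 2),
    make_header("220", "ACME STAFFING", "PPD", "REFUND", 3),
    make_header("225", "EXAMPLE SHOP", "WEB", "PURCHASE", 4),
    make_header("225", "EXAMPLE SHOP", "WEB", "ONLINE PMT", 5),
    make_header("220", "ACME STAFFING", "CCD", "VENDOR PAY", 6),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```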
3. Updated IAT (International ACH Transaction) rules (September 2026 through March 2027)
NACHA is making several changes to how international ACH transactions are defined, processed, and documented:
- Clearer IAT definition (September 18, 2026): The existing definition has caused confusion across the industry. The updated rule provides more clarity for participants determining whether a transaction qualifies as an IAT entry.
- IAT contact registration (January 1, 2027): Participating DFIs must register their IAT-handling contact in the ACH Contact Registry, including at least one primary and one secondary contact.
- Optional date of birth field (March 19, 2027): A new optional field for IAT entries allows originators to include the date of birth for the individual in the transaction.
- Non-bank foreign financial agencies (March 19, 2027): Updated rules address how non-bank foreign financial agencies are handled in IAT entries.
What banks and fintechs should know:
- If you process cross-border payments or serve customers who send or receive international ACH, review your IAT classification logic.
- Work with your ODFI to confirm IAT contact registration requirements and timelines.
- The optional date of birth field may support enhanced due diligence and sanctions screening for international transfers.
4. Funds availability for non-same day ACH credits (September 18, 2026)
What changed: The rule eliminates the 5:00 PM local time receipt condition. Going forward, funds availability is required at 9:00 AM in the RDFI’s local time on the settlement date for all non-same day ACH credits.
What banks and fintechs should know:
- If you rely on ACH credit timing for account funding, lending disbursements, or payroll, this change may improve the speed at which your end users can access funds.
- For banks and fintechs building products around faster money movement, this standardization of availability timing reduces variability across receiving institutions.
5. New return reason code R90 for sanctions compliance (March 17, 2028)
What changed: A new return reason code (R90) will allow RDFIs to return ACH entries specifically for sanctions compliance obligations, with a unique return time frame.
What banks and fintechs should know:
- If you process incoming ACH entries, your return handling logic will need to recognize and process R90 returns.
- This change supports cleaner audit trails for sanctions-related transaction dispositions, which is relevant for any bank or fintech operating in regulated payments.
What banks and fintechs should do now
Immediate (if not already done)
- Confirm your classification. Are you an originator, TPSP, or TPS under the NACHA rules? Your compliance obligations depend on this.
- Audit your ACH file generation. Verify that Company Entry Description fields are correctly populated with PAYROLL and PURCHASE where required.
- Document your fraud monitoring process. If you do not have a written, risk-based fraud monitoring program covering your ACH origination activity, build one. Include baseline activity patterns, anomaly detection criteria, escalation procedures, and review cadence.
By June 2026
- Expand monitoring to all ACH origination activity. Phase 2 eliminates the volume threshold. Every non-consumer originator and TPSP must have monitoring in place.
- Coordinate with your banking partner. Confirm what monitoring your ODFI handles versus what falls on you as the originator or TPSP.
By end of 2026
- Review your IAT classification logic. If you handle cross-border ACH, update your processes to align with the new IAT definition.
- Update funds availability assumptions. Factor in the 9:00 AM availability standard for non-same day credits.
By 2027 and beyond
- Register IAT contacts in the ACH Contact Registry if applicable.
- Prepare for R90 return code handling in your ACH processing systems.
How Equinox can help
NACHA rule changes touch multiple parts of a bank’s or fintech’s compliance infrastructure: fraud monitoring, transaction processing, vendor management, and examiner readiness. For banks partnering with fintechs, the compliance expectations flow in both directions.
Equinox Compliance works with fintechs, banks, and crypto companies to build and strengthen compliance programs that meet regulatory expectations and support real growth. Our team has deep experience designing compliance frameworks across BSA/AML, payments compliance, and bank-sponsor governance.
If your team needs help assessing your current ACH compliance posture, building a fraud monitoring program, or preparing for examiner questions about NACHA readiness, reach out to start a conversation.

