Fraud Monitoring by Originators, TPSPs and ODFIs

NACHA Rules currently require Originators to use a “commercially reasonable” fraudulent transaction detection system to screen only when initiating WEB debits or when using Micro-Entries.

The upcoming rule amendment will expand this rule to require each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender to establish, implement and annually review risk-based processes and procedures intended to identify ACH Entries initiated due to fraud across all transaction types and SEC codes. The rule will be implemented in two phases:

• Phase 1 - Effective March 20, 2026 - Applies to all ODFIs, and each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume of 6 million entries or greater in 2023.
• Phase 2 - Effective June 22, 2026 - Applies to ALL ACH Originators, regardless of volume. 

Standardized Company Entry Descriptions

Standardized uses of the Company Entry Description can help parties in the ACH Network identify, monitor, and count the volume of payments for specific purposes, and can help manage risk. This Rule amendment introduces two new defined Company Entry Descriptions: PAYROLL and PURCHASE.

Effective March 20, 2026

• Originators must use PAYROLL in the Company Entry Description field for wage, salary, and similar types of compensation-related PPD credits. 
• Originators must use PURCHASE in the Company Entry Description field for e-commerce WEB debits. 
  • An e-commerce purchase is defined as a debit Entry authorized by a Consumer for the online purchase of goods, including recurring purchases first authorized online. 
  • An e-commerce purchase must use the WEB debit SEC Code, except as permitted by the rule on Standing Authorizations to use the PPD or TEL debit SEC Codes.

What Do You Need To Do?

• By March 20, 2026 – Update the Company Entry Descriptions in your ACH Software or Templates to ensure accuracy and compliance.
• By June 22, 2026 – Establish a risk-based fraud detection protocol for your ACH-originated transactions, with procedures subject to annual review and update.

Do Your Current Processes Cover the Bases?

Your responsibility as an Originator means that you need to makes sure your processes consider these important factors:

• Obtain proper authorizations, dependent upon the transaction type, and retain authorizations for two years past revocation.
• If requested by the Bank, provide a copy of the authorization. The Bank may request to see your authorizations from time to time as part of an annual audit.
• Send entries on the proper date.
• Give appropriate notice to debtor if changing amount or date.
• Cease subsequent entries when notified.
• Make necessary changes to payee account information within three (3) banking days upon receipt of a Notice of Correction or before another entry is sent.
• Check payees against OFAC compliance checklists.
• Protect the banking information received to originate transactions.
• Ensure your computer and you are protected as outlined in the Bank Digital Banking Agreement.
• Ensure the Originator is clearly identified as the source of the ACH transaction. Specifically, populate the Company Name Field of the NACHA formatted file with a name known to and readily recognized by the Receiver of the entry.

Fraud Risks for ACH

ACH Origination fraud is a challenge for Financial Institutions and ACH Originators like your company. In one origination system hacking scheme, perpetrators hack into the originator’s (your company) computer system using compromised User IDs and passwords and originate ACH credits to “mule” accounts created for the express purpose of committing fraud. Those accounts are then emptied and abandoned. The true originator’s account (your account) is debited for the invalid origination file. The credits are usually irretrievable by the time fraud is discovered. The originator’s credentials may have been compromised by an insider within the organization or stolen through key loggers or Trojan Horse programs on the compromised computer.

Due to the risk of this type of fraud, it is essential that all computer equipment used by your company to operate TowneBank’s ACH Origination program is regularly updated and patched for security vulnerabilities (including the use of and updating of firewall, virus protection, anti- malware protection, anti-spam protection.) You may also want to consider having one computer in your office which is not used to browse the internet or read e-mail to be your sole source of access to the Digital Banking system. Limiting access to the computer which is used to house and transmit ACH data may help avoid the accidental downloading of harmful programs/viruses that could potentially compromise your transactions.

Equipment used to operate TowneBank's ACH Origination program should be regularly updated and patched for security vulnerabilities.

Have one computer in your office that does not browse the internet or access email be your sole source of access to the Digital Banking system.

Ensure that all user ID’s, passwords, authentication methods, and any other security procedures issued to your employees are protected and kept confidential.

The appropriate steps should be taken within your company to ensure that all User ID’s, Passwords, Authentication Methods and any other applicable security procedures issued to your employees are protected and kept confidential. All staff should be aware of the need for proper user security, password controls and separation of duties.

As ACH Origination is a higher risk commercial banking function, we suggest that your company perform your own internal risk assessment and controls evaluation periodically to be sure you are considering all available security options.

FAQs