With ACH fraud risks rising, Nacha has introduced key updates, some in effect now and others phasing in through 2026. Here’s what you need to know and act on today.

Credit Push Fraud Risk Management Framework

Credit push fraud, such as Business Email Compromise(BEC) or vendor impersonation, is a growing threat,  and Nacha has reinforced roles and protocols to combat it. In a typical BEC scenario, fraudsters gain access to or spoof a legitimate business email account to trick someone into sending an ACH credit or wire transfer to a fraudulent destination. These attacks often involve fake invoices, altered payment instructions, or urgent requests that appear to come from a trusted internal or external source. As these scams become more sophisticated, financial institutions and businesses must adapt their defenses accordingly.

Receiving institutions must now monitor incoming credits and have risk-based procedures to identify and act on suspicious entries.

ODFIs and RDFIs are encouraged to communicate when suspected fraud is identified. A secure exchange portal is now available for handling return requests, particularly under R06.

Institutions should also educate business and consumer clients about common fraud tactics to increase vigilance before a transaction is initiated.

False Pretenses Transactions

Nacha has introduced a new classification called False Pretenses (which is included in the R17 return code). This covers payments induced by misrepresentation of identity, authority, or account ownership. Examples include payroll impersonation and vendor fraud. It does not apply to scams involving fake products or services.

Return Reason Code R17 – “Questionable”

RDFIs can now use R17 to return entries they believe may be fraudulent, even if the receiving account is valid.

The word “QUESTIONABLE” must be included in the addenda record when this return reason is used.

Return Reason Code R06 – Broader Return Requests

ODFIs can now request returns through the Letter of Indemnity (LOI) process using R06 for other reasons that are applicable to the scenario, such as suspected fraud.

RDFIs must respond to R06 requests within 10 Banking Days. That response can be either a return or a formal status update. A secure exchange portal is available to facilitate these requests and responses.

WSUD Deadline Extended

The Written Statement of Unauthorized Debit (WSUD) no longer needs to be signed by the settlement date. It may now be signed on or after the effective date of the debit, offering greater flexibility for account holders disputing unauthorized transactions.

Fraud Monitoring Requirements for Originators and ODFIs

Beginning in 2026, Nacha will require risk-based fraud detection processes for all Originators and ODFIs. The requirement will take effect in two phases.

Phase 1 begins in March 2026 and applies to Non-consumer Originators (and vendors) with 2023 ACH origination volume of 6 million or greater.

Phase 2 begins in June 2026 and applies to all others.

Processes must be reviewed annually. There is no requirement to review each individual transaction or to conduct manual review before file submission. Instead, participants must establish reasonable procedures to flag suspicious activity based on patterns, amounts, frequency, or account behavior.

Credit Monitoring Requirements for RDFIs

Receiving institutions must implement a risk-based credit monitoring process and respond appropriately when suspicious activity is identified.

This process should be reviewed annually to ensure it remains effective. Monitoring does not require line-by-line transaction reviews, but should include logic to detect red flags such as:

• SEC codes that do not match account types
• Unusually large credit amounts
• Multiple credits from different states

What You Should Do Now

• Update your fraud detection processes
• Train your staff on new classifications like False Pretenses and changes to R17 and R06
• Ensure your systems support the new entry descriptions PAYROLL and PURCHASE
• Prepare for the phased rollout of the fraud monitoring requirements
• Review WSUD policies to allow for signature on or after the effective date
• Test your response time and documentation process for R06 return requests

Final Thoughts

These updates strengthen the ACH ecosystem and clarify roles and responsibilities across all parties. With deadlines extending into 2026, now is the time to make adjustments, train your staff, and ensure your ACH operations align with Nacha’s evolving standards.

At Viking, we build solutions like VIKEngage, VIKExpress, and VIKEdge with these compliance needs in mind. Whether you need real-time monitoring, simplified return processes, or tools to minimize fraud risk, we’re here to help.

If you have questions about your readiness or need support implementing these changes, reach out to your Viking representative today.