As 2025 comes to a close, attention is shifting to 2026 and the next wave of changes in the ACH Network. Nacha has announced several upcoming rule amendments that strengthen risk management expectations, clarify existing requirements, and introduce new monitoring obligations for ACH participants. This article outlines the key updates so businesses can understand what to expect as these Rules take effect throughout 2026.

Some of the changes are minor clarifications that will have limited impact on most participants. Others, particularly those related to fraud monitoring, represent more meaningful shifts in expectations. Not all changes will apply to every Originator, Third Party Sender, or ODFI, but all ACH participants should be aware of what is coming.

Effective January 1, 2026

Use of Return Code R17 “Questionable”
This update clarifies the proper use of R17 rather than introducing a new return code. Under the revised definition, an RDFI may return an entry as “Questionable” when it believes the transaction or Receiver information is inaccurate, incomplete, or inconsistent with what it knows about the account. This change provides clearer guidance for RDFIs and creates earlier feedback for Originators when something about the entry appears suspicious.

Banking Day Definition Clarification
This is not a substantive change but a clarification. It confirms that a “Banking Day” is defined as a day on which the ACH Operator is open for business. The goal is to remove ambiguity and ensure uniform interpretation across the network.

RDFI Requirement to Provide Payment-Related Information
Several SEC Codes require RDFIs to provide Payment-Related Information to Receivers. These include CCD, CTX, CIE and IAT. The updated Rule clarifies that this requirement does not apply if these entries post to a consumer account. The expectation only applies when the Receiver is a non-consumer.

Company Entry Descriptions
These amendments take effect March 20, 2026 and apply to both credits and debits. Originators may adopt the new descriptions before the effective date. The changes support standardization and enhanced monitoring across the network.

ACH Credit Entry
The Company Entry Description for credits that represent wages or other compensation must contain the description PAYROLL.

ACH Debit Entry
For ACH WEB debits that represent the online purchase of goods, including recurring purchases first authorized online, the Company Entry Description must contain the description PURCHASE.

Risk Management Rule Updates
The most significant changes relate to fraud monitoring. Nacha is introducing new requirements for Originators, ODFIs, Third Party Service Providers, and Third Party Senders, along with a separate monitoring requirement for RDFIs. These Rules are being phased in during 2026.

Fraud Monitoring Obligations

These new expectations apply to ODFIs, non-consumer Originators, TPSPs, and TPSs. The requirements take effect in two phases.

Phase 1: March 20, 2026
Applies to participants with annual origination volume of 6 million or more in 2023.

Phase 2: June 19, 2026
Applies to all remaining non-consumer Originators, TPSPs, and TPSs not included in Phase 1.

The purpose of the amendment is to ensure participants establish and implement risk-based processes and procedures designed to identify potentially fraudulent entries. Routine monitoring is expected to reduce the likelihood of successful fraud attempts and strengthen the entire ACH ecosystem.

Today, Originators of WEB debits and users of Micro-Entries must utilize a “commercially reasonable fraudulent transaction detection system”. The updated Rule removes that terminology. The phrase “commercially reasonable” and the expectation of a “transaction detection system” are replaced with more practical language that focuses on processes and procedures.

This shift clarifies that Nacha is not prescribing specific technologies. Instead, entities must maintain documented processes that demonstrate how they reasonably identify and respond to fraud risks, based on the role they play in the ACH Network. The flexibility allows organizations of different sizes and risk profiles to implement approaches appropriate to their environments.

Nacha requires that these processes and procedures be reviewed at least annually, or sooner if material changes occur during the year.

RDFI ACH Credit Monitoring

This update adds new expectations for RDFIs related to monitoring of incoming ACH credits. The Rule does not impose new obligations on Viking Originators but is part of Nacha’s broader fraud prevention strategy.anges, reach out to your Viking representative today.

Preparing for 2026 and Beyond

As these updates take effect in 2026, ACH participants should take time to review their current practices, confirm that documentation is up to date, and ensure fraud monitoring processes align with Nacha’s expectations. While some of the changes are minor clarifications, others require operational adjustments that strengthen risk management across the network. Viking will continue to monitor these developments and support our clients through each phase of implementation to ensure a smooth and compliant transition.