Return Codes Archives

Nacha Fraud Monitoring Updates, Risk Management

As 2025 comes to a close, attention is shifting to 2026 and the next wave of changes in the ACH Network. Nacha has announced several upcoming rule amendments that strengthen risk management expectations, clarify existing requirements, and introduce new monitoring obligations for ACH participants. This article outlines the key updates so businesses can understand what to expect as these Rules take effect throughout 2026.

Some of the changes are minor clarifications that will have limited impact on most participants. Others, particularly those related to fraud monitoring, represent more meaningful shifts in expectations. Not all changes will apply to every Originator, Third Party Sender, or ODFI, but all ACH participants should be aware of what is coming.

Effective January 1, 2026

Use of Return Code R17 “Questionable”
This update clarifies the proper use of R17 rather than introducing a new return code. Under the revised definition, an RDFI may return an entry as “Questionable” when it believes the transaction or Receiver information is inaccurate, incomplete, or inconsistent with what it knows about the account. This change provides clearer guidance for RDFIs and creates earlier feedback for Originators when something about the entry appears suspicious.

Banking Day Definition Clarification
This is not a substantive change but a clarification. It confirms that a “Banking Day” is defined as a day on which the ACH Operator is open for business. The goal is to remove ambiguity and ensure uniform interpretation across the network.

RDFI Requirement to Provide Payment-Related Information
Several SEC Codes require RDFIs to provide Payment-Related Information to Receivers. These include CCD, CTX, CIE and IAT. The updated Rule clarifies that this requirement does not apply if these entries post to a consumer account. The expectation only applies when the Receiver is a non-consumer.

Company Entry Descriptions
These amendments take effect March 20, 2026 and apply to both credits and debits. Originators may adopt the new descriptions before the effective date. The changes support standardization and enhanced monitoring across the network.

ACH Credit Entry
The Company Entry Description for credits that represent wages or other compensation must contain the description PAYROLL.

ACH Debit Entry
For ACH WEB debits that represent the online purchase of goods, including recurring purchases first authorized online, the Company Entry Description must contain the description PURCHASE.

Risk Management Rule Updates
The most significant changes relate to fraud monitoring. Nacha is introducing new requirements for Originators, ODFIs, Third Party Service Providers, and Third Party Senders, along with a separate monitoring requirement for RDFIs. These Rules are being phased in during 2026.

Fraud Monitoring Obligations

These new expectations apply to ODFIs, non-consumer Originators, TPSPs, and TPSs. The requirements take effect in two phases.

Phase 1: March 20, 2026
Applies to participants with annual origination volume of 6 million or more in 2023.

Phase 2: June 19, 2026
Applies to all remaining non-consumer Originators, TPSPs, and TPSs not included in Phase 1.

The purpose of the amendment is to ensure participants establish and implement risk-based processes and procedures designed to identify potentially fraudulent entries. Routine monitoring is expected to reduce the likelihood of successful fraud attempts and strengthen the entire ACH ecosystem.

Today, Originators of WEB debits and users of Micro-Entries must utilize a “commercially reasonable fraudulent transaction detection system”. The updated Rule removes that terminology. The phrase “commercially reasonable” and the expectation of a “transaction detection system” are replaced with more practical language that focuses on processes and procedures.

This shift clarifies that Nacha is not prescribing specific technologies. Instead, entities must maintain documented processes that demonstrate how they reasonably identify and respond to fraud risks, based on the role they play in the ACH Network. The flexibility allows organizations of different sizes and risk profiles to implement approaches appropriate to their environments.

Nacha requires that these processes and procedures be reviewed at least annually, or sooner if material changes occur during the year.

RDFI ACH Credit Monitoring

This update adds new expectations for RDFIs related to monitoring of incoming ACH credits. The Rule does not impose new obligations on Viking Originators but is part of Nacha’s broader fraud prevention strategy.anges, reach out to your Viking representative today.

Preparing for 2026 and Beyond

As these updates take effect in 2026, ACH participants should take time to review their current practices, confirm that documentation is up to date, and ensure fraud monitoring processes align with Nacha’s expectations. While some of the changes are minor clarifications, others require operational adjustments that strengthen risk management across the network. Viking will continue to monitor these developments and support our clients through each phase of implementation to ensure a smooth and compliant transition.

Return to Viking Resource Center

December 9, 2025

About Megan Williams

She is a dedicated payments professional with a passion for operational processes, efficiencies and a love for the Rules. She has been in the financial services industry since 2016, strengthening her understanding of the space and obtaining her ACH Certification (AAP). She specializes in optimizing operations, enhancing payment processes and ensuring compliance in all matters of her job and this industry.

Learn More

ACH | Lenders | Merchants

FedNow: Revolutionizing Payment Processing

ByJohn O'Shea August 1, 2023November 11, 2025

Read More FedNow: Revolutionizing Payment Processing
ACH | Merchants | Payments

Understanding Remotely Created Checks (RCCs)

ByTracey Gibson July 9, 2024November 11, 2025

Read More Understanding Remotely Created Checks (RCCs)
ACH | Lenders | Merchants | Payments

Common ACH Audit Findings

ByTracey Gibson June 22, 2025November 11, 2025

Read More Common ACH Audit Findings
Lenders | Merchants | Payments

PCI DSS 4.0 in 2025

ByThomas Stephens June 7, 2025November 11, 2025

Read More PCI DSS 4.0 in 2025
Merchants | MX Suite | Restaurants

Elevate Restaurant Efficiency: Revolutionize Back-of-House Workflow with POS

ByAdam Garrett December 13, 2023November 11, 2025

Read More Elevate Restaurant Efficiency: Revolutionize Back-of-House Workflow with POS
ACH | Lenders | Merchants | Payments

Real-Time Payments: Two New Payment Rails

ByJohn O'Shea July 1, 2024November 11, 2025

Read More Real-Time Payments: Two New Payment Rails

Bigger Possibilities Await.

Contact Us

New ACH Rules: What Originators and RDFIs Must Know in 2025

With ACH fraud risks rising, Nacha has introduced key updates, some in effect now and others phasing in through 2026. Here’s what you need to know and act on today.

Credit Push Fraud Risk Management Framework

Credit push fraud, such as Business Email Compromise(BEC) or vendor impersonation, is a growing threat, and Nacha has reinforced roles and protocols to combat it. In a typical BEC scenario, fraudsters gain access to or spoof a legitimate business email account to trick someone into sending an ACH credit or wire transfer to a fraudulent destination. These attacks often involve fake invoices, altered payment instructions, or urgent requests that appear to come from a trusted internal or external source. As these scams become more sophisticated, financial institutions and businesses must adapt their defenses accordingly.

Receiving institutions must now monitor incoming credits and have risk-based procedures to identify and act on suspicious entries.

ODFIs and RDFIs are encouraged to communicate when suspected fraud is identified. A secure exchange portal is now available for handling return requests, particularly under R06.

Institutions should also educate business and consumer clients about common fraud tactics to increase vigilance before a transaction is initiated.

False Pretenses Transactions

Nacha has introduced a new classification called False Pretenses (which is included in the R17 return code). This covers payments induced by misrepresentation of identity, authority, or account ownership. Examples include payroll impersonation and vendor fraud. It does not apply to scams involving fake products or services.

Return Reason Code R17 – “Questionable”

RDFIs can now use R17 to return entries they believe may be fraudulent, even if the receiving account is valid.

The word “QUESTIONABLE” must be included in the addenda record when this return reason is used.

Return Reason Code R06 – Broader Return Requests

ODFIs can now request returns through the Letter of Indemnity (LOI) process using R06 for other reasons that are applicable to the scenario, such as suspected fraud.

RDFIs must respond to R06 requests within 10 Banking Days. That response can be either a return or a formal status update. A secure exchange portal is available to facilitate these requests and responses.

WSUD Deadline Extended

The Written Statement of Unauthorized Debit (WSUD) no longer needs to be signed by the settlement date. It may now be signed on or after the effective date of the debit, offering greater flexibility for account holders disputing unauthorized transactions.

Fraud Monitoring Requirements for Originators and ODFIs

Beginning in 2026, Nacha will require risk-based fraud detection processes for all Originators and ODFIs. The requirement will take effect in two phases.

Phase 1 begins in March 2026 and applies to Non-consumer Originators (and vendors) with 2023 ACH origination volume of 6 million or greater.

Phase 2 begins in June 2026 and applies to all others.

Processes must be reviewed annually. There is no requirement to review each individual transaction or to conduct manual review before file submission. Instead, participants must establish reasonable procedures to flag suspicious activity based on patterns, amounts, frequency, or account behavior.

Credit Monitoring Requirements for RDFIs

Receiving institutions must implement a risk-based credit monitoring process and respond appropriately when suspicious activity is identified.

This process should be reviewed annually to ensure it remains effective. Monitoring does not require line-by-line transaction reviews, but should include logic to detect red flags such as:

SEC codes that do not match account types
Unusually large credit amounts
Multiple credits from different states

What You Should Do Now

Update your fraud detection processes
Train your staff on new classifications like False Pretenses and changes to R17 and R06
Ensure your systems support the new entry descriptions PAYROLL and PURCHASE
Prepare for the phased rollout of the fraud monitoring requirements
Review WSUD policies to allow for signature on or after the effective date
Test your response time and documentation process for R06 return requests

Final Thoughts

These updates strengthen the ACH ecosystem and clarify roles and responsibilities across all parties. With deadlines extending into 2026, now is the time to make adjustments, train your staff, and ensure your ACH operations align with Nacha’s evolving standards.

At Viking, we build solutions like VIKEngage, VIKExpress, and VIKEdge with these compliance needs in mind. Whether you need real-time monitoring, simplified return processes, or tools to minimize fraud risk, we’re here to help.

If you have questions about your readiness or need support implementing these changes, reach out to your Viking representative today.

Return to Viking Resource Center

July 17, 2025