March 17, 2026
Upcoming NACHA ACH Rule Changes: What Your Organization Needs to Know
Executive Summary
The National Automated Clearing House Association (NACHA) — the governing body for the ACH payment network — has finalized a series of rule amendments that take effect in 2026. These changes represent the most significant update to ACH origination requirements in recent years, driven by a sharp rise in payment fraud, including business email compromise (BEC) and fraudulent vendor impersonation schemes.
All organizations that originate ACH transactions, including insurance companies making claims payments, collecting premiums, or processing payroll, are directly affected. Finance, treasury, and internal audit teams should be aware of the new obligations and take steps now to ensure compliance before the March 20, 2026 effective date.
| KEY COMPLIANCE DEADLINES AT A GLANCE | |
| March 20, 2026 | Standardized company entry descriptions (PAYROLL / PURCHASE) required for all originators |
| March 20, 2026 | Fraud monitoring required for large originators (6 million or more ACH transactions originated in 2023) |
| June 22, 2026 | Fraud monitoring required for all remaining non-consumer originators |
Background
ACH fraud has grown significantly in recent years. According to the 2025 AFP Payments Fraud and Control Survey, 79% of organizations were victims of payment fraud attacks/attempts in 2024. Fraudsters exploit weaknesses in originator processes, particularly around vendor onboarding, account validation, and transaction monitoring.
In response, NACHA has expanded its fraud prevention requirements beyond the narrow existing rules, which applied only to WEB debits and micro-entries (Rule 2.5.17.3), to cover all ACH transaction types and all non-consumer originators. The 2026 amendments also introduce standardized payment descriptions to help financial institutions and account holders identify legitimate transactions more easily.
Rule Change 1: Standardized Company Entry Descriptions
Effective March 20, 2026, originators must use two specific standardized values in the company entry description field of the ACH batch header record:
PAYROLL — Required for all Prearranged Payment and Deposit (PPD) credit entries used to pay wages, salaries, or similar employee compensation.
PURCHASE — Required for all WEB debit entries for e-commerce purchases, including recurring purchases first authorized online.
This change is designed to make ACH transactions more transparent and consistent, helping financial institutions flag mislabeled or suspicious transactions. The description must match exactly — the words “PAYROLL” and “PURCHASE” in all caps as specified.
| WHY THIS MATTERS FOR INSURANCE COMPANIES |
| Payroll ACH entries: All employee payroll sent via PPD credit must use the description PAYROLL. If your payroll processor generates ACH files, confirm they will update their output by the deadline. |
| Online premium collections: If your company collects premiums via a consumer-facing portal using WEB debits, those entries must use the description PURCHASE. |
| Claims payments: Most claims payments are PPD or Cash Concentration or Disbursement (CCD) credits and do not require a standardized description — but review the payment types to confirm. |
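For teams testing ACH file output against this rule, the following added example (not Johnson Lambert's or NACHA's code) reads the batch header records of a NACHA-format file and grades each Company Entry Description. Field positions follow the standard 94-character layout; the finding labels, the sample records, and the choice to flag PAYROLL or PURCHASE on another SEC code as MISMATCH are assumptions of this example.

```python
CREDITS, DEBITS = {"22", "32"}, {"27", "37"}   # live checking/savings transaction codes
STANDARD = {"PAYROLL": ("PPD", CREDITS), "PURCHASE": ("WEB", DEBITS)}

def classify(sec, desc, codes):
    """Grade one batch's Company Entry Description (10-char field, untrimmed)."""
    value = desc.rstrip()                       # field is left-justified, space-padded
    letters = "".join(c for c in value.upper() if c.isalpha())
    for word, (want_sec, want_codes) in STANDARD.items():
        if value == word:                       # exact, all caps
            # Assumption of this example: the word on another SEC code or
            # direction is worth a reviewer's look.
            return "OK" if sec == want_sec and codes <= want_codes else "MISMATCH"
        if letters.startswith(word):            # "Payroll", "PAY ROLL", "PURCHASES"
            return "NEAR_MISS"
    for want_sec, want_codes in STANDARD.values():
        if sec == want_sec and codes & want_codes:
            return "REVIEW"                     # purpose is not visible in the file
    return "N/A"

def audit_descriptions(ach_text):
    """Return [(batch_number, sec_code, description, finding)] for an ACH file."""
    results, batch = [], None
    for line in ach_text.splitlines():
        if line.startswith("5"):                # batch header: SEC 51-53, description 54-63
            batch = (line[87:94], line[50:53], line[53:63], set())
        elif line.startswith("6") and batch:    # entry detail: transaction code 2-3
            batch[3].add(line[1:3])
        elif line.startswith("8") and batch:    # batch control closes the batch
            num, sec, desc, codes = batch
            results.append((num, sec, desc.rstrip(), classify(sec, desc, codes)))
            batch = None
    return results

def _batch(sec, desc, num, code):               # constructed 94-character sample records
    hdr = ("5200" + "EXAMPLE INSURER".ljust(16) + " " * 20 + "1234567890" + sec
           + desc.ljust(10) + "260320" * 2 + "   1" + "09999999" + str(num).zfill(7))
    return [hdr, ("6" + code).ljust(94), "8".ljust(94)]

SAMPLE = "\n".join(sum([
    _batch("PPD", "PAYROLL", 1, "22"), _batch("PPD", "Payroll", 2, "22"),
    _batch("WEB", "PURCHASES", 3, "27"), _batch("CCD", "PAYROLL", 4, "22"),
    _batch("PPD", "CLAIM PMT", 5, "22")], []))

if __name__ == "__main__":
    for row in audit_descriptions(SAMPLE):
        print(*row)
```

REVIEW marks PPD credit and WEB debit batches whose purpose the file alone cannot show, so someone who knows the payment flow must decide whether the standardized description applies.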
Rule Change 2: Mandatory Risk-Based Fraud Monitoring
This is the most consequential change in the 2026 amendments. NACHA now requires all non-consumer originators, third-party service providers (TPSPs), and third-party senders (TPSs) to establish, implement, and annually review a risk-based process to identify ACH entries initiated as a result of fraud.
The requirement is phased based on origination volume:
| PHASE | EFFECTIVE DATE | WHO IS COVERED |
| Phase One | March 20, 2026 | Non-consumer originators, TPSPs, and TPSs with 6 million or more ACH transactions originated in 2023 |
| Phase Two | June 22, 2026* | All remaining non-consumer originators, TPSPs, and TPSs |
* June 19 is a federal holiday; the practical effective date is Monday, June 22, 2026.
What Does “Risk-Based Process” Mean?
NACHA does not prescribe a specific system or technology. Instead, it requires that each organization build and maintain a fraud monitoring approach appropriate to its size, volume, and risk profile. The process must be:
- Documented — written policies and procedures describing how fraud is identified and escalated
- Operational — controls must actually be in place and functioning, not just described on paper
- Reviewed annually — the process must be formally assessed each year and updated to address evolving fraud risks
Recommended controls that satisfy this standard include:
- Bank account verification to confirm payee account details match the intended recipient
- Transaction velocity and anomaly monitoring to flag unusual patterns
- Heightened scrutiny and dual approval for high-dollar ACH payments
- Vendor and payee onboarding controls, including callbacks for new or changed banking information
Rule Change 3: RDFI Monitoring of Incoming Credits
Receiving depository financial institutions (RDFIs) — the banks and credit unions that receive ACH credit entries on behalf of their account holders — are also now required to implement risk-based monitoring of incoming credit entries. RDFIs should assess risk factors such as account age, transaction velocity, large or rapid repeat credits, and activity in dormant or newly opened accounts.
While this obligation falls on the financial institution rather than the originating company, it is relevant context for treasury and finance teams: banks may flag or delay credits to certain accounts, and companies should be prepared to respond to inquiries from receiving banks about payment legitimacy.
Implications for Insurance Companies
Insurance companies originate a variety of ACH transactions and are squarely within the scope of these new rules. Key payment flows to review include:
- Claims payments to policyholders — typically large-dollar PPD or CCD credits. High fraud risk due to volume and dollar amounts
- Premium collections — WEB debits for online premium payments are subject to the PURCHASE description requirement
- Payroll — all PPD credits for employee compensation must use the PAYROLL description
- Agent and broker commissions — review whether these are sent via ACH and whether they fall under the fraud monitoring scope
- Vendor and supplier payments — any ACH payments to third-party vendors must be included in the fraud monitoring program
Companies that use third-party processors, payroll vendors, or premium billing platforms to originate ACH transactions on their behalf should confirm that those vendors are also compliant and should review service agreements to address NACHA compliance obligations explicitly.
Internal Audit Considerations
The 2026 NACHA amendments create meaningful audit coverage opportunities. Internal audit teams should consider the following areas:
Pre-Implementation Readiness (Now through March/June 2026)
- Has management completed a gap assessment of current ACH processes against the new requirements?
- Have company entry descriptions been updated in all relevant systems (Administration systems, payroll processor, bank portals, ACH file templates)?
- Has a risk-based fraud monitoring framework been documented, approved, and implemented?
- Have third-party ACH processors been assessed for compliance readiness?
Post-Implementation Audit (Q3/Q4 2026)
- Test a sample of ACH file transmissions to confirm PAYROLL and PURCHASE descriptions are transmitting correctly.
- Review the fraud monitoring program documentation for completeness, risk-appropriateness, and evidence of operating effectiveness.
- Verify that an annual review process has been established and scheduled, with documented findings and updates.
- Assess the adequacy of controls around high-risk ACH flows, particularly claims payments and vendor disbursements.
- Review third-party contracts for NACHA compliance clauses and evidence of third-party monitoring.
Ongoing Audit Coverage
- Incorporate the annual fraud monitoring review requirement into the audit plan — audit should confirm that management’s annual review occurs, is documented, and leads to meaningful updates.
- Consider adding ACH fraud monitoring effectiveness as a standing area of coverage, particularly given the insurer’s exposure to large-dollar claims payments.
| Recommended Action Items by Function | |
| Finance / Treasury | Update company entry descriptions (PAYROLL, PURCHASE) in all ACH origination systems by March 20, 2026. Confirm third-party vendor compliance. Document the risk-based fraud monitoring program. |
| IT / Systems | Test ACH file outputs to verify correct descriptions. Update templates and automated file generation processes. |
| Internal Audit | Conduct a pre-implementation readiness review in March 2026. Plan a post-implementation audit for Q3 2026. Add annual fraud monitoring review to the audit plan. |
| Legal / Compliance | Review and update vendor agreements to include NACHA compliance obligations. Confirm that the fraud monitoring program meets the “risk-based” and “annual review” standards. |
NACHA Rule Change Timeline
| EFFECTIVE DATE | REQUIREMENT |
| March 20, 2026 | Standardized company entry descriptions (PAYROLL / PURCHASE) — all originators |
| March 20, 2026 | Mandatory fraud monitoring — large originators (6 million or more ACH transactions originated in 2023) |
| June 22, 2026 | Mandatory fraud monitoring — all remaining non-consumer originators and third parties |
For More Information
To learn how Johnson Lambert can help your organization prepare for and support ongoing compliance with the new rules, contact us today. For the authoritative text of the new rules and additional compliance resources, visit NACHA’s official New Rules page at www.nacha.org/newrules. Questions about how these rules apply to specific payment workflows should be directed to your originating depository financial institution (ODFI) or legal counsel.