ACH payments power nearly every modern finance organization, from vendor payments and payroll to customer collections and reimbursements. But as ACH fraud continues to rise, Nacha operating rules are evolving beyond basic payment formatting and authorization standards. The newest requirements shift more responsibility to the businesses originating ACH payments, making fraud monitoring, vendor controls, and audit-ready processes a direct operational obligation for finance and AP teams.
For organizations still managing vendor onboarding, payment approvals, and ACH workflows across disconnected systems, spreadsheets, and email threads, compliance is becoming harder to maintain manually.
This post covers what Nacha is, what its operating rules require, what changed in 2026, and how AP teams can reduce ACH risk while keeping payments moving on time.
What Is Nacha?
Nacha (the National Automated Clearing House Association) is the organization that establishes and enforces the rules for the U.S. ACH network. In 2025, the ACH network processed 35.2 billion payments valued at $93 trillion, making it one of the largest payment systems in the world.
Nacha is not a government agency. It is a non-profit industry association whose members include banks, credit unions, and payment processors. Its operating rules are contractually enforced across participating financial institutions, and enforcement ultimately flows through your bank.
For businesses, Nacha rules define:
- What you must do before originating an ACH payment
- What information must accompany each transaction
- What security and fraud controls you must maintain
- How disputes, returns, and unauthorized transactions are handled
- What happens when you violate the rules
Who Do the Nacha Rules Apply To?
The rules apply to every participant in the ACH network:
Originators (your business). Any organization that initiates ACH transactions. If you pay vendors via ACH, run payroll through direct deposit, or collect customer payments electronically, you are an originator.
Originating Depository Financial Institutions (ODFIs). The bank that processes your ACH transactions and submits them to the network on your behalf.
Receiving Depository Financial Institutions (RDFIs). The bank receiving the payment on behalf of the payee.
Third-Party Service Providers (TPSPs). Payment processors, payroll services, and other entities that handle ACH transactions for originators.
The key point for finance and AP teams: Nacha compliance is ultimately the originator’s responsibility. Your bank provides the infrastructure and may offer compliance tools, but the obligation to follow the rules rests with the business initiating the payment. That makes the upstream controls around invoice approvals and accounts payable internal controls directly relevant to compliance, not just to finance hygiene.
What Do the Nacha Rules Cover?
Authorization
Every ACH transaction requires proper authorization from the parties involved. For ACH credits (payments you push to recipients, such as vendor payments), the originator must have authorization to send the payment. For ACH debits (payments you pull from another account), you must have the receiver’s explicit written or electronic consent.
Authorization requirements vary by entry class code, including:
- CCD (Corporate Credit or Debit): Standard B2B transactions
- CTX (Corporate Trade Exchange): Business payments with attached remittance data
- PPD (Prearranged Payment and Deposit): Consumer payments like payroll direct deposits
Data Security
Nacha requires all parties handling ACH data to protect it from unauthorized access. Requirements include encryption of sensitive account information in transit and at rest, access controls limiting who can view or modify ACH data, regular risk assessments, and breach notification procedures.
For finance teams, this means the systems where vendor bank details are stored, including ERPs, AP platforms, payment systems, and payment files, must support secure handling and controlled access. Organizations relying on manual spreadsheets, email approvals, or disconnected systems may find these requirements increasingly difficult to manage consistently at scale.
Account Validation
Nacha’s WEB Debit Account Validation Rule, in effect since 2021, requires originators of consumer WEB debits to validate the receiving account on first use of a new account number. Accepted methods include ACH prenotification, micro-entry validation, or commercially available account validation services.
The formal rule is scoped to WEB debits (consumer-initiated online debits, not AP vendor payments). For AP teams originating ACH credits to vendors, account validation is not a Nacha mandate, but the same logic applies as a fraud-prevention practice. Collecting vendor banking information through email and manually updating ERP records without standardized verification procedures creates exactly the fraud exposure Nacha’s broader risk-management package is designed to address. Strong vendor management practices centralize onboarding, enforce verification, and create audit trails around bank account changes before payments are released. The same logic applies to ongoing vendor screening and upfront verification once a vendor relationship is established.
Fraud Monitoring
The 2026 rule changes introduced mandatory risk-based fraud monitoring for ACH originators, ODFIs, third-party service providers, and third-party senders. Nacha does not prescribe a specific method or require that monitoring happen pre-origination; instead, organizations must establish documented, risk-based processes for detecting fraudulent ACH activity and responding to it. In practice, that means defined criteria for evaluating transaction risk, processes for identifying anomalous payment behavior, records of monitoring decisions for audit purposes, and clear approval authority for handling flagged transactions.
This requirement reflects the rise in business email compromise (BEC), vendor impersonation, payroll diversion, and social engineering attacks targeting AP teams. Nacha’s updates introduce a new “False Pretenses” concept that explicitly covers credit-push fraud, the inducement of a payment by someone misrepresenting their identity, authority, or ownership of an account. The fraud monitoring mandate works alongside the internal controls organizations already maintain. The difference is that Nacha now expects those controls to be documented, consistent, and audit-ready.
Why AP Workflows Matter More Under the New Nacha Rules
Nacha compliance was historically viewed primarily as a banking or treasury concern. The 2026 updates make AP operations directly relevant to ACH risk management, because most ACH fraud incidents originate upstream from the payment itself:
- A fraudulent vendor bank change
- A spoofed executive approval
- A compromised supplier email account
- An urgent payment request bypassing normal workflows
Compliance increasingly depends on the strength of AP processes, not just bank controls. Finance teams need systems that can centralize vendor information, enforce approval workflows, verify banking changes, detect anomalous payment behavior, maintain immutable audit trails, and apply segregation of duties across payment creation and approval.
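The controls listed above can be expressed as a pre-release check on vendor ACH credits. The following is an added example, not code from Nacha or from any AP platform: it holds payments that follow a recent or unverified bank change, lack segregation of duties, or spike against vendor history, and writes each decision to a hash-chained log. The field names, the 10-day hold window, and the 3x spike factor are assumptions chosen for illustration.

```python
import hashlib, json
from datetime import date
HOLD_DAYS, SPIKE_FACTOR = 10, 3.0  # assumed policy values; Nacha prescribes none

def evaluate(payment, vendor, today):
    """Return the names of the risk rules this ACH credit trips."""
    flags = []
    changed = vendor.get("bank_changed_on")
    if changed and (today - changed).days < HOLD_DAYS:
        flags.append("recent_bank_change")
    if changed and not vendor.get("bank_change_verified_by"):
        flags.append("bank_change_unverified")
    if payment["created_by"] == payment["approved_by"]:
        flags.append("no_segregation_of_duties")
    past = vendor.get("past_amounts", [])
    if past and payment["amount"] > SPIKE_FACTOR * sum(past) / len(past):
        flags.append("amount_spike")
    return flags

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, payment, vendor, today):
    """Append a hash-chained decision record (tamper-evident, not immutable)."""
    flags = evaluate(payment, vendor, today)
    rec = {"payment_id": payment["id"], "date": today.isoformat(), "flags": flags,
           "decision": "hold_for_review" if flags else "release", "prev": log[-1]["hash"] if log else "0" * 64}
    rec["hash"] = _digest(rec)
    log.append(rec)

def chain_ok(log):
    """Recompute every hash; an edited or reordered record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

# Constructed sample data, not real vendors or payments.
TODAY = date(2026, 7, 1)
VENDORS = {"V1": {"bank_changed_on": date(2026, 6, 28), "past_amounts": [9000, 11000]},
           "V2": {"past_amounts": [500, 700]}}
PAYMENTS = [{"id": "P1", "vendor": "V1", "amount": 50000, "created_by": "ann", "approved_by": "bob"},
            {"id": "P2", "vendor": "V2", "amount": 650, "created_by": "ann", "approved_by": "bob"}]
LOG = []
for p in PAYMENTS:
    record(LOG, p, VENDORS[p["vendor"]], TODAY)
```

The hash chain only makes edits detectable; retaining the log where payment approvers cannot write to it is a separate control.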
This is one reason many organizations are moving away from fragmented email-based payment processes and toward integrated AP automation and payment platforms. By embedding controls directly into invoice, vendor, and payment workflows, organizations can reduce fraud exposure while making Nacha compliance easier to operationalize at scale.
Return Rate Standards (ACH Debit Originators)
Nacha also monitors return rates closely. The thresholds below apply to ACH debit activity, so they primarily affect organizations originating debits, such as billers, lenders, and businesses collecting customer payments electronically. They do not apply to AP teams originating ACH credit payments to vendors.
It’s also important to distinguish between Nacha’s unauthorized return rate threshold and the administrative and overall return rate levels. The thresholds work differently:
- Unauthorized return rate threshold: 0.5%. Exceeding this is a direct rule violation and can trigger corrective action and enforcement through your ODFI.
- Administrative return rate Level: 3%. Exceeding this does not constitute an automatic violation. It allows Nacha to open a preliminary inquiry into the originator’s ACH origination practices and activity, which may or may not lead to enforcement.
- Overall return rate Level: 15%. Same model as the administrative Level. Crossing it opens the door to a preliminary inquiry, not an automatic violation.
AP teams originating ACH credits should still treat return-rate hygiene as a related ACH control. Sending vendor payments to invalid accounts, outdated banking information, or unverified recipients creates the same operational risks the debit thresholds are designed to address: failed payments, rework, and weakened audit trails. Accurate vendor data, proper account verification, clean payment files, and consistent approval workflows reduce that exposure regardless of which side of the ACH transaction you sit on.
The 2026 Nacha Rule Changes
The 2026 updates introduced three major mandates affecting ACH originators, outlined in Nacha’s summary of upcoming rule changes.
1. Risk-Based Fraud Monitoring
Phase 1 (March 20, 2026): Applies to ODFIs and to the largest non-consumer originators, third-party service providers, and third-party senders whose 2023 ACH origination volume exceeded 6 million entries.
Phase 2 (June 22, 2026): Eliminates the volume threshold and applies to all remaining non-consumer originators, third-party service providers, and third-party senders, regardless of transaction volume. (June 19 is a federal holiday; the practical effective date is the next banking day.)
Nacha’s rule does not require that fraud monitoring happen before an entry is originated. It requires that the monitoring process itself be risk-based, documented, and reasonably designed to identify suspicious activity.
2. Standardized Company Entry Descriptions
Effective March 20, 2026: PPD credits for wage and salary payments must use the company entry description “PAYROLL”. Online consumer debit entries for e-commerce purchases must use “PURCHASE”. The goal is to improve payment transparency and support fraud detection across the network.
3. ACH Credit Monitoring by RDFIs
Receiving banks now have their own risk-based monitoring obligations, phased in alongside the originator rule. The rule does not require RDFIs to monitor credits pre-posting; it requires reasonable, risk-based processes to detect and respond to suspicious credit activity. Originators should still expect more questioning on flagged credit entries.
These changes represent Nacha’s response to rising ACH fraud and reflect a broader shift toward shared fraud responsibility across businesses, banks, and payment providers.
What Happens If Your Business Is Not Compliant?
Nacha enforcement operates through your ODFI, and consequences escalate based on severity and remediation responsiveness:
- Level 1: Notification and corrective action. Your bank requires a remediation plan and corrective measures.
- Level 2: Financial penalties. Nacha may assess fines through your ODFI.
- Level 3: Restriction or suspension. Repeated violations can result in ACH origination privileges being restricted or revoked.
Beyond direct penalties, non-compliance creates operational disruption. Losing ACH origination capabilities can force organizations onto more expensive or manual payment methods, including wires and paper checks. For finance teams processing large volumes of vendor payments, this disruption can significantly impact efficiency, vendor relationships, and cash flow operations.
How Modern AP Platforms Simplify Nacha Compliance
Nacha compliance is no longer just a treasury issue. It now touches vendor onboarding, invoice approvals, payment execution, fraud monitoring, and audit readiness. Managing these responsibilities across disconnected tools creates operational complexity, especially as payment volumes grow.
Modern AP automation platforms help finance teams operationalize compliance by embedding controls directly into payment workflows.
- Centralize vendor and payment data. Storing vendor records, invoices, approvals, and banking details across disconnected systems increases both fraud risk and audit complexity. Centralized AP platforms create a single system of record for vendor and payment activity, improving visibility and reducing inconsistencies.
- Automate audit trails. Nacha’s fraud monitoring requirements emphasize documented, audit-ready processes. A complete AP audit trail provides a consistent record of approval activity, vendor banking changes, payment decisions, exception handling, and verification workflows.
- Strengthen internal controls. Modern AP workflows support segregation of duties, role-based approvals, controlled payment release, and standardized approval routing. These controls align directly with Nacha’s expectations around fraud prevention and risk management.
- Reduce fraud exposure. AI-driven workflow intelligence and anomaly detection can help identify unusual payment requests, new or modified bank accounts, changes in payment behavior, and duplicate or high-risk transactions.
- Build compliance into everyday operations. The most effective approach to Nacha compliance is embedding it directly into AP and payment workflows rather than managing it as a separate manual process.
How Stampli Helps AP Teams Strengthen ACH Controls
We built Stampli around the same principle the 2026 rules now formalize: fraud prevention belongs inside the AP workflow, not bolted on after the fact. Stampli AI evaluates every invoice and approval scenario against the data in your ERP, while people confirm, correct, and approve. The system learns from every correction, and that institutional knowledge persists as teams change and volume grows.
Here’s how that maps to each of the three 2026 mandates.
Risk-based fraud monitoring support
Stampli helps AP teams identify and escalate payment risk before instructions are sent to the payment processor. Stampli AI continuously evaluates invoices for duplicates, variances, suspicious vendor changes, and policy exceptions, flagging anomalies for human review before payment is released. Approval routing is predicted based on organizational structure and past behavior, and every decision is captured in the audit trail. Vendor bank-detail review, dual-approval workflows, ACH ID whitelisting at the customer’s bank, exception handling, and full audit trails create a documented, workflow-level control environment that can support the risk-based monitoring processes Nacha now expects.
Vendor account collection and bank-change controls
Stampli supports secure vendor onboarding and controlled bank-detail collection, reducing reliance on the email-based workflows that create most ACH fraud exposure. A secure self-service vendor portal collects W-9s, banking details, and insurance documents directly from vendors, and validation guardrails block invoices or payments if mandatory documents are missing or expired. Changes to vendor bank information must be reviewed and confirmed by a Vendor Manager with payment permissions before they can be used for payment. That creates a controlled process around one of the highest-risk AP events: a vendor banking change.
Documented controls and audit readiness
Stampli Payments enforces pre-payment safety checks against ERP records, separates invoice approval from payment approval, and produces 1-to-1 reconciliation: one payment creates one bank transaction and one ERP record. The full history of approvals, vendor changes, and payment decisions is captured in Stampli’s audit trail and accessible to auditors at any time.
Stampli is also a Nacha affiliate member and maintains SOC 2 Type 2 certification.
The result is fewer fraud-driven losses, a defensible position in the event of an audit or Nacha inquiry, and payment operations that continue to scale without forcing finance teams to manage compliance as a parallel manual process.
The Future of ACH Compliance Is Operational
Nacha’s 2026 rule changes reflect a broader shift happening across finance organizations: payment fraud prevention is becoming an operational responsibility, not just a banking function. For AP teams, compliance now depends on consistent workflows, verified vendor data, strong approval controls, real-time payment visibility, and audit-ready documentation.
Organizations that modernize their AP and payment operations now will be better positioned to reduce fraud risk, maintain compliance, and scale ACH payments confidently as regulatory expectations continue to evolve.


