Navigating the 2026 ACH Rule Changes and Updates

The payments landscape changes every year, and periodically, so do the Nacha Operating Rules and Guidelines that govern ACH transactions. That’s true in 2026, as many changes are being implemented to improve readiness, fraud prevention and consistency. So, let’s take a look at the 2026 ACH rule changes and updates, so you can understand what’s changing, the impact to your credit union’s processes and how to stay on course in the year ahead.

Minor Topic Updates

Effective Date: January 1, 2026

There was no delay to the updates in 2026, with a few minor rule update topics effective as of January 1, 2026. These updates are meant to clarify the language and intention of existing rules:

• R17 Return Code – This rule update is meant to provide clarifying language aimed at eliminating confusion on whether an RDFI can use this return code on an entry they have identified as “QUESTIONABLE.” Previously, the language stated that the entry should not be posted to the receiver’s account, which still remained from when the R17 code was intended for use with entries containing invalid account numbers; however, the updated language states that returns can be processed for posted entries as well.
  • RULES REMINDER: If utilizing R17 as your return code, you must include the word “QUESTIONABLE” in all caps in the addenda information field.
• Definition of Banking Day – This rule update removes “Participating DFI” from the rule language in an effort to eliminate ambiguity around what is considered a banking day. With this change, the rule makes it clear that banking days refer to those where the ACH Network is open for business, whether the participating DFI is also open or not.
• Requirement to Provide Payment-Related Information to Non-Consumer Receivers – This rule update provides updated language to clarify that the rule is intended to apply not only IAT entries, but also to Corporate Credit or Debit (CCD), Corporate Trade Exchange (CTX) and Customer Initiated Entry (CIE) entries for non-consumer receivers. It was determined the previous rule language could have been misread or misinterpreted to assume that there is only a requirement to provide payment-related information to non-consumers for IAT entries.

Effective Date: September 18, 2026

• Funds Availability for Non-Same Day Credit Entries – This rule update will eliminate the 5:00 p.m. local time receipt condition, so that funds availability would be required at 9:00 a.m. in the RDFI’s local time on the settlement date for all non-Same Day ACH credits. The intention is to accelerate the availability of funds for some volume of next-day ACH credits that are made available to RDFIs after 5:00 pm local time on the banking day prior to settlement, yet not currently made available by 9:00 am RDFI local time on the settlement date.

Company Entry Descriptions

Effective Date: March 20, 2026

Standard Company Entry Description – PAYROLL

This rule will be introduced to standardize company entry descriptions for payroll transactions via ACH. For PPD credits – including wages, salaries and/or other types of compensation – the company entry description will require the phrase, “PAYROLL” in all caps. The intention behind this new rule is to give RDFIs greater insight into ACH credits for new or even multiple payroll credits for receivers. Richer payment data can also play a role in the supporting the RDFI’s decision to provide or not provide early funds availability and help reduce fraud through payroll redirections. The use of the term “PAYROLL” in the Company Entry Description field is descriptive in nature only and does not indicate representation or warranty of the receiver’s employment status. In addition, the ODFI does not have any obligation to verify employment status.

Standard Company Entry Description – PURCHASE

Along those same lines, a rule will be introduced to standardize the identification of e-commerce purchases, where debits are requested for the online purchase of goods through WEB debits – the largest transaction type by volume. It also applies to e-commerce transactions that utilize a buy now, pay later setup where an initial transaction is made with subsequent agreed upon payment transactions. This rule does NOT apply to recurring online payments like mortgage/rent and utility bills. When identifying e-commerce purchases, the company entry description should include “PURCHASE” in all caps. The ODFI does not have any obligation to verify the accuracy of the word “PURCHASE” as a description of purpose.

Company Entry Description Rule Considerations

• Systems for ODFIs, third-party service providers (TPSPs) and originators may need to be updated to include the required “PAYROLL” and “PURCAHSE” descriptions.
• The descriptions can be used as soon as Originators are ready to incorporate them into their process, but no later than the March 20, 2026, effective date.

Fraud Monitoring

Phase One – March 20, 2026

This new rule will be implemented in two phases. As part of the first phase, effective March 20, 2026, Nacha will require all non-consumer originators, TPSPs and ODFIs, as well as third-party senders (TPSs) with ACH Origination volume of six million or greater as of 2023, to establish and implement risk-based processes and procedures to identify ACH entries that are initiated under fraudulent circumstances, which includes items initiated under False Pretenses. Nacha defines False Pretenses as, “The inducement of a payment by a person misrepresenting (a) that person’s identity, (b) that person’s association with or authority to act on behalf of another person or (c) the ownership of an account to be credited.” In other words, False Pretenses are present in situations including vendor impersonation, payroll impersonation, account takeovers/unauthorized credits and other forms of impersonation. False Pretenses DO NOT cover scams involving fake, non-existent or poor-quality goods or services.

Phase Two – June 22, 2026

The second phase, effective June 22, 2026, will require all remaining non-consumer originators, TPSPs and TPSs to implement fraud monitoring.

Rule Considerations

• Financial institutions cannot determine that no monitoring is necessary.
• Any reliance on another originating entity must be clear and reasonable, contracted and provide adequate oversight. Procedures implemented by other parties do not impact the obligations of the rule for originating participants.
• REQUIRED of the rule for originating participants:
  • Institutions must, at a minimum, perform a risk assessment to identify higher and lower risk transactions. A review of the institution’s risk-based processes and procedures should be completed annually or as needed to make, “appropriate updates to address evolving risks.”
• NOT REQUIRED by the rule:
  • Screening of every individual ACH entry.
  • Monitoring prior to the processing of entries, although it is considered a best practice for early fraud detection and prevention.
• As part of the implementation of this rule, institutions may want to consider:
  • Developing a risk profile. Determine what are high and low risk transactions for your credit union. Risk profiles can vary depending on the size of your institution, the types of transactions you process, etc.
  • Expanding existing processes and procedures for monitoring abnormal or anomalous activity, velocity and account validation.
  • Performing risk contracting and sharing to address roles and dependencies.
• If a transaction is deemed fraudulent, institutions may want to consider:
  • Reviewing and stopping flagged transactions.
  • Determining all the flags raised by the transaction by consulting internal teams and contacting the RDFI via the ACH Contact Registry for receiver account red flags. This may lead to a request for the return of funds or a freeze of the funds or even the account.

ACH Credit Monitoring for RDFIs

Phase One – March 20, 2026

In a similar fashion as the previous rule, this rule will require RDFIs to implement and establish risk-based processes and procedures with the intention of identifying ACH credit entries that are fraudulently initiated. With the application of this rule, Nacha is looking to reduce the number of fraudulent transactions that pass through the ACH Network successfully and, conversely, increase the incidence of funds recovery.

As with the Fraud Monitoring Rule, phase one will require all RDFIs with an ACH Receipt volume of 10 million or greater as of 2023 to implement the ACH Credit Monitoring Rule by March 20, 2026.

Phase Two – June 22, 2026

The second phase, effective June 22, 2026, will require all remaining RDFIs to implement ACH credit monitoring.

Rule Considerations

• Financial institutions cannot determine that no monitoring is necessary.
• REQUIRED by the rule:
  • Institutions must, at a minimum, perform risk assessments to identify higher and lower risk transactions. A review of the institution’s risk-based processes and procedures should be completed annually or as needed to make, “appropriate updates to address evolving risks.”
• NOT REQUIRED by the rule:
  • Screening of every individual ACH entry.
  • Monitoring prior to the processing of entries, although it is considered a best practice for early fraud detection and prevention.
• As part of the implementation of this rule, institutions may want to consider:
  • SEC Code mismatches
  • Account activity
  • Account age
  • Account name (please note, there is no new rule requirement for name matching)
  • Account type
  • Credit type (determine if behavior seems normal or if early funds availability should be offered)
• If a transaction is deemed fraudulent, institutions may want to consider:
  • Reviewing and stopping flagged transactions. RDFIs can do this by placing a Funds Availability Exemption on the transaction to provide additional time to review and confirm the validity and/or they initiate an R17 Return for a “QUESTIONABLE” entry within the standard return timeframe.
  • Confirming the validity of the transaction through a consultation with the ODFI using the ACH Contact Registry.

More in 2026 and Beyond

As always, Nacha is looking ahead to rule updates, particularly for International ACH Transaction (IAT) entries. Let’s take a look what credit unions can expect in 2027 and even 2028.

Definition of IAT Entries – Effective September 18, 2026

This rule update provides clarity to the definition of IATs to help reduce the amount of misidentified IATs. For the full updated definition, please visit the Nacha website.

IAT Contact Registration – Effective January 1, 2027

Beginning in 2027, IAT contacts will be required to register the following information on the ACH Contact Registry: name, title, email address and phone number. One primary and one secondary contact will be required unless there is a department contact provided. As a reminder, email addresses and phone numbers must be valid, monitored and answered during normal business hours and contacts must be reviewed/updated at least annually, but it is recommended more often if staffing changes occur that impact designated contacts.

IAT Date of Birth Field & Non-Bank Foreign Financial Agencies – Effective March 19, 2027

In March 2027, Nacha will introduce a date of birth field for IAT entries. It will be optional, but the purpose of adding this field will be to help screen potential matches and provide increased security through improved data sharing via the ACH Network. In addition, there will be an “Other” option added to the types of codes used to classify the identification number for non-bank foreign financial agencies. This will allow Originators, TPSPs, TPSs and ODFIs to originate outbound IATs to non-traditional accounts and RFIs potential receipt of IATs from new sources on behalf of account holders.

Sanctions Compliance Obligation Return Reason Code – Effective March 17, 2028

In March 2028, Nacha will implement a new return code, R90, to designate entries returned due to RDFI Sanctions Compliance Obligations. With this code, the return must be made within two banking days from the RDFI’s sanctions compliance determination. The new code will accompany updates for the current return code, R16, which is currently defined for use as Account Frozen/Entry Returned per OFAC Instruction. There has been some ambiguity surrounding the interpretation of  the R16 return code – whether the return is truly for sanction reasons that require compliance action by the ODFI or simply an account that is frozen for reasons such as delinquencies or garnishments. This update will remove language for return code R16 stating, “Entry Returned per OFAC Instruction” and revert to, “Account Frozen.”

Simply put, 2026 is a big year for ACH rule changes and updates. For more details on the changes coming later this year and beyond, we invite you to watch the recording of the recent Vizo Financial webinar, Navigating the 2026 ACH Rule Changes and Updates.

See you again for another update in 2027!

Andi Crockett is the director of payments product managers at Vizo Financial. Her role involves developing and implementing EFT services — including Instant Payments, ACH for Business, ACH Contingency, ACH Receipt & Returns, ACH Originations, ACH Settlement, Domestic, International and Third-Party Wires and Foreign Check and Currency Services — for credit unions. She is also an Accredited ACH Professional (AAP) and Accredited Faster Payments Professional (AFPP).