Fraud no longer arrives through one payment type or one customer relationship. Criminals move across accounts, payment channels and institutions, often relying on stolen credentials, account takeover and business impersonation schemes. That broader threat picture is now reflected in the rules governing the ACH Network.

The most significant practical change from Nacha is that fraud monitoring expectations have expanded beyond the narrower requirements that previously applied to specific ACH transactions.

Under the new Risk Management Topics rules, effective as of this week for the first phase affecting receiving financial institutions, receiving depository financial institutions (RDFIs) are expected to establish and maintain risk-based processes and procedures reasonably intended to identify ACH credit entries suspected of being unauthorized or authorized under false pretenses. The broader Risk Management package also requires originating institutions and certain third-party participants to implement comparable risk-based fraud monitoring processes. Phase Two extends the requirements to additional institutions as of June 19.