Nacha’s Phase Two ACH fraud monitoring rules took effect June 19, extending credit-entry surveillance requirements to every receiving depository financial institution in the country, not just the large-volume banks that faced Phase One in March.
Under the Risk Management Topics framework, RDFIs must now establish risk-based processes for identifying ACH credit entries suspected of being unauthorized or authorized under false pretenses. Originating institutions and certain third-party participants face comparable requirements. Phase One applied to a subset of receiving depository financial institutions.
The timing tracks the fraud curve. Unauthorized-party fraud, including credential theft, account takeover, and payment redirection, now accounts for 71% of fraud incidents and dollar losses at U.S. financial institutions, a reversal from the prior year when authorized-party scams led. Sixty-eight percent of banks raised fraud-detection spending in the past year in response.
The framework doesn’t require transaction-by-transaction review or pre-posting screening. Institutions must maintain programs capable of identifying suspicious patterns across customers, accounts, and payment channels. Machine learning and behavioral analytics, already deployed by most large banks and fintechs, aren’t optional extras under the new standard.
For community banks and credit unions that treated WEB debit monitoring as the ceiling of their fraud program, the Nacha monitoring requirements represent a real reckoning. Cross-channel surveillance is now the regulatory baseline, which means compliance gaps and fraud exposure gaps are the same gap. Those two risks used to be managed separately.
The volume-threshold exemption is gone. All RDFIs comply now.
— Marcus Webb