Risk & Compliance

A new risk management framework comes to ACH payments

LSEG Risk Intelligence


Nacha’s introduction of a revamped risk management framework for ACH payments marks a significant shift in tackling fraud and enhancing the reliability of transactions. With a surge in ACH Network usage and evolving fraud methodologies, the framework necessitates upgraded risk management approaches from businesses to meet new compliance standards and security needs.

  • Nacha introduces a new risk management framework for ACH payments, focusing on reducing fraud and improving transaction quality.
  • The framework responds to the increased use of ACH and the rise in sophisticated fraud schemes, necessitating stronger risk management in firms.
  • Businesses must adapt to these changes, requiring upgrades in their risk management systems for compliance and enhanced security.

Nacha is set to move forward with its new ACH risk management framework.

Following a series of proposed rule changes and new guidance, the aim of Nacha’s effort is to reduce the occurrence of fraud, improve fund recovery, and provide an overall enhancement to the quality of transactions.

For those who use ACH to facilitate transactions, the new direction will significantly expand the number of organizations and payment types under Nacha’s risk management purview. Compliance will likely require firms to dedicate a great deal of time, budget, and expertise to enhancing their identity and payments risk management systems.

The changes come as the use of the ACH Network continues to grow. In the third quarter of 2023, ACH volume reached 7.8 billion transactions, worth $19.7 trillion total – up 3.2% from the previous quarter.

In addition, ACH B2B transaction volume increased 9.6% in the third quarter of this year while Same Day ACH payments saw an impressive 27% increase in transaction value and a 20% increase in transaction volume, reaching 212 million transactions, worth over $608 billion in value.

The greater use of ACH has not only attracted more legitimate users, but also the interest of fraudulent actors and a new set of scams designed to outmaneuver and defraud the users of ACH payments.

New threats require new protections

Nacha’s previous risk management strategies centered on shielding consumers, organizations, and their account-holding financial institutions from unauthorized debit fraud. Over time, new types of risks have evolved from targeting unauthorized debit transactions to include authorized ACH transactions.

For example, Nacha’s new risk management framework highlights substantial challenges presented by credit-push fraud. Overall, the framework contains three principal objectives: 1) increase the awareness of fraud schemes that utilize ACH payments; 2) reduce the incidence of successful fraud attempts; and 3) improve the recovery of funds after frauds have occurred.

Among some of the more recent fraud scenarios making use of ACH transactions, the Nacha’s new framework will help address the following:

  • Business email compromise (BEC). A scam frequently carried out by compromising legitimate business email accounts through social engineering or malware.
  • Vendor impersonation fraud. A fraud occurring when a business, public sector agency or organization receives an unsolicited request, supposedly from a valid contractor to update the contractor’s payment information.
  • Payroll impersonation fraud. A fraud scheme targeting employees and human resources departments using stolen credentials. In this scenario, a fraudster changes employee payroll information for the purpose of syphoning funds.
  • Account takeover. And identify fraud scheme wherein a fraudster obtains the credentials of a consumer or a business account and, once gaining access, leverages that account for their financial gain.

ACH risk management next steps

As a part of its new risk management strategy, Nacha intends to provide an all-encompassing course for new initiatives, guidance, rules and industry tools. This risk management framework identifies three areas of opportunity for rule-making that will impact nearly every ACH network participant and type of transaction:

  1. Defining the role of the receiving account-holding institutions in risk management.
  2. Enabling and providing information sharing among financial institutions for the purpose of risk management.
  3. Expanding and improving end-user awareness and education around risk management.

Additionally, Nacha is calling for the expanded use of funds recovery tools such as reversals and RDFI returns; standardizing information for payroll and purchases; and provisions in the written statement of unauthorized debit copy (WSUD) process that provides the ability of receivers to claim unauthorized ACH debits.

Overall, the new rules will expand the responsibility of risk management and fraud monitoring to all ACH participants. This includes the originating depository financial institutions (ODFIs), receiving depository financial institutions (RDFIs) and third parties.

In the next few months, it will be incumbent on ACH participants to review Nacha’s proposals and develop strategies to address Nacha’s rules and follow its guidance.

How to address Nacha’s new risk management proposals

LSEG Risk Intelligence can help firms navigate and prepare for Nacha’s risk management proposals, applying identity validation, account verification, KYC compliance, and multi-factor authentication throughout the customer lifecycle.

Not only can LSEG Risk Intelligence approach satisfy Nacha’s proposed rule changes and guidance, but more effectively mitigate identity and payments risk without negatively impacting customer experience.

Stay updated

Subscribe to an email recap from:

Legal Disclaimer

Republication or redistribution of LSE Group content is prohibited without our prior written consent. 

The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.

Copyright © 2023 London Stock Exchange Group. All rights reserved.