Stephanie Hottle, AAP, APRP, Director, Payments Education, joins host Anne-Marie Leake for part two of their discussion of recent and upcoming changes to the Nacha Operating Rules, focusing on the fraud monitoring rules going into effect in 2026; why performing a baseline risk assessment now is an important part of preparing for these changes; and how originators can stay informed on compliance obligations in our new Originator Education Community. This episode's compliance insight is vital to all ACH participants and stakeholders.

0:00

Upbeat Music

00:20

This is Anne-Marie Leake, Vice President of Communications for ePayResources, welcome to the Payment Space.

I am happy to welcome back Stephanie Hottle, Director of Payments Education for ePayResources. Welcome back, Stephanie.

Thanks, Anne -Marie, happy to be here.

In our last episode together, we took a look back at some of the 2024 rules

changes and the ones going into effect in April of this year. And today, we're going to

how, collectively, these changes will affect our members and enhance fraud prevention

and mitigation, which is always a top concern. It's a lot that's going into effect

All right. So, March 20th of 2026. We have a few things coming into effect, again, revolving around fraud monitoring. And so, we're going to start off with the RDFIs.

We'll talk about what their requirements will be. So, March 20, 2026, any RDFIs that

so, we're talking about our large financial institutions, they're going to be the first ones to implement. And so, they are going to need to establish and implement their risk-based processes and procedures to help identify credit entries that are suspected of being unauthorized or authorized under false pretenses.

We talked about false pretenses in the previous episodes. So, those are basically those items that are initiated where the person is misrepresenting the person's identity or that person's association with the account or the authority to act on behalf of that account.

So, those are things like our business email compromises, those vendor payroll and payee impersonation type scams.

So, what that means is the RDFIs have to do something, whereas right now they really

don't. They're protected by the warranties that the ODFIs provide to them, saying that

this entry is authorized and accurate. But because the fraud is increased

significantly, now not just saying, all right, our ODFIs, you guys got to kind of

help us out too.

So, they are gonna have to implement these processes and procedures

to identify those entries. With these processes and procedures, we definitely want to

make sure that we incorporate an annual review of those, because things change, you

know, year over year, the fraud changes. And so, we're going to want to make sure that

we're going back and reviewing those processes and procedures and making any necessary changes that we need.

So, I do want to say that with these risk -based processes and

procedures, the RDFI is not required to do a name match. So that does not change

the rules state that RDFIs are not required to name match the name that's on the

entry to the name that is on the receiving account.

But you do have to implement some type of process or procedure to help identify. And that can look like a lot of different things.

So, this is a pretty significant change for RDFIs. Is that a fair statement?

I would say so, yes. Because Like I said, the ODFIs, the originators, they are, the ODFIs is the participant that makes the warranties. They make the most warranties. I believe there's 13 of them that they make to either the operator or to the RDFI.

And so typically RDFIs, they know they're protected and they still are, but NACHA’s asking that they take an additional step to If, for some reason, this entry passes the ODFIs checks, which we'll talk about in just a minute, if it gets through on that end, then on the receiving end, the RDFIs are going to be doing something to try to indicate that, hey, this is an unauthorized transaction, or it looks like it's a transaction that's been authorized under false pretenses. So, yeah, this is significant for the RDFIs.

Wow. Okay. Well, you mentioned the origination side. So, let's talk about that.

Yeah. So, the rules are very similar for the ODFIs and their originators and those third-party service providers and third-party senders as with the RDFIs. So, the only difference really is the origination volume.

So, what participants are required to do this in the first phase. And so, any ODFI third -party service provider, third -party sender, or originator that has a 2023 origination volume greater than 6 million will have to do the same thing. They're going to have to implement those risk-based processes and procedures to identify entries that are suspected of being unauthorized or, again, authorized under false pretenses.

They too should be conducting an annual review of those processes and procedures to make any necessary changes as things evolve in the payment industry. And so, yeah, they're going to be doing the same thing.

And like I said, typically the ODFI is going to, their checks and balances are more than likely going to prevent that entry before it ever gets into the network or at least that's what we're hoping but that RDFI is going to come in on the back end just in case something slips through the cracks that RDFI is going to have a process in place to be able to capture and stop those payments from being available to those bad actors.

Right so additional work on the part of participants but the payoff is greatly enhanced risk management.

Absolutely, yeah. So, both parties, the RDFIs and the ODFIs were creating new processes, new procedures. So, we're gonna need that documentation. The documentation, you're gonna want to identify what it is, how you're gonna handle those entries once you've identified them as potentially being fraudulent. And that's on both sides, the ODFI and the RDFI is, okay, this has raised a red flag for us now. Now what do we do?

So, you want to make sure that you have thorough processes and procedures in place to walk you through what you're going to do if you've identified a transaction as being unauthorized or authorized under false pretenses. What's your next step?

Absolutely. So, I understand there are some new company entry descriptions involved. Is that correct?

Yes, there are. And those actually kind of play into this fraud monitoring. So, NACHA decided to add two new company entry descriptions. So, we have payroll, and we have purchase.

And so, using these company entry descriptions is going to help identify- you're going to be able to distinguish what's a payroll credit from other types of transactions, which is just going to enhance that fraud prevention. It's going to help improve your reporting.

And same with purchase, formatting that transaction to indicate that it is a purchase is going to help, you know, mitigate those transactions. It'll be more clear that, Hey, these are, these are legitimate.

When we talk about payroll, there is- NACHA has included disclaim language stating that the use of that company entry description payroll, it does not mean that the originator nor the ODFI or if there is a third party service provider that's acting on behalf of that originator ODFI.

They're not making any representation or any type of warranty to the RDFI or to the receiver regarding that receiver's employment status. So, NACHA thought that was very important to include.

Also, the ODFI has no obligation to verify the presence or the accuracy of the word payroll as a description of purpose or employment status.

So ODFIs do not have to, they're not required to go in and make sure that if their originator is sending a payroll file, that originator is using payroll for the company entry description.

But again, using it is going to help enhance that fraud prevention. It's going to help improve the reporting. So, originators should be using it but the ODIFI does not have to verify the presence or accuracy.

Well, the more communication, the better, right?

Absolutely, yes, especially in today's time. When we're incorporating these new entry descriptions, it really helps to kind of streamline the process. They did that with the micro entries a few years ago.

And before that, there was no company entry description for micro entries. You saw that it was less than a dollar and you realized, "Oh, that's one of those test deposits."

But using the correct format and putting the correct company entry description, it communicates better. It tells me, "Hey, this is a payroll batch.” So, doesn’t mean that this person is necessarily employed by this originator.

The ODFI doesn't need to worry about that, but, using that is definitely going to help enhance the fraud prevention and the reporting.

Right, so then there's another group of rules with an effective date of June 19, 2026 right?

Yes that's really just the second phase for the fraud monitoring for the RDFIs and the fraud monitoring by the originators and the ODFIs. Basically, it's the same thing.

What NACHA has done is they've broken it down into two phases. Phase one is those larger financial institutions. Phase two is everybody else. So, if you weren't or you're not part of the phase one group, either as an RDFI with more than 10 million in receipt volume or on the ODFI side with an origination volume of more than 6 million. So, if you're less than that, you're in phase two so you have a little bit longer, you have to be in compliance by June 19th.

But everything else is the same, you have to have those processes and procedures in place to be able to identify those transactions.

Great. A couple of things I wanted to mention before we wrap up: One, I wanted to share that the payments associations like ePayResources collectively are working on developing some resources to help financial institutions prepare for these fraud monitoring rule changes.

If anyone participated in our Fraud Monitoring Town Hall recently, the survey questions that were asked: The answers from those will be reported anonymously and used collectively with data from the other payments associations to determine what sort of resources financial institutions feel like they need to help them comply with these rules.

So, be on the lookout for more information on those resources. I also wanted to mention on behalf of ePay advisors, they want to make sure our audience understands that part of the preparation now should be conducting a risk assessment to lay the groundwork for those risk-based processes and procedures that must be established under these rule changes.

Great points, Anne-Marie. Also, I'd like to mention that it's imperative that the ODFIs make sure that they are educating their originators, their third -party service providers, and their third -party senders of these obligations so that they are in compliance with these rule changes as well.

12:37

In fact, ePayResources has launched a new online community to help with this. Our Originator Education Community is a place where ACH Originators and the ODFIs, Third-Party Service Providers, and Third-Party Senders that support them can network and find resources to help them understand their roles and obligations under the NACHA Operating Rules & Guidelines.

12:58

In addition to discussion posts, the community includes a quarterly newsletter that addresses specific compliance issues and presents them in plain English that focuses on the impact to ACH Originators.

13:09

Yes, absolutely. Thank you so much for mentioning that. Stephanie, thank you as always for coming on the podcast and sharing your expertise with our audience. Hope to see you again soon.

Thanks, Anne-Marie, I hope to come back soon.

13:41

(upbeat music)