As my colleagues and I have blogged previously (here and here), a payment that a legitimate account holder authorizes does not fit into the traditional framework for fraud remediation, which involves the Reg E requirement to refund customer money in the event of unauthorized payments fraud. Rates of authorized fraud are soaring, and recovery rates on business email compromise are horrendous. It's time for a new approach.
New Nacha rules that take effect in mid-2026 are potentially a breakthrough for fighting scams that result in authorized payments. The rules attempt to bring a collaborative approach—enlisting the sending and receiving financial institutions and their ACH customers—into the fight against unauthorized transactions and authorized push payment scams.
Even before 2026, however, beginning October 1, 2024, receiving financial institutions will be able to formally return entries that appear to be the result of fraud or what Nacha terms "false pretenses." This is a change from traditional practice, in which returns were used mostly to correct technical errors such as an incorrect or not-found account number. It formalizes what many institutions have already been doing to thwart money mules and fight business email compromise scams. Based on its monitoring of incoming credits, an RDFI—receiving depository financial institution—may decide to return an entry or to contact the ODFI—originating depository financial institution—to determine whether a transaction is valid. The RDFI can return a transaction it believes is fraudulent using Return Reason Code R17, which indicates a possibly questionable transaction or suspected anomalous activity.
Red flags identified during monitoring could include a Nacha standard entry class (SEC) code that does not line up with the identity of the receiver. For example, a CCD payment (cash concentration or disbursement) to a consumer account would be fishy, because CCD payments should only involve a transfer of funds between two corporate entities. Payments to an individual, on the other hand, should use a code designated for consumers, such as PPD (preauthorized payment and deposit).
Another red flag: multiple payroll payments from different entities to the same account. Payroll impersonation, a growing risk, occurs when workers are tricked into entering their account credentials into an online portal, ostensibly to set up direct deposit, and their pay is instead rerouted to a scammer's account. In this case the SEC code, PPD, could be correct, but the volume of activity would be suspicious.
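As an added illustration (not code from the original post or from Nacha), the two red flags above expressed as screening logic an RDFI might run over incoming credits. The record fields, company names, account numbers and the account-type lookup are constructed assumptions, not Nacha's file layout; the RDFI is assumed to know from its own records whether an account is a consumer or business account.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the RDFI's own view of which accounts are consumer
# accounts and which are business accounts (assumed account numbers).
ACCOUNT_TYPE = {"100200": "consumer", "100300": "business", "100400": "consumer"}

@dataclass
class Credit:
    sec: str          # SEC code from the ACH batch header (CCD, PPD, ...)
    company: str      # originating company name
    account: str      # receiving account number at the RDFI
    amount: float
    description: str  # company entry description, e.g. "PAYROLL"

def screen_credits(credits, accounts=ACCOUNT_TYPE):
    """Return {account: [reasons]} for incoming credits that merit review.

    Two rules mirror the red flags in the text: a CCD credit landing on a
    consumer account, and payroll-described PPD credits from more than one
    originator to the same account. Hits are candidates for an R17 return
    or an inquiry to the ODFI, not automatic returns."""
    flags = defaultdict(list)
    payroll_sources = defaultdict(set)
    for c in credits:
        holder = accounts.get(c.account, "unknown")
        if c.sec == "CCD" and holder == "consumer":
            flags[c.account].append(f"CCD credit from {c.company} to a consumer account")
        if c.sec == "PPD" and c.description.upper() == "PAYROLL":
            payroll_sources[c.account].add(c.company)
    for acct, companies in payroll_sources.items():
        if len(companies) > 1:
            flags[acct].append(f"payroll credits from {len(companies)} originators: {sorted(companies)}")
    return dict(flags)

def return_code(reasons):
    """Suggested Nacha return reason code for a flagged account (None if clean)."""
    return "R17" if reasons else None

# Constructed sample credits: one CCD to a consumer, one legitimate CCD to a
# business, two payroll credits from different companies to one account.
SAMPLE = [
    Credit("CCD", "ACME SUPPLY", "100200", 48200.00, "INVOICE"),
    Credit("CCD", "ACME SUPPLY", "100300", 12000.00, "INVOICE"),
    Credit("PPD", "CONTOSO INC", "100200", 2750.00, "PAYROLL"),
    Credit("PPD", "NORTHWIND LLC", "100400", 3100.00, "PAYROLL"),
    Credit("PPD", "CONTOSO INC", "100400", 2750.00, "PAYROLL"),
]

if __name__ == "__main__":
    for acct, reasons in screen_credits(SAMPLE).items():
        print(acct, return_code(reasons), reasons)
```

Running the block prints the two flagged accounts with R17 and the reason for each; account 100300 is not listed.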
Beginning in 2026, sending institutions will be required to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Receiving institutions should establish and implement similar processes and procedures focusing on ACH credits received. One goal of the rule changes is to enable quick return of potentially fraudulent transactions—before the money is swept out of the receiving account. These Nacha rules apply to the ACH network only but could potentially be a model for other payment rails: fast detection is essential to stopping fraud, and the cooperation of all parties is a good start.