On Monday, June 22, 2026, the last safe harbor disappears. NACHA’s credit-push fraud monitoring rule enters Phase 2, and the volume threshold that shielded smaller players in Phase 1 is gone. Every non-consumer Originator, Third-Party Sender, Third-Party Service Provider, and every Receiving Depository Financial Institution — regardless of how many ACH entries they move — must now have risk-based fraud monitoring in place. If your business touches the ACH network, this rule is no longer somebody else’s problem.
What Actually Changes on June 22
NACHA rolled out its fraud monitoring requirements in two phases. Phase 1, effective March 20, 2026, applied only to ODFIs and to originators and processors whose 2023 volume exceeded six million entries (ten million for RDFIs on the receiving side). That carve-out let a large share of fintechs, payment companies, and payroll processors watch from the sidelines.
Phase 2 ends that. As of the next banking day after June 19 — Monday, June 22, 2026 — the thresholds are eliminated. The obligation becomes universal across the network. The rule deliberately captures the credit-push fraud that dominates today’s losses: business email compromise, vendor impersonation, payroll diversion, and the romance-and-investment scams regulators now group under “authorized push payment” fraud.
The Standard: Risk-Based Processes, Not a Checkbox
The rule does not prescribe a technology or a vendor. It requires each covered party to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. That phrasing matters. “Reasonably intended” is an effectiveness standard, not a paperwork standard — mirroring the broader direction of U.S. AML policy. Examiners and ODFIs will ask whether your monitoring actually catches anomalies, not whether you have a binder.
NACHA names several acceptable approaches, and most programs will blend them:
- Velocity checks — flagging unusual frequency or dollar spikes against a customer’s baseline.
- Anomaly detection — surfacing transactions that deviate from established behavior.
- Behavioral tolerances — thresholds tuned to each account or segment.
- Pattern recognition — identifying mule-account and layering signatures across entries.
The RDFI Side: “False Pretenses” Is Now Your Problem Too
Receiving institutions are pulled in directly. Each RDFI must implement risk-based procedures to identify incoming credit entries suspected of being unauthorized or authorized under false pretenses — and to handle them once flagged. NACHA defines false pretenses as inducing a payment by misrepresenting one’s identity, one’s authority to act for another, or the ownership of the account to be credited. In plain terms: the scam victim authorized the payment, but only because they were deceived. That is the heart of modern push-payment fraud, and the network now expects both sending and receiving sides to share the detection burden.
Who Gets Caught — and Why It Hits Fast-Scaling Firms Hardest
The companies most exposed by Phase 2 are precisely the ones building fast on payment rails: fintechs running FBO and Banking-as-a-Service models, money service businesses, payroll processors operating under NACHA network requirements, and e-commerce platforms originating WEB debits. Many relied on the Phase 1 threshold and have no formal fraud-monitoring procedures documented at all.
There is also a quieter trap. Since March 20, originators must use standardized Company Entry Descriptions — “PAYROLL” for wage credits and “PURCHASE” for certain consumer e-commerce debits. Mislabeled entries undercut the very monitoring the rule now demands and are an easy finding for any auditor or sponsor bank.
FinCheck’s Perspective & The Way Forward
In our work standing up and auditing AML programs for fintechs, MSBs, and payroll firms, we see the same gap repeatedly: fraud controls treated as a feature of the payments stack rather than a documented, testable compliance program. The Phase 2 rule closes that gap by force. Our guidance for the next two weeks — and beyond:
- Confirm your status. If you originate or receive ACH as a non-consumer party, you are in scope on June 22. There is no minimum volume anymore.
- Write it down. Document risk-based monitoring procedures — the triggers you use, who reviews alerts, and how suspected entries are handled and escalated. “We use our processor’s tool” is not a procedure.
- Tune to your risk. Align velocity and anomaly thresholds to your customer base and product, and revisit them as you scale into new states or segments.
- Close the loop with your bank. Sponsor banks and ODFIs will push these expectations downstream; get ahead of their diligence with evidence you can show.
- Fold it into your AML program. Credit-push fraud monitoring and suspicious-activity escalation should reinforce each other, not run in separate silos.
Phase 2 is best read not as a one-time deadline but as the new floor. Regulators and the network are converging on the same message across the BSA, sanctions, and payments worlds: build controls that actually work, and be able to prove it.
Is your ACH fraud-monitoring program ready for June 22? FinCheck LLC helps fintechs, MSBs, payroll processors, crypto, and gaming businesses build and audit AML, BSA, and ACH risk programs that hold up to examiners and sponsor banks — from independent AML audits and ACH risk assessments to fractional Chief Compliance Officer support. Let’s talk before the deadline.