
- Membership
- Certification
- Resources
- Events
- Community
- About
- Help
The Automated Clearing House (ACH) network is the backbone of the U.S. financial system, moving trillions of dollars annually through direct deposits, bill payments, and business transfers. There were 35.2 billion ACH payments in 2025, with growth in Same Day ACH and business-to-business (B2B) payments leading the way to an overall 5% volume increase over 2024.. At the center of this massive operation is Nacha, the nonprofit organization that establishes and enforces the operating rules ensuring these payments remain fast, reliable, and secure.
To keep pace with evolving risks and new technologies, Nacha updates its rules every year. Two significant rules are set to take effect on March 20, 2026, specifically targeting risk management and fraud prevention. For businesses involved in payroll or vendor management, understanding these rules is critical to avoiding warnings and potential fines, which can reach up to $500,000 per month for serious noncompliance.
Standardized Company Entry Descriptions | Deadline: March 20, 2026
This upcoming rule focuses on the Company Entry Description field, a 10-character space in the ACH record used to tell the receiver the purpose of a payment. While businesses historically had significant discretion in what they wrote here, Nacha is now mandating standardized terms for specific transaction types to help Receiving Depository Financial Institutions (RDFIs) better identify and monitor payment volume. This is identical to the existing rules requirement to add “ACCTVERIFY” to micro-entries included in the bank file that was required as of September 2022.
The change for internal operations is the requirement to use the description "PAYROLL" for all PPD (Prearranged Payment and Deposit) credits involving wages, salaries, or similar compensation. This term must be placed in the leftmost seven characters of the field (e.g., "PAYROLL", "PAYROLL 02").
Rule compliance is not limited to the payroll department because it is not limited to traditional W-2 employees. It also applies to 1099 contract employees and other compensation relationships, meaning accounts payable / vendor teams must ensure their systems are updated to flag these payments correctly. Furthermore, contributions to an employee’s Health Savings Account (HSA) must also carry the "PAYROLL" description, as these are considered pre-tax components of a salary. By standardizing this data, Nacha aims to help banks detect "payroll redirection" fraud, where bad actors attempt to divert salary payments to fraudulent accounts.
Note: There is also a new standard description, "PURCHASE", that is required for e-commerce debit entries authorized by consumers for online goods that most likely will not involve payroll, accounts payable or vendor teams, but you may want to verify with leadership.
Enhanced Fraud Monitoring | Deadlines: March 20, 2026 (Phase 1) or June 19, 2026 (Phase 2)
This upcoming rule is part of a larger risk management package intended to reduce successful fraud attempts, such as Business Email Compromise (BEC) and vendor impersonation.
Effective March 20, 2026, Phase 1 of this rule applies to all Originating Depository Financial Institutions (ODFIs) and any non-consumer "Originator" (organizations) that had an annual ACH origination volume of 6 million or more in 2023. When calculating this volume, businesses must combine both payroll and vendor payments. Entities below this threshold have until Phase 2, effective June 19, 2026, to comply.
To comply, organizations must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. While Nacha does not mandate a specific "one-size-fits-all" system, it does require that these processes be reviewed at least annually. The rule does not require businesses to screen every single entry individually or monitor them prior to processing, but it does mandate that a risk assessment be performed to differentiate between high-risk and low-risk transactions.
For many organizations this requirement will be a change from current fraud detection processes for those vendors considered high-risk. Accounts payable and vendor teams, especially those that have manual processes, only add fraud detection validation when there are changes to vendor bank details and not when adding a new vendor. Based on this new rule covering ACH entries, organizations must have a fraud detection process in place when new vendors provide banking details for ACH payments as well, such as having two confirmation calls to verify banking details, one during the new vendor add process and one when an existing vendor submits a change.
Even though Nacha accepts compliance when applied to vendors your organization deems higher risk, best practice to avoid payment fraud is to apply fraud detection processes to all vendors.
Next Steps for Compliance
With the deadline approaching, businesses should take immediate action to integrate these requirements into their daily operations.
Conclusion
By staying current with Nacha rules your organization navigate these changes while contributing to a more secure ACH network while reducing the potential for payment fraud.
What are you waiting for?