For Businesses That Send ACH

Authorized, and Still Fraud: The NACHA Rule Every ACH Originator Faces on June 22

Published June 1, 2026 · 8 min read · By the ScamDrill Team

The email looks like a hundred others. A vendor you have paid for years writes to say their bank changed, here are the new routing and account numbers, please use them for this month’s invoice. Someone in accounts payable updates the record and releases the ACH payment. It clears. Everyone moves on. Three weeks later the real vendor calls asking where their money is, and you realize the “new bank” belonged to a criminal who had been reading your email for a month.

Here is the uncomfortable part: nothing about that payment was technically unauthorized. A real employee logged in, approved a real invoice, and sent money on purpose. The fraud lived in the deception, not the keystrokes. For years that distinction left businesses in a gray zone, because most fraud controls were built to catch payments nobody meant to make, not the ones you were tricked into making. On June 22, 2026, a NACHA rule change quietly closes that gap, and it pulls almost every business that sends ACH into scope.

What actually changes on June 22

NACHA, the body that writes the rules for the ACH network, has been rolling out a risk-management package in two phases. Phase 1 took effect on March 20, 2026 and covered the big players: every originating bank, plus large originators and processors that sent six million or more ACH entries in 2023. If you run a small or midsize company, you probably watched that deadline pass without lifting a finger, because the volume threshold left you out.

Phase 2 deletes the threshold. As of June 22 (the rule says June 19, but that is a federal holiday, so the practical date slides to the next banking day), the requirement applies to every non-consumer originator, third-party sender, and third-party service provider, regardless of volume. If your business runs payroll by ACH or pays vendors by ACH, you are an originator under these rules, even if you have never once thought of yourself that way.

The requirement itself is short. You must establish and implement risk-based processes and procedures, relevant to your role, that are reasonably intended to identify ACH entries suspected of being unauthorized or authorized under “False Pretenses,” and you must review those processes at least once a year. NACHA deliberately dropped the old “commercially reasonable detection system” language. The new standard is “processes and procedures,” which is a polite way of saying the network cares less about which software you bought and more about whether you can show a thought-out, written, defensible approach.

Figure 01 · Two kinds of fraud the rule now names

UNAUTHORIZED · You never approved it
A criminal moves money without your knowledge. Looks like:
• Account takeover
• Stolen banking login

AUTHORIZED · FALSE PRETENSES · You approved it, while tricked
A real person approves a payment, fooled by a lie. Looks like:
• Business email compromise
• Vendor & payroll fraud

The June 22 rule asks you to watch for both. Most legacy controls only ever caught the first kind, the unauthorized entry. · Source: NACHA 2026 Operating Rules

Why “False Pretenses” is a bigger deal than it sounds

The phrase reads like dry legal boilerplate, but it marks a real shift in how the payments network thinks about fraud. NACHA added False Pretenses as a defined term: the inducement of a payment by a person misrepresenting their identity, their authority to act for someone else, or the ownership of the account being credited. Strip out the lawyer words and it means a payment you genuinely meant to send, that you only sent because somebody lied to you.

For most of the ACH network’s history, “fraud” effectively meant “a transaction the account holder did not authorize.” Scam-induced payments fell through that definition, because the victim did click approve. By naming False Pretenses and asking originators to watch for it, NACHA is formally acknowledging what fraud investigators have known for a decade: the most expensive attacks today do not break your systems, they manipulate your people. Notably, the term covers impersonation, but not buyer’s remorse. If you pay for goods that turn out to be fake or low quality, that is a dispute, not False Pretenses.

$2.77 billion lost to business email compromise in 2024 alone, across 21,442 reported incidents, the second-costliest category of cybercrime in the FBI’s annual tally. Source: FBI Internet Crime Complaint Center (IC3), 2024 Internet Crime Report

The three scams the rule is really aimed at

False Pretenses is broad on paper, but in practice it describes three closely related schemes that drain corporate accounts through the ACH network.

Business email compromise. An attacker gets into, or convincingly imitates, an executive or finance email account and requests a transfer or a change to payment details. It remains the single most damaging category, and increasingly the “email” arrives with a deepfaked voice or even a video call to add pressure. We pulled that thread apart in our piece on deepfake video and voice attacks on businesses.

Vendor impersonation and invoice fraud. The opening scenario in this article. A supplier you trust appears to email new banking details, and the next legitimate invoice routes straight to the criminal. This is the textbook example NACHA had in mind, which is why the rule specifically calls out change controls for vendor payment information.

Payroll diversion. A staff member is phished for their HR-portal login, or HR receives a spoofed message in an employee’s name asking to “update my direct deposit.” The next paycheck lands in a prepaid card the attacker controls, and a quiet inbox rule hides the confirmation so nobody notices until payday goes wrong. It is a small-dollar attack that scales, and it preys on the helpfulness of payroll teams.

Figure 02 · How often this actually happens

• 79% of organizations faced payment fraud
• 63% named BEC the top fraud vector
• 50% saw ACH credits targeted by BEC

Roughly four in five organizations now deal with attempted payment fraud in a given year, and ACH is squarely in the crosshairs. · Source: 2025 AFP Payments Fraud and Control Survey

What “risk-based” really means for a normal business

The key word in this rule is risk-based, and it is good news for anyone picturing an expensive screening engine on every payment. NACHA was explicit on three points. You do not have to screen every entry individually. You do not have to monitor before a payment processes. And you get to concentrate your effort where the risk is, taking basic precautions on routine, low-risk activity and exempting the genuinely trivial.

There is exactly one thing you cannot do: decide that no monitoring is necessary at all. At a minimum, NACHA expects a written risk assessment that separates your higher-risk payments from your lower-risk ones. For most companies, the higher-risk bucket is obvious once you say it out loud: new payees, changes to existing banking details, unusually large amounts, and anything that arrived as an urgent request. Those are precisely the moments a False Pretenses scam needs you to move fast and skip a step.

A defensible starting point

Write one page. List your payment types (payroll, vendor ACH, one-off transfers), mark which are higher risk and why, name the control you apply to each (a callback, dual approval, a confirmed-payee check), and date it. That single document, reviewed annually, is the spine of a “risk-based process” and is far more than many small originators have today.

The boring control that quietly defeats the whole category

Here is the part the compliance memos bury. The rule is sophisticated, but the defense that actually stops False Pretenses fraud is almost embarrassingly low-tech. NACHA itself points to it, noting that originators are best placed to apply “change controls regarding payment information and instructions for vendor and payroll payments.” Translated: before you move money to a new or changed account, verify the request through a separate channel you already trust, using a phone number you had on file beforehand, not one printed in the email asking for the change.

That one habit breaks the chain at its weakest link. Every scam in this category depends on the victim trusting the channel the lie arrived in. A callback to a known number sidesteps the spoofed email entirely, and it costs nothing but a minute and a little friction.

Figure 03 · Where a callback breaks the chain

1 · Spoofed vendor email: “Our bank changed, pay this account”
STOP · Verify by callback: call a known number before you save it. The scam dies here.

If this step is skipped:
2 · AP updates the vendor record
3 · ACH payment released
4 · Money gone, weeks later

One out-of-band verification, inserted before the record changes, ends the attack before any money moves.

Technology still helps, especially on the volume side. Watching for sudden changes in payment velocity, dollar amounts, or where money is heading can flag patterns a human will miss, and that kind of monitoring satisfies the rule’s spirit nicely. But the highest-leverage control in this whole rule is a verification step run by a trained employee who knows to slow down. That is also why this is, at heart, a social-engineering problem more than a software one.
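The two controls this article keeps returning to, the callback-gated change to vendor banking details and a risk-based triage that concentrates attention on new payees, changed accounts, unusual amounts and urgent requests, can be written down as a small piece of accounts-payable logic. The block below is an added example written for this article; it is not NACHA's rule text or ScamDrill's product, and its data model (Vendor, Entry), its 30-day "recent change" window, its 3x-median amount threshold and the sample vendor and batch are all constructed assumptions. It also goes one step past the article by flagging a destination account that is already in use by a different payee, a pattern that shows up when several vendors are diverted to one mule account.

```python
"""Added example (not from the article): a callback-gated change control for
vendor bank details plus a risk-tiering pass over an ACH batch.
All names, thresholds and sample data are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median

RECENT_CHANGE_DAYS = 30    # assumption: a bank-detail change counts as "recent" for 30 days
AMOUNT_SPIKE_FACTOR = 3.0  # assumption: more than 3x the trailing median is "unusually large"


@dataclass
class Vendor:
    name: str
    routing: str
    account: str
    phone_on_file: str            # number recorded BEFORE any change request arrived
    changed_on: date | None = None
    pending: dict | None = None   # requested change waiting for out-of-band verification


@dataclass
class Entry:
    vendor_id: str
    routing: str
    account: str
    amount: float
    on: date
    urgent: bool = False


def request_bank_change(v: Vendor, routing: str, account: str, source: str) -> None:
    """Stage a change. The live vendor record does not move until a callback confirms it."""
    v.pending = {"routing": routing, "account": account, "source": source}


def confirm_by_callback(v: Vendor, number_dialed: str, today: date) -> bool:
    """Apply the pending change only if it was verified on the number already on file,
    never on a number supplied inside the request itself. Returns True if applied."""
    if v.pending is None or number_dialed != v.phone_on_file:
        return False
    v.routing, v.account = v.pending["routing"], v.pending["account"]
    v.changed_on, v.pending = today, None
    return True


def assess(e: Entry, vendors: dict[str, Vendor], history: list[Entry]) -> tuple[str, list[str]]:
    """Return ('higher' | 'lower', reasons) for one ACH entry.
    Higher-risk triggers mirror the article: new payee, account that differs from or was
    recently changed in the vendor record, amount spike, urgent request, shared account."""
    reasons: list[str] = []
    v = vendors.get(e.vendor_id)
    if v is None:
        reasons.append("new payee")
    else:
        if (e.routing, e.account) != (v.routing, v.account):
            reasons.append("account differs from verified vendor record")
        if v.changed_on is not None and (e.on - v.changed_on).days <= RECENT_CHANGE_DAYS:
            reasons.append("bank details changed recently")
    # Destination account already paid under a different vendor id (mule-account pattern).
    if any((h.routing, h.account) == (e.routing, e.account) and h.vendor_id != e.vendor_id
           for h in history):
        reasons.append("destination account already used by another payee")
    prior = [h.amount for h in history if h.vendor_id == e.vendor_id]
    if prior and e.amount > AMOUNT_SPIKE_FACTOR * median(prior):
        reasons.append("amount spike vs trailing median")
    if e.urgent:
        reasons.append("urgent request")
    return ("higher" if reasons else "lower", reasons)


def triage_batch(batch: list[Entry], vendors: dict[str, Vendor],
                 history: list[Entry]) -> dict[str, list[tuple[Entry, list[str]]]]:
    """Split a batch into the two buckets a risk-based process needs to document."""
    out: dict[str, list[tuple[Entry, list[str]]]] = {"higher": [], "lower": []}
    for e in batch:
        tier, why = assess(e, vendors, history)
        out[tier].append((e, why))
    return out


if __name__ == "__main__":
    # Constructed sample data: one long-standing vendor and two months of history.
    acme = Vendor("Acme Supply", "011000015", "000123", "555-0100")
    vendors = {"V1": acme}
    history = [Entry("V1", "011000015", "000123", 1000.0, date(2026, 4, 1)),
               Entry("V1", "011000015", "000123", 1100.0, date(2026, 5, 1))]
    # An emailed "our bank changed" request is staged, then wrongly "verified" on the
    # number printed in that email; the record stays put.
    request_bank_change(acme, "021000021", "999999", source="email")
    print("applied via email number:", confirm_by_callback(acme, "555-0199", date(2026, 6, 1)))
    batch = [Entry("V1", "021000021", "999999", 1050.0, date(2026, 6, 1), urgent=True),
             Entry("V2", "011000015", "000123", 500.0, date(2026, 6, 1))]
    for tier, items in triage_batch(batch, vendors, history).items():
        for e, why in items:
            print(tier, e.vendor_id, e.amount, why)
```

Everything the rule asks for ends up in the output of these two functions: the staged change plus its verification record is the audit trail for the change control, and the reasons list attached to each higher-risk entry is the written justification for why that payment got a callback or a second approver. Tune the constants to your own payment mix and note the reasoning in the one-page assessment described earlier.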

One honest caveat: compliance is not a shield

It is worth being clear-eyed about what this rule does and does not do for you. NACHA stated plainly that the requirement does not change the allocation of liability under UCC Article 4A, and it does not create a duty to prevent fraud beyond your commitment to follow the rules. In other words, ticking the compliance box does not guarantee you get your money back if a scam succeeds. Whether a loss is recoverable still depends on the facts and on the law.

The rule does not hand you a refund. It hands you a reason to build the habits that stop the loss in the first place.

That is the right way to read June 22. Treat it as a floor, not a finish line. The businesses that come out ahead will not be the ones with the thickest policy binder, but the ones that used the deadline as a nudge to fix the operational basics: verify banking changes, require two sets of eyes on large or unusual payments, lock down email with multi-factor authentication, and make sure the people who actually approve payments can recognize the pressure tactics aimed at them. If the worst does happen, having a plan ready matters enormously, which is exactly what our business incident-response playbook is for.

Figure 04 · Your June 22 readiness checklist

• Write a one-page risk assessment of your payments
• Verify new or changed bank details by callback
• Require dual approval on large or unusual payments
• Turn on MFA for email and payroll/HR portals
• Train staff who approve payments to spot impersonation

Then re-read it at least once a year. That review is mandatory.

Save this. It is the short version of compliant, and most of it is just good treasury hygiene.

The rule watches the payment. We train the person who approves it.

Every scam in this rule, BEC, vendor impersonation, payroll diversion, starts with a human being deceived. ScamDrill sends safe, realistic phishing and impersonation simulations to your team, with an instant teachable moment the second someone takes the bait, so the people releasing your ACH payments learn to pause and verify before the money is gone.


The takeaway

The vendor-email scam that opened this article is not exotic, and it is not rare. It works because it hides inside a perfectly normal, fully authorized payment. What changes on June 22 is that the ACH network now expects your business to be looking for exactly that. You do not need a fraud-operations team or a six-figure platform to comply. You need a written sense of which payments are risky, one stubborn verification habit, and a team that knows the tricks aimed at them. Build those before the deadline, and you are not just compliant. You are the kind of target these scams give up on.

Frequently asked questions

What exactly does the NACHA Phase 2 fraud-monitoring rule require?

It requires every non-consumer Originator, Third-Party Sender, and Third-Party Service Provider to establish and implement risk-based processes and procedures, relevant to the role it plays, that are reasonably intended to identify ACH entries suspected of being unauthorized or authorized under False Pretenses. You also have to review those processes at least annually and update them as risks change. NACHA deliberately did not prescribe specific tools. It dropped the old “commercially reasonable detection system” language in favor of “processes and procedures,” which means a documented, defensible approach matters more than any one piece of software.

Does this rule apply to my company?

If your business originates ACH payments and you are not a consumer, almost certainly yes. Phase 1 (March 20, 2026) covered originating banks and large originators that sent 6 million or more entries in 2023. Phase 2, effective June 22, 2026, eliminates the volume threshold entirely and applies to all remaining non-consumer originators regardless of size. A company that runs payroll by ACH or pays vendors by ACH is an originator, even if it never thinks of itself that way.

What does “authorized under False Pretenses” mean?

NACHA added False Pretenses as a defined term: the inducement of a payment by a person misrepresenting their identity, their authority to act on behalf of another person, or the ownership of an account to be credited. In plain language, it is a payment you genuinely approved, but only because someone deceived you. It captures business email compromise, vendor impersonation, and payroll diversion. It does not cover disputes over fake or low-quality goods and services. This is the conceptual shift in the rule: a payment can be fully authorized and still count as fraud the network expects you to watch for.

Do I have to screen every ACH payment in real time?

No. The rule does not require screening every entry individually, and it does not require monitoring before processing. It is explicitly risk-based: you identify which payments are higher risk and focus your controls there, take basic precautions on lower-risk activity, and document your reasoning. The one thing you cannot do is conclude that no monitoring is necessary at all. At a minimum NACHA expects a risk assessment that separates higher-risk from lower-risk transactions.

If I comply, am I protected from losing the money in a scam?

Not automatically. NACHA was explicit that the rule does not change the allocation of liability under UCC Article 4A, and it does not create a duty to prevent fraud beyond the commitment to follow the rules. Compliance means you have a documented, reviewed process, which matters for enforcement and for your bank relationship. Whether a given loss is recoverable still depends on the facts and the law. The real financial protection comes from the operational controls the rule nudges you toward, especially verifying changes to vendor and payroll banking details through a separate, trusted channel before money moves.
