ACH Fraud Monitoring

A RISK-BASED APPROACH TO COMBATING FRAUD

Effective March 20, 2026, Nacha (the National Automated Clearing House Association) is implementing a new fraud monitoring rule for ACH Originators.

The rule requires all non-consumer ACH Originators to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. It targets two categories of fraudulent entries:

  • Unauthorized Entries: Transactions initiated without the account holder’s permission (e.g., account takeover)
  • Entries Authorized under False Pretenses: Payments the account holder did authorize, but only because of deception such as Business Email Compromise (BEC), vendor impersonation, or payroll impersonation

Key requirements for MainStreet Bank ACH originators

The rule requires that your business establish and maintain a proactive, risk-based approach:

  1. Establish and Implement Risk-Based Procedures: You must define and apply processes and procedures, relevant to your role as an Originator, that are reasonably intended to identify outgoing ACH Entries that may be unauthorized or initiated under False Pretenses.
  2. Annual Review: These processes and procedures must be reviewed, and updated if necessary, at least annually to address evolving fraud risks.
  3. Risk-Based Approach: You must conduct a risk assessment to distinguish high-risk from low-risk transactions and apply monitoring measures proportionate to that risk. This lets you focus resources where the risk is highest.

Who does this new rule apply to?

This rule applies to all MainStreet Bank business customers who originate ACH files. Any business, government entity, or organization that initiates ACH transactions (such as payroll, vendor payments, or collections of customer payments) is considered a non-consumer Originator.

Is MainStreet Bank the only bank affected by the rule?

No, this was a mandated rule change by Nacha affecting all financial institutions that have business customers who originate ACH payments.

When do I need to comply with the new rule?

The Nacha deadline for implementing these fraud monitoring processes is March 20, 2026.

To manage this change efficiently, all new business customers who sign up for ACH Origination on or after January 1, 2026, will be asked to implement the new requirements as part of their initial setup. All existing customers must ensure the new requirements are fully implemented by the March 20, 2026, deadline.

MainStreet Bank will incorporate the review of your fraud monitoring processes into your established annual ACH review, unless changes to your ACH service require an earlier review.

What is “False Pretenses” fraud and why is it important?

“False Pretenses” refers to fraud scenarios in which a payment is authorized on the basis of a deception, and is one of the threats you should consider when creating your fraud monitoring processes. It is a crucial addition to the Nacha rules because it covers many of the most damaging fraud schemes today, including:

  • Business Email Compromise (BEC): A fraudster impersonates an executive or vendor via email to instruct an ACH payment to an account the fraudster controls
  • Vendor or Payroll Impersonation: A fraudster calls or emails to trick an employee into changing the payment information on file for a legitimate vendor or employee, so that the next regular payment is diverted


What other types of threats should I consider when implementing my fraud monitoring processes?

Effective fraud monitoring processes must be layered and tailored to your business. What you monitor should depend on your specific ACH transactions (e.g., payroll vs. vendor vs. collection of customer payments).

In addition to the rule’s requirements, your program should consider:

  • Unauthorized Withdrawals: How can you prevent external parties from pulling money without permission?
  • Internal Misconduct: How can you prevent misuse of payment authority by employees?
  • Compromised Credentials: How can you protect the internal systems used for managing payment information and activity?
  • Change Request Fraud: How can you verify the authenticity of payment instruction changes?

Does MainStreet Bank require me to use a specific software system?

No. The rule is principles-based, not prescriptive. It requires you to implement risk-based processes and procedures that are effective for your specific business. These can include:

  • Manual, documented internal controls
  • Utilization of fraud-detection features in your accounting or payroll software
  • Adoption of a third-party fraud monitoring solution

Does this rule change my liability for ACH fraud losses?

No. This rule is a compliance standard for Originators, Third-Party Senders, and all Financial Institutions. It establishes a requirement for all Originators to have active, risk-based fraud monitoring. It does not change the fundamental allocation of liability for fraud under existing law, but it does require you to strengthen your controls to mitigate these risks.

What are some examples of risk-based processes for my business?

Your ACH fraud monitoring processes are specific to your business: they must be tailored to your structure, payment volume, and fraud risks. The examples below are informational guidance only, a starting point rather than a complete checklist. Your processes may combine procedural and technical controls such as the following:

  • Dual Authorization/Segregation of Duties: Requiring at least two separate individuals to authorize high-dollar payments or ACH files. No single person should be able to create, approve, and release a payment
  • Out-of-Band Verification: When receiving an email request to change bank account details (vendor or employee), verifying the change through a trusted secondary channel (e.g., a phone call to the number already on file, never a number supplied in the request itself)
  • System Controls and Anomaly Detection: Using your internal accounting or payment systems to automatically flag or alert you to unusual activity, such as:
    • Payments to a new vendor that exceed a set dollar threshold
    • Sudden increases in transaction volume or amount outside of normal business patterns
    • Unusual payment destinations (e.g., a receiving bank or region you have never paid before)
  • Pre-Payment Account Validation: Using ACH prenotes (zero-dollar entries that confirm the receiving bank will accept the routing and account number) or third-party account validation services (which can additionally check that the account is open and held in the payee’s name) before the first live payment is initiated. Note that a prenote confirms the account exists, not who owns it, so pair it with out-of-band verification of the payee’s details
  • Strong Access Controls (MFA): Limiting the number of employees who have access to your ACH origination system and enforcing Multi-Factor Authentication (MFA) for all users to protect against compromised login credentials
  • Dedicated Payment Workstations: Restricting the computers used to initiate or approve ACH payments from being used for high-risk activities such as opening external email attachments or general web browsing
  • Formal Fraud Incident Response Plan: Maintaining a clear, documented plan that specifies the immediate steps to take if fraud is detected, including who at MainStreet Bank to call and internal protocols for containing the risk
  • Mandatory, Continuous Employee Training: Implementing regular (e.g., quarterly) training for all staff involved in payments to recognize, question, and independently authenticate suspicious requests (a key defense against social engineering)
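As an added example of how several of the controls above can be combined into one risk-based screen (this is illustrative code written for this page, not MainStreet Bank’s or Nacha’s; the thresholds, field names, and sample payees and entries are assumptions), the following Python script checks each entry in an outgoing batch for a first payment to a new payee above a threshold, a recent bank-detail change that was not verified out of band, an amount far outside the payee’s historical pattern, and a high-dollar entry that lacks a second approver, and holds any flagged entry for human review before the file is released:

```python
"""Risk-based screening of an outgoing ACH batch (added example, not bank code).

Thresholds, field names and the sample payees/entries are assumptions made
for illustration; a real program tunes them to its own payment patterns.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev
from typing import Optional

# Assumed thresholds for the risk-based rules (tune to your own volumes).
NEW_PAYEE_THRESHOLD = 10_000.00      # first payment to a payee at/above this is held
DUAL_APPROVAL_THRESHOLD = 25_000.00  # at/above this a second approver is required
CHANGE_WINDOW_DAYS = 30              # recent bank-detail changes must be verified out of band
MIN_HISTORY = 5                      # payments needed before the statistical check applies
Z_LIMIT = 3.0                        # standard deviations above the payee's mean


@dataclass
class Payee:
    payee_id: str
    first_paid: Optional[date]           # None means never paid before
    account_changed_on: Optional[date]   # last change to routing/account number
    change_verified_out_of_band: bool    # confirmed via the phone number on file, etc.
    history: list[float] = field(default_factory=list)  # prior payment amounts


@dataclass
class Entry:
    entry_id: str
    payee_id: str
    amount: float
    created_by: str
    approved_by: Optional[str]


def amount_is_anomalous(amount: float, history: list[float]) -> bool:
    """True if amount sits more than Z_LIMIT standard deviations above the
    payee's historical mean. A floor of 5% of the mean stands in for the
    standard deviation when history is perfectly regular (e.g. fixed salary),
    which would otherwise divide by zero."""
    if len(history) < MIN_HISTORY:
        return False
    m = mean(history)
    sd = pstdev(history) or 0.05 * m
    return (amount - m) / sd > Z_LIMIT


def screen_entry(entry: Entry, payee: Payee, today: date) -> list[str]:
    """Apply the risk-based rules to one entry; returns the list of flags raised."""
    flags: list[str] = []
    if payee.first_paid is None and entry.amount >= NEW_PAYEE_THRESHOLD:
        flags.append("NEW_PAYEE_HIGH_VALUE")
    if (payee.account_changed_on is not None
            and (today - payee.account_changed_on).days <= CHANGE_WINDOW_DAYS
            and not payee.change_verified_out_of_band):
        flags.append("UNVERIFIED_ACCOUNT_CHANGE")
    if amount_is_anomalous(entry.amount, payee.history):
        flags.append("AMOUNT_ANOMALY")
    if entry.amount >= DUAL_APPROVAL_THRESHOLD and (
            entry.approved_by is None or entry.approved_by == entry.created_by):
        flags.append("DUAL_AUTHORIZATION_MISSING")
    return flags


def screen_batch(entries: list[Entry], payees: dict[str, Payee], today: date) -> dict[str, list[str]]:
    """Screen every entry in the batch; maps entry_id to its flags."""
    return {e.entry_id: screen_entry(e, payees[e.payee_id], today) for e in entries}


def disposition(flags: list[str]) -> str:
    """Any flag holds the entry for human review before the file is released."""
    return "hold" if flags else "release"


def run_sample() -> dict[str, list[str]]:
    """Constructed sample batch: a regular vendor whose bank details just changed,
    a brand-new vendor, and a salaried employee (all data invented for this example)."""
    today = date(2026, 3, 2)
    payees = {
        "V-ACME": Payee("V-ACME", date(2024, 1, 15), date(2026, 2, 20), False,
                        [4800, 5100, 4950, 5000, 5200, 4900]),
        "V-NEWCO": Payee("V-NEWCO", None, None, False, []),
        "E-1042": Payee("E-1042", date(2023, 6, 1), date(2026, 1, 5), True, [2500] * 6),
    }
    entries = [
        Entry("E1", "V-ACME", 5050.00, "alice", "bob"),     # normal amount, but details changed 10 days ago
        Entry("E2", "V-ACME", 48000.00, "alice", "alice"),  # ~330 sd above mean and self-approved
        Entry("E3", "V-NEWCO", 12500.00, "alice", "bob"),   # first payment, over the new-payee threshold
        Entry("E4", "E-1042", 2500.00, "alice", "bob"),     # regular payroll; change verified and outside window
    ]
    return screen_batch(entries, payees, today)


if __name__ == "__main__":
    for entry_id, flags in run_sample().items():
        print(entry_id, disposition(flags), flags)
```

Running the script holds E1, E2 and E3 and releases only E4. The statistical rule deliberately requires a minimum history before it fires, because a payee with one or two prior payments has no meaningful baseline; the new-payee threshold covers that gap instead.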

 

We urge all MainStreet Bank business ACH Originators to begin assessing their current fraud controls immediately. Please work with your compliance, legal, and technology teams to ensure you are fully prepared before the mandatory deadline.

If you don’t have the newest version of the Nacha Operating Rules and Guidelines, you can purchase it directly from the Nacha website.

For additional information about ACH and step-by-step instructions on how to use our services, visit mstreetbank.com/resources, where we frequently add new resource guides and materials such as our ACH Basics Guide, a summary of key information about ACH (Automated Clearing House) transactions, including key participants, common SEC (Standard Entry Class) codes, authorizations, returns, and reversals.

We’re here to help! If you need any assistance or have questions, give us a call at 703-481-4589 or start a chat in Digital Banking.

© 2025 MainStreet Bank. All Rights Reserved. NMLS# 416495