Free cookie consent management tool by TermsFeed Generator Update cookies preferences

The Blog

We Value Sharing Wisdom for Your Success

Financial insights to keep you focused on the money matters. 

2026 Nacha ACH Rule Change Affects Every Nonprofit

best practices board finance fraud Jul 09, 2026
new 2026 ACH rules

New ACH Fraud Rules: What Nonprofits, Churches, and Schools Need to Know

ACH payments are easy to ignore because they usually happen quietly in the background.

Payroll runs. Vendors get paid. Tuition refunds go out. Contractors receive deposits. Grant payments are processed.

But starting June 22, 2026, new Nacha Operating Rules raise the expectations for how organizations monitor ACH payments for fraud.

And yes, this applies to nonprofits, churches, ministries, and private schools too.

If your organization sends ACH payments, this is no longer just a bank compliance issue. It is an internal controls issue.

What Changed?

Nacha’s updated Risk Management Rules are aimed at reducing credit-push fraud.

That means fraud where someone is tricked into sending money out of an account. For example, a staff member receives what looks like a legitimate request to update vendor banking information, releases the ACH payment, and later discovers the money went to a fraudulent account.

The key change in Phase 2 is that all non-consumer ACH Originators are now expected to have risk-based fraud monitoring processes in place.

In plain English: if your organization sends ACH payments, you need a process for identifying suspicious activity before money leaves the account.

This does not mean every nonprofit needs expensive fraud software. But it does mean informal trust-based habits are not enough.

“We’ve always done it this way” is not a control.

Why Nonprofits Should Pay Attention

Mission-driven organizations are often more vulnerable than they think.

Many nonprofits, churches, and schools operate with small finance teams, limited backup, and payment processes that developed informally over time. A bookkeeper may handle the details. A pastor, executive director, or head of school may approve by email. A board may only see the financial reports after payments have already gone out.

That setup may feel efficient, but it can leave major gaps.

ACH fraud often starts with something ordinary:

  • A vendor asks to change bank accounts.
  • An employee updates direct deposit information.
  • A contractor sends new payment instructions.
  • A leader appears to request an urgent payment.
  • A familiar-looking invoice arrives with new ACH details.

None of those situations are automatically fraudulent. But each one deserves a pause.

Once funds are sent by ACH, recovery is not guaranteed. The best protection is catching the problem before payment is released.

Are You an ACH Originator?

If your organization initiates ACH payments, you may be considered an ACH Originator.

That can include payments for:

  • Payroll
  • Vendors
  • Contractors
  • Employee reimbursements
  • Grant recipients
  • Donor refunds
  • Tuition refunds
  • Benevolence payments
  • Recurring bills

Using a payroll company, bank portal, payment processor, or accounting platform does not remove your responsibility for the steps your team controls.

The provider may process the payment. But your organization still decides who gets paid, what account is used, who approves the transaction, and how changes are verified.

That is where your internal controls matter.

Five Steps to Review Now

You do not need to overcomplicate this. Start with the places where ACH fraud usually slips through.

1. Ask Your Bank What Is Changing

Contact your bank, payroll provider, or payment processor and ask what they are changing because of the new Nacha rules.

Ask whether your organization should expect:

  • New payee verification
  • Account validation requirements
  • Additional approval steps
  • Fraud alerts
  • Transaction holds
  • Updated ACH agreements
  • Changes to your online banking workflow

Your team needs to know what is normal so they do not ignore important warnings or get surprised by new requirements.

2. Tighten ACH Approval

If one person can add a payee, enter banking information, approve the payment, and release funds, that is a weak process.

ACH payments should include separation of duties, especially for higher-risk transactions.

Pay close attention to:

  • New vendors
  • Changed bank information
  • Large payments
  • Unusual timing
  • Payments requested outside normal procedures
  • Payments to individuals instead of established organizations

At minimum, your process should clearly show who requested the payment, who verified the information, and who approved the release.

If you cannot trace those three things, the process is too loose.

3. Verify Banking Changes Outside of Email

Email is not a trusted verification method.

If someone sends new ACH instructions by email, verify the change through a separate channel before sending payment.

Use a phone number already on file, a secure vendor portal, or a known contact. Do not use the phone number or link included in the change request itself.

This one habit can prevent a costly mistake.

Banking changes should always trigger extra caution, even when the request appears to come from someone familiar.

4. Train Staff to Slow Down

Fraudsters rely on urgency.

They want the request to feel rushed, confidential, or too important to question. That is why your team needs permission to pause.

Staff should be trained to question:

  • Urgent payment requests
  • Last-minute banking changes
  • Requests to bypass the normal process
  • New email addresses from familiar vendors
  • Odd wording or unusual tone
  • Payment instructions that do not match past patterns

A healthy finance culture does not punish people for slowing down to verify. It expects them to.

5. Put the Process in Writing

A process that only lives in someone’s head is not a process.

Your written ACH procedures should explain:

  • Who can initiate ACH payments
  • Who can approve them
  • How new payees are verified
  • How bank account changes are confirmed
  • When dual approval is required
  • What to do if something looks suspicious

This does not need to be a massive policy manual. A clear, practical procedure your team actually follows is far more valuable than a long document no one reads.

What Boards Should Ask

Boards and finance committees do not need to manage ACH payments day to day. But they should confirm that basic safeguards exist.

Good questions include:

  • Who can create or change ACH payees?
  • Are bank account changes independently verified?
  • Do high-risk payments require dual approval?
  • Are ACH procedures written down?
  • Has staff been trained on payment fraud?
  • Do we know what to do if fraud is suspected?

That is not micromanagement. That is responsible financial oversight.

The Bottom Line

The new Nacha rules are a good reminder to look closely at your ACH payment process.

If your nonprofit, church, or private school sends money electronically, you need more than trust and routine. You need clear steps for verifying, approving, and monitoring ACH payments.

Start simple.

Talk to your bank. Tighten approvals. Verify banking changes outside of email. Train your team to slow down. Write the process down.

ACH fraud prevention is not just about compliance. It is about protecting the resources entrusted to your organization.

If your current process depends on one person remembering what to do, it is time to strengthen it.

Need Help Reviewing Your Payment Process?

Fractional CFO Services can help your nonprofit, church, or private school review ACH workflows, strengthen internal controls, and identify gaps before they become expensive problems.

If your team is not sure whether your current payment process is strong enough, let’s start the conversation here.

You can also download our free resource, 5 Steps for Nonprofit Leaders to Thrive, at www.thrivenonprofit.com/empower.

Sign Up to Receive Financial Tips in Your In Box

We hate SPAM. We will never sell your information, for any reason.