Compliance Deadline

Is Your Bank Ready for Nacha's June 22 Deadline?

Nacha's expanded ACH fraud monitoring rules take full effect on June 22, 2026. The shift from reactive return handling to proactive, risk-based monitoring across all 17 Standard Entry Class (SEC) codes is the biggest change to ACH compliance in a decade. Here's what your bank needs to know.

Phase 1 March 20, 2026 — Passed
Phase 2 June 22, 2026 — 59 days
17 SEC codes now covered

From reactive return handling to proactive risk monitoring

Nacha's updated rules fundamentally change how financial institutions must approach ACH fraud. The old playbook of monitoring return rates and reacting to chargebacks is no longer sufficient.

Before (Old Approach)

Reactive, return-rate focused

  • Monitor WEB debit returns only
  • React when return rates exceed thresholds
  • Compliance measured by return rate metrics
  • Limited SEC code coverage
  • Annual risk assessment checkbox

After (New Requirement)

Proactive, risk-based monitoring

  • Monitor all 17 SEC codes for fraud indicators
  • Proactively detect suspicious patterns before settlement
  • Demonstrate detection effectiveness to examiners
  • Real-time or near-real-time transaction screening
  • Continuous risk assessment with documented updates

Two phases, one message: monitor proactively or face scrutiny

Nacha split the rollout into two phases. Phase 1 is done. Phase 2 is the one that catches institutions off guard.

March 20, 2026

Phase 1: Foundation Requirements

Financial institutions must have baseline ACH fraud monitoring in place for WEB debit originations. Risk assessments updated. Monitoring systems operational. This phase established the minimum floor.

Effective — Passed

June 22, 2026

Phase 2: Full Scope Enforcement

Monitoring requirements expand to all 17 Standard Entry Class (SEC) codes. Institutions must demonstrate proactive, risk-based fraud detection — not just return rate tracking. Examiners will test detection capabilities, not just check for policy documents.

59 Days Remaining

5 questions your examiner will ask about ACH fraud monitoring

Based on recent regulatory guidance and examination trends, these are the areas where examiners are focusing their ACH compliance reviews.

Question 1

Does your risk assessment align with your actual transaction mix?

Examiners are comparing stated risk profiles against actual origination volumes by SEC code. A risk assessment that says "low ACH risk" while processing $50M in WEB debits monthly will trigger findings. Your assessment must reflect reality, not last year's template.

Question 2

Can you demonstrate SAR quality, not just volume?

FinCEN's effectiveness initiative has shifted examiner focus from "how many SARs did you file" to "are your SARs actually useful to law enforcement." Institutions must show that detection leads to quality narratives with actionable intelligence — not checkbox filings.

Question 3

How are you using technology (including AI) in your fraud program?

Examiners are increasingly asking about technology capabilities. If you're using AI or machine learning, you need model governance documentation. If you're not using advanced tools, you need to justify why manual processes are adequate for your risk profile.

Question 4

What is your false positive rate and how do you manage it?

High false positive rates signal an ineffective program — investigators waste time on noise instead of actual fraud. Examiners want to see documented thresholds, regular tuning cycles, and evidence that your team can separate signal from noise.

Question 5

When did you last update your detection rules?

Static rule sets from 2020 do not address 2026 fraud patterns. Examiners expect evidence of regular rule updates, ideally quarterly. If your rules haven't changed since deployment, that's a finding waiting to happen — regardless of how good they were originally.

How ready is your institution?

Check each statement that applies to your current fraud monitoring program. Be honest — this is for your team, not for us.

  • We actively monitor all 17 SEC codes for fraud indicators, not just WEB debits.
  • Our ACH risk assessment has been updated within the last 12 months and reflects our actual transaction volumes.
  • We have documented false positive thresholds and a regular tuning process for our detection rules.
  • Our fraud detection rules have been reviewed and updated within the last quarter.
  • We can demonstrate detection effectiveness (not just SAR volume) to an examiner if asked today.
  • Our monitoring includes real-time or near-real-time transaction screening (not batch-only processing).
  • We have AI/technology governance documentation for any automated detection tools in use.

Get a free 30-minute compliance gap assessment

A BankerDetect compliance specialist will review your current ACH monitoring setup and identify specific gaps before the June 22 deadline.

No commitment required. 30-minute call. Specific to your institution.