IN THIS ARTICLE

The grace period is over. As of June 22, 2026, every financial institution in the ACH network is required to run risk-based fraud monitoring. Phase 1 of Nacha's fraud monitoring rules took effect March 20, 2026 for the largest participants (ODFIs, originators and third-party senders above 6 million entries, RDFIs above 10 million receipts). Phase 2 removed the volume thresholds entirely, and the obligation extends past banks to every corporate end user that originates ACH. If your bank receives or originates ACH, this now applies to you, and to your commercial customers.

Here is the 30-second version of the rule. Every bank now needs a documented, risk-based way to spot fraudulent ACH entries, incoming credits included, which is new territory for RDFIs. Nacha does not expect you to screen every entry before it posts. It expects your monitoring to consider velocity, anomalies, account characteristics, and historical account activity, and it expects the program reviewed at least annually. In plain terms: your rules need to know your customers.

That framing matters because there are really two kinds of fraud rules. Rules that count dollars, and rules that know the account. Most banks between $1B and $30B in assets run the first kind: every transaction over $100K gets flagged, an analyst pulls up history in the core, decides it looks like the customer's normal activity, types "false positive" in a comment field, and clears it. Forty times a day. A flat threshold is a smoke detector mounted over the stove. It goes off every night at dinner, and after a while nobody looks up. That is the workflow, and it is held together with scotch tape and gum.

The numbers say the stove is getting hotter. The ACH network carried 35.2 billion payments worth $93 trillion in 2025, per Nacha. Unauthorized-party fraud (credential theft, account takeover, misused payment credentials) now drives 71% of fraud incidents and dollar losses, per PYMNTS Intelligence and Block. In AFP's 2026 survey, 76% of organizations were hit by attempted or actual payments fraud last year, with ACH debits cited by 30% of them. And LexisNexis Risk Solutions puts the fully loaded cost at $5 for every $1 of fraud lost, once investigation, recovery, and remediation are counted.

Now measure what the dollar-counting rule costs you. Industry benchmarks put false positive rates in rule-based transaction monitoring at 90 to 95%, and a routine alert takes 15 to 30 minutes to research and clear. A queue of 40 alerts a day at 20 minutes each is over 13 analyst-hours a day, roughly 3,300 hours a year. If 19 of every 20 flags are good transactions, what is that queue actually protecting? That is more than one and a half full-time employees proving good transactions are good, at a moment when 68% of institutions are already raising fraud-detection spend.

The dollar-counting rule fails the new requirement the same way it fails the analyst. It ignores everything Nacha tells you to consider: whether the account has seen this originator before, whether the velocity fits the account's pattern, whether a credential change preceded the transaction. And because the real monitoring logic lives in your analysts' heads rather than in the system, there is nothing codified to hand an examiner.

Here is the part we find most banks miss: the fix is already sitting in your own data. Every false positive disposition your team has written is a rule waiting to be extracted. "Cleared, customer receives similar amounts from this originator monthly" is not a comment. It is a policy: flag amounts over $100K only when the originator is new to the account within the lookback window. Your disposition history is an operating manual nobody has written down.

That is the work we do. Hudson's rules engine turns that buried judgment into codified, history-aware monitoring:

  • Rules that know the account. Thresholds conditioned on prior activity, originator history, and velocity against the account's own baseline. Industry studies of history-aware and behavioral monitoring consistently report false positive reductions of 70 to 80% versus static rules. Applied to the queue above, 13 analyst-hours a day becomes 3 to 4.
  • Behavior, not just transactions. Password change followed by a new ACH origination, file activity at 2 a.m., off-pattern submission times. The signals Nacha points to on the origination side.
  • Return code sequences. Patterns like repeated R01s on an account over 60 days, flagged automatically instead of discovered in a monthly report.
  • A disposition trail built for exams. Every flag, every decision, every comment in one audit history. When the examiner asks how your monitoring works, you show them the rules and the record, not a spreadsheet.

Banks that treat these rules as a checkbox will keep paying the false positive tax: thousands of analyst-hours a year clearing transactions that were never fraud. Banks that treat them as a reason to codify what their best analysts already know will satisfy Nacha and get most of those hours back. Same rules engine, both outcomes.

If your fraud monitoring still starts and ends with a dollar amount, let's talk. Happy to show you what your own disposition history can become.

Sources: Nacha Risk Management Topics rules (Phases 1 and 2, 2026); Nacha 2025 ACH network volume statistics; PYMNTS Intelligence and Block, 2025 State of Fraud and Financial Crime in the United States; AFP 2026 Payments Fraud and Control Survey; LexisNexis Risk Solutions True Cost of Fraud Study, 2025.

Learn how Hudson’s system can
transform your operation

Book a discovery call to learn how escrow products create new revenue streams and elevate consumer trust.