Summary of Recent and Upcoming NACHA Rule Changes

VisionBank of Iowa 2026 NACHA Rule Update

In an effort to keep you safe and informed, VisionBank of Iowa offers updates and reminders regarding the ACH network and best-practices. Information provided here is not comprehensive of all changes that may be implemented, this information has been curated to identify the changes that directly impact our Originator’s general use of the Nacha network. The information included herein is intended as informative only. Please consider your own internal guidance, policies, or procedures, as well as legal advice that your business has received.

 

New Fraud Monitoring Rules Are Coming for ACH Originators
Beginning in 2026, new ACH Rules amendments will require all non-consumer ACH Originators to take a more active role in preventing fraud within the ACH Network. Depending on your organization’s ACH origination volume, these new requirements will take effect on either March 20, 2026, or June 19, 2026 (with a practical effective date of June 22, 2026, since June 19 is a federal holiday).

What’s Changing?
Under the new Rules, ACH Originators must establish and implement risk-based processes and procedures designed to identify entries that are unauthorized or originated under false pretenses. These fraud-monitoring processes must be:

• Tailored to your operations

• Reviewed and updated at least annually

• Focused on higher-risk areas, where fraud attempts are more likely to occur

Fraud Monitoring – Phase 1

• Effective Date: March 20, 2026

• Applies To: Non-consumer Originators with an annual ACH origination volume of six million or greater in 2023

Fraud Monitoring – Phase 2

• Effective Date: June 19, 2026 (practically June 22, 2026)

• Applies To: All other non-consumer Originators, regardless of 2023 origination volume

Why the Change Matters
The ACH Network relies on every participant to play a role in keeping payments secure — and Originators are uniquely positioned to spot suspicious activity early. By monitoring authorizations and transmission processes, Originators can catch fraud before it spreads through the network.

To comply, Originators must create documented, risk-based fraud monitoring processes that are “reasonably intended” to detect entries suspected of being unauthorized and entries authorized under false pretenses.

Building Your Risk-Based Fraud Monitoring Process
The Rules don’t prescribe specific steps, but focusing your efforts on two high-risk areas is a great place to start:

1. New Receivers - When establishing new Receiver relationships, take steps to verify legitimacy:

• Request proper documentation,

• Verify identity and authorized personnel-do not rely solely on email communication,

• Conduct background checks when appropriate,

• Use secure transmission methods for account data

• Ensure authorization forms meet ACH Rules requirements.

• Bank account details: Account number, routing number, account type (checking or savings).

• Payment information: Payment amount (or maximum amount for variable payments), payment frequency (one-time or recurring), and start date of authorization.

• Payment Collection date: start date and frequency (must be signed before start date)

• Payee details: Name of the company or individual being paid.

• Authorization statement: A clear statement such as “I authorize Company to debit my account”.

• Signature: signature of someone on that account (or electronic equivalent for online forms).

• Cancellation parameters: Instructions for canceling recurring payments or payments scheduled in advance.

**If you would like a sample Debit or Credit Authorization form, please reach out to the VisionBank of Iowa Treasury Management Team to request one.

2. Account Change Requests - When an existing Receiver provides new account details, treat it as a red flag. Verify carefully and keep the following in mind:

• Accept only valid, signed or authenticated authorization requests — not email, fax or phone messages,

• Confirm changes using the contact on file, not the contact provided in the change request,

• Apply Know-Your-Customer (KYC) practices.

Fraud tactics evolve constantly — and so should your defense. ACH Originators must review and update their risk-based processes at least annually to ensure they stay effective against emerging threats. By staying proactive, you’ll not only meet compliance requirements but also help strengthen the overall integrity of the ACH Network. Stay vigilant, tailor your risk-based processes to your organization’s needs and review them regularly to keep your fraud defenses strong.

 

How to Keep Yourself Safe

• Never use the same login ID and password for online banking as you use for any other site

• Keep your email address up to date in online banking

• Utilize online banking alerts to be notified if your online access has been attempted without your knowledge. (Someone may inadvertently or directly enter your login but enter an incorrect password. This will generate an email alert to the address on your online banking profile)

• Contact VisionBank of Iowa if anything seems suspicious

Pre-Notifications
Prior to initiating the first credit or debit entry to a Receiver’s account or if account information changes, VisionBank of Iowa strongly recommends the use of a pre-notification entry, a $0 transaction. Originators may initiate subsequent entries as soon as the third banking day following the settlement date of the prenote entry, provided the originator has yet to receive a return or COR.

Entry for that Prenote Entry. If a return or COR is received the originator must only send subsequent Entries to the receiver’s account once they have remedied the reason for the Return Entry or made corrections as requested by the NOC.

Notification of Change (NOC)
A NOC is a non-dollar entry sent by a Receiving Deposit Financial Institution (RDFI) to notify the Originating Deposit Financial Institution (ODFI) (VisionBank of Iowa) that information provided for a recipient is no longer valid. NOCs allow the RDFI to return information to the ODFI and, subsequently, the originator without returning the initiated ACH. Upon receipt of a NOC, we shall notify the originator, who is required to make the requested change within six banking days of receipt, or prior to the next transmittal to the recipient, depending on which is later.

Returned Items
Returned entries may only be re-initiated if returned for insufficient funds (R01) or uncollected funds (R09) and limited in number to two and must be initiated within 180 days of the original entry date. An entry returned for stop payment (R08) or an authorization issue may only be re-initiated if the originator has received appropriate authorization to re-initiate the payment. When re-initiating a returned item, the words “RETRY PYMT” in all capitalized letters is required in the Company.

When re-initiating a returned item, the words “RETRY PYMT” in all capitalized letters is required in the Company Entry Description field. Identical content is required in the following fields: Company Name, Company ID, and Amount. Modifications to other fields are permitted but only to those necessary to correct an administrative error made during processing. Return notifications will be sent to originators directly from their Treasury Management Officer. 

Return Rates
NACHA Rules require that financial institutions monitor ACH Origination customers’ return rates

• Unauthorized Entry Return Rate must be less than .05% . This includes returns to you for the following reasons:

  • R05 – Unauthorized Debit or Consumer Account using Corporate SEC Code (CCD)

  • R07 – Authorization Revoked

  • R10 – Customer advises not Authorized

  • R29 – Corporate Customer Advises Not Authorized

• Administrative Return Rate of 3.0% or less. This includes returns made to you for the following reasons:

  • R02 – Account Closed

  • R03 – No Account/Unable to Locate R04 – Invalid Account Number

  • Overall Return Rate must remain at 15.0% or less

Exceeding these limits can cause NACHA to assess fines. In such an event, the bank will discuss action plans with the ACH Originator including but not limited to terminating origination services.

Reversals
If an originator creates erroneous ACH entries or files, corrections may be made by initiating reversing entries or files.
An erroneous entry or file is defined as:

• A duplicate of an entry previously initiated by the originator or ODFI

• Orders payment to or from receiver not intended to be credited or debited

• Orders payment in a dollar amount different than was intended

• Originated within five banking days following the settlement date of the erroneous entry

• Please reach out to the VisionBank of Iowa Treasury Management Team if you believe you need to submit a reversal.

Note: We strongly recommend that originators use an authorization agreement (credits) with their receivers that states they are authorized to debit/reverse any entries made in error. This is good business practice and will help with any disputes in the future.

Allowed Standard Entry Class (SEC) Codes PPD - Pre-arranged Payment or Debit

• Commonly used for direct deposit

• For business-to-consumer use

• The written agreement must be on file with the recipient if you debit their account. Written agreement to debit a consumer must be kept on file for 2 years after termination.

• It is suggested that the written agreement is on file for credit entries, but verbal agreement is acceptable.

CCD - Cash Concentration or Disbursement

• For business-to-business use only

• It can be used for moving funds between a business’ accounts at different institutions

• Used for payments or debits to other businesses

• Agreements are handled by contract authorization between companies.

 

Important Reminders

Entry Types by SEC Code - You cannot combine different recipient types (consumer, business) within a single batch. As noted on page 4, different SEC codes are required based on the recipient type.

Example: You cannot generate an “ACH Batch” that contains employees for weekly payroll and also businesses you are paying for invoices or other payment needs. You would need to originate one PPD batch containing all the employee transactions and one CCD batch containing all the B2B transactions.

Subsidiaries - If your online banking supports more than one legal entity, and more than one legal entity does any ACH or Wire origination, you must utilize the appropriate subsidiary when generating the transaction to ensure compliance with NACHA regulation. Choosing the correct subsidiary completes the required fields such as Business Name and Company ID, failure to do so is a breach of NACHA regulations and may result in a recipient disputing the transaction. Failure to comply with either of these may result in the removal of origination capabilities.

Access to 2026 NACHA Rules - It is expected that you will stay up to date with the annual publication. While the rules may be purchased from several vendors, including directly from NACHA.org, we would be happy to provide a copy for you upon request at a discounted rate. The publication is available in digital format or as a printed book. If you would like to request pricing or to order a  copy of the publication, please contact us at treasurymanagementhelp@visionbank.com

Documentation Requirements
ACH Limit Increase - When you enter a Collection, Payment, or Payroll ACH and receive an error message “Over Your Limit,” it states the ACH you are trying to originate exceeds your approved limit. We set two types of approved limits: A Daily Limit-that is a dollar amount set for the total daily amount for credits or debits. Please do not hesitate to call or email Treasury Management Support if you receive an error message. Please provide us with the type of ACH you are originating and the amount needed to accommodate your needs. That will help us in setting new limits. 

Periodic ACH Questionnaires - This document asks for additional details about how your company uses our ACH solution. We will email the person(s) who is most often submitting ACHs through online banking on behalf of your company. The email will include a link to make it simple to complete 
the questionnaire online. Regulations do require that we collect a questionnaire from originators periodically.

Proper ACH Consumer Debit Authorization
We are required to verify you have obtained proper authorization for collections (debits) to a consumer’s account. We do conduct periodic authorization audits where we will select two random recipients from one of your files created within the last 90 days and request that you provide us with proof of authorization for these two recipients. If another financial institution were to request proof of authorization, to dispute a collection you have sent, you must respond within 10 days. You must keep these authorizations on file for two years after the termination of the agreement.

Our Commitment to Help

While there are several functions that VisionBank of Iowa employs to help protect you from a Corporate Account Takeover event.

• VisionBank of Iowa requires multi-factor authentication for access that requires:

• Login Name

• Login Password

• Out of Band Authentication: the Bank uses a one-time passcode (OTP) delivered by text message or voice call, or a software token.

• We continue to strongly encourage dual control for all “risky” (Funds moving to or from accounts outside of VisionBank of Iowa) transactions.

• Provide alerting services for authorization or processing of transactions.

• Establishing limits for the number of transactions and transactions’ amounts based on actual customer needs and expectations.

For questions or for more information please reach out the VisionBank of Iowa Treasury Management team at treasurymanagementhelp@visionbank.com or call (515) 956-7900