Nacha 2026 ACH Rules: What Changes for Business Expense Compliance

The only Nacha 2026 ACH rule with a June 22, 2026 deadline is the Phase 2 fraud-monitoring expansion. It removes the old volume threshold, so it now applies to every business that sends ACH payments, regardless of size.
It is a risk-based rule. You need a written, sensible process for catching unauthorized or "false pretenses" payments (like business email compromise), reviewed at least once a year. You do not have to screen every transaction.
The PAYROLL and PURCHASE payment descriptions are a separate rule that already took effect March 20, 2026. Account validation is not part of the 2026 package.
The practical burden is documentation: verifying vendor and payroll bank-detail changes, and being able to tie each payment to a real invoice. Organized expense records, including tools like Receiptor AI, make that trail easy to produce.

Last updated: June 8, 2026

If your business sends payments by ACH, the Nacha 2026 ACH rules affect you. From June 22, 2026, every business that originates ACH payments has to keep a documented, risk-based process for spotting fraudulent or unauthorized payments, no matter how few you send. The good news for expense compliance: most of the work is documentation, not new software.

The one change that actually has a June 22 deadline

There is a lot of noise about "Nacha 2026" covering several changes at once. For the June 22 deadline, only one rule matters: the second phase of Nacha's fraud-monitoring requirement.

Here is the short history. Phase 1 took effect on March 20, 2026 and applied to banks and to the largest originators, those that sent more than 6 million ACH entries in 2023. Phase 2 takes effect June 22, 2026 and removes that volume threshold. From that date the requirement applies to every business that originates ACH payments, regardless of size, plus all receiving banks.

(The official effective date is June 19, 2026, but because that is a federal holiday, Nacha set the practical compliance date as the next banking day, Monday June 22.)

A plain-English primer on ACH origination

ACH is the network that moves money between US bank accounts: direct deposit for payroll, vendor payments, and recurring debits all run on it. When your business sends money out this way, you are the "Originator." Your bank, which actually submits the payment to the network on your behalf, is the "ODFI" (originating bank). The recipient's bank is the "RDFI" (receiving bank).

The Phase 2 rule reaches Originators (your business), third parties that process ACH on your behalf (for example a payroll provider), and the banks on both ends. If your business only pays by card or paper check and never sends ACH, this particular rule does not land on you.

What the Nacha 2026 ACH rules actually require

You need a written, sensible process for catching payments that should not go out, and you need to review that process at least once a year.

Nacha calls this a "risk-based" requirement, and the wording matters for small businesses. The rule does not ask you to inspect every payment, and it does not require any monitoring before a payment is sent. It asks you to think about where your payment fraud risk actually sits, put reasonable controls there, and write the approach down. A sole owner sending four vendor payments a month and a finance team running weekly payroll will land in very different places, and the rule allows for that.

The rule also introduces a defined term, "False Pretenses." This covers a payment you were tricked into sending because someone misrepresented who they were, their authority to act, or who owns the receiving account. In day-to-day terms that means business email compromise, a fake "our bank details have changed" message from a supposed vendor, or someone impersonating an employee to redirect payroll. It does not cover ordinary disputes over goods that arrived late or were poor quality.

What about the PAYROLL and PURCHASE labels?

You may have seen the new standardized payment descriptions, PAYROLL and PURCHASE, mentioned alongside the 2026 changes. Those are a separate rule, and they already took effect on March 20, 2026, not June 22. If you run payroll, your PPD credit payments should already carry the description PAYROLL instead of older labels like SALARY or WAGES, and consumer e-commerce WEB debits should use PURCHASE. If your payroll or payment provider handles this, it is worth a quick check that they have made the switch.

To be clear about a common point of confusion: account validation is sometimes lumped in with "Nacha 2026," but it is not part of this package and is not a new June 2026 obligation.

What to have in place before June 22

A short, practical checklist for a business that sends ACH payments:

Ask your bank what they already cover. Your ODFI has its own obligations under the same rule and may handle much of the monitoring. Confirm in writing what they watch for and what they expect from you.
Write your process down. Even a one-page description of how you decide a payment is legitimate counts. Note that you will review it at least once a year.
Verify bank-detail changes before you pay. A request to change a vendor's or employee's account number should be confirmed by calling a known number, not by replying to the email that made the request. Nacha specifically points to these change controls.
Tie every payment to a real source document. Before money goes out, you should be able to point to the invoice or bill it pays and the vendor it belongs to.
Check your payment descriptions. Confirm payroll uses PAYROLL and consumer e-commerce debits use PURCHASE, which has been required since March.

Where clean expense records fit

The hardest part of the new rule for most small businesses is point 4: being able to show, quickly, that a payment matches a legitimate invoice from a known vendor. That is a documentation problem, and it is far easier to solve when your receipts and invoices are already captured and organized than when they are scattered across inboxes and folders.

This is where Receiptor AI fits. It works as the record-keeping layer behind your payments, not as a payments or fraud tool. It collects receipts and invoices from email, WhatsApp, and uploads, categorizes them against your chart of accounts, and posts them to Xero or QuickBooks as a bill or expense with the original document attached. From there your accounting software can match each one to the corresponding bank transaction during bank reconciliation. The result is a clean audit trail sitting behind every payment, so when you need to confirm that a payment was legitimate, the evidence already exists and is already structured.

Receiptor AI does not monitor ACH transactions, validate bank accounts, or move money. It keeps the documentary record that makes the rest of your compliance work manageable.

When this may not require much from you

If you do not send ACH payments at all, the Originator fraud-monitoring rule does not apply to you, though your own bank still has obligations on transactions you receive. If you originate payments only through a payroll provider or a bank that already runs monitoring, your direct burden may be light. The honest move in both cases is to confirm with the provider or bank rather than assume, and to keep a short written note of what you confirmed.

A note on this article

This article is for general information about the Nacha 2026 ACH rules and expense compliance. It is not legal or compliance advice. The rules can apply differently depending on how your business sends payments, so consult your bank, your ODFI, or a qualified compliance professional for guidance specific to your situation.

For more on keeping clean records behind your spending, see our guides on how long a US business should keep receipts, your guide to business tax compliance, and turning your inbox into a smart financial archive.

Do the Nacha 2026 ACH rules apply to small businesses?

Yes, if your small business sends payments by ACH. The Phase 2 fraud-monitoring rule that takes effect June 22, 2026 removes the previous volume threshold, so it applies to all non-consumer Originators regardless of size. If you never originate ACH payments, this particular rule does not apply to you, although your bank still has its own obligations.

What do I actually have to do before June 22, 2026?

Put a documented, risk-based process in place for identifying fraudulent or unauthorized ACH payments, and commit to reviewing it at least annually. Practically, that means confirming what your bank already monitors, verifying vendor and payroll bank-detail changes before paying, and being able to tie each payment to a legitimate invoice. The rule does not require new software or screening of every transaction.

What does 'False Pretenses' mean under the new Nacha rule?

False Pretenses is a payment you were induced to send because someone misrepresented their identity, their authority to act, or who owns the receiving account. It covers scenarios like business email compromise, vendor impersonation, and payroll redirection. It does not cover ordinary disputes over goods or services that were late or poor quality.

Do I have to monitor every ACH transaction?

No. Nacha's requirement is risk-based, not transaction-by-transaction. You assess where your payment fraud risk is highest, apply reasonable controls there, and document your approach. The rule also does not require any monitoring before a payment is processed.

Are the PAYROLL and PURCHASE descriptions part of the June 22 deadline?

No. The standardized Company Entry Descriptions, PAYROLL for payroll credits and PURCHASE for consumer e-commerce debits, took effect on March 20, 2026, not June 22. If you run payroll or take online consumer payments, those labels should already be in use, often handled by your payroll or payment provider.