Effective June 22, 2026

New ACH Fraud Monitoring Rules

There has been an important change to the national rules that govern ACH payments that may affect your business or organization. These new requirements aim to help prevent fraud across all electronic payments; this includes payroll, vendor payments, and other business transactions you process through Sunrise Banks.

NACHA—the organization that establishes and enforces the rules for the ACH payment network—will require all businesses that originate ACH payments to have a written, risk-based fraud monitoring program in place. This requirement applies to every ACH originator, regardless of size or transaction volume.

Frequently Asked Questions

What does the rule require?

The rule does not require a specific technology or a one-size-fits-all solution. Instead, it requires a “risk-based” approach—meaning your program should be proportionate to the type and volume of ACH payments your business sends. For a small business, this does not need to be complicated. We’re here to help.

At a minimum, your written program must:

  • Cover all ACH entries you originate — not just payroll or just vendor payments, but all ACH activities.
  • Describe the steps you take to mitigate fraud risk — for example, how you verify a vendor bank account change before updating your payment records.
  • Address the risk of payments authorized under false pretenses — meaning payments you were tricked into sending, where the authorization appeared legitimate but was obtained through fraud or deception.
  • Be reviewed and updated at least once every 12 months, or sooner if your payment activity changes materially.
  • Be in writing and available for review by Sunrise Banks as your originating bank.

Why are they introducing this rule?

ACH payment fraud has grown significantly across industries in recent years — particularly fraud where a business is tricked into sending a payment it would not otherwise have sent. Criminals impersonate vendors, suppliers, and even company executives to convince businesses to redirect payments to fraudulent accounts. This type of fraud, sometimes called Business Email Compromise or payment redirection fraud, cost U.S. businesses billions of dollars last year alone.

NACHA’s new rule is a response to this trend. By requiring all ACH originators to actively monitor their payment activity and apply basic internal controls, the rule is designed to make the entire ACH network safer for businesses and their employees, vendors, and banking partners.

What kinds of fraud is this rule designed to catch?

The rule specifically focuses on fraud scenarios where the payment instruction itself appears authorized, but the authorization was obtained by deceit. These are sometimes called “authorized push payment” scams. Common examples include:

Vendor or Supplier Impersonation

A fraudster emails your accounts payable team pretending to be one of your regular vendors. They inform you that the vendor has changed banks and ask you to update the payment details before the next invoice is due. The email looks convincing—correct logo, familiar name, urgent tone. You update the information and send the payment. The money goes to the fraudster.

Payroll Redirection

A fraudster contacts your payroll administrator—or gains access to your payroll system—and changes an employee’s direct deposit information to redirect their paycheck to a fraudulent account. The employee does not receive their pay; you have already sent it.

Executive Impersonation (Business Email Compromise)

An employee receives an email that appears to come from a company owner or senior executive, instructing them to process an urgent ACH payment to a new account—often with reasons like a confidential acquisition or a time-sensitive supplier situation. The executive’s email account may have been spoofed or compromised.

Resources and Further Reading

If you would like to read more about the NACHA rule, the following pages on NACHA’s website provide additional background and frequently asked questions: