FRAUDFORWARD
#106

From Liability to Visibility: The Real Story Behind NACHA Phase 2

What’s up fraud fighters, and welcome back to Fraud Forward!

Today we are talking about ACH compliance, and I know that may not sound like the most exciting opener in the world, but if you work in fraud, payments, operations, compliance, treasury, management, or anywhere near ACH this matters because ACH is one of the most widely used payment rails in the country. And when something goes wrong, it doesn’t just stay contained to one team. It impacts customers, creates operational strain, introduces regulatory risk, and can expose gaps in how your institution detects and responds to fraud.

Over the last few months, I have had conversation after conversation with fraud leaders at community banks and credit unions who are asking the same questions. Do we need new technology? Are we expected to monitor every ACH transaction in real time? What exactly are examiners going to expect from us? And if your head has been spinning a little bit, I want you to hear me on this: you are not alone.

This episode is about the real story behind NACHA Phase 2. And to me, the real story is not that every institution needs to run out and buy another fraud platform. The real story is that ACH compliance is becoming a much more intentional conversation. It is about knowing your risk, documenting your processes, understanding who owns what, and being able to explain why your institution monitors ACH fraud the way that it does.

I actually think that is a good thing. Because for too long, our industry has leaned on liability as the finish line. If we are not liable, it is not really our problem. And technically, maybe sometimes that has been true. But operationally, ethically, and from a fraud fighter perspective, that has never sat well with me.

Fraud does not live in silos. Neither should ACH fraud prevention.

What you’ll hear in this episode:

  • Why NACHA Phase 2 is about intentionality, not just technology
  • What changed in the final Nacha ACH rules and why that flexibility matters
  • How ACH compliance applies to community banks and credit unions now in scope
  • Why layered controls do not always mean buying another vendor solution
  • How false pretenses fit into ACH fraud detection and ACH fraud prevention
  • Why RDFI compliance and ODFI compliance require clear ownership across teams
  • What examiners may expect when reviewing your ACH compliance program
  • Five questions every institution should ask about ACH fraud documentation

You should listen to this episode if:

  • You work in fraud operations, payments compliance, ACH operations, BSA, AML, or treasury management
  • Your institution is working through NACHA Phase 2 implementation
  • You are trying to understand ACH examiner expectations without overbuilding your program
  • You serve a community bank or credit union and need practical ACH compliance guidance
  • You want to move from a liability mindset to a visibility mindset in payments fraud

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts.

Episode notes:

ACH compliance is about process, not just technology

When these rule changes were first proposed, a lot of institutions immediately assumed the worst: another regulatory burden, more technology, more spend, more pressure. I think that is where a lot of the confusion started. But where Nacha actually landed is much more grounded than that.

This is really about knowing your risk and being able to explain your process. Not every institution needs the same setup, and that’s intentional. What matters is that you have a monitoring approach that fits your role, that you review it, document it, and can clearly walk someone through why it works for you. That’s a very different conversation than “did we buy the right tool?”

Layered controls do not always mean more vendors

I think we’ve accidentally trained ourselves to hear “layered controls” and immediately think “we need another system.” But layering isn’t about stacking vendors, it’s about making sure your controls actually work together.

In a lot of institutions, the pieces are already there. Fraud, AML, operations, treasury, they’re all looking at something, but not always in a coordinated way. Sometimes the real fix isn’t adding more, it’s connecting what you already have, clarifying ownership, and making sure your controls tell a complete story instead of operating in silos.

ACH compliance should move us beyond the liability mindset

One of the biggest shifts here is moving away from the idea that if you’re not liable, it’s not your problem. I’ve never loved that mindset, and I think these rules are quietly pushing us past it.

Fraud fighters already know when something doesn’t look right. The question is whether we act on that or wait until it becomes someone else’s responsibility. ACH compliance is really about using the visibility you already have and being willing to lean into those moments where something deserves a closer look, even if liability isn’t technically yours.

False pretenses are not new, but the language matters

When you hear “false pretenses,” it can sound like a brand-new category, but it’s really just putting a name to things we’ve been seeing for years. Things like BEC, impersonation scams, and situations where the customer technically authorized the payment but was manipulated into doing it.

What’s important here is the recognition that authorization doesn’t always mean intent. And no, you’re not expected to know exactly what happened behind every transaction. But if something doesn’t line up, activity that doesn’t match the account or patterns that feel off, that’s your signal to take a closer look. That’s always been how good fraud work starts.
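As an added illustration, not Sardine's code and not anything the rules prescribe: the signals the episode describes (a corporate entry class landing in a consumer account, a brand-new account collecting payroll from several employers, a dormant account waking up with a large credit, an amount out of line with the account's own history) can be expressed as a handful of rules run over a posted ACH file after settlement, which is visibility most institutions already have. The field names, thresholds, and the sample accounts and entries below are constructed for the example and are assumptions, not values from Nacha or from the episode.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds are illustrative assumptions, not values from Nacha or the episode.
CORPORATE_SEC_CODES = {"CCD", "CTX"}   # corporate entry classes; PPD is consumer
NEW_ACCOUNT_DAYS = 30                   # "brand new account"
DORMANT_DAYS = 180                      # no activity for this long counts as dormant
DORMANT_LARGE_CREDIT = 5_000.00         # large incoming credit into a dormant account
HISTORY_MULTIPLIER = 10                 # credit this many times the trailing average...
HISTORY_MIN_AMOUNT = 5_000.00           # ...and at least this large in absolute terms


@dataclass(frozen=True)
class Account:
    number: str
    kind: str                   # "consumer" or "business"
    opened: date
    last_activity: date
    avg_monthly_credits: float  # trailing 12-month average of incoming credits


@dataclass(frozen=True)
class AchCredit:
    trace: str          # trace number from the entry detail record
    account: str        # receiving account number at the RDFI
    sec_code: str       # standard entry class code from the batch header
    originator: str     # company name from the batch header
    description: str    # company entry description, e.g. "PAYROLL"
    amount: float
    settlement: date


def is_payroll(credit):
    return credit.description.upper().startswith("PAYROLL")


def review_credits(credits, accounts, as_of):
    """Post-settlement review of incoming credits.

    Returns {trace: [reason, ...]} for every entry that deserves a closer look.
    Nothing here blocks or returns an entry; it only surfaces the patterns an
    analyst would want to see, so the decision stays with a person.
    """
    payroll_originators = defaultdict(set)
    for c in credits:
        if is_payroll(c):
            payroll_originators[c.account].add(c.originator)

    reasons = defaultdict(list)
    for c in credits:
        acct = accounts.get(c.account)
        if acct is None:
            reasons[c.trace].append("credit to an account not on file")
            continue

        # 1. Corporate entry class landing in a consumer account.
        if c.sec_code in CORPORATE_SEC_CODES and acct.kind == "consumer":
            reasons[c.trace].append(f"{c.sec_code} credit into a consumer account")

        # 2. Brand-new account already receiving payroll from more than one employer.
        age_days = (as_of - acct.opened).days
        employers = payroll_originators.get(c.account, set())
        if is_payroll(c) and age_days <= NEW_ACCOUNT_DAYS and len(employers) > 1:
            reasons[c.trace].append(
                f"{age_days}-day-old account receiving payroll from {len(employers)} originators")

        # 3. Dormant account that suddenly comes to life with a large credit.
        idle_days = (c.settlement - acct.last_activity).days
        if idle_days >= DORMANT_DAYS and c.amount >= DORMANT_LARGE_CREDIT:
            reasons[c.trace].append(f"{c.amount:,.2f} credit after {idle_days} idle days")

        # 4. Amount far outside the account's own history (the PPP-style pattern).
        if c.amount >= HISTORY_MIN_AMOUNT and c.amount >= HISTORY_MULTIPLIER * acct.avg_monthly_credits:
            reasons[c.trace].append(
                f"{c.amount:,.2f} credit vs trailing average {acct.avg_monthly_credits:,.2f}")

    return dict(reasons)


# Constructed sample data (hypothetical accounts and entries, not real customers).
AS_OF = date(2026, 6, 22)

ACCOUNTS = {a.number: a for a in [
    Account("1001", "consumer", date(2024, 1, 15), date(2026, 6, 20), 2_400.00),  # ordinary payroll account
    Account("1002", "consumer", date(2026, 6, 5), date(2026, 6, 5), 0.00),        # opened 17 days ago
    Account("1003", "business", date(2019, 3, 1), date(2025, 11, 1), 800.00),     # idle since November
    Account("1004", "consumer", date(2023, 9, 9), date(2026, 6, 21), 3_000.00),
]}

CREDITS = [
    AchCredit("T1", "1001", "PPD", "ACME CORP", "PAYROLL", 1_200.00, AS_OF),
    AchCredit("T2", "1002", "PPD", "ACME CORP", "PAYROLL", 1_500.00, AS_OF),
    AchCredit("T3", "1002", "PPD", "BETA LLC", "PAYROLL", 1_700.00, AS_OF),
    AchCredit("T4", "1003", "CCD", "LENDER X", "LOAN PROC", 150_000.00, AS_OF),
    AchCredit("T5", "1004", "CCD", "ZETA INC", "VENDOR PAY", 4_200.00, AS_OF),
    AchCredit("T6", "9999", "PPD", "ACME CORP", "PAYROLL", 900.00, AS_OF),
]

if __name__ == "__main__":
    for trace, why in review_credits(CREDITS, ACCOUNTS, AS_OF).items():
        print(trace, "->", "; ".join(why))
```

Run as written, T1 (routine payroll into an established account) produces nothing, while T2 and T3 are flagged together because the same new account is collecting payroll from two originators, T4 is flagged twice (dormant account, amount far above its history), T5 is flagged for a corporate CCD credit into a consumer account, and T6 is flagged because the receiving account is not on file. None of these reasons prove false pretenses; they are the prompt to look closer, and the list of reasons is the beginning of the documentation an examiner would ask about.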

ACH compliance documentation starts with ownership

If there’s one place where things tend to break down, it’s ownership. ACH touches a lot of teams, and when that happens, it’s really easy for responsibility to get blurry.

At the end of the day, someone has to be able to answer who’s reviewing, who’s deciding, and who’s documenting. The institutions that handle this well aren’t necessarily the ones with the most resources. They’re the ones where the process is clear, the handoffs make sense, and nobody is guessing who owns what.

Five ACH compliance questions to take back to your team

If you’re trying to figure out where you stand, start simple. Can you clearly explain your ACH monitoring process? Do you know who owns each step? Could you defend why your controls make sense for your risk?

Notice what’s not in those questions. There’s nothing about buying new technology. This is about understanding your program. Before you add anything new, get clear on what you already have, how it works, and whether your team could confidently explain it if they had to. That’s where a strong program really starts.

Key takeaways:

  • ACH compliance is about having a clear, documented process, not just implementing new technology
  • NACHA Phase 2 provides flexibility, allowing institutions to tailor monitoring to their role and risk profile
  • Layered controls do not require more vendors; they require better coordination and clarity across teams
  • Moving beyond a liability mindset helps institutions proactively prevent fraud instead of reacting after losses
  • False pretenses are not new, but formal recognition helps standardize how institutions approach these cases
  • Fraud detection often starts with recognizing patterns that do not fit expected customer behavior
  • Clear ownership across fraud, operations, compliance, and treasury teams is critical for effective ACH monitoring
  • Documentation and governance matter more than tool selection when preparing for examiner expectations
  • Community banks and credit unions should build ACH compliance programs that reflect their specific risk, not industry pressure
  • Asking the right internal questions is the first step toward strengthening your ACH compliance program

Final takeaway:

Here is what I hope you take away from this episode: NACHA Phase 2 does not fundamentally change what good fraud programs have been trying to do all along. It formalizes it.

Fraud professionals have always looked for transactions that do not make sense. We have always connected the dots. We have always asked questions. We have always relied on experience, curiosity, documentation, and collaboration.

Now those expectations are written more clearly into the rules.

And I think that is a positive step, because fraud is not slowing down. Payments fraud is becoming more organized, more automated, and more sophisticated. The institutions that will succeed are not necessarily the ones with the flashiest technology. They are the ones that understand their risk, communicate across departments, document their decisions, and continuously evaluate whether their controls still make sense.

If you want to go deeper, check the Sardine resources on Phase 1, Phase 2, and the new guidance around false pretenses. These and additional resources are linked below. They are great companion pieces if you are working through ACH compliance documentation with your team.

And as always, share this episode with someone in fraud, payments, operations, treasury, or compliance. These conversations are most valuable when they happen across the entire institution.

Stay vigilant, stay informed, and keep moving fraud forward.

Episode transcript
Hailey Windham 00:07
What's up, fraud fighters? Welcome back to another episode of Fraud Forward. Today we're talking about something that if you work in payments, fraud, operations, compliance, treasury management, or honestly anywhere near ACH, you've probably been hearing a lot about it over the last few months. Nacha’s new fraud monitoring rules. Back in March, the team at Sardine published a deep dive breaking down the rule changes, explaining the differences between ODFI and RDFI responsibilities and helping institutions understand what was actually changing. More recently, we followed that up with another article focused specifically on phase two. Because as of June 22nd, these requirements now apply to many community banks and credit unions that weren't previously in scope. Since then, I've had conversations with fraud leaders all over the country and I keep hearing the same questions. Do we need technology? Are we expected to monitor every ACH transaction in real time? What exactly are examiners going to expect? And if that's where your head is right now, hopefully by the end of this episode, you'll realize something. The rule isn't about technology, it's about intentionality. It's about understanding your risk, documenting your processes, and making sure your institution can explain why it monitors fraud the way that it does. And I mean, I think it's a really good thing. So let's jump into it. Okay, I think that we need to separate myth from reality. When these rules were first proposed, I think a lot of people immediately assumed, you know, the worst. It's another regulatory burden, another expensive compliance project, another reason to buy yet another fraud detection platform. Fortunately though, that's not where Nacha landed. One of the biggest changes between the proposed rule and the final rule is that they intentionally built flexibility into
Hailey Windham 02:11
the requirements. The phrase commercially reasonable disappeared. The expectation for detection systems became processes and procedures. Monitoring only applies to the role your institution actually plays in the ACH ecosystem. There's no requirement for pre-processing monitoring, and institutions are expected to review their processes at least annually, not reinvent them every few months. Those aren't small wording changes, those are meaningful shifts. And to me, it signals that Nacha understands community financial institutions don't all operate the same way.
Hailey Windham 03:03
A billion-dollar community bank shouldn't be expected to have the exact same fraud programs as one of the nation's largest financial institutions. Likewise, a small community credit union shouldn't feel pressured to implement enterprise level technology just because a new rule was published. Instead, the expectation is actually pretty straightforward. Know your risk, have a process, document that process, review it periodically, be able to explain why it makes sense. And I think that's a much different conversation than simply asking whether you purchased the latest fraud software. And that brings me to something I think we've gotten wrong as an industry.
Hailey Windham 03:59
We've started equating layered controls with buying more technology. Those are not the same thing. When people hear the phrase layered controls, they often picture another vendor on top of a vendor, another dashboard, another alert queue, another subscription. But layered doesn't necessarily mean adding more. Sometimes it means understanding the controls you already have. I've seen institutions where fraud is monitoring one thing, AML is monitoring something very similar, operations has another report, and Treasury has yet another spreadsheet. Four different teams, four different programs and processes, and no one has ever stepped back to ask whether they're actually working together. Sometimes layering means improving communication instead of buying another solution. You know, at Sardine, we've spent a lot of time talking about risk orchestration instead of point solutions. The goal shouldn't be to stack technology indefinitely, right? The goal should be making sure every control has a purpose and every layer complements the others. And here's something I think every institution needs permission to hear. If you're relying on the same fraud solution you selected 15 or 20 years ago, it's okay to reevaluate that relationship. Fraud has changed dramatically. The way criminals operate has changed dramatically. AI has accelerated everything. It's perfectly reasonable to ask whether your current tools are keeping pace. That doesn't mean you need another vendor. Sometimes it means replacing one that no longer fits your institution's needs. Technology should support your strategy. It shouldn't become your strategy. Speaking of changing strategies, there's one part of these rule updates that I genuinely love because I think it challenges a mindset our industry has carried around for far too long.
Hailey Windham 05:54
And it's the liability mindset. So one of the reasons I appreciate these rule changes so much is because they encourage institutions to look beyond liability. For years I've heard variations of this same statement. If we're not liable, it's not really our problem. Okay, technically sometimes that's true. Operationally it might even be accurate, but ethically, that's a different conversation. I remember during the height of COVID and the PPP program reviewing incoming ACH files manually. There were business accounts that had averaged less than a thousand dollars for an entire year. Then almost overnight they received PPP deposits well into six figures. Everything about those transactions stood out. The account history didn't match. The balances didn't make sense. The activity looked completely different than what we'd expect to come from those customers. Sure, my institution might not have been liable if something turned out to be fraudulent. And yes, our BSA team would eventually investigate suspicious activity and determine whether a SAR needed to be filed. But I kept asking myself the same question. How could I watch something that obviously, you know, didn't fit the account's history and simply ignore it because someone else technically owned the liability? That never sat well with me. Reporting suspicious activity after the money is gone isn't the same as preventing fraud in the first place. What I appreciate about these rules is that they encourage institutions to use that visibility that they already have. Fraud fighters are naturally curious. We notice patterns, we recognize when something doesn't fit. These rules don't ask us to predict the future. They simply encourage us to act when something deserves a closer look. I think that's a healthy shift for the industry.
Hailey Windham 08:00
And speaking of things that don't make sense, let's talk about one of the most discussed additions to these fraud rules, and that's false pretenses. I think one of the biggest additions in these updates is the formal definition of false pretenses. When you first read the definition, it sounds like something entirely new, but it really isn't. Nacha defines false pretenses as inducing someone to make a payment by misrepresenting your identity, your authority, and/or who owns the account receiving the money. If you've worked fraud for any length of time, you've already investigated these cases. Business email compromise, vendor impersonation, payroll impersonation, executive impersonation, romance scams involving payment deception. The fraud itself isn't new, but this language is. For years, fraud professionals have understood that a customer can willingly authorize a payment and still be the victim of fraud. Just because someone clicked send doesn't mean they weren't manipulated into doing so. Nacha is just finally acknowledging that reality. And another question I hear all the time is: how is an RDFI supposed to know whether a payment was authorized under false pretenses? The answer is you probably won't know with certainty, and that's okay. The rule isn't asking institutions to read people's minds. It's asking institutions to recognize patterns that don't make sense. Maybe it's a corporate ACH entry being sent into a consumer account. Maybe it's a brand new account suddenly receiving multiple payroll deposits. Maybe it's a dormant account that suddenly comes to life with large incoming credits. Maybe it's transaction activity that's completely inconsistent with customers' historical behavior. Those situations don't automatically prove fraud, they simply justify taking a closer look. And honestly, that's exactly how fraud investigations have always started. Not with certainty, but with curiosity.
Hailey Windham 10:05
There's one more thing I think these rules highlight that doesn't get talked about nearly enough, and that's ownership. What really stands out to me is how many different departments these rule changes touch. ACH isn't owned by one team. Fraud touches it. Operations, compliance, treasury management, commercial banking, relationship managers, all touch it.
Hailey Windham 10:42
We're in the process of conducting the fraud benchmarking research, and one theme that keeps coming through over and over again is that fraud teams are stretched thin. Many institutions don't have clear ownership over certain processes. Sometimes everyone assumes that someone else is responsible. These new expectations expose those gaps because eventually someone has to answer questions like who reviews this alert, who makes the decision, who documents why the institution did or didn't take action. Technology doesn't answer those questions. Governance does. Communication does. Leadership does. The institutions that will navigate these rule changes most successfully won't necessarily have the biggest budgets. They'll have the clearest processes. So if you're wondering where to start, let me leave you with five questions. If I were sitting down with a community bank or credit union tomorrow, these are the five questions I'd ask. Can your institution clearly explain its ACH fraud monitoring process? Do you know who owns every step of that process? Are you relying on vendors or controls that haven't been evaluated in years? Could you explain why your controls are appropriate for your institution's risk profile? And finally, if an examiner walked into your institution tomorrow morning, could your team confidently explain your approach? Notice that none of those questions ask whether you purchased a new system. They're all focused on understanding your own program. And that's exactly where I think institutions should spend their time. As I wrap up today's episode, here's what I hope you'll remember. Phase two doesn't fundamentally change what good fraud programs have been doing all along. It just formalizes it. Fraud professionals have always looked for transactions that don't make sense. We've always connected the dots. We're always asking questions. We've always relied on experience, curiosity, and collaboration.
Now those expectations are simply written into the rules. And I think it's a positive step because fraud isn't
Hailey Windham 12:56
slowing down, it's becoming more sophisticated, it's becoming more organized, it's becoming more automated. The institutions that will succeed aren't necessarily the ones with the biggest budgets or the flashiest technology. They're the ones that understand their risks, communicate across departments, document their decisions, and continuously evaluate whether their controls still make sense. At the end of the day, that's what these rule changes are really asking us to do. If you'd like to go deeper into these rule changes, I've linked both Sardine articles in the show notes, along with a webinar that we did on phase one and additional resources covering phase one, phase two, and the new guidance around false pretenses. They're great companion pieces if you're working through implementation with your team. As always, thank you for listening. If you've enjoyed today's episode, I'd really appreciate it if you shared it with someone in fraud, payments, operations, or compliance. These conversations are most valuable when they happen across the entire institution. So until next time, stay vigilant, stay informed, and keep moving fraud forward.
Host: Hailey Windham, Fraud Forward, Sardine