skip to main content

Nacha Rule Changes to Fight Authorized Payment Scams

Federal Reserve Bank of Atlanta

As my colleagues and I have blogged previously (here and here), a payment that a legitimate account holder authorizes does not fit into the traditional framework for fraud remediation, which involves the Reg E requirement to refund customer money in the event of unauthorized payments fraud. Rates of authorized fraud are soaring, and recovery rates on business email compromise are horrendous. It’s time for a new approach.

New Nacha rules that take effect in mid-2026 are potentially a breakthrough for fighting scams that result in authorized payments. The rules attempt to bring a collaborative approach—enlisting the sending and receiving financial institutions and their ACH customers—into the fight against unauthorized transactions and authorized push payment scams.

Even before 2026, however, on October 1, 2024, receiving financial institutions will be able to formally return entries that appear to be the result of fraud or what Nacha terms “false pretenses.” This is a change from traditional practices, when returns were mostly used to correct technical errors like an incorrect or not-found account number. It formalizes what many institutions already have been doing to thwart money mules and fight business email compromise scams. An RDFI—receiving depository financial institution—may decide to return an entry or to contact the ODFI—originating depository financial institution—to determine the validity of a transaction, based on monitoring of incoming credits. The RDFI can return a transaction it thinks is fraudulent using Return Reason Code R17, which indicates a possibly questionable transaction or suspected anomalous activity.

Read more