What you need to know:

• Every business that sends ACH payments must have a fraud monitoring process in place
• That process must be documented, reviewed, and updated at least once a year
• These rules apply to all businesses, banks, and third-party payment processors

Entry Description Changes Going Into Effect March 20th‍

Effective March 20, 2026, new standardized Company Entry Descriptions must be used for the following ACH transaction types:

• For all PPD credits (wages, salaries, or similar compensation):, you MUST include the word PAYROLL in the 'Template Description' field.
• For all e-commerce WEB debits, you MUST include the word PURCHASE in the 'Template Description' field.
  Note: This is for consumer-authorized online purchases, including recurring ones first set up online. (Such as when a customer buys good directly from your website)
  SEC Code: Generally, use the WEB debit SEC Code (unless the Standing Authorizations rule permits PPD or TEL).

Please review and update your ACH software, files, and templates to include these new descriptions prior to March 20, 2026 to ensure there is no disruption to your ACH processing. Click here for steps on how to edit your templates.

If you upload a NACHA-formatted file into a template or transmit files directly via FTP (File Transmission Protocol), you can update the Company Entry Description in the following location:
‍Batch Header-Position 54-63 (Field 7): Company Entry Description (If you use a third-party file creation software, please contact your software provider for assistance with making this change).

Fraud Monitoring Rule Going Into Effect June 19th‍

By June 19, 2026, all non-consumer ACH originators must establish fraud monitoring procedures designed to identify outgoing ACH entries that may be unauthorized or initiated under false pretenses.
These procedures must document your business's internal controls and monitoring procedures, and should:

• Be implemented into your ACH processes
• Be reviewed at least annually and updated as necessary to address evolving fraud risks
• Reasonably identify:
  
  • Unauthorized ACH entries
  • Suspicious or unusual transaction patterns
  • Transactions that may have been initiated under false pretenses
    For example: Payments resulting from deception, such as Business Email Compromise (BEC), vendor impersonation, or payroll impersonation.

Risk-based, fraud monitoring procedures can include:

• Documented internal controls and monitoring procedureeveraging fraud prevention features available within your account software
• Leveraging fraud prevention features available within your account software
• A fraud incident response protocol that dictates the steps to take if fraud is detected
  
  • Include who to contact when fraud is detected, along with ConnectOne Bank
    

Examples of Fraud Monitoring Processes and Controls

It is important to recognize that ACH fraud monitoring processes should tailor to your organization's specific needs. The controls you implement should align with your operational structure, transaction volume, and the unique fraud risks associated with your business activities. The examples provided are intended for informational purposes and should be viewed as general guidance rather than a comprehensive checklist.

Always Independently Verify Bank Account Changes
If a vendor or employee requests a change to their bank account information, you must verify it through a trusted, independent channel — not simply by replying to the request. Call a number already on file, don't use contact info provided in the change request.‍

For New Receivers: Confirm legitimacy via ID checks, background reviews, and secure storage of account details.

Secure Your Emails
When sharing ACH details via email, such as account and routing numbers, the email must be encrypted end-to-end. This means using an encrypted email service, a secure file-sharing portal, or a password-protected encrypted document where only the intended recipient can decrypt the data.

Verify Your Payees
ACH entries must be authorized using secure, traceable methods. A standard email from a vendor or employee does not qualify as valid authorization under the updated rules.

Use a secure, traceable method to verify your payee. Some options:‍

• Phone Call: Call your payee known, trusted phone number.‍
• Digital Signatures: Using platforms like DocuSign or Adobe Sign that provide an audit trail.

Friendly reminder, all ACH originators should be checking all payees against OFAC sanction lists before sending any ACH payment:

• Flag and review any matches before releasing funds
• Block payments to prohibited countries and regions
• Keep all compliance documents up to date
• Train staff on proper procedures

Add Additional Layers of Protection
Establish Dual Control and segregation of duties within your business. If one person is entering an ACH payment, have another person review the payment or any payee changes before transmitting.

Use Pre-Notes for account verification. When prenotes are enabled, a non-monetary entry is made to the recipient's account for verification automatically when an ACH template is created or updated. Connect with our Treasury Management team to set up prenotes today!