The 2026 NACHA rule changes – Community bank BSA/AML evaluation

If your bank allows customers to originate ACH transactions, you’ve probably heard about the changes going into effect in June 2026. You might not have thought about how your liability exposure could change. Most importantly, many of the monitoring systems banks are relying on, including their core system, won’t meet the new standard.

Here’s what’s changing, why it matters, and what compliant monitoring actually looks like.


What Changes in June 2026

Before the new rules, if your bank missed an ACH fraud, your liability was essentially limited to the transaction amount. You owed the money back.

Under the new NACHA rules, that changes. A bank that fails to proactively monitor ACH activity and misses a fraud can now be sued for personal injury — emotional distress, financial disruption, and other damages that go well beyond the transaction itself.

Think about what happens to the person on the other end. Their checking account is drained by a fraudulent ACH debit. They don’t catch it for a few days — or longer, if they’re elderly. Meanwhile, their mortgage autopay bounces. Their credit card autopay fails. Late fees stack up. Their credit score takes a hit. By the time they get the money back, real damage has been done to their financial life.

That’s the injury NACHA is putting squarely in the bank’s lap if the bank wasn’t monitoring proactively.


The Key Technical Shift: It’s About the Originator, Not Just the Amount

Here’s where most banks get tripped up. They think their existing monitoring covers them because their core system flags large or unusual ACH transactions. It doesn’t.

Under the new rules, the standard isn’t whether a transaction amount looks unusual for a given customer. The standard is whether the bank is monitoring at the originator level — tracking what a specific originator is sending to specific customers, and catching patterns that don’t belong.

This is a fundamentally different question, and it’s one that core systems and some AML systems aren’t built to answer.


Why Your Core System Won’t Meet the Standard

Core system AML modules often look at dollar amounts per customer. They’re designed to flag a transaction that’s unusually large relative to what that customer normally receives. That’s useful — but it’s not what the new NACHA rules require.

Here’s a scenario that illustrates the gap:

A fraudster wants to steal from your bank’s ACH customers. They find out the originator ID (OID) used by a legitimate company that already originates transactions to your customers. OIDs are almost always tax ID numbers — and tax ID numbers aren’t hard to find. Then they open accounts at three or four different banks using the same tax ID number. Each one sends a modest transaction — small enough to look normal in dollar terms — to multiple customers at your bank.

Your core system sees a familiar originator ID sending a transaction that’s within normal dollar range. It passes.

The problem is that the transaction didn’t come from the legitimate originating bank. It came from a completely different institution — one that’s never sent transactions to your customers before.

A system that looks at the originator ID and the originating bank (called the ODFI — Originating Depository Financial Institution) would catch this. A system that only looks at the originator ID won’t.

Most monitoring systems — including some well-known AML platforms — only look at the OID.


What Proactive ACH Monitoring Actually Looks Like

Meeting the June 2026 standard requires a monitoring system that can answer all of these questions, at the transaction level, every day:

  1. Is this transaction amount unusual for this customer?
  2. Is this originator one that has sent transactions to this customer before?
  3. Is this transaction coming from the same bank (ODFI) that has sent this originator’s transactions in the past?
  4. Does this originator have a first-transaction-to-this-customer pattern that warrants review?
  5. Which of my ACH originators are currently above the 1% or 2% return rate threshold?

If your current system can answer questions 1 and 2, you’re ahead of many banks. If it can’t answer question 3 — the ODFI check — you have a blind spot that the June 2026 rules are specifically designed to address.
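As an added illustration (not Barnett Software’s code or any vendor’s implementation), the sketch below shows checks 1 through 4 run against a baseline of prior ACH entries, including the scenario above where a familiar originator ID arrives from an unfamiliar ODFI. The record fields, flag names, the 3x amount factor and all identifiers are constructed assumptions; return-rate tracking (question 5) is left out.

```python
from collections import defaultdict
from typing import NamedTuple

class Entry(NamedTuple):
    customer: str   # receiving account at our bank (constructed ID)
    oid: str        # originator ID carried in the ACH batch
    odfi: str       # originating bank (ODFI) identifier
    amount: float

class Baseline:
    """Per-originator and per-customer history built from past entries."""
    def __init__(self, history):
        self.odfis_by_oid = defaultdict(set)      # OID -> ODFIs it has come from
        self.oids_by_customer = defaultdict(set)  # customer -> OIDs seen before
        self.max_amount = defaultdict(float)      # customer -> largest prior amount
        for e in history:
            self.odfis_by_oid[e.oid].add(e.odfi)
            self.oids_by_customer[e.customer].add(e.oid)
            self.max_amount[e.customer] = max(self.max_amount[e.customer], e.amount)

    def review(self, e, amount_factor=3.0):
        flags = []
        # Question 1: amount unusual for this customer (assumed simple multiple).
        prior_max = self.max_amount.get(e.customer, 0.0)
        if prior_max and e.amount > amount_factor * prior_max:
            flags.append("AMOUNT_UNUSUAL")
        # Questions 2 and 4: originator has never sent to this customer.
        if e.oid not in self.oids_by_customer.get(e.customer, ()):
            flags.append("FIRST_ORIGINATOR_TO_CUSTOMER")
        # Question 3: known originator ID, but from a bank never seen for it.
        known_odfis = self.odfis_by_oid.get(e.oid)
        if known_odfis and e.odfi not in known_odfis:
            flags.append("KNOWN_OID_NEW_ODFI")
        return flags

# Constructed sample data: prior activity, then today's incoming entries.
HISTORY = [
    Entry("cust-1001", "OID-ACME", "ODFI-A", 120.00),
    Entry("cust-1002", "OID-ACME", "ODFI-A", 95.00),
    Entry("cust-1001", "OID-UTIL", "ODFI-B", 60.00),
]
TODAY = [
    Entry("cust-1001", "OID-ACME", "ODFI-A", 118.00),  # matches history
    Entry("cust-1002", "OID-ACME", "ODFI-X", 90.00),   # normal amount, new ODFI
    Entry("cust-1002", "OID-UTIL", "ODFI-B", 45.00),   # first time to this customer
]

def run(history, today):
    baseline = Baseline(history)
    return [baseline.review(e) for e in today]

if __name__ == "__main__":
    for entry, flags in zip(TODAY, run(HISTORY, TODAY)):
        print(entry, flags or ["OK"])
```

The second entry is the one an OID-only or amount-only check passes: the amount is in range and the originator ID is familiar, and only the ODFI comparison flags it.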


A Note on Florida

Florida has had protection-of-the-elderly financial laws on the books for over 15 years that require exactly this type of originator-level ACH monitoring. The NACHA June 2026 rule is, in large part, a national adoption of what Florida has required at the state level for well over a decade.

Banks that have been operating in Florida or using monitoring software built to the Florida standard are already compliant. The June 2026 deadline is not new territory for them — it’s been their baseline for years.


What to Do Before June 2026

If you’re not sure whether your current monitoring covers you under the new rules, here are the questions to bring to your core system vendor or AML software provider:

  • Does your ACH monitoring look at the originating bank (ODFI), or just the originator ID (OID)?
  • Can you generate a report showing ACH return rates by originator, over 30/60/90-day windows, broken out by return code?
  • Does your system flag first-time originators sending to existing customers — especially with no prior transaction trend?

If the answer to any of these is no — or “we’ll have to check on that” — it’s worth understanding your exposure before June arrives.


Barnett Software’s SAM meets and exceeds originator-level ACH monitoring requirements. If you’d like to see how our Suspicious Activity Monitor’s ACH reports work and whether they’d address the gaps in your current program, contact us to schedule a walkthrough.