Payments Pros – The Payments Law Podcast

Tackling Credit Push Fraud: Understanding Nacha's Risk Management Package (Part Two)

Episode Summary

In the final episode of the Payments Pros special two-part series, Jordan Bennett, Nacha's senior director of network risk management, joins Keith and Carlin to discuss the new rules regarding fraud monitoring.

Episode Notes

Fraud Monitoring Phase 1 will become effective on March 20, 2026, and Phase 2 on June 19, 2026. These rules require all nonconsumer originators, ODFIs, third-party service providers, and third-party senders to establish and implement risk-based procedures to identify potential fraudulent transactions. The aim is to reduce the incidence of successful fraud attempts.

The group discusses that the rules do not prescribe a specific method for monitoring, allowing each party to adapt according to their needs. However, inaction is not an option. Parties should conduct a risk assessment and adjust their policies accordingly.

Jordan advises leveraging existing resources and ensuring contacts are prepared to respond to fraud incidents. He clarifies that these changes don't reallocate liability or establish new duties, but aim to foster teamwork in fraud prevention.

Episode Transcription

Payments Pros – The Payments Law Podcast: Tackling Credit Push Fraud: Understanding Nacha's Risk Management Package (Part Two)
Hosts: Keith Barnett and Carlin McCrory
Guest: Jordan Bennett
Date Aired: May 2, 2024

Keith Barnett:

Welcome to another episode of Payments Pros, a Troutman Pepper Podcast, focusing on the highly regulated and ever-evolving payments industry. This podcast features insights for members of our FinTech and payments practice as well as guest commentary from business leaders and regulatory experts in the payments industry. My name is Keith Barnett, I’m one of the hosts of the podcast. 

Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanPepperFinancialServices.com. And don't forget to check out our other podcasts on Troutman.com/Podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. So, be sure to subscribe to hear the latest episodes.

Today, Carlin and I welcome back Jordan Bennett, Nacha’s Senior Director of Network Risk Management. This time, he's here for the final part of our two-part series on the newly approved rules. Today, we will be discussing the fraud monitoring portion of the new rules. On March 20th, 2026, a first set of rule amendments related to the monitoring for fraud will become effective. And then the second set of the rule amendments will become effective on June 19th, 2026. So, Jordan, thank you again for joining us today to finish our discussion on the new rules.

Jordan Bennett:

Yes, thanks for having me.

Carlin McCrory:

And Jordan, we'll just go ahead and dive right in. So, two of the rules we discussed in part one of this series involve fraud monitoring. These seem to be large changes. What parties are affected? Then, what's expected of each party with these changes?

Jordan Bennett:

Sure. Pretty much everybody. We are asking everybody. This is a team effort to monitor ACH activity, and make sure that we're all doing our part to identify potential fraudulent transactions. Everybody, but consumers. So, it is the non-consumer originator, the ODFI, third-party service providers, third-party senders. Everybody's being asked to establish and implement risk-based procedures and processes to reasonably intend to identify ACH entries initiated due to fraud.

So, the whole idea of these and already advise as well, I'll get to that in a minute. The idea is to reduce the incidence of successful fraud attempts. Like many of our rules, we don't prescribe how, and we want to stay away from prescribing how, because our rules affect vast parties in the system. And if we were to try and prescribe exactly how you're going to do this, for the largest banks, they're going to do one way. For the smallest banks, you're going to do the other. That's fine. We want it to meet whatever your bank needs to do.

If you've got a small financial institution with hundreds of transactions a day, and you have an ACH person who is really good at identifying that, you've done a risk assessment, and that is your process, this particular individual is going to look at everything. That's fine. But your large banks can't do that. They're going to have to implement some sort of automation, and then that's going to get looked at by an individual. So, we are really open to however each party feels they should conduct their monitoring and their risk-based processes and procedures.

The only thing we really say is that you can't do a risk assessment and say there's no risk and then do nothing. Doing nothing is not acceptable. So, do a risk assessment, that really should be the first step. Do that risk assessment. From there, look at your policies and procedures and say, “Where do I need to adapt? And how can I change?” Maybe you're already doing something that is totally effective. Many financial institutions already are. Many of the other parties, the originators of third-party senders, already really are.

Carlin McCrory:

Then, I think what's also on the top of our listeners’ minds is what can these participants that you mentioned start doing now in order to begin to get into compliance with these recently passed rules?

Jordan Bennett:

Sure. So, I think when listeners see this, when they hear this, they're thinking, “Oh, my goodness. This is a massive lift and I don't know what to do.” But let's slow down. Let's think about what we're already required to do. Most everybody should be familiar with Title 31, Part 10, 20. And this is a rule that is out there to establish customer identification programs that requires at a minimum anti-money laundering program requirement for financial institutions. So, financial institutions are already doing BSA and AML. You've got experts already in-house. So, reach out to those experts, and see what your financial institution's already doing. There are other silos where somebody may be doing something else to help out.

So, look at your institution, reach out to your experts, and see where you already have synergies. Many financial institutions are already using vendors and these vendors have different products that they're using for monitoring right now, or they may have been turned off. They may turn these products on. So, look and see what your current vendors are offering. Look and see what current reports you're already running. I think, you're going to find a lot of synergies with what you're already doing.

Another important thing to do is to look into the risk management portal and look at your contacts. Make sure that they're up to date. And make sure that that contact is prepared to respond. If they are reached out to for a fraud incident, you want them to know how to react. So, communication is absolutely key. Looking at what you're already doing is, of course, hugely important. We do have some guidance out there. We have some guidance of what can be done, and we're going to be putting a lot more in the guidelines. So, you'll be able to go to nacha.org and see that guidance. When you get your rulebook, or if you subscribe to the rulebook online, you'll be able to see additional guidance as this comes along.

One of the things that I didn't say earlier that I think is hugely important is that we are not changing the liability or duties to other parties. But we want to make it very clear that changes to the fraud monitoring rules and language don't need to be misinterpreted as reallocating any liability between the ODFIs and RDFIs establishing new duties to other parties to stop fraud. This is all what we're doing is teamwork, and there's language in the rules for that.

Carlin McCrory:

I know the dates for compliance for the ODFIs and RDFIs are different than that of third-party senders or it's based off volume. A lot of the banks push down their obligations to their third-party senders. So, it seems as though the third-party senders would need to comply earlier, based off the pushdown of obligations. Is that understanding correct?

Jordan Bennett:

Somewhat. You can always comply earlier. If your bank asks you to do something as part of your agreement with them, you've got to meet whatever agreement you have with your financial institution. But as far as the rules go, they are only obliged to meet the Nacha rules. You can always go above and beyond. And with all of these changes, any of the rule changes that are 2024 or 2026, you don't have to wait. If you are ready to change the company entry description, the payroll right now, please do so. If you want to change it to purchase for those transactions. Right now, do so.

If you're already implementing monitoring, awesome. So, these are must-do-by dates, not wait-until dates. So yes, please help us stop fraud before you have to. Nobody wants the fraudsters to succeed.

Keith Barnett:

That's great. All right. Well, Jordan, thank you for joining Carlin and me today. Thank you to our audience for listening to this special two-part series. Don't forget to visit our blog TroutmanPepperFinancialServices.com and subscribe so you can get the latest updates. Please be sure to also subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. And as Jordan mentioned, please do not hesitate to go to Nacha’s website to get even more information at nacha.org. Get your rulebooks out, either in paper form, or online form because these are exciting new things and we look forward to the next time.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.