The organization that governs the ACH Network, NACHA, has implemented new requirements that directly impact businesses like yours. Here’s what’s changing, why it matters, and what you need to do.
What’s Changing?
Under the updated NACHA Operating Rules, banks are now required to ensure that business customers who originate ACH payments have written fraud prevention procedures on file.
This means BankSouth — and every other financial institution — must collect and maintain documentation of your company’s ACH fraud prevention processes. If your bank hasn’t yet requested your ACH fraud prevention practices, expect a request by summer 2026.
This isn’t optional. It’s a requirement for any business that sends ACH credits or debits through the banking system.
Why is This Happening?
ACH fraud has been on the rise nationwide. Criminals are increasingly targeting businesses through tactics like:
- Business Email Compromise (BEC): tricking employees into sending payments to fraudulent accounts by compromising your business’s email accounts
- Account takeover: gaining unauthorized access to initiate ACH transactions
- Payroll diversion schemes: redirecting direct deposits to fraudulent accounts
These new rules are designed to create an additional layer of protection by ensuring that every originating business, and not just its bank, has intentional, documented safeguards in place.
What Does This Mean for Your Business?
If your business originates ACH transactions through BankSouth, you will need to provide documentation of your fraud prevention procedures. At a minimum, your procedures should address:
1. Internal Controls
- Who within your organization is authorized to initiate ACH transactions?
- What is the approval process for new or changed payment instructions?
- Are dual approvals required for high-value transactions?
2. Verification Practices
- How do you verify new vendor or employee bank account information?
- Do you use callbacks or secondary verification for payment changes?
- How do you authenticate requests received via email?
3. Technology Safeguards
- Are your systems protected with multi-factor authentication?
- Do you use ACH positive pay, debit blocks, or transaction alerts?
- How do you monitor to prevent unauthorized or suspicious activity?
- Do you have a process for employees to report suspicious emails?
4. Employee Training
- Are employees trained to recognize phishing and social engineering?
- How often is training conducted and updated?
- Are roles and responsibilities clearly defined?
5. Response Procedures
- What is your process for reporting suspected fraud?
- Do you have a plan for recovering unauthorized transactions?
- Who do you contact at your bank in the event of an incident?
What Do You Need to Do?
Here are the steps to make sure your business is compliant:
1. Review your current fraud prevention practices. If you already have procedures in place, make sure they’re documented in writing.
2. Create written procedures if you don’t have them. Even simple, straightforward documentation satisfies the requirement.
3. Submit your procedures to BankSouth (or your bank). Your banker will work with you to ensure we have your documentation on file.
4. Update your procedures regularly. As your business evolves and new threats emerge, your procedures should be reviewed and updated accordingly.
How BankSouth Can Help
We know this may feel like one more thing on your to-do list, but we’re here to make it as easy as possible. Your BankSouth banker can:
- Walk you through what’s needed
- Provide guidance on best practices for ACH fraud prevention
- Ensure your documentation meets the requirements
These rules exist to protect your business and your customers. Having strong fraud prevention procedures isn’t just about compliance; it’s a smart business practice.
BankSouth is committed to helping our business customers navigate the evolving payments landscape. For more about this new rule, contact your local Business Development Officer or our Customer Care team at (706) 453-2265.