All participants in the ACH network will be required to have fraud controls in place. If you’re unsure where to begin, take a look at the checklist below and document all the controls you have available.
Effective date: March 20, 2026
1. Authentication and access controls
- User access management: Restrict access to ACH origination systems based on job roles and responsibilities.
- Session timeouts: Automatically log out users after periods of inactivity.
- IP address whitelisting: Allow access only from approved IP addresses.
2. Fraud detection and monitoring systems
- Transaction monitoring: Implement systems to monitor transactions in real time or near real time for anomalies.
- Velocity controls: Set thresholds for the number or value of transactions allowed within a specified time frame.
- Geolocation monitoring: Detect transactions originating from unusual or high-risk geographic locations.
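
A sliding-window velocity check of the kind described under velocity controls, as an added example that is not part of the original checklist. The account names, the one-hour window and the limits of 3 entries and $10,000 are constructed assumptions, not values set by the ODFI or the ACH rules.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

@dataclass(frozen=True)
class VelocityLimit:
    window: timedelta      # look-back period
    max_count: int         # entries allowed per account within the window
    max_total: Decimal     # total dollar value allowed within the window

class VelocityChecker:
    """Sliding-window count and value limits per originating account."""

    def __init__(self, limit):
        self.limit = limit
        self._history = defaultdict(deque)  # account -> deque of (time, amount)

    def check(self, account, amount, now):
        """Return (allowed, reasons). Held entries do not consume the window."""
        history = self._history[account]
        cutoff = now - self.limit.window
        while history and history[0][0] <= cutoff:  # drop entries that aged out
            history.popleft()
        reasons = []
        if len(history) + 1 > self.limit.max_count:
            reasons.append("count")
        total = sum((amt for _, amt in history), Decimal("0"))
        if total + amount > self.limit.max_total:
            reasons.append("value")
        if not reasons:
            history.append((now, amount))
        return (not reasons, reasons)

def run_sample():
    # Constructed entries: (account, amount, minutes after 09:00).
    checker = VelocityChecker(VelocityLimit(timedelta(hours=1), 3, Decimal("10000.00")))
    t0 = datetime(2026, 3, 20, 9, 0)
    entries = [
        ("acct-A", "4000.00", 0),
        ("acct-A", "4000.00", 5),
        ("acct-A", "4000.00", 10),   # would bring the hour's total to 12,000
        ("acct-A", "1500.00", 15),   # third released entry, total 9,500
        ("acct-A", "100.00", 20),    # would be a fourth entry in the hour
        ("acct-B", "9999.00", 20),   # limits are tracked per account
        ("acct-A", "100.00", 61),    # the 09:00 entry has aged out
    ]
    return [checker.check(a, Decimal(amt), t0 + timedelta(minutes=m)) for a, amt, m in entries]
```

Amounts use `Decimal` so that threshold comparisons are exact, and timestamps are passed in rather than read from the clock so the same logic can be replayed over historical entries.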
3. Customer validation and account verification
- Pre-notification entries (pre-notes): Send zero-dollar test transactions to verify account details before initiating live payments.
- Micro-deposits: Send small test deposits and require customers to confirm the amounts to verify account ownership.
4. Data security and encryption
- Data encryption: Encrypt sensitive data in transit and at rest, including account numbers and personal information.
- Network segmentation: Isolate ACH systems from other parts of the network to reduce vulnerability to cyberattacks.
5. Fraud alerts and notifications
- Threshold alerts: Automatically trigger alerts for transactions exceeding predefined thresholds.
- Suspicious activity alerts: Notify administrators of unusual activity patterns or failed login attempts.
- Customer alerts: Inform customers of initiated transactions and allow them to confirm or dispute them.
6. Training and awareness
- Employee training: Train employees on fraud risks, red flags, and compliance requirements for ACH origination.
7. Incident response and reporting
- Fraud incident response plan: Develop and maintain a documented plan for responding to suspected fraud incidents.
- ODFI communication: Establish protocols for reporting fraudulent transactions to us promptly.
- Customer notification: Notify impacted customers of suspected fraudulent activity and provide steps to mitigate risks.
- Post-incident review: Conduct a root-cause analysis of fraud incidents and update controls to prevent recurrence.
8. Audit and testing
- Regular audits: Perform periodic internal and external audits of fraud controls and ACH origination processes and adjust as necessary.