The FBI's 2025 Internet Crime Report put total fraud losses in the United States at $20.9 billion, up 26 percent from $16.6 billion in 2024. Business Email Compromise (BEC) alone accounted for $3.05 billion of that.
Against that backdrop, the 2026 Nacha rules update raises the Same Day ACH per-payment limit from $1 million to $10 million, effective 1 March 2026. The change brings Same Day ACH into alignment with the Real-Time Payments (RTP) network and FedNow, both of which already operate at the $10 million ceiling. For the payments industry, the change expands the utility of a widely used rail: large corporate payments, tax remittances, payroll funding, and insurance settlements can now move same-day at scale. For fraud and treasury teams, it raises the exposure on every high-value transaction that clears under the new ceiling, and it does so at a moment when BEC is at its most active and sophisticated.
The structural issue behind Same Day ACH fraud risk is not the limit itself. It is the detection window that disappears with it.
What Same-Day Finality Changes
With next-day ACH, there was time: a transaction flagged overnight could be caught before funds cleared to the payee's bank account. Controls that moved slowly still worked, because the rail was slower than the fraud. Same Day ACH closes that window. Once a payment clears to an account, recall is not guaranteed. ACH return timeframes do not stretch to accommodate same-day finality, and for payments approaching $10 million, the gap between initiating recovery and recovering funds is where most losses crystallise.
This is not a new problem, but the scale is new. A treasury team whose fraud controls were calibrated for $1 million transactions is now operating in a different risk environment, not because their processes changed, but because the ceiling did. Threshold-based alerts set at $900,000 to flag suspicious activity near the previous limit no longer function as intended. Velocity rules built around the old maximum need to be reassessed. Any control that assumed $1 million was the practical upper bound on a single Same Day ACH payment is now mis-calibrated.
The Nacha change does not require treasury and payments teams to rebuild from scratch. It does require them to ask a specific question: do their fraud controls scale to $10 million transactions, given same-day finality?
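The calibration problem described above, as an added example that is not part of the original article: the same two rules are replayed over one constructed batch, first with thresholds frozen at the old ceiling and then with thresholds derived from the limit in force. The rule shapes (a 90 percent near-limit band and a same-day per-payee total) and all payment data are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

OLD_LIMIT = Decimal("1000000")   # Same Day ACH per-payment limit before 1 March 2026
NEW_LIMIT = Decimal("10000000")  # per-payment limit from 1 March 2026

@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee_account: str
    amount: Decimal

def near_limit_alerts(payments, floor, ceiling):
    """IDs of payments whose amount sits in the near-limit band [floor, ceiling]."""
    return {p.payment_id for p in payments if floor <= p.amount <= ceiling}

def velocity_alerts(payments, daily_cap):
    """Payee accounts whose same-day total exceeds daily_cap (assumed rule shape)."""
    totals = defaultdict(Decimal)
    for p in payments:
        totals[p.payee_account] += p.amount
    return {acct for acct, total in totals.items() if total > daily_cap}

def run_controls(payments, limit, band=Decimal("0.9")):
    """Run both rules with thresholds derived from the given rail limit."""
    return {
        "near_limit": near_limit_alerts(payments, limit * band, limit),
        "velocity": velocity_alerts(payments, limit),
    }

# Constructed one-day batch; account labels and amounts are illustrative only.
BATCH = [
    Payment("P1", "ACCT-A", Decimal("950000")),
    Payment("P2", "ACCT-B", Decimal("9000000")),  # sized just under the new ceiling
    Payment("P3", "ACCT-C", Decimal("6000000")),  # two payments, 12M to one payee
    Payment("P4", "ACCT-C", Decimal("6000000")),
    Payment("P5", "ACCT-D", Decimal("4000000")),  # routine large payment
]

if __name__ == "__main__":
    # Thresholds frozen at the old ceiling: P2 raises no near-limit alert, and
    # the velocity rule fires on every payee paid more than $1 million.
    print("legacy :", run_controls(BATCH, OLD_LIMIT))
    # Thresholds derived from the new ceiling: P2 is flagged, and only the
    # payee whose same-day total exceeds $10 million trips the velocity rule.
    print("current:", run_controls(BATCH, NEW_LIMIT))
```

Deriving both thresholds from one configured limit value means a future rule change is a single edit rather than a hunt for hardcoded amounts.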
How BEC Fraud Scales with the New $10 Million ACH Limit
Business Email Compromise is the fraud type most directly affected by this change. BEC attackers target high-value payments. They operate with patience, monitoring email chains, waiting for the right moment, impersonating a CFO or a supplier at the point when a large transfer is being authorised. At $1 million, a successful BEC attack was damaging. At $10 million, it is an event-level loss.
The fraud pattern does not change with the rail limit. What changes is the target. Attackers will calibrate their requests to the ceiling they can plausibly achieve. A BEC actor who previously orchestrated a $900,000 fraud to avoid detection thresholds can now orchestrate a $9 million fraud to the same end. The same techniques (spoofed email domains, fraudulent account details, social engineering) produce losses an order of magnitude larger.
The same pattern is playing out across real-time payments fraud on RTP and FedNow, where finality and high ceilings already coexist. The accounts being targeted in these attacks carry a verified-looking bank account number. The account number may be real. The payee behind it may not be. That distinction is where the fraud lives, and it is not addressed by authenticating the payer.
The Verification Layer That Does Not Move with the Limit
Treasury teams have invested heavily in payer authentication for corporate payment verification: multi-factor approvals, dual controls and out-of-band verification for large transfers. These are necessary, but they are not sufficient.
Payer authentication confirms that the person initiating the payment is who they say they are. It says nothing about whether the account they are paying belongs to the intended recipient.
Payee verification, which confirms that the account name, number, and ownership match before a payment is authorised, is the layer that does not automatically scale with a rail limit change. It requires a deliberate decision to implement, and at the $10 million threshold, the cost of not having it has changed materially.
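The difference between the two layers, as an added example that is not part of the original article and not any vendor's code: a pre-release gate that evaluates payer controls and the payee check independently. The owner-of-record table, routing and account numbers, names and the `release_decision` function are all hypothetical; a real deployment would query a payee verification service instead of a local table.

```python
import re
from dataclasses import dataclass

# Hypothetical owner-of-record data keyed by (routing number, account number).
# Constructed placeholder values standing in for a verification service.
OWNER_OF_RECORD = {
    ("000000001", "1111222233"): "Acme Industrial Supply, Inc.",
    ("000000002", "9999888877"): "J. Doe",
}

_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "corporation",
             "incorporated", "limited", "company"}

def normalise(name):
    """Lower-case, drop punctuation and legal-form suffixes before comparing."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)

@dataclass(frozen=True)
class Instruction:
    payee_name: str
    routing: str
    account: str
    payer_mfa_ok: bool
    dual_approval_ok: bool

def release_decision(ins):
    """Return (decision, reason); passing payer checks never implies a valid payee."""
    if not (ins.payer_mfa_ok and ins.dual_approval_ok):
        return "HOLD", "payer authentication incomplete"
    owner = OWNER_OF_RECORD.get((ins.routing, ins.account))
    if owner is None:
        return "HOLD", "account not verifiable"
    if normalise(owner) != normalise(ins.payee_name):
        return "HOLD", "payee name does not match account owner"
    return "RELEASE", "payer authenticated and payee verified"

# Constructed instructions: same supplier name, both fully approved on the payer side.
GENUINE = Instruction("ACME Industrial Supply Inc", "000000001", "1111222233", True, True)
# The account exists, but its owner of record is not the named supplier.
REDIRECTED = Instruction("ACME Industrial Supply Inc", "000000002", "9999888877", True, True)

if __name__ == "__main__":
    print(release_decision(GENUINE))
    print(release_decision(REDIRECTED))
```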
The $10 million Same Day ACH limit is a sensible alignment of US payment rails. The fraud and treasury teams who will manage the risk it introduces have a narrow window to recalibrate. iPiD's pre-payment payee verification operates at exactly this layer, confirming account identity before transactions settle, at any value. For organisations reassessing their controls, that is where the conversation starts.
- Federal Bureau of Investigation Internet Crime Complaint Center — 2025 Internet Crime Report (2026)
- Nacha — Same Day ACH per-payment limit increase to $10 million (2026)
- The Clearing House — RTP network: per-transaction limit documentation (2024)
- Federal Reserve — FedNow service: transaction limit and operating guidelines (2024)
- Nacha — ACH return timeframes and exception handling rules (2024)

