US Corporate Treasurers’ Work Just Became More Challenging

In the United States, corporate fraud liability falls squarely on the organizations initiating payments, not their banks. For treasury teams managing thousands of vendor payments monthly, this creates a compliance challenge unlike anywhere else in the world.

Nacha, The Workhorse of US Payments is Changing  

Nacha has governed US interbank payments since the 1970s. Automated Clearing House (ACH)I In 2024, 33.6 billion ACH payments were made, valued at $86.2 trillion. By 2025, that had grown to 35.2 billion network payments, averaging 141 million transactions every single day. That infrastructure now has a fraud problem its existing ruleset can’t contain.

Business Email Compromise (BEC), the primary vehicle for payment fraud accounted for 73% of all reported cyber incidents affecting business deposit accounts in 2024, up from 44% the year prior. In the US alone, BEC generated close to $2.9 billion in losses in 2024, with nearly $8.5 billion lost over the preceding three years. These figures are widely considered an undercount.

In response, Nacha has published a package of risk management rule amendments taking effect in 2026, requiring all ACH participants across ODFIs (Originating Depository Financial Institutions), TPSs (Third Party Senders), TPSPs (Third-party service providers) to implement structured fraud monitoring for the first time. The changes roll out in two phases:

• March 20, 2026: ODFIs and large Originators, TPSPs, and TPSs processing more than 6 million ACH entries in 2023

• June 19, 2026 (practical date: June 22*): All remaining non-consumer Originators, TPSPs, and TPSs regardless of volume

*June 19 is Juneteenth, a federal holiday. Nacha has confirmed the practical compliance date is Monday, June 22.

‍

Two concepts are central to the new rules. First, fraud monitoring now extends across all ACH payment types, replacing the vague “commercially reasonable” standard with risk-based processes reviewed annually. Second, false pretences is a newly defined term covering payments authorised by the sender but obtained through deception like vendor impersonation, fake invoice fraud, and executive spoofing. These are the primary mechanisms behind BEC attacks.

For Originators, corporations initiating ACH payments, this is the first time they carry a direct formal fraud compliance obligation under Nacha Rules, independent of their bank.

The US Is Different: Originator Liability

Many countries have formalised liability regimes for fraud losses that place payment validation responsibilities on banks and payment service providers (PSPs). The UK requires Confirmation of Payee. The EU mandates shared liability across sending and receiving PSPs under PSD2. Australia’s banks must validate beneficiary details. The underlying logic: financial institutions can identify fraud better than customers who have been deceived.

The United States operates differently.

Nacha places validation responsibility on payment originators - the businesses and corporations initiating transactions. Your bank processes the payment. You are responsible for ensuring it goes to the right place.

This isn't implicit guidance. It’s explicit in Nacha’s operating rules, and the 2026 amendments significantly expand that responsibility.

What This Means for Treasury Teams

If your company processes 1,000 vendor payments daily, you have 1,000 validation requirements. Each misdirected payment isn't just a financial loss, it's a “compliance” failure.

The FBI reported $2.9 billion in BEC losses in 2023with an average corporate loss of $125,000 per incident and recovery rates below 5% on cross-border payments.

Treasury and AP teams now face direct exposure across five fraud vectors:

1. Business Email Compromise (Vendor Payment Diversion)

2. Executive impersonation

3. Fake invoices

4. Payroll diversion

5. Aging Accounts Payable vulnerabilities

Dormant vendor reactivations are fraud goldmines. An attacker intercepts a reactivation request, updates banking details in your system, and the payment goes to the wrong account.

The 2026 rules require ongoing fraud monitoring, not just validation at onboarding.

International Payments Widen the Fraud Attack Surface

Domestic payments don’t happen in a vacuum of course. They are often the first or last mile of an international payment. If you pay international suppliers, you have another realm of complexity in fraud risk management.

1. International Vendor Payments

Cross-border payments represent the widest validation gap as there is no international equivalent Each country operates independently with different standards and capabilities. Companies like DHL manage global payables across 220+ countries, each with different banking systems and data standards.

Trade tensions are making this harder. Tariff-driven supply chain restructuring means companies are rapidly onboarding new international vendors, often under time pressure that overrides validation rigor. When you're diversifying suppliers to avoid 25% tariffs, the urgency to establish new payment relationships can eclipse the due diligence those relationships require.

These newer, less-established supplier relationships carry higher fraud risk. BEC attackers know companies are shifting supply chains and target the chaos of rapid vendor onboarding. ‍

2. Supply Chain Volatility

Beyond tariffs, supply chains are experiencing unprecedented volatility. Component shortages, geopolitical tensions, and logistics disruptions force companies to qualify and pay new vendors faster than traditional procurement cycles allow.

This compressed timeline creates validation shortcuts. Purchase orders get rushed. Banking details get entered manually. Verification steps get skipped because production lines can't stop.

Fraudsters understand this pressure. They time attacks to moments when companies are desperate for parts, inventory, or services, knowing validation will be weaker.

The Cross-Border Payments Compliance Gap is Widening

Domestic ACH validation is improving. Banks are offering validation services. Nacha enforcement is increasing, and instant payment systems such as RTP and FedNow are improving their approaches to mitigating the risks from authorised push payments fraud (see our earlier article on instant payment systems in the US). Tools exist.

International payments though remain wide open.

There's no equivalent to Nacha for cross-border payments. SWIFT doesn't validate beneficiary details in real time, it routes messages. Each country operates independently with different standards, different data formats, different validation capabilities.

You're liable for gaps in infrastructure you don't control. You must validate payments to countries where validation infrastructure barely exists. If something goes wrong, recovery across borders is nearly impossible. ‍

FATF 16 rules are also getting more precise seeking to know and validate ultimate beneficiary and originator for payments across all payment types – fiat money movements, mobile wallet money, and crypto and stablecoin alike.

The FBI's $2.9 billion BEC figure? A significant portion involves international wire transfers where fraudsters exploit exactly this gap, payments that cross borders into banking systems with weaker validation and limited recovery mechanisms.

Getting Ahead: Pre-Transaction Validation

The solution isn't reactive fraud detection. It's pre-transaction validation and verifying payment details before you initiate the transfer. This treats compliance as an engineering problem rather than a monitoring problem.

In practise, this means:

• At vendor onboarding: Real-time verification of banking details against global registries before entering vendor into your ERP

• For aging payables: Batch validation of dormant vendor records before reactivating accounts

• In AP workflows: Automated validation checks that flag mismatches before payments get approved

• For new supply chain partners: Verification integrated into emergency vendor qualification processes

For cross-border payments, solutions exist that verify payee details across 50+ countries in real-time. These tools check that account numbers, routing codes, and beneficiary names match what the receiving bank has on file, before you send the wire.

iPiD provides exactly this capability for cross-border payee validation.

Three Actions for Treasury Leaders

‍Action 1:  Audit Your Cross-Border Payment Flows

Before you can fix exposure, you need to see it. Start with:

❑ How many international payments do you process monthly?
❑ What percentage go to suppliers you've worked with less than a year?
❑ When did you last validate all vendor banking details in your system?
❑ Which countries do you send the most payments to?

The answers reveal your exposure. If 30% of your international payments go to new suppliers, and you're not validating those details in real-time, you have significant compliance risk.

‍Action 2: Assess Your Nacha Compliance Posture

The March and June 2026 deadlines requires documented "risk-based processes and procedures." Can you demonstrate:

❑ How you validate payment details before initiating transactions?
❑ Your process for monitoring and preventing fraudulent payments?
❑ Documentation showing validation occurred for every payment?
❑ Procedures for handling validation failures?

If you can't answer these clearly, you're not ready for the new Nacha rules and the liabilities it exposes your business to.

Action 3: Prioritise Validation by Risk

‍You can't validate everything overnight. Start with highest-risk categories:

Automate validation into existing workflows. Don't create separate manual processes that slow down AP. Integration with your ERP, payment platforms, and approval workflows makes validation invisible to finance teams while ensuring every payment gets checked.

The Compliance Window Is Closing

Nacha's 2026 rules take full effect by June. Treasury teams that treat this as a compliance checkbox will struggle. Those that treat it as an operational upgrade building validation into payment workflows now, will be ready.

Readiness for Nacha is readiness for FedNow and RTP. For corporate treasury teams managing global payment operations, the answer needs to be proactive. Your liability already is.

Resources

• National Automated Clearing House Association - New Nacha Rules: New Fraud Compliance Responsibilities for All Organizations Sending ACH Payments (2024)  

• Federal Bureau of Investigation - Internet Crime Report (2023)

• SWBC - Compliance Spotlight: Navigating Nacha's Account Validation Rule (2022)  

• National Automated Clearing House Association - Supplementing Fraud Detection Standards for WEB Debits (2021)

• National Automated Clearing House Association - Nacha Rules (2024)

• Federal Reserve Financial Services - Fraud Mitigation: Classifying ACH and Wire Fraud (2025)  

• National Automated Clearing House Association - FBI’s IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years (2024)  

• National Automated Clearing House Association - Top 50 Originators and Receivers (2024)  

‍