In June 2026, new ACH Network Rules amendments took effect requiring all non-consumer ACH Originators—including R365 payments clients—to establish and implement risk-based processes and procedures designed to identify unauthorized or fraudulent ACH entries. This article explains what the rule requires and provides recommended steps for meeting the standard.
What's changing
Under the new ACH Network Rules, R365 Payments clients must have fraud-monitoring processes that are:
Tailored to your operations — not a one-size-fits-all checklist
Reviewed and updated at least annually
Focused on higher-risk areas where fraud attempts are most likely to occur
Examples of fraud the rules are designed to address include vendor impersonation and business email compromise (BEC) — situations where a fraudster impersonates a legitimate vendor to redirect ACH payments to a fraudulent account.
Already have fraud monitoring procedures?
If your organization already has fraud monitoring procedures in place, these new rules make such procedures a formal requirement. Review your existing processes to confirm they meet the standard described above.
Recommended steps for building your fraud monitoring process
The ACH Network does not prescribe specific steps. The following recommendations focus on two high-risk areas and reflect best practices for R365 Payments clients.
New vendor onboarding
When establishing a new vendor relationship, verify the vendor's legitimacy before adding them to R365 Payments:
Request proper documentation from the vendor.
Verify the vendor's identity and confirm who is authorized to act on their behalf.
Keep a verified contact person on file for future verification purposes.
Vendor ACH account change requests
When an existing vendor requests a change to their ACH account information, treat the request as a potential red flag. Follow these steps before making any changes:
Do not accept ACH account changes via email or text. Verify all changes by phone using a previously known number — not the contact information provided in the change request.
Resist pressure to act quickly or in secret. Fraudsters use urgency and secrecy to bypass normal controls.
Apply dual control. Have more than one person review and approve the change request before updating the vendor's ACH information in R365.
Business email compromise (BEC): BEC is a common fraud method in which a vendor's email is hacked and used to send convincing-looking requests to update ACH account details. Differences in the email address may be subtle — an extra character, a different capitalization. Always verify changes by phone before acting.
Dual control for R365 Payments
When processing payments through R365 Payments, use dual control:
One person creates and submits the payment batch to R365 Payments.
A separate person reviews and approves the batch before it is sent for processing.
This separation of duties reduces the risk of unauthorized or erroneous payments.
User access and system security
Regularly review access to your R365 instance to limit exposure:
Ensure current employees have access only to the areas they need for their role.
Remove access for former employees promptly.
Keep firewalls current and antivirus software up to date.
FAQ
Is this requirement specific to R365, or does it apply to all businesses?
This is a nationwide requirement for any business that originates ACH payments. Your banking partners may also be communicating similar guidance.
Does this rule change who is liable for ACH fraud losses?
No. The new rule does not change the allocation of liability under existing law. It requires clients to strengthen controls to mitigate fraud risks.
Are there specific steps that must be followed to comply?
No. The ACH Network has not prescribed specific steps. The requirement is that clients take some action to mitigate ACH fraud risks. The steps described in this article are recommendations, not guarantees or prescriptions.