NACHA ACH Rules

The NACHA rules govern the proper use of the ACH network and a new rule book is published each January. For those of you that use our ACH service, you have agreed to comply with all applicable ACH rules in the creation and transmission of ACH transaction files.

To gain free access to the rule book, please register on the NACHA website as a basic user at https://www.nachaoperatingrulesonline.org/login and follow the steps below. Note: Logins from previous years (2024 and earlier) are no longer valid.

• Click on “Create a New Account” to register and create a new account. 
• Enter your email address two times and click continue:

• Complete the online form. Be sure to click the box next to Check this box if you do not have a Subscription Code. You will receive access to only the Basic Access.
• Click the box next to I agree to the Terms of Use.
• Click the REDEEM button.

• You will receive this message.
• Click the CLICK HERE TO LOG IN button.

• The email from digital@omnipress.com will contain a link to access the NACHA Operating Rules website. If you have previously set up your login to the NACHA Operating Rules, your digital@omnipress.com email will advise you to use your current password. If this is your first time enrolling, follow the instructions in step 3 of the email to set up your password.

• Enter your email and password and click Login.
• If you’ve forgotten your password, click Forgot Password? below the login box and follow the onscreen prompts.

• From the next screen, click on RESOURCES at the top of the page to access the Basic Edition of the NACHA Operating Rules.

• Full versions of the current year’s NACHA Operating Rules & Guidelines are available for purchase. Click on the green highlighted link shown on the landing page above.

Effective June 21, 2024

These changes are minor amendments to the NACHA rules with little to no impact on ACH participants.

• General Rule for WEB Entries: This rule change establishes the WEB SEC code must be used for all consumer-to-consumer credits, regardless of how the consumer communicated the payment instructions. 
• Definitions of Originator: Expands the definition of Originator as the party authorized by the Receiver to credit or debit the Receiver’s account at the RDFI. 
• Originator Action on Notification of Change (NOC): This rule change gives Originators discretion to make NOC changes for any Single Entry, regardless of SEC Code. 
• Data Security Requirements: This rule change clarifies that an Originator must continue to adhere to the Data Security Requirements going forward once they reach the threshold of 2 million originated transactions. The current rules give the Originator until June 30 the year following to be compliant. 
• Use of Prenotification Entries: This rule change is removing language that limits prenote use to only prior to the first credit or debit entry. 
• Clarification of Terminology – Subsequent Entries: This rule change adjusts prenote and NOC language to remedy now-ambiguous references to the use of the term “subsequent entry.”

Visit NACHA for details on minor topics

Effective April 1, 2025

• Expanded Use of ODFI Request for Return/R06 - Phase 2: Phase 2 requires the RDFI to respond to the ODFIs request for return regardless of whether they agree to return the item. The RDFI must advise the ODFI on the status of the request within 10 banking days of receipt.

Effective October 1, 2024

These rule changes are all related to efforts to reduce credit push fraud in the ACH network, and to increase the likelihood of funds recovery when fraud has occurred.

• Codifying Expanded Use of Return Reason Code R17: This rule will explicitly allow, but not require, an RDFI to use R17 to return an entry that it thinks is fraudulent.
• Additional Funds Availability Exceptions: This rule provides RDFIs with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses.
• Timing of Written Statement of Unauthorized Debit: This rule will allow a Written Statement of Unauthorized Debit to be signed and dated by the Receiver on or after the date on which the entry is presented to the Receiver. This may help prevent harm to the Receiver if they determine a transaction is fraudulent before it will post.
• RDFI Must Promptly Return Unauthorized Debit: This amendment will require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth banking day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit.
• Expanded Use of ODFI Request for Return/R06 - Phase 1: This rule expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason.

Visit NACHA for risk management topic details

Effective March 20, 2026

These rule changes establish requirements for the content of the Entry Description field for specific types of transactions. These changes are part of a comprehensive approach to reduce fraud risks in the ACH network.

• PPD credits for the payment of wages, salaries, and similar compensation must use the value of PAYROLL in the Entry Description field for a batch containing those transactions.
• WEB debits for the online purchases of goods, including recurring purchases first authorized online, must use the value of PURCHASE in the Entry Description field for a batch containing those transactions.
• These are “no later than” dates, Originators may begin using the descriptions as soon as practical.

Visit NACHA for company entry description details

Effective March 20, 2026

These rules changes will be implemented in two phases and are part of a comprehensive approach to reduce fraud risks in the ACH network to improve the chances of recovery when fraud has occurred. They require certain ACH participants to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.

• Phase 1 applies to all originators, third-party senders, and third-party service providers that originated more than 6 million ACH transactions in 2023.
• Phase 1 also applies to all banks that received over 10 million ACH transactions in 2023.

Visit NACHA for Phase 1 details

Effective June 22, 2026

These rules changes will be implemented in two phases and are part of a comprehensive approach to reduce fraud risks in the ACH network to improve the chances of recovery when fraud has occurred. They require certain ACH participants to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.

• Phase 2 applies to all originators, third party senders, and third-party service providers that did not meet the threshold for Phase 1, as well as all banks that receive ACH transactions that did not meet the threshold for Phase 1 (effective March 20, 2026).

Visit NACHA for Phase 2 details

ACH Third-Party Senders:

• Initiate ACH transactions on behalf of an originator or another Third-Party Sender when there is not an origination agreement directly between the originator and the Originating Depository Financial Institution (ODFI).
• Have many of the same responsibilities as an Originating Depository Financial Institution (ODFI) under the NACHA Operating Rules and Guidelines (NACHA Rules).

Your agreement with U.S. Bank allows us to conduct a review to ensure your compliance with the NACHA Rules. Non-compliance could result in a termination of service.

As an ACH Third-Party Sender, you have specific responsibilities and requirements under the Nacha Operating Rules. We’ve consolidated information and resources to assist with your fulfillment of these requirements.

NACHA video: What is a Third-Party Sender?

NACHA'S explanation of Third-Party Sender roles and responsibilities

NACHA'S Third-Party Sender identification tool