Skip to main content Go to Online Banking
FDIC Digital Sign, using the official FDIC wordmark. This digital sign indicates the deposit institution is backed by the full faith and credit of the US government.

email icon Account Access

Upcoming Changes to ACH Payment Rules

Nacha, the organization that governs the ACH network, has announced updates to its operating rules that affect businesses and organizations that originate ACH payments. These changes are designed to strengthen fraud prevention and improve clarity across ACH transactions network‑wide.

This page provides additional details, examples, and guidance to help you understand how the new rules may apply to your ACH activity.

What's changing

Standardized Company Entry Descriptions

Beginning March 20, 2026, certain ACH transactions will require standardized wording in the Company Entry Description field. This allows participants to better identify the purpose of the transactions, which can help support fraud transaction monitoring. Standardized use of data can help parties manage risk and improve ACH quality.

Payroll Payments

Originators and Third Parties sending payroll payments via ACH Credits must use the word PAYROLL in the Company Entry Description in the Batch Header Record of a Nacha file.

  • This includes payment of wages, salaries and similar types of compensation. 

Online Consumer Purchases

Originators and Third Parties sending ACH Debits for consumer e-commerce purchases must use the word PURCHASE in Company Entry Description field of the Nacha file.

  • For this purpose, an e-commerce purchase is a debit Entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. An e-commerce purchase uses the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Code.

Questions about standardized ACH descriptions?
Find answers to common questions about when and how the required PAYROLL and PURCHASE descriptions should be used, with examples and screenshots.

View FAQs on ACH Descriptions

ACH Fraud Detection Requirement

Nacha has also introduced a new ACH fraud detection requirement for organizations involved in ACH origination. The rule requires affected parties to establish and maintain risk‑based processes and procedures designed to help identify potentially unauthorized ACH transactions or transactions authorized under false pretenses.

Effective Date

Rule Language

Each Non-Consumer Originator; each Third-Party Sender; each ODFI; and each Third-Party Service Provider that performs any functions of ACH processing on behalf of an Originator, Third-Party Sender, or ODFI must: 

  • establish and implement risk-based processes and procedures relevant to the role it plays in the authorization or Transmission of Entries that are reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses;
  • and at least annually review these processes and procedures and make appropriate updates to address evolving risks.

These processes and procedures do not require the screening of every ACH Entry individually and do not need to be performed prior to the processing of Entries. 

What Does This Mean?

  • This rule applies to all ACH originators.
  • Organizations should implement risk‑based processes and procedures designed to help protect against account takeover and other methods used to initiate unauthorized ACH transactions.
  • These processes may include controls related to changes in payment information for vendors or payroll, such as avoiding reliance on email alone to update account details.
  • Processes and procedures should be reviewed at least annually and updated as risks evolve.
  • Screening every individual ACH transaction is not required.
  • Screening may occur before or after ACH transactions are submitted.

Conduct an ACH Fraud Risk Assessment

The decision on what to do to comply with the new rules should come from identifying the risks, gaps, and weaknesses resulting from your risk assessment. Use the results of your risk assessment to drive "risk-based processes and procedures".

Examples of questions you may want to ask:

  • What are the existing or potential/emerging fraud threats that your organization/industry faces?
  • What has been your organization's or industry's fraud experience?
  • Define scenarios that you consider to be high-risk. (Hint: Risk is elevated whenever there is change)
  • Prioritize - which payment use cases represent the most risk?
  • Assess your present state: What processes and procedures/tools do you currently use to mitigate payment fraud risk?
  • What changes or improvements do you need to make?

Frequently Asked Questions 

What is the purpose of the company entry descriptions?

A company sending an ACH payment is required to use the Company Entry Description field to provide the Receiver with a description of the purpose of each payment. In most cases, the value is determined by the Originator (for example: "Gas bill", "ins. Prem.", "Soc. Sec.", etc.). However, for certain types of payments, the Nacha Operating Rules require Originators to include a pre-defined description. Examples of descriptive statements required by the Rules include, but are not limited to, the new descriptions "PAYROLL" and "PURCHASE," which Originators will be required to adopt no later than March 20, 2026. 

Where can I find this field in a template or one-time payment?

  • One-Time ACH Payment

  • Template ACH Payment

Where can I find this information in the ACH record in a Nacha file?

The Company Entry Description field is in positions 54-63 (Field 7) in the Batch Header Record (Record 5) in a Nacha File. This description can be a maximum of 10 characters.

Can originators add additional characters to the "PAYROLL" and "PURCHASE" descriptions?

Yes, Originators meeting these requirements are required to include these descriptions within the leftmost characters of the Company Entry Description field. At the Originator's discretion, it may utilize the remaining characters for additional descriptive purposes. Example: PAYROLL424 or PURCHASE0l 

When is the Company Entry Description of "PAYROLL" required to be used?

Originators will be required to use the new description "PAYROLL" for all PPD credits for the payment of wages, salaries, or other similar types of compensation, regardless of the status of the employment relationship (i.e., employee, contract employee, other). Use of the term "PAYROLL'' is intended for descriptive purposes only, to help identify compensation payments to RDFls in their efforts to reduce the incidence of fraud involving payroll redirections. Originators and ODFls transmitting entries with this entry description make no representation or warranty to the RDFI or to the Receiver regarding the Receiver's employment status. 

When is the Company Entry Description of "PURCHASE" required to be used?

This requirement applies to Originators offering ACH Debit as a form of payment to consumers, for on line purchases of goods, i.e., e-commerce WEB Debits. This includes purchases that result in multiple payments, such as Buy Now Pay Later purchases. This does not include payment for ongoing services such as utility or rent payments set up online. 

Top
Some content requires Adobe Acrobat Reader to view.