NACHA Phase 2 is in effect as of today, Monday, June 22, 2026. Every non-consumer business that originates ACH payments — including a bookkeeping firm running accounts payable for clients — must now have written, risk-based fraud-monitoring procedures, with no volume threshold to exempt small firms. If your firm sends ACH and you do not yet have those procedures written down, you are out of step with the rule today. This checklist is what to do about it.
The good news for small firms: the rule is risk-based, not transaction-by-transaction. You are not expected to screen every payment with enterprise software. You are expected to identify where your fraud risk is highest, apply reasonable controls there, write the approach down, and review it annually. For most firms running client AP, the highest-risk item is the one NACHA names directly — a request to change a vendor’s bank details.
What changed on June 22, 2026
Phase 1 of NACHA’s fraud-monitoring rule applied only to larger originators above a volume threshold. Phase 2 eliminates that threshold. As of June 22, 2026, all non-consumer Originators, Third-Party Service Providers, and Third-Party Senders must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated under false pretenses — the category that includes business email compromise and vendor-impersonation fraud (NACHA Risk Management Topics — Fraud Monitoring Phase 2).
For a bookkeeping firm, “no volume threshold” is the operative phrase. It does not matter that you only send a handful of ACH payments per client per month. If you originate ACH, the rule now applies to you exactly as it applies to a large enterprise.
This matters because the underlying threat is not theoretical. The 2025 AFP Payments Fraud and Control Survey found that 79% of organizations were targets of payments fraud activity in 2024, with business email compromise the most common vector — and vendor bank-change requests are the classic BEC payload.
The compliance checklist
1. Write down how you decide a payment is legitimate
The rule’s practical core is documentation. Even a one-page description of how your firm decides an ACH payment is genuine satisfies the “written procedures” requirement far better than an unwritten habit. State, in plain language: what triggers extra scrutiny (a new vendor, a changed bank account, an unusually large or urgent payment), who reviews it, and when you pause a payment. If an examiner or your ODFI asks for your procedures, you hand them this document.
2. Assess where your ACH fraud risk actually lives
A risk-based program starts with an honest assessment. For a firm running client AP, list your payment types — vendor payments, contractor payments, expense reimbursements, payroll if you touch it — and mark where impersonation fraud is most likely. For almost every firm, the top risk is a vendor or employee bank-detail change request, because that is the single action that reroutes real money to a fraudster’s account. Document that conclusion; it justifies where you concentrate your controls.
3. Verify every bank-detail change out of band
This is the control NACHA points to specifically, and it is non-negotiable for AP firms. A request to change a vendor’s account number or routing number must be confirmed by calling the vendor back on a number you already had on file — not by replying to the email that made the request, and not by calling a number included in that request. Attackers supply their own “updated” phone number; calling it just connects you to the fraudster. If you need the exact words for that call, our vendor bank-change callback script lays it out line by line.
4. Require a second set of eyes above a threshold
Set a dollar amount above which a second person approves any payment or any bank-detail change. Even a two-person firm can do this: one person performs and logs the callback, the other approves the release. Document the threshold and the rule so it is consistent rather than ad hoc.
5. Keep a record you can actually produce
A control you cannot prove you performed is, for compliance purposes, a control you did not perform. For every bank-detail change, capture the date and time, who you spoke with, the number you called and where it came from, what was confirmed, and who approved it on your side. A tamper-evident record — one that cannot be quietly back-dated or edited — is far more credible to a bank or auditor than a note typed into a spreadsheet after the fact. This is the artifact most firms are missing, and it is exactly what auditors ask you to produce.
6. Confirm what your ODFI already covers
Your originating bank has obligations under the same rule and may monitor for some fraud signals on its side. Ask, in writing, what they watch for and what they expect from you. This both narrows your own workload and documents the division of responsibility — useful evidence that your program is reasonable.
7. Schedule the annual review
The rule requires that you review your processes and procedures at least once a year. Put a recurring calendar entry on a fixed date, note who owns the review, and keep a short record each time confirming it happened and what changed. A program that is written once and never revisited is weaker than one with a visible review cadence.
How this maps to a firm running multiple clients
The wrinkle for bookkeeping firms is scale across clients. You are not documenting one company’s procedures — you are running AP for several, each with its own vendors, its own bank, and potentially its own ODFI relationship. A single shared spreadsheet quickly becomes unmanageable and is hard to defend as “tamper-evident.”
The practical answer is a consistent procedure applied per client, with a verification record that is attributable (who did it), time-stamped (when), and segregated by client. That way, when one client’s bank or auditor asks, you produce that client’s record without untangling it from everyone else’s. The deeper version of this multi-client routine is covered in vendor verification for bookkeeping firms under NACHA Phase 2.
Where CallbackProof fits
CallbackProof is a documentation and workflow tool. It enforces the callback-and-approval sequence above and keeps a SHA-256 hash-chained, tamper-evident log of every verification across all of your clients, so the record your ODFI or an auditor asks for already exists instead of needing to be reconstructed. It does not screen transactions or replace your bank’s monitoring — it makes the verification step you perform consistent and provable, which is the part of a NACHA Phase 2 program that lands on the AP firm.
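As an added illustration of the tamper-evident record item 5 asks for and the hash-chained log mentioned above (this is example code written for this page, not CallbackProof's own code or storage format), here is a minimal SHA-256 hash-chained callback log in Python; the clients, vendors, names and phone numbers in the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus this record's canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()

def append_entry(log, record):
    """Append a callback record, linking it to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev_hash": prev, "record": record, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log):
    """Return -1 if every link holds, else the index of the first entry that fails.

    Editing, back-dating, reordering or deleting an earlier entry breaks a link at or
    after that point. Caveat: dropping only the newest entry is invisible to the log
    itself; anchor the latest hash externally (e.g. in a message to the client).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def entries_for_client(log, client):
    """One client's records, segregated from everyone else's."""
    return [e["record"] for e in log if e["record"]["client"] == client]

def build_sample_log():
    """Constructed sample entries (fictional clients, vendors and numbers)."""
    log = []
    append_entry(log, {"timestamp": "2026-06-22T09:14:00-04:00", "client": "Client A",
                       "vendor": "Acme Supply", "spoke_with": "J. Rivera, AP manager",
                       "number_called": "555-0100", "number_source": "vendor master file, on record since 2024",
                       "confirmed": "new routing and account numbers", "verified_by": "bookkeeper 1",
                       "approved_by": "bookkeeper 2"})
    append_entry(log, {"timestamp": "2026-06-22T11:02:00-04:00", "client": "Client B",
                       "vendor": "Northwind Services", "spoke_with": "no answer, payment paused",
                       "number_called": "555-0133", "number_source": "prior signed invoice",
                       "confirmed": "nothing yet", "verified_by": "bookkeeper 1", "approved_by": "n/a"})
    return log
```

Running verify_chain on an intact log returns -1; change a timestamp in an earlier entry, or delete one, and it returns the index where the chain first fails.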
If you would rather start with paper, the free vendor bank-change verification template gives you the independent-contact rule, the callback script, a dual-approval step, and a one-page log sheet — no signup, nothing to buy. Adopting it today is a concrete way to close the biggest gap in your Phase 2 readiness.
The bottom line
NACHA Phase 2 did not invent a new control; it made an existing best practice mandatory for everyone, including the smallest AP firm. Write down your procedure, concentrate it on bank-detail changes, verify those changes out of band, get a second approval above a threshold, keep a record you can produce, coordinate with your bank, and review it yearly. None of that requires enterprise tooling. It requires that you do it consistently and that you can prove it — which, as of today, is the rule.
Frequently asked questions
Does NACHA Phase 2 apply to a small bookkeeping firm?
Yes. Phase 2 removed the volume threshold as of June 22, 2026. If your firm originates ACH payments — including on behalf of clients — the fraud-monitoring requirement applies regardless of how few payments you send.
Do I have to monitor every transaction?
No. The requirement is risk-based. You assess where your fraud risk is highest, apply reasonable controls there, document your approach, and review it annually. You are not required to screen every individual payment.
What is the single most important thing to document?
Your out-of-band verification of vendor and employee bank-detail changes. NACHA points to these change controls specifically, and a request to reroute payments is where impersonation fraud does the most damage. Capture who you called, on what known number, what you confirmed, and who approved it.
Is a written one-page procedure really enough?
A clear, written description of how you identify and handle suspicious payments — reviewed at least annually — satisfies the written-procedures expectation far better than an unwritten routine. Start there, then make sure you can also produce evidence you actually follow it.