The Hidden Infrastructure Behind Modern Money Movement

What’s up fraud fighters, and welcome back to Fraud Forward!
Today we are talking about ACH compliance, and I know that may not sound like the most exciting opener in the world, but if you work in fraud, payments, operations, compliance, treasury, management, or anywhere near ACH this matters because ACH is one of the most widely used payment rails in the country. And when something goes wrong, it doesn’t just stay contained to one team. It impacts customers, creates operational strain, introduces regulatory risk, and can expose gaps in how your institution detects and responds to fraud.
Over the last few months, I have had conversation after conversation with fraud leaders at community banks and credit unions who are asking the same questions. Do we need new technology? Are we expected to monitor every ACH transaction in real time? What exactly are examiners going to expect from us? And if your head has been spinning a little bit, I want you to hear me on this: you are not alone.
This episode is about the real story behind NACHA Phase 2. And to me, the real story is not that every institution needs to run out and buy another fraud platform. The real story is that ACH compliance is becoming a much more intentional conversation. It is about knowing your risk, documenting your processes, understanding who owns what, and being able to explain why your institution monitors ACH fraud the way that it does.
I actually think that is a good thing. Because for too long, our industry has leaned on liability as the finish line. If we are not liable, it is not really our problem. And technically, maybe sometimes that has been true. But operationally, ethically, and from a fraud fighter perspective, that has never sat well with me.
Fraud does not live in silos. Neither should ACH fraud prevention.
If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts.
When these rule changes were first proposed, a lot of institutions immediately assumed the worst. Another regulatory burden. I think this is where a lot of the confusion started. When these rules were first proposed, everyone assumed it meant more tech, more spend, more pressure. But where NACHA actually landed is much more grounded than that.
This is really about knowing your risk and being able to explain your process. Not every institution needs the same setup, and that’s intentional. What matters is that you have a monitoring approach that fits your role, that you review it, document it, and can clearly walk someone through why it works for you. That’s a very different conversation than “did we buy the right tool?”
I think we’ve accidentally trained ourselves to hear “layered controls” and immediately think “we need another system.” But layering isn’t about stacking vendors, it’s about making sure your controls actually work together.
In a lot of institutions, the pieces are already there. Fraud, AML, operations, treasury, they’re all looking at something, but not always in a coordinated way. Sometimes the real fix isn’t adding more, it’s connecting what you already have, clarifying ownership, and making sure your controls tell a complete story instead of operating in silos.
One of the biggest shifts here is moving away from the idea that if you’re not liable, it’s not your problem. I’ve never loved that mindset, and I think these rules are quietly pushing us past it.
Fraud fighters already know when something doesn’t look right. The question is whether we act on that or wait until it becomes someone else’s responsibility. ACH compliance is really about using the visibility you already have and being willing to lean into those moments where something deserves a closer look, even if liability isn’t technically yours.
When you hear “false pretenses,” it can sound like a brand-new category, but it’s really just putting a name to things we’ve been seeing for years. Things like BEC, impersonation scams, and situations where the customer technically authorized the payment but was manipulated into doing it.
What’s important here is the recognition that authorization doesn’t always mean intent. And no, you’re not expected to know exactly what happened behind every transaction. But if something doesn’t line up, activity that doesn’t match the account or patterns that feel off, that’s your signal to take a closer look. That’s always been how good fraud work starts.
If there’s one place where things tend to break down, it’s ownership. ACH touches a lot of teams, and when that happens, it’s really easy for responsibility to get blurry.
At the end of the day, someone has to be able to answer who’s reviewing, who’s deciding, and who’s documenting. The institutions that handle this well aren’t necessarily the ones with the most resources. They’re the ones where the process is clear, the handoffs make sense, and nobody is guessing who owns what.
If you’re trying to figure out where you stand, start simple. Can you clearly explain your ACH monitoring process? Do you know who owns each step? Could you defend why your controls make sense for your risk?
Notice what’s not in those questions. There’s nothing about buying new technology. This is about understanding your program. Before you add anything new, get clear on what you already have, how it works, and whether your team could confidently explain it if they had to. That’s where a strong program really starts.
Here is what I hope you take away from this episode: NACHA Phase 2 does not fundamentally change what good fraud programs have been trying to do all along. It formalizes it.
Fraud professionals have always looked for transactions that do not make sense. We have always connected the dots. We have always asked questions. We have always relied on experience, curiosity, documentation, and collaboration.
Now those expectations are written more clearly into the rules.
And I think that is a positive step, because fraud is not slowing down. Payments fraud is becoming more organized, more automated, and more sophisticated. The institutions that will succeed are not necessarily the ones with the flashiest technology. They are the ones that understand their risk, communicate across departments, document their decisions, and continuously evaluate whether their controls still make sense.
If you want to go deeper, check the Sardine resources on Phase 1, Phase 2, and the new guidance around false pretenses. These and additional resources are linked below. They are great companion pieces if you are working through ACH compliance documentation with your team.
And as always, share this episode with someone in fraud, payments, operations, treasury, or compliance. These conversations are most valuable when they happen across the entire institution.
Stay vigilant, stay informed, and keep moving fraud forward.








