New rules aim to define banks' role in fighting payment scams

The payment industry is taking its first steps to tackle the rising number of fraudulent payments resulting from social engineering scams.

The proliferation of social networks and online payment apps has amplified such scams, in which a consumer may use an app like Zelle to send money to someone they consider legitimate but who is, in fact, a scammer. Such cases have been a gray area under existing regulations, because the payments are considered to be authorized by the sender, and current regulation only protects against unauthorized payments, such as credit card charges not made by the cardholder.

Frustrated consumers hope their banks can retract such transactions and lawmakers have urged banks to cover their customers' losses, but financial institutions have argued that asking them to remedy fraudulent transactions outside the scope of the current law is an overreach.

In response, the National Automated Clearinghouse Association, an industry body formed and governed by banks and credit unions, is instituting new rules aimed at enhancing collaborations between sending and receiving institutions to identify suspicious activities and react faster. The organization, known as Nacha, operates one of the largest payment rails in the US, the Automated Clearing House payment network (ACH).

Beginning June 19, 2026, banks and credit unions must comply with new Nacha rules to monitor fraud on payments that they send out and monitor ACH credit on payments they receive.

The new rules are "potentially a breakthrough for fighting scams that result in authorized payments," Claire Greene, a payments risk expert at the Federal Reserve Bank of Atlanta, wrote in a blog post.

Bringing in the receiving institutions

Nacha has also released rules to make the return of funds faster and easier on ACH. Starting Oct. 1, Nacha will allow banks and credit unions to request the return of payments sent under false pretenses from the receiving institution. Starting April 1, 2025, the receiving institution will be obligated to respond to such a request within 10 banking days.

The rule changes form part of a new risk management framework that Nacha set forth in 2022, with wide-ranging considerations addressing fraud. The new framework marks the first time that the receiving bank will have a defined role in fraud monitoring. Currently, that role is mainly the responsibility of the sending institution.

"This, to me, is just the start of what's going to be a long journey to actually not just implement controls on the sender, but now implement controls on the receiver," Carl Slabicki, co-head of global payments for BNY Treasury Services, said in an interview.

The industry's push for changes is taking place amid heightened regulatory attention. The Consumer Financial Protection Bureau is reportedly investigating how US banks including JPMorgan Chase & Co., Wells Fargo & Co. and Bank of America Corp. handle disputed transactions on Zelle.

Limited scope

While Nacha's new rules demonstrate the industry's efforts to improve, they will not be able to fix social engineering scams immediately, industry experts said.

The technical changes on ACH that will take effect in October are only the bare minimum, Heman Daswani, a principal consultant at core banking software company Temenos, said in an interview.

"Nacha's framework is a much bigger picture: how things should work; what is the right way of handling these types of situations. But the rules that are being enforced now are just, I would say, a small section of the big framework," Daswani said.

In the new framework, Nacha uses the term transactions under "false pretenses" to define authorized but scammed payments. The new category aims to complement what is covered by the main payments law, the Electronic Fund Transfers Act, which only addresses unauthorized payments.

So far, the examples of payments under false pretenses that Nacha has clearly enumerated are mostly on the commercial side, such as business email compromise, in which a scammer takes over a business email account, impersonates the account owner and directs payments.

However, Nacha's authority is limited and its actions cannot supersede the law. Legislative clarification will be necessary for consumers to hold their financial institutions accountable for false-pretenses losses.

A new bill addressing "authorized" but fraudulently induced payments was introduced in the Senate in August, Daswani noted. The bill, dubbed the Protecting Consumers From Payment Scams Act, is sponsored by Sen. Richard Blumenthal (D-Conn.) and co-sponsored by Sen. Elizabeth Warren (D-Mass.).

Upgrading technology

Whether banks should refund consumers often makes the headlines, but an urgent problem is how banks can detect and block scammed payments and reduce such scams at their roots.

"If we simply say that the bank is responsible for paying back, then fraudsters will find other ways of doing these types of frauds, knowing that they will be paid back," Daswani said.

Payments experts hope faster and broader data transmission between institutions will make a substantial difference. The industry is already executing a major upgrade, adopting the new messaging standard ISO 20022, which contains richer data about transactions, from which financial institutions can generate insights.

"Exchanging intelligence within the payment itself will make the payment safer than anything else," Cleber Martins, head of payments intelligence and risk solutions at ACI Worldwide, said in an interview.

Emphasizing the accountability of the recipient on fraud monitoring will also enhance security, Martins said. With insights about suspicious activities provided by counterparties, financial institutions could grasp a fuller picture of a scammer's profile and take action faster.

Banks' prompt responses to scams are crucial for loss recovery, and the new Nacha rules aim to help banks identify and return fraudulent transactions before scammers sweep the money out of their bank accounts, Greene wrote in her blog post.

Helping smaller institutions

Experts said the technology enhancement will have to be accompanied by additional investments.

Cost pressures are likely to weigh on small institutions more heavily because they have less data and fewer resources to identify fraudsters. A mechanism for all involved financial institutions to notify one another when potential fraud is identified would benefit smaller institutions by allowing them to perform a retroactive search to see if they have a relationship with the bad actor, Daswani said.

Smaller institutions may process fewer payments from which to derive actionable insights, so scammers may use them as the weakest link in defense to breach the payment system, said Andrew Davies, global head of regulatory affairs at ComplyAdvantage.

"They will find that weakest link," Davies said. "It's why even a small institution had to adopt a risk-based approach."