Nacha Audit Expansion Raises the Stakes for ACH Compliance

For banks and credit unions, ACH compliance is moving from a back-office requirement to a central piece of risk management. Starting in the third quarter of 2025, Nacha will dramatically expand its proof-of-audit program. Instead of checking a small sample of institutions each quarter, Nacha will ask more than a thousand banks, credit unions, and Third-Party Senders to confirm they’ve completed their annual ACH audit.
Until now, Nacha’s process touched about 125 financial institutions and 125 Third-Party Senders each quarter. That number is jumping to roughly 700 and 400, respectively, thanks to automation through the Risk Management Portal. Nacha’s stated goal is to cycle through every institution and Third-Party Sender in the network within three years.
Why the change? The ACH Network is too big and too important to leave gaps. It handled more than 31 billion payments worth $80 trillion in 2024. When compliance slips, fraud risk rises. Nacha has made it clear: the annual audit is mandatory. Missing it is a Class 2 Violation and fines are often higher than the cost of the audit itself.
The Rules, Plain and Simple
Every financial institution (FI), Third-Party Sender, and Third-Party Service Provider that moves ACH entries must complete a compliance audit every year. This is spelled out in Article One, Section 1.2.2 of the Nacha Rules. The deadline is December 31, covering the prior 12 months.
Audits can be done two ways:
- Internal: by employees outside of ACH operations, such as compliance or risk staff.
- External: by an outside firm, like a CPA or payments consultant. Many FIs choose this route for added independence and clearer documentation.
The scope is detailed in Appendix Eight of the Nacha Rules. It covers items like origination practices, handling of returns, and access controls. Whether internal or external, the audit must be thorough, documented, and ready to show if Nacha asks.
Why This Matters More Now
In the past, only a small fraction of institutions were asked to prove completion. With the new process, many more will get emails each quarter, and Nacha expects every FI to be able to produce a certificate, summary, or cover letter if chosen.
This is where legacy methods show their age. Spreadsheets and CRM notes worked when requests were rare. They don’t scale when the regulator can ping any institution, at any time, and expect a fast attestation.
Fraud losses underline the point. The 2024 AFP Payments Fraud and Control Survey found 82 percent of organizations were hit with fraud attempts, and ACH activity is a leading target. Compliance teams already stretched thin spend too much time gathering documentation and not enough time protecting their institutions and accountholders.
What to Expect from Nacha
Starting later this year, proof-of-audit emails will no longer come from individual Nacha staff. They will be generated by the Risk Management Portal and sent to every administrator listed for an FI. That means keeping the administrator list current is now critical.
Selected institutions will need to log in, confirm the audit date, and attest that it was completed. Some will be asked to provide supporting proof. Acceptable documentation includes an audit summary, certificate, or cover letter.
Preparing for the Change
Institutions that rely on manual processes risk missing emails or scrambling for paperwork. The smarter move is to modernize. Modern compliance tools cut down on wasted time, give teams clear visibility, and leave a reliable paper trail for regulators.
At Advanced Fraud Solutions, we see this expansion not just as a compliance test but as a chance for institutions to strengthen both their audit readiness and their fraud defenses. Our ACH fraud prevention tools provide real-time insight, simplify audit preparation, and help teams coordinate across departments.
Payments are moving faster, regulators are watching more closely, and Nacha’s expansion makes it clear that compliance is no longer background work. Institutions that modernize now will not only be audit-ready but also better positioned to earn and keep customer trust.
3 Things to Do Now
1. Confirm your annual ACH audit is scheduled
Do not wait until December. If you miss the audit, the fine can exceed the cost of the audit itself.
2. Update your Nacha Portal administrator list
Requests will now go to every administrator, not just one contact. Make sure the right people are on the list.
3. Move away from spreadsheets
Legacy methods are too slow. Invest in ACH fraud defense tools that provide real-time visibility, stronger fraud detection, and reliable documentation.
The Nacha audit expansion is here. With more proof-of-audit requests coming, preparation is the only safe strategy.