Payments Insider 1st Quarter 2026
The inside scoop on payments for businesses of all sizes.
by Shelly Sipple, AAP, AFPP, APRP, NCP, Director, Certifications & Continuing Education, EPCOR
Several important ACH Rules amendments take effect beginning in 2026 that will impact how companies originate ACH payments. Additional amendments, effective in 2027 and 2028, may require additional preparation time. It’s essential for companies to understand these changes to maintain compliance and ensure efficient payment-processing operations.
Effective March 20, 2026, companies must use standardized Company Entry Descriptions for certain transactions. While the 10 character field typically allows flexibility, the ACH Rules now require that Prearranged Payment and Deposit (PPD) credits related to employment compensation use PAYROLL,
and WEB debits for e-commerce or online retail purchases use PURCHASE. These standardized descriptions help ensure consistent identification of these transaction types across the ACH Network.
Starting in 2026, companies will be required to have risk-based fraud monitoring practices in place for all ACH payments they originate, regardless of payment type. Phase 1 is effective March 20 for companies originating 6M+ transactions in 2023, and Phase 2 is effective June 19 for all companies, regardless of annual origination activity. The goal is to reduce successful fraud attempts by identifying payments that may be unauthorized or authorized under false pretenses. Unauthorized payments occur when a fraudster gains access to online banking credentials, while payments authorized under false pretenses result from social engineering schemes—such as business email compromise or vendor or payroll impersonation—where an employee is tricked into sending a payment.
Although the ACH Rules do not require automated transaction screening or review of every payment, companies must implement reasonable, documented procedures to detect suspicious activity. While they are not expected to prevent all fraud, companies must make a good faith effort to identify questionable payments before they reach the ACH Network.
To help you prepare for these changes and future amendments, please download the 2026 ACH Rules Update for Corporate Originators and Third Party Senders document.
by Casey Demma, AAP, AFPP, APRP, Senior Analyst, Payments, Risk & Compliance, EPCOR
The ACH Rules require Third-Party Senders (TPSs) and Third-Party Service Providers (TPSPs) to complete an ACH Rules Compliance Audit annually. In 2025, EPCOR’s team of experts conducted audits for a wide range of TPSs and TPSPs. Throughout these engagements, our team observed several recurring compliance issues. Here’s a breakdown of last year’s top audit findings and the common areas needing attention.
A surprising number of TPSs and corporate partners that provide or manage ACH services don’t even realize they are TPSs, leaving them unaware of their obligation to perform an annual ACH Rules Compliance Audit or a periodic risk assessment. EPCOR frequently conducts these first-time audits for organizations that have been operating as TPSs for years. On the flip side, some TPSs do complete their annual audits but can’t produce six years of documentation, as required by the ACH Rules. Staff turnover is usually the culprit, turning missing documentation into a compliance headache.
Risk assessments create another gap. While they aren’t required annually, TPSs and organizations handling ACH activity must periodically evaluate the risks associated with those ACH activities and build a risk management program based on the results. The key is staying proactive: understanding the obligations, acting on results and revisiting risk before it becomes a problem.
Due diligence goes beyond onboarding. ACH activity must be continuously monitored, and oversight of Originators and Nested TPSs can take several different forms. Reviewing the creditworthiness of the account relationship is valuable, but it does not fulfill all obligations. Many TPSs limit reviews to financial information, neglecting their Originators’ actual ACH activity, leaving a significant oversight gap.
The ACH Rules explicitly require the establishment of exposure limits, which must be reviewed and enforced as part of an ongoing risk management program. Yet it remains common to find TPS programs with no limits in place, or that use prefunding requirements as a substitute, which do not meet ACH Rules requirements. Corporate entities managing or outsourcing ACH services should understand that prefunding only addresses liquidity, not broader operational or credit risk.
Many TPSs provide a mix of services to their Originators and any nested TPSs, but their contracts often don’t keep pace. Instead of including clearly defined ACH terms, organizations rely on broad master service agreements that omit required language. Beyond the requirements, the key guidance from Appendix C in the ACH Rules (who does what, who owns which risk and how responsibilities flow between parties) is frequently not included. Absent schedules, missing appendices or incomplete agreements lead to unclear roles, misaligned expectations and compliance gaps. Corporate management should ensure that all service agreements clearly define ACH responsibilities, even if ACH activities are outsourced.
Authorization issues commonly stem from missing Rule required language, such as revocation terms or clear timing of the Entry. We often see authorizations that aren’t recognizable as authorizations at all. This happens most often online, where critical language gets buried behind hyperlinks rather than presented upfront. When authorizations aren’t complete or clearly identifiable, organizations face delays responding to proof of authorization (POA) requests. These challenges are relevant not just to TPSs, but to any company that initiates ACH activity on behalf of clients or vendors.
A non-monetary Notification of Change (NOC) is the RDFI’s way of telling the ODFI, “Here’s the corrected information you need to use going forward.” When a TPS or Nested TPS is involved, updates must reach the Originator within two banking days of receiving the NOC. Then, the required changes must be implemented within six banking days, or before the next outgoing Entry, whichever comes later.
Common breakdowns usually happen in two places:
Both gaps create compliance risk and make it harder to prove that NOC requirements are being met. For companies, staying on top of updates and keeping clear records is key to avoiding compliance headaches.
These are some of the most common issues EPCOR identified during 2025 audits of TPSs and TPSPs, though they do not represent the full scope of findings. Every organization’s program is different, and even well-established processes can have gaps.
For information about becoming an EPCOR member, or to inquire about managing ACH-related obligations and book an EPCOR Third-Party Sender ACH Audit or Risk Assessment, reach out to advisoryservices@epcor.org.
The following article originally appeared on January 18, 2026, from the U.S. Faster Payments Council’s Business Benefits of B2B Instant Payments Work Group.
The U.S. Faster Payments Council’s Business Benefits of B2B Instant Payments Work Group is on a mission: to raise awareness, foster adoption and accelerate innovation around instant payments. Together, subject matter experts from across industries are shaping a future where faster, smarter financial operations become the standard in business-to-business (B2B) transactions.
In the digital age, many aspects of business have evolved—but B2B payments still lag far behind. Despite the rise of automation and real-time data in other areas, most businesses continue to rely on slow, manual and error-prone invoice and payment processes. On the accounts receivable (order-to-cash) side of processing, today’s B2B transaction workflows are riddled with inefficiencies, from waiting days for checks to clear to matching invoices and credit notes with payments and reconciling those payments with bank statements. On the accounts payable (procure-to-pay) side, manually entering and reconciling invoices against purchase orders and shipments is time-consuming, error-prone and inefficient.
But there is good news. The convergence of instant payments and e-invoicing is poised to reshape the B2B payments landscape entirely. When combined, these two technologies offer a powerful, end-to-end solution that automates the payment lifecycle (from procure-to-pay and order to cash), covering key stages like processing, settlement and reconciliation.
This article explores why this pairing is so powerful—and why businesses should act now.
While consumer payments have gone digital and mobile, business payments remain stuck in a fragmented and outdated system. This leads to slower payments, higher costs, more errors and poor visibility.
A recent study by the Federal Reserve highlights these inefficiencies and the demand for instant payments:
Non-instant payments are more than just a delay—they trigger a cascade of challenges across the business, leading to the following realizations:
Instant payments clear and settle in real-time, 24x7x365. They are irrevocable, with guaranteed funds and can carry structured data—such as remittance details—to support reconciliation.
Instant payments bring the following benefits to traditional payment processing:
E-invoicing refers to the digital creation, exchange and processing of invoices between businesses. Unlike PDFs or email attachments, e-invoices use structured data formats such as UEN 19631d by the Digital Business Networks Alliance) or EN 19631 19631 (used by Pan-European Public Procurement On-Line) that can be processed automatically by systems.
E-invoices offer a form of Request-for- Payment (RfP) like those offered via the ISO 20022 RfP message (i.e., RfP pain.013), leveraged by the FedNow® Service and RTP® Network, but at a more detailed level. When combined with more complex B2B payments involving invoices with purchase orders, receipt level details, discounts, taxes and more, e-invoices provide the structured data needed to load invoices into AP systems, while instant payment requests facilitate and automate the payment itself.
To adopt this modern approach of marrying e-invoicing with instant payments, businesses need to consider:
Industries like manufacturing, supply chain management and professional services are already seeing measurable gains from integrating instant payments and e-invoicing:
The future of B2B payments is digital, data-driven and real-time. As standards solidify and interoperability improves, expect further innovation, especially in areas like:
Instant payments and e-invoicing are not just technology upgrades—they are a strategic advantage and are in high demand. Together, they represent a leap forward in how businesses transact, free up working capital, reduce friction and future-proof financial operations. The future of B2B payments is instant. It is digital. And it is already here.
Source: The U.S. Faster Payments Council
by Madison Howard, Director, Marketing & Communications, EPCOR
Third-Party Senders are entering 2026 facing a dramatically different fraud and compliance landscape. Fraudsters are more sophisticated, scams are harder to detect and regulatory expectations are rising fast. If it feels like the risk environment is shifting under your feet, you’re not imagining it.
Today’s fraudsters are no longer relying on simple social engineering tactics. They’re using advanced technology, including generative artificial intelligence (AI), to create scams that are more convincing, scalable and difficult to spot.
Third-Party Senders have become a prime target, particularly as familiar schemes continue to evolve. Business Email Compromise and Payroll Diversion fraud are on the rise, with criminals redirecting funds to networks of money mules rather than traditional accounts.
Another fast-growing concern is False Pretenses, a newer Nacha fraud category where victims are tricked into authorizing payments to fraudsters. This makes detection far more challenging, especially as deepfake voice technology is now being used to impersonate executives or trusted partners and bypass traditional security controls.
The financial impact of fraud continues to climb at an alarming rate:
These figures highlight why fraud prevention is no longer just an operational issue—it’s a critical risk management priority.
At the same time, fraud is increasing, and regulatory expectations are tightening. Under newACH Rules:
Nacha now requires risk-based processes and procedures that are reasonably intended to identify both unauthorized transactions and false pretense entries. This means organizations must take a proactive, documented approach to fraud monitoring, not a one-size-fits-all solution.
Fraud doesn’t stop at ACH, which is why organizations need a total payment defense strategy that covers every payment channel. Best practices include:
Across all payment types, dual controls and account validation are critical to ensuring the payee name matches the account information before funds are released.
Fraudsters will continue to adapt, but so can we. By staying alert, understanding emerging threats and implementing strong monitoring and controls, Third-Party Senders can reduce exposure to scams such as Business Email Compromise, synthetic identity fraud and false pretenses.
Staying informed is one of the strongest defenses we have. For more fraud-prevention tips and educational resources, explore your financial institution’s fraud awareness tools or reach out to your financial institution for guidance.
New ACH Fraud Monitoring Rules are Now in Effect!
Check out these resources for quick guidance and practical tips to keep your payments operations compliant:
Ensure your organization is compliant with the new ACH Rules!
Our team of dedicated professionals are here to support you.
