We often find through NEACH Payments Group (NPG) Audits, Risk Assessments, and other Consulting services that institutions disclose in account agreements for business clients that the institution shall not be held liable for account takeover fraud and other unauthorized transactions.
While business accounts are not protected under Regulation E, which requires financial institutions to investigate disputes and act in a certain timeframe for consumers, they are protected under the Uniform Commercial Code.
Additionally, the Originating Depository Financial Institution (ODFI) warrants that the Entry is authorized by the Originator and the Receiver. So, if the Entry is not properly authorized, the ODFI may face a breach of warranty claim.
And one may argue that businesses will now have some level of protection under new Nacha Rules requiring all Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs) to implement risk-based processes and procedures to identify ACH Entries initiated under fraudulent circumstances (which include corporate account takeover). This new Rule may allow attorneys to argue that if fraud monitoring is implemented, and potential fraud is flagged on the system but staff clears the flag, then the financial institution is not taking advantage of a commercially reasonable method for fraud monitoring and identification.
NPG staff often act as expert witnesses for attorneys who are representing business clients that become victims of fraud when their financial institutions refuse to act on their claims of unauthorized activity, often resulting in financial loss and other damages.
Attorneys partner with NPG for guidance on payment laws, regulations and the Nacha Rules. The question we often provide them guidance on is, “What could the financial institution have done, if anything, to monitor for the fraud and could they have done anything to attempt to recover the funds?” The answer is almost always yes; the financial institution could have done something.
Financial institutions will be required to have fraud monitoring capabilities enabled to identify potential fraud, follow up on it, and attempt to recover the funds. A financial institution can alert the ODFI of the fraud, mindful of a possible breach of warranty, so the ODFI can act upon it, and the RDFI can request the return of the funds.
However, too often, institutions essentially tell their business account holders that they cannot do anything when fraud is suspected, leaving these financial institutions at risk for costly legal disputes.
I encourage all financial institutions to take a close look at the disclosures you have with your business accounts and work with your legal counsel to ensure they are in line with your institution’s insurance policies and that they are aware of the protections under laws and regulations, such as the Uniform Commercial Code, and even the Nacha Rules. In addition, you should examine the upcoming Rule changes requiring you to monitor for fraud, to ensure your disclosures are not putting you at risk for a legal dispute.
If you need assistance communicating with attorneys or want to discuss how your financial institution or business can implement commercially reasonable processes to monitor for fraud, reach out to us at NPG. We would love to work with you.
Additional Information:
The new Nacha Rules will also require non-consumer Originators, Third-Party Service Providers (TPSPs), Third-Party Senders (TPSs), and Receiving Depository Financial Institutions to implement risk-based processes and procedures to identify ACH Entries initiated under fraudulent circumstances. The new Rules will go into effect in two stages beginning March 20, 2026, with the second stage taking effect on June 22, 2026.