High-Risk ACH: Faster Payments and Fraud Expose Failures in Risk Oversight

ACH processing and its related financial crimes risk controls were never designed for this.

For decades, ACH functioned in the background.  It was slow, predictable, and largely invisible. It deposited payroll, paid bills, and supported other routine activities. Risk was mitigated by product, time, and scale.

This mitigation no longer holds.

Over the past few years, ACH volumes have more than doubled. Annual ACH dollar volume has grown from roughly $40–45 trillion in the mid‑2010s to more than $90 trillion today. That growth has been powered by new participants bringing new products to the payments ecosystem—fintech platforms, embedded payments, B2B automation tools, payout processors, and other non‑bank intermediaries operating at scale. It has also been accelerated by Same Day ACH, the faster payments method of the ACH network, with a volume of $3.9 trillion last year, a 21.4% increase from 2024.

Regulators have taken notice, and so have criminals.

In 2024, TD Bank agreed to pay more than $3 billion in penalties tied to systemic AML and transaction‑monitoring failures. This included failing to examine the now-higher-risk ACH activity using their automated transaction-monitoring tools.

NACHA, the organization that governs the ACH network, has thoughtfully responded with new risk management rules to reduce the incidence of successful fraud attempts and improve the recovery of funds after fraud has occurred.  While compliance requires new “risk-based processes and procedures,” in 2026, mere compliance with the rule is no guarantee that your institution’s risk will decrease.

The combination of ACH scale, speed, and complexity raises a basic question Boards and senior risk officers can no longer avoid: whether their ACH risk oversight has evolved to match how the network is actually being used today. To address this, boards and CROs could take several concrete actions to modernize oversight.

To help leadership move from intent to execution, these actions can be prioritized as a practical roadmap for the first year of implementation:

1. First 30 days: Foster collaboration with fintech partners to gain deeper insights into the transactional data and enhance understanding of emerging risks. Early and ongoing engagement facilitates quicker, informed decision-making and helps institutions adapt oversight to changing risk profiles.

2. First 90 days: Evaluate critical ACH infrastructure and initiate projects to upgrade or replace applications that fail to support the type of real-time, complete data access needed to shift financial crime controls from detective and delayed to preventive.

3. First 6 months: Implement real-time and near-real-time transaction name list screening and monitoring systems that provide more immediate alerts on bad actors and anomalous activities. This enables institutions to better match beneficiary account information to ACH records and to proactively respond to issues before they escalate, thereby improving detection and escalation.

4. By 12 months: Regularly update risk assessment frameworks to include new transaction volumes, types, and actors within the ACH network. As the business evolves, ensuring oversight mechanisms keep pace with current operations reduces the risk of control failures and supports sustainable governance.

   
   

ACH Payment Volume Has Grown—But Oversight Models Haven’t

Even if ACH risk reaches senior management or the board, the discussion frequently focuses on familiar themes: rising volumes, aging infrastructure, vendor limitations, or the need to tune transaction‑monitoring scenarios.

Those issues matter. But they are not the point of failure.

The deeper issue is conceptual. Many ACH risk programs still rest on assumptions formed when ACH was slower, simpler, and more centralized—when delayed visibility was tolerable, and accountability was easier to define.

Those assumptions no longer hold.  

ACH today operates in an environment where origination, customer ownership, monitoring responsibility, and decision authority are frequently fragmented among multiple less-regulated entities or departments within a single institution. Controls can exist and still fail—not because they are absent, but because they surface issues too late to matter.

Not Your Grandparent’s ACH

Underlying this tension is the transformation of ACH itself.

ACH was once a predictable batch system supporting payroll, bill payments, and government benefits. Today, it underpins a far more diverse ecosystem: platform‑driven B2B payments, app‑enabled consumer transfers, automated AP/AR workflows, digital MSBs, payout processors, and next‑generation merchant and marketplace models.

Fintech growth has been a major driver. Industry reporting shows fintech revenues growing far faster than the wider financial services sector, with increasing profitability and scale. Those firms are now responsible for a significant share of ACH origination volume—often acting on behalf of thousands or millions of underlying users. These transactions ultimately flow through traditional banking channels.  Channels built for a bygone era.

These trends point to continued expansion, not stabilization.

Complexity, Volume, and the Rise of ACH‑Enabled Crime

As ACH grows in complexity and value, it becomes increasingly attractive to criminals.

Criminals understand what institutions routinely struggle to adapt: where responsibility is diffused, where data arrives late, and where monitoring obligations are unclear.

Consider this: if you were looking to hide $5 million in plain sight within your organization’s payment flows, where would you put it? This is the provocative question criminals already ask as they map for blind spots and gaps in your risk oversight. They exploit uncertainty around who owns the customer, who performs KYC, who monitors activity, and how long it takes for anomalies to surface. Requiring leaders to imagine the attacker’s point of view can clarify just how easily sophisticated actors navigate institutional complexity—and underscore the need for boards and executives to fund meaningful improvements before a real incident happens.

Unsurprisingly, ACH‑related fraud has increased in absolute terms. Industry surveys show a growing share of organizations experiencing ACH debit and credit fraud, particularly in B2B contexts — total dollar exposure has risen alongside volume and value.

The pattern is dangerous. Detection occurs long after settlement, when recovery options are limited, and escalation becomes reactive.

Buggy‑Whip Infrastructure and the Limits of Legacy Design

These control weaknesses are exacerbated by an aging infrastructure. Core ACH engines at many institutions remain batch‑oriented, file‑based systems built decades ago. They are costly to maintain, difficult to modify, and increasingly reliant on a shrinking pool of specialized expertise.

Industry research has repeatedly described ACH modernization as both an operational risk and a strategic imperative. As ACH usage grows and use cases evolve, institutions face a widening gap between what legacy systems were designed to deliver and what the market now requires. To bridge this gap, ACH network participants should consider implementing newer cloud-based processing systems.  In addition to lowering overall operational risk, these systems reduce financial crime risks by creating real-time API access to transaction-level data, enabling preventive controls, and providing a richer, more timely source of data for detective controls.

In the interim, participants should still implement enhanced detective controls.  These controls should include near-real-time name screening of ACH detail records against account names and an external consortium list to detect misdirected payment schemes and  Mule Account activity. It should also include near-real-time behavioral transaction-monitoring systems to quickly identify and address anomalies. By focusing on these areas, executives can better align their oversight programs with the demands of the modern payments landscape.

But technology alone does not explain the outcomes institutions are experiencing.

Even modern tools struggle when oversight models assume that risk can be reviewed comfortably after the fact. Faster payments compress the window between origination and impact. Visibility delays that previously felt operational now function as risk multipliers.

Why Boards and CROs Are Often the Last to See ACH Risk

Many institutions take comfort in the existence of controls, alerts, and dashboards that suggest ACH risk is being managed.

But activity is not awareness.

If meaningful insight into anomalous ACH behavior surfaces only after batch processing, alert queues, prioritization, and investigative backlogs, leadership is not managing risk. It is continually creating control failure post-mortems.

This distinction matters. Regulators increasingly expect institutions to demonstrate not just that controls exist, but that risk is surfaced, escalated, and acted upon early enough to prevent harm. Current regulatory guidance emphasizes the importance of real-time risk assessment and proactive governance strategies. Institutions need to align their oversight practices with this guidance to ensure compliance and effective risk management.

A Governance Question That Now Matters

For boards and chief risk officers, the critical question is no longer whether ACH controls exist.

It is whether risk is visible early enough to matter.

That requires moving beyond control coverage toward risk visibility—a clear line of sight between activity, interpretation, escalation, and decision-making. Where those connections are weak, the reported residual risk is likely to underestimate the actual risk. To help boards and chief risk officers monitor progress and effectiveness, adopting key risk visibility metrics is critical. Practical indicators could include the average time to detect anomalies, the rate of false positives in transaction monitoring, and the time from anomaly detection to escalation. Regularly monitoring these metrics can provide valuable insights into the effectiveness of a risk oversight strategy.

Final Thought

ACH has quietly moved from back‑office utility to front‑line risk channel.

Institutions that continue to govern it as legacy infrastructure should expect continued surprises—regardless of how much they invest in systems or programs. Those surprises are rarely technical failures. They are governance failures, driven by outdated assumptions colliding with payment flows that now move faster than oversight.