ACH fraud is any scheme that moves money through the ACH network without your genuine authorization, and the most dangerous myth about it is that ACH payments are easy to reverse. For a consumer, there is real truth to that. For a business, there mostly is not. A company that receives an unauthorized ACH debit has about two banking days to return it, and a company that originates an ACH credit it was deceived into sending usually has no right to pull it back at all. The belief that you can always call the bank and claw an ACH payment back is consumer-account advice repeated as business fact, and it is why teams treat ACH as a safe, undoable rail when it is neither. Nacha, the body that governs the ACH network, has tightened this further: its fraud-monitoring rules, whose second phase took effect in June 2026 for all remaining non-consumer originators1, now require every business that originates payments to screen for transactions made under false pretenses. This guide explains what is actually reversible on ACH for a business, how short the real windows are, what the 2026 rule requires, and how to stop ACH fraud at the only reliable point, which is before the payment settles. The honest version is that ACH gives you a little more time than an instant rail and far less than the folklore promises, and none of it substitutes for verifying the payment before it goes out.
Why "ACH is reversible" is consumer advice, not business reality
The reversibility myth comes from the consumer side of the ACH network, where the protections are genuinely strong. A consumer who spots an unauthorized ACH debit generally has up to 60 days to dispute it and get their money back, under the rules that govern consumer accounts. That experience, of calling the bank and having a bad debit reversed, is where the belief that ACH is easy to undo comes from. It is true, for consumers.
A business operates under different rules. Corporate accounts do not carry the same extended dispute rights, the return windows are measured in days rather than weeks, and the protections that do exist cover a narrower set of situations. Most importantly, the myth conflates two very different events: money pulled out of your account without permission, and money you pushed out yourself after being deceived. The first has a short return window. The second usually has none. Treating ACH as a safe, undoable rail because a personal bank once reversed a fraudulent charge is how businesses end up sending an ACH credit they can never get back.
The two-day window on an unauthorized debit, and what it does not cover
When someone debits your business account through ACH without authorization, you do have a remedy, but it is fast and narrow. Your bank can return the entry using return reason code R29, which covers a corporate customer advising that a debit was not authorized, and the return generally must be made by the opening of the second banking day following settlement. That is roughly a two-day window, and it depends on your team noticing the unauthorized debit almost immediately, which is why daily account monitoring and ACH debit blocks or filters matter so much for businesses.
What this window does not cover is the more common and more expensive case: a payment your own company originated. R29 is for debits pulled from you, not for credits you pushed out. If you were tricked into sending an ACH credit to a fraudster, there is no unauthorized-debit return to file, because you authorized it. With the FBI reporting $3.046 billion in business email compromise losses in 2025, 86 percent of it moving by wire or ACH2, the originated-credit case is where most of the money is actually lost, and it is exactly the case the two-day debit window cannot help. If you want the payment checked before it leaves, you can request access.
Why a credit you send cannot simply be clawed back
Once your business originates an ACH credit and it settles, pulling it back is not a right you hold; it is a favor you have to ask for. Nacha does allow reversals, but only for specific, provable errors: a duplicate payment, a wrong dollar amount, a wrong account number, or a payment sent on the wrong date. A reversal must be transmitted within five banking days and the originator has to make the correcting entry available, and even then the receiving bank and account holder can decline if the money is already gone. A payment you were deceived into approving is not an error in this sense, because the instruction was exactly what you intended at the time.
That distinction is the whole problem with authorized-payment fraud. The system did what you told it to do. A fraudster who receives your ACH credit moves it onward through other accounts quickly, so even when a bank is willing to attempt recovery, there is usually nothing left to recover. This is why recovery is a backstop, not a plan: the FBI’s Recovery Asset Team can sometimes freeze funds when a victim reports immediately, but that path reaches only a fraction of losses and depends on speed most teams cannot manage. On the origination side, ACH behaves far more like an irreversible rail than the myth admits.
What the 2026 Nacha rules now require from businesses
Nacha has moved the expectation from reacting to fraud toward detecting it before the payment goes out. Its fraud-monitoring rules, whose second phase took effect in June 2026 for all remaining non-consumer originators and third parties1, require businesses that originate ACH payments to maintain risk-based processes to identify transactions initiated under false pretenses. Nacha defines false pretenses as inducing a payment by misrepresenting an identity, an authority to act, or the ownership of an account, which is a precise description of business email compromise and vendor impersonation.
The practical effect is that fraud screening on ACH is no longer optional or reserved for large banks. If your company sends ACH payments, you are now expected to have a process that looks for payments you were tricked into authorizing, not just entries that are technically unauthorized. The rule pulls the control earlier in the flow, toward the moment before a payment is released, because that is the only point where detection changes the outcome. The 2026 AFP Payments Fraud and Control Survey found that 76 percent of organizations faced attempted or actual payments fraud3, so this is a screen against the normal case, not an edge case.
ACH debit blocks, filters, and daily monitoring: controls that fit the short window
The two-day return window only helps if you catch an unauthorized debit in time, so the most practical ACH controls are the ones that either stop bad debits outright or surface them fast. An ACH debit block tells your bank to reject all ACH debits on an account, which suits accounts that should never be debited, such as a payroll-funding or reserve account. An ACH filter, sometimes called ACH positive pay for debits, is less blunt: it lets through only debits from a list of company IDs and dollar limits you pre-approved, and holds or returns everything else. Pairing a block or a filter with daily account review is what turns the R29 window from a right on paper into one you can actually use.
On the origination side, where the larger losses happen, those debit tools do not apply, because the risk is a credit you send rather than a debit pulled from you. There the defenses are different: dual approval, so the person who enters a payment is not the one who releases it; out-of-band verification of any banking-detail change, using a channel the requester did not provide; and a hold on the first payment to new details. These are the controls the FBI and Nacha both point to, and they work right up until a deceived approver under deadline skips them, which is exactly the condition the scam engineers. That gap, between a control that depends on someone remembering to be careful and one that runs on its own, is what the final control closes.
How to stop ACH fraud before it settles
Since the return windows are short and an originated credit is effectively final, the durable defense is to verify the payment before it settles rather than to chase it after. That means checking the payer, payee, amount, and purpose against the records you already trust, requiring proof that a real, authorized person approved this specific payment, and holding anything that does not match rather than releasing it on the next run. It is the same logic behind ACH debit blocks and dual approval, made automatic and unskippable so it holds under the deadline pressure that fraud depends on.
This is where RankShield Financial fits. It sits in the authorization path as a verification and attestation layer, not a wallet or a processor, and it never takes custody of your funds; your bank and the ACH network still move the money. It verifies the payee and proves an authorized approval before release for ACH and other rails, and seals a signed, tamper-evident record of the decision. Unlike a private fraud score you must trust, that verdict is independently verifiable, so an examiner, an insurer, or a partner can check it rather than take it on faith. That shared signal compounds as members join, rather than claiming a scale we have not yet reached, and the signing is quantum-safe by construction, not quantum-proof. The rule now expects this screening, the return windows are shorter than the myth suggests, and the goal is straightforward: hold a suspect payment before it settles and keep evidence of who approved it.