Kofi Ndaikate is a seasoned authority in the shifting landscape of fintech, bringing a wealth of knowledge that bridges the gap between traditional banking structures and the cutting-edge worlds of blockchain and regulatory policy. With a career spent analyzing how money moves across digital borders, he has become a go-to voice for understanding the high-stakes evolution of payment security. In this conversation, we dive into the recent implementation of Nacha’s fraud monitoring rules, a move that signals a monumental shift in how financial institutions must guard the ACH network against increasingly sophisticated criminal tactics.
The discussion centers on the newfound responsibilities of receiving financial institutions, which are now tasked with a proactive role in sniffing out fraud before it settles. We explore the staggering rise of Business Email Compromise, a scamming method that has drained billions from the economy, and why these new rules focus on flexible risk-based processes rather than rigid technological mandates. Kofi also sheds light on the collaborative effort required across different departments within a bank to turn these regulatory requirements into a tangible defense against the rising tide of credit-push fraud.
Receiving financial institutions now have a defined role in monitoring incoming payments for fraud. How does this shift from a reactive to a proactive stance change the daily operations for a bank’s fraud department?
For the first time in the history of the ACH network, the burden of vigilance is shared equally at both ends of the transaction. Previously, receiving banks were often seen as passive repositories, waiting for a claim to be filed before they took any action on a suspicious deposit. Now, they are empowered—and expected—to delay the availability of funds or even return a transaction entirely if it smells like fraud, without waiting for the originating bank to sound the alarm. This creates a high-pressure environment where operations teams must develop a “sixth sense” for spotting anomalies in the flow of incoming credits. It’s a significant operational pivot that requires banks to move away from individual risk profiles toward a consistent baseline expectation of safety across the entire life cycle of a payment.
The FBI reported that Business Email Compromise losses exceeded $3 billion in 2025. What is it about these “credit-push” scams that makes them so difficult to intercept compared to traditional unauthorized withdrawals?
The primary challenge with credit-push fraud is that the transaction itself is technically “authorized” by the victim, who has been manipulated by a fraudster impersonating a trusted executive or vendor. When you look at the numbers, the growth is terrifying; complaints rose from 21,442 in 2024 to 24,768 in 2025, representing a jump in losses from $2.7 billion to over $3 billion. Because the victim voluntarily pushes the money out, traditional security filters often see a legitimate payment request. Once that money hits the ACH network, it moves with a speed that makes it incredibly difficult to reverse, especially as we see more same-day and instant payment options becoming the norm. The criminals are essentially weaponizing the trust and the efficiency of the banking system against the users themselves.
Nacha’s new rules are described as “not prescriptive,” meaning they don’t mandate specific software or tools. Why is this flexibility considered a strength, and what are the potential risks of leaving so much open to interpretation?
By choosing not to mandate specific technologies, Nacha acknowledges that a massive global bank and a small local credit union have vastly different risk appetites, transaction volumes, and operational budgets. This flexibility allows each institution to tailor its defense to its specific business needs, focusing on risk-based processes rather than a one-size-fits-all software solution. However, the flip side is that “not prescriptive” can sometimes lead to inconsistent enforcement or gaps in the network’s armor. As experts have noted, fraud detection is always a delicate balancing act between rigorous protection and the need for a smooth customer experience. If one bank interprets the rules loosely to avoid “friction” for its clients, it might inadvertently become a weak link that fraudsters exploit to funnel their illicit gains.
With the final implementation deadline having passed on June 22, what have we learned from the larger institutions that had to comply by the earlier March 20 deadline?
The early wave of implementation, which targeted larger-volume originators and major depository institutions, served as a crucial stress test for the entire framework. We saw that the March 20 deadline forced these heavy hitters to break down the internal silos that often exist between compliance, operations, and product management teams. The extension of the final deadline from June 19 to June 22, necessitated by a U.S. bank holiday, gave the remaining pool of users a tiny bit of breathing room, but the underlying pressure remained intense. These deadlines have reinforced the idea that successful fraud prevention isn’t just about a single department; it’s a holistic effort that must be woven into the very fabric of the organization’s relationship management and risk strategy.
Many experts argue that rules alone won’t stop fraud and that behavioral analytics are the missing piece of the puzzle. How should institutions combine these new policy requirements with advanced data tools?
Policy provides the bones, but behavioral analytics provide the eyes and ears that make the system truly effective. While the Nacha rules establish the legal and procedural framework, institutions that see the most success are those pairing compliance with cross-channel visibility and stronger authentication methods. By analyzing the “behavior” of a transaction—such as the time of day, the typical frequency of payments to a specific vendor, or even the typing patterns of the person authorizing the transfer—banks can spot red flags that a simple checklist would miss. It’s about creating a layered defense where the policy mandates the action, but advanced analytics provide the intelligence needed to make that action accurate and timely.
What is your forecast for the ACH network now that these standards are in place?
I expect we will see a “settling in” period over the next few months where the industry tests the boundaries of these rules to see how far they can push fraud prevention without alienating legitimate customers. We will likely see other payment networks closely watch the ACH experiment and adopt similar risk-based approaches to combat the 70% of organizations currently being hammered by BEC scams. While these rules won’t eliminate credit-push fraud overnight—especially as AI and impersonation techniques become more sophisticated—they create a much harder environment for criminals to operate in. Ultimately, the network will become more resilient as every participant, from the originator to the receiver, begins to see themselves as a primary defender of the system’s integrity.
