Recent changes to Nacha (National Automated Clearinghouse Association that governs the ACH network) requirements are forcing controllers to take a harder look at how supplier bank account details are verified and documented. During the Controllers Council webinar, New Nacha Rules, New Risks: What Every Controller Must Do Now to Verify Supplier Bank Details, Phil Binkow, CEO at VendorInfo, and Mark Brousseau, President at Brousseau & Associates addressed the convergence of stricter validation expectations and a sharp rise in sophisticated fraud targeting accounts payable teams. From the outset, the discussion made clear that these pressures are not theoretical. As Mark Brousseau explained, “there are two very big things happening at the same time.” Bank account change fraud continues to accelerate, while Nacha has “raised expectations for how it is that bank account details should be validated and monitored and reported on.”
Why Legacy Verification Practices Are Breaking Down
One of the most candid moments of the session came when Phil Benko addressed common validation habits he still sees inside finance organizations. “The most ‘cringeworthy’ is when we see, when we hear that people are telling us that they’re validating bank accounts with their vendors through email,” he said. He went on to warn that when a vendor’s email system is compromised, “using email to try to validate it is basically giving the gun back to the burglar.” Polling during the webinar reinforced this concern. Eighty percent of attendees indicated they were not fully confident their current controls would stop a sophisticated fraud attempt. Manual steps, phone callbacks, and informal exceptions remain widespread, even as fraud tactics become harder to detect.
Fraud Has Evolved Faster Than Controls
Several speakers emphasized that today’s fraud is fundamentally different from what many AP processes were designed to handle. Brousseau noted that fraud is no longer opportunistic, describing how one dismantled fraud ring “had an HR department to recruit fraudsters, had 500 employees, a marketing department to sell their ill-gotten data.” Artificial intelligence has further narrowed the margin for error. “AI-generated emails and even videos and phone calls now can mimic the tone of actual vendors, of actual coworkers,” Brousseau said. As a result, familiar red flags are disappearing, particularly for teams already stretched thin or experiencing staff turnover. This shift exposes a deeper structural issue. “Many AP workflows were designed for trust, not for deception,” Brousseau explained. When controls rely on judgment, memory, or informal steps, fraud does not need to break the process. It simply moves through it.
What the New Nacha Rules Actually Demand
A recurring theme throughout the session was that Nacha’s updated requirements are not about intent. They are about defensibility. As Brousseau put it, “Nacha isn’t just evaluating intent anymore. They’re evaluating defensibility.” In practical terms, that means validation must be repeatable, consistent, and provable. One vendor cannot receive rigorous scrutiny while another receives a lighter touch because they are familiar. “Inconsistency is now a control weakness,” Brousseau said. Documentation also takes on new importance. Evidence must be retrievable months later and able to withstand external review. As the speakers cautioned, if audit preparation depends on searching inboxes or screenshots, the process is unlikely to meet Nacha expectations.
Why Automation Is Becoming a Control Requirement
Throughout the discussion, automation emerged as less of a technology upgrade and more of a control layer. Manual methods were repeatedly described as vulnerable to error, fatigue, and variability. “Everything that’s manual is subject to error for all kinds of reasons,” Benko said. By contrast, automated bank account validation enforces the same steps every time, regardless of vendor, geography, or workload. Benko described the goal succinctly: “It’s proof coming from a source of truth that the bank account is owned by the person who you believe is presenting the information.” This consistency matters even more for organizations with international suppliers. Relaxed controls for global accounts, the speakers warned, create precisely the gaps fraudsters look for.
From Incident Response to Prevention
One of the more pointed observations of the webinar centered on the controller’s role. In a manual environment, teams often find themselves explaining what went wrong after funds have moved. With preventive controls in place, that dynamic changes. As Brousseau noted, “Preventive controls stop fraud before money moves.” The speakers encouraged controllers to start with an honest assessment of current processes, identify informal exceptions, and define what valid proof looks like under today’s risk conditions. Waiting for fraud to force change, they cautioned, is the costliest path forward. To learn more about the new Nacha rules, view the complete webcast here. ABOUT OUR SPONSOR: VendorInfo, part of Financial Operations Networks (FON), provides specialized self-service vendor portals that bring focused, comprehensive and timely tools and support for collecting, verifying and managing vendor information. VendorInfo meets the changing internal and external requirements for security, controls, compliance, efficiency and scalability. FON was founded by the leadership team behind PayTECH and The Accounts Payable Network and has been instrumental in helping thousands of senior financial professionals keep their operations ahead of the risk, efficiency and cost-avoidance curves since 2001. Learn more at www.vendorinfo.com
