BLUF: For a 120-person credit union in Fresno we tightened ACH origination controls by adding rule-based filters + SIEM-powered anomaly alerts + stepped wire/ACH approval workflows — stopping fraudulent ACH attempts during a simulated attack and reducing payment-risk exposure by an estimated 70% within the first quarter.
Opening: a real operating situation in Fresno, not theory
When a mid-sized credit union in Fresno (120 employees, commercial and consumer ACH origination) survived a near-miss — a single fraudulent ACH instruction that reached the accounting queue but was caught before settlement — the board asked one narrow question: can we hold to NACHA Operating Rules expectations for originators and still process same-day payroll and vendor ACH on schedule? That problem forced a practical architecture: detection at the EDI/ACH gateway, rapid human verification inside the treasury workflow, and retained evidence for later examiner review.
We built that architecture around three constrained requirements the credit union demanded: (1) no more than 15 minutes added to high-volume payroll processing windows, (2) retain audit evidence for 180 days, and (3) escalate any anomalous originations over $10,000 to a two-person approval before transmission. Those numbers drove tooling choices and runbooks — for example, retention targets sized our log-storage tier and the two-person approval set the workflow rules in the core banking integration.
Why NACHA rules + FFIEC guidance matter for a local credit union
NACHA Operating Rules govern ACH participants’ obligations for origination and return procedures; those rules set the contractual expectations inside the ACH Network (we discuss them in operational terms in this post rather than attempt to republish NACHA text). The FFIEC’s retail payments guidance (the Retail Payments Systems booklet of the IT Examination Handbook) establishes what examiners will look for when they evaluate an institution’s controls over ACH and other retail payment channels1. If examiners ask for an ACH-control narrative, you must show both the detection controls and the monitoring evidence chain — logs, alerts, and the retention policy that ties them together1.
What the credit union actually changed (concrete workflow + controls)
- Front-end validation at the ACH origination gateway (syntactic and semantic checks; blocked if mismatch to known vendor ACH file format).
- Rule-based velocity filters: per-originator daily count and dollar thresholds; automatic hold when either metric crosses the configured threshold.
- SIEM correlation and near-real-time alerting for anomalous originations (new payee + elevated dollar amount + off-hours submission) tied to a 2-person approval workflow in the accounting system.
- Evidence retention: transaction payload + authentication logs + e-mail / approval artifacts retained for 180 days to support examiner requests or forensic analysis.
These steps are not hypothetical. They map to the FFIEC/IT-exam expectations for retail payments systems (examiners expect an institution to design, monitor, and retain evidence for payment-channel controls)1, and to continuous monitoring practices identified by NIST as core to effective detection and response2.
How we layered technical controls (tool categories and a decision table)
| Option | Best fit | Specialty / strengths | Location (Datapath service) | Buyer-relevant differentiator |
|---|---|---|---|---|
| Rule-based ACH gateway filters | Credit unions, banks with predictable vendor lists | Cheap, deterministic, fast | /services/managed-it-services/ | Minimal latency for payroll; low cost to tune |
| SIEM + analytics (NIST ISCM alignment) | Mid-market finance, multi-branch banks | Correlation across sources; anomaly scores | /services/managed-cybersecurity-services/ | Detects behavioral anomalies rather than single-rule hits |
| Two-person approval + workflow engine | Any regulated payer (K-12 payroll, healthcare) | Human-in-loop approval for high-risk transfers | /services/co-managed-it-services/ | Operational control that reduces escalation risk |
| 3rd-party ACH monitoring / fraud consortium | Larger institutions with many corporate originators | Shared telemetry across banks | /services/vendor-risk-management-services/ | Faster detection of emerging fraud patterns across peers |
How this ties to FFIEC, NIST, FBI and CISA guidance (four evidence-backed claims)
- The FFIEC Retail Payments Systems booklet is part of the IT Examination Handbook and frames examiner expectations for retail payments risk management and related evidence1.
- NIST defines Information Security Continuous Monitoring (ISCM) as ongoing awareness of information security, vulnerabilities, and threats — the core idea behind SIEM + analytics in payments monitoring2.
- The FBI describes Business Email Compromise (BEC) as a vector that frequently results in fraudulent payment instructions (BEC is one of the common scams that leads to ACH fraud), which is why we add human verification for high-dollar ACHs3.
- CISA’s guidance on ransomware and incident reduction emphasizes practical steps organizations should take to reduce impact and likelihood of payment-channel compromise — a reminder that payment monitoring is part of resilience planning, not just fraud detection4.
1 See the Retail Payments Systems booklet (FFIEC IT Examination Handbook) for examiner expectations on retail payment controls.
2 See NIST SP 800-137 on Information Security Continuous Monitoring.
3 See the FBI description of Business Email Compromise (BEC) scams.
4 See CISA ransomware guidance on organizational steps to reduce incident impact.
A practical checklist we ran in Fresno (actionable, repeatable)
- Map every ACH origination source (core system, online portal, batch EDI).
- Assign a risk profile to each originator (payroll, vendor payments, customer-initiated debits).
- Configure rule-based velocity plus dollar thresholds per originator; set automatic hold above thresholds.
- Forward holds to a 2-person approval queue integrated with the accounting system (telephone out-of-band verification for new payees).
- Send correlated alerts to SIEM and trigger an IR playbook if combined signals indicate account compromise.
- Retain payload + audit trail for 180 days and make it searchable for examiners (size storage accordingly).
Common buyer questions (and our short answers)
How much latency will monitoring add to payroll runs?
We engineered the Fresno credit union’s rule checks to run in under 60 seconds per batch; high-risk holds were the only actions that required manual review, and we constrained those reviews to a 15-minute window during payroll cutover. That design preserved payroll SLAs while adding a human checkpoint for the riskiest items.
Which controls are examiner-visible vs. operational-only?
Examiners focus on design and evidence: the policy that defines thresholds, the runbook describing the 2-person approval workflow, and the retained logs and audit trail showing a sample hold and resolution. Operational-only items (e.g., tuning thresholds for false-positive reduction) matter to you but are secondary in an examiner review1.
Do we need real-time machine learning to be compliant?
No — FFIEC and NIST both emphasize risk-based, evidence-backed monitoring and continuous awareness, not a specific technology. Rule-based controls + robust logging + a defined incident/playbook meet the supervisory expectations; ML is a force-multiplier for detection but not a regulatory requirement12.
Sizing and cost signals — how we decided what to buy
We used three inputs to size monitoring and retention: transaction volume, peak payroll batches per month, and the two-person approval dollar threshold. For the Fresno credit union: daily ACH originations averaged ~1,200 entries; peak payroll window had 30,000 records monthly; the board set the approval threshold at $10,000. Those numbers dictated (a) log ingestion tier (hot/cold), (b) SIEM license tier, and (c) human FTE for approving holds.
A simple decision rule we used: if you process >20,000 ACH entries per month OR your average origination dollar exceeds $25K, choose SIEM + analytics; otherwise start with gateway rules and co-managed monitoring and scale later. That sizing rule is operational (not regulatory) and is meant to align cost to measurable throughput.
A short incident playbook (what happens when an alert fires)
- Automated hold at gateway; transaction moved to pending state.
- SIEM correlator tags event (new payee + off-hours submission + anomalous IP).
- Automated message to accounting with required two approvers; if both approve, transaction proceeds; otherwise, transaction stays on hold and IR team investigates.
- If fraud confirmed, notify ODFI and file required returns per NACHA timelines (Datapath helps assemble the evidence packet for the return and examiner review).
Why we keep logs for 180 days (and why our examiners liked it)
Examiners ask for the sample evidence trail that shows the full chain: origination payload, authentication logs, alert history, approval emails, and resolution notes1. For a local examiner team that visits quarterly, 180 days of searchable evidence provides enough retrospective depth for both fraud trend analysis and a production incident review without forcing immediate long-term storage costs on a small institution.
What Datapath does for you in this stack (our value, not a commodity pitch)
We design the control architecture (rules, SIEM use-cases, and workflow) and operate it under an outcomes SLA: uptime for the monitoring pipeline, verified evidence retention, and a named team you can call during examiner visits. For finance customers in Fresno and the Central Valley we combine on-site integration with co-managed security operations so your treasury team keeps control while we manage detection and retention. See our managed cybersecurity and co-managed IT offerings for how we split responsibilities.
Final decision guide: when to call Datapath
- You operate ACH originations in Fresno or Central Valley and want an examiner-ready evidence trail.
- You have a payroll or vendor window that cannot tolerate more than 15 minutes of manual delay.
- You want a named team (not a ticketing queue) that owns the SIEM-to-payments correlation and examiner handoff.
If that describes you, book a consult with our local team; we pair a vCIO to map policy and a vCISO to map controls, then run a 30-60-90 day plan to get you examiner-ready while preserving daily operations. See vCIO and vCISO for those engagements.
Quick takeaway
Monitoring ACH fraud requires more than rules or ML in isolation: you need detection, an auditable human-in-loop workflow, and an evidence-retention plan that aligns with examiner expectations. We built that for a Fresno credit union with measurable reductions in exposure and a repeatable runbook you can copy.
Need help designing ACH monitoring tuned to your payroll windows or EHR billing cycle? Contact our Fresno team via [/contact/].