NACHA Phase 2 compliance for accounting firms: ready-to-use templates and implementation guide
Run your entire firm on one platform
A new compliance rule is now in effect that affects every accounting firm collecting payments from clients via bank transfer. It’s called NACHA Phase 2, and while the name sounds bureaucratic, the reality is simpler than you’d expect.
Here’s what matters: as of June 22, 2026, if your firm processes ACH payments from clients, you now have a formal compliance obligation. The good news is you likely already have most of what the rule requires. What you need to do now is document it.
This guide walks you through what changed, what it actually means for your firm, and exactly what you need to add to your client agreements. If you’re an established firm managing ACH payments across multiple teams or departments, this matters even more. We’ll cover why as we go.
Table of сontents
What is NACHA Phase 2?
NACHA is the organization that governs how ACH payments (bank transfers) work across the US financial system. It’s the same network that processes direct deposits, bill payments, and the invoices your clients pay you through. And every business that initiates ACH transactions operates under Nacha’s rulebook, whether they know it or not.
In 2026, NACHA’s fraud monitoring rule reached full effect. Phase 2, which took effect June 22, 2026, extended the requirement to every business initiating ACH transactions, including accounting and tax firms, regardless of size.
The rule has three core requirements:
- Controls that catch suspicious or unauthorized payments
- Documentation of those controls
- Periodic review to confirm they still work
Here’s the important part: NACHA doesn’t prescribe one-size-fits-all controls. Instead, it requires controls that are proportionate to your situation. A firm processing five ACH payments a month to established clients faces a different risk level than a firm processing hundreds of payments. The controls need to match that risk level.
Implement fraud monitoring controls
Fraud monitoring controls are the systems and processes that detect, prevent, or catch suspicious or unauthorized transactions. They’re how businesses protect themselves and their clients from fraud, errors, and financial loss. For ACH payments specifically, fraud monitoring means having safeguards in place before payments leave your account.
They vary depending on your firm’s size and transaction volume, but they typically include:
- Identity verification: verifying that the person or business requesting the payment is who they claim to be
- Bank account validation: confirming the account exists and is legitimate before processing
- Return rate monitoring: tracking failed, disputed, or unauthorized payments to spot patterns
- Payment review: someone on your team reviewing transactions, especially unusual ones
- Dispute handling: a clear process for responding to client disputes or returned payments
That list might sound like a lot, but you don’t need to build these from scratch. For example, TaxDome has the infrastructure in place to support the compliance and fraud monitoring these controls require. TaxDome Payments covers bank validation, return monitoring, and identity verification — all running automatically on every transaction. Combined with the authorization language above, your firm’s compliance posture is covered.
All of this runs on SOC 2 Type II certification, the most rigorous security standard for service providers. Your firm’s data and client information are protected to the highest level.
Document your controls
NACHA requires that you write down what controls you have in place. This isn’t a formal audit or a compliance report. It’s simply proof that you thought about fraud and have a process.
The most straightforward way to document controls is through your client agreements. Clients need to authorize ACH payments anyway. That authorization language also serves as your documentation of intent and process. And it shows NACHA (and any auditor who asks) that you’ve informed clients about ACH and how you handle their payments.
We’ve prepared three templates that cover the most common places firms document client authorization for ACH payments. Choose the one that matches how your firm currently structures its client agreements. You do not need more than one.
Option #1: add to your client engagement letter
Insert this as a new paragraph under your existing payment terms section, or at the end of your engagement letter before the signature block.
Payment Authorization — ACH / Bank Transfer
By signing this engagement letter, you authorize [Firm Name] to initiate ACH debit transactions from the bank account you provide for the purpose of collecting fees for services rendered under this engagement. You confirm that you are authorized to provide this account information and to grant this authorization. ACH payments are processed through TaxDome Payments, a platform that employs industry-standard fraud monitoring, identity verification, and account validation controls. You have the right to revoke this authorization at any time by providing written notice to [Firm Name] with sufficient time to act before the next scheduled payment. Any unauthorized transactions should be reported to [Firm Name] immediately.
Option #2: add to your terms of service or client agreement
Insert this as a standalone section within your existing terms of service or master client agreement.
ACH Payment Authorization
Client authorizes [Firm Name] to initiate ACH debit entries to the bank account designated by Client for the payment of professional fees and related charges. Client represents and warrants that: (a) Client is the owner of, or is otherwise authorized to transact on, the designated account; (b) the account information provided is accurate and current; and (c) this authorization will remain in effect until Client provides written notice of revocation to [Firm Name] with reasonable advance notice prior to the next scheduled transaction. ACH transactions are processed through TaxDome Payments. [Firm Name] employs industry-standard controls through its payment platform, including identity verification, bank account validation, and ongoing transaction monitoring. Client agrees to notify [Firm Name] promptly of any transaction believed to be unauthorized or erroneous.
Option #3: standalone ACH authorization form
Use this if your firm prefers a separate one-page authorization document, or if you want clients to sign a dedicated payment authorization independent of the engagement letter.
ACH Payment Authorization Form
[Firm Name] | [Firm Address] | [Firm Contact Email]
Client Name: _________________________________
Business Name (if applicable): _________________________________
Bank Name: _________________________________
Account Type: ☐ Checking ☐ Savings
Routing Number: _________________________________
Account Number: _________________________________
By signing below, I authorize [Firm Name] to initiate ACH debit transactions from the bank account identified above for the payment of professional fees and related charges for services rendered. I confirm that I am authorized to provide this account information and grant this authorization. I understand that ACH payments are processed through TaxDome Payments using industry-standard fraud monitoring and account validation controls. This authorization will remain in effect until I provide written notice of revocation to [Firm Name] with sufficient advance notice prior to the next scheduled transaction. I agree to promptly notify [Firm Name] of any unauthorized or erroneous transactions.
Client Signature: _______________________ Date: ___________
Printed Name: _________________________________
Implementation timeline: Add this language to all new client agreements immediately. For existing clients, incorporate it at your next engagement renewal or when you update your standard agreement. You don’t need to retroactively chase down every existing client.
The easiest way to manage this is to use a platform that handles the entire client flow in one place. With TaxDome, for example, you can add ACH authorization language to your engagement letter or proposal template once, and it goes out to every new client automatically. Clients sign directly in the TaxDome client mobile app, TaxDome collects payment, and the rest of your work continues in the same place. No chasing, no separate tools. Everything stays connected.
Review your controls periodically
Documentation is just the first step. NACHA also requires that you review your controls periodically to confirm they still fit your operation and that your documentation stays current.
What you’re reviewing:
- Are your controls still appropriate? If your payment volume doubled this year, do your current controls still match your risk level? If your client base changed, do your processes still work?
- Is your platform still secure? Has your payment processor updated their fraud monitoring? Are there new features you should be using?
- What disputes or issues came up? Look at returns, disputes, or unusual activity from the past period. Did your controls catch them? Did anything slip through?
Review your controls annually, ideally before your fiscal year ends or at your next client agreement renewal cycle. Set a calendar reminder so it actually happens. Pull a report of ACH activity from your payment processor and review it with whoever handles payments on your team.
When you do this review, document it. A simple note in your files like “Reviewed ACH controls on [date], no changes needed” or “Updated process on [date]” is all you need. It proves you’re taking compliance seriously if questions ever come up.
You don’t need to make big changes every year. Most firms find their process works fine and just confirm that’s still true. The point is that you checked.
Frequently asked questions
Do I need to register with NACHA or file anything?
No. There’s no registration, filing, or formal notification required. The rule is a documentation and controls requirement, not a licensing regime. Adding the authorization language to your client agreements and using a secure payment platform covers your obligation.
I collect only a small number of ACH payments. Does this apply to me?
Yes, but the requirements are scaled. NACHA’s rule applies to all ACH originators, regardless of volume. However, the rule explicitly states controls must be “proportionate to your transaction volume and client profile.” A firm processing 5 ACH payments a month with established clients faces a much lower bar than a firm processing 500 payments a month to new clients. For larger volumes, you’ll likely need automated controls built into your payment platform — manual processes alone won’t provide the visibility you need across your operation.
I’ve been collecting ACH this whole time. Do I need to update agreements right now?
Yes, but you have a grace period. NACHA requires documentation going forward. Start adding the authorization language to all new client agreements immediately. For existing clients, incorporate it at your next engagement renewal or when you next update your standard agreement.
What if a client refuses to sign the updated authorization language?
That’s a business decision for your firm. The language protects both parties — it gives your firm a documented record of consent, and it gives clients clarity on how their banking information is used. Walking them through this guide usually addresses concerns. If a client still refuses, consider offering an alternative payment method (credit card, wire transfer, check).
What happens if a client disputes an ACH transaction?
Direct them to contact your firm first. Then report the dispute to your payment processor immediately. Most platforms have dispute and return handling processes. The sooner you flag it, the better the outcome for everyone.
Does this rule affect credit card payments or other payment methods?
No. This rule applies specifically to ACH bank transfers. Credit card payments, wire transfers, checks, or other payment methods are not affected.
Do I need a lawyer to implement this?
For most firms, no. The templates in this article are written to be clear and proportionate for typical accounting firm operations. If your firm has specific state-level requirements, handles unusually large transactions, or has existing agreements reviewed by counsel, it’s worth having legal review the addition before rolling it out. But for most firms, these templates work as-is.
Mari develops TaxDome content by combining customer insights, industry research, and real-world trends. Her structured, automation-driven approach ensures messaging is clear, relevant, and supports more connected and efficient accounting firms.
Recommended articles
Referral program strategies for accounting firms: driving growth from loyalty
Free bank reconciliation template + guide to automating account reconciliation
How to make a profit and loss statement: free template, examples, and step-by-step instructions