NACHA Phase 2 Compliance: IAL2 Real-Time Identity Verification and Audit Evidence
NACHA Phase 2, effective June 22 for mid-market recordkeepers, mandates IAL2-compliant real-time identity verification with auditable, machine-readable evidence to combat escalating AI-driven fraud and avoid severe penalties—ranging from warnings to $500,000 monthly fines—rendering traditional knowledge-based authentication, eSign, and manual reviews insufficient, while Proof uniquely offers ODFI-defensible audit sessions meeting these stringent requirements.
NACHA Raised the Bar on Identity Verification. Proof Already Cleared It.
NACHA Phase 2's False Pretenses mandate affects every mid-market recordkeeper on June 22, requiring IAL2-compliant, real-time identity verification as the compliance minimum. Proof is the only platform where every identity session becomes ODFI-defensible audit evidence.
The State of the Industry
AI scaled fraud. Analog controls have not caught up.
- 217%: ATO (Account Takeover) volume growth in the last 4 years
- $1.38B: Projected regulatory penalties in 2026
- $88.5k: Average fraudulent disbursement, deliberately below thresholds
- 1,254%: Regulatory penalty surge since 2022
The tools most firms rely on were built for a different threat.
Knowledge-based authentication
Confirms that someone knows certain information. Does not confirm who is actually initiating the transaction.
eSign and generic RON
Verifies a signature, not the identity behind it. Falls short of the biometric binding and government ID match NACHA Phase 2 requires.
Manual review
Creates 48-72 hour blind spots. Produces no machine-readable audit evidence. Gives ODFIs nothing to examine under Phase 2 scrutiny.
What Recordkeepers Face
The new compliance floor carries strict penalties.
- Phase 1: Activated March 20, 2026 for mega-recordkeepers.
- Phase 2: Hits the entire mid-market on June 22 with no volume exceptions.
The mandate requires documented, auditable "Risk-Based Procedures" for identity verification. Knowledge-based authentication and "Best efforts" are no longer sufficient, and penalties add up quickly.
Penalty Classes
- 1.Class 1: Warning/Minor
- Up to $1,000 for initial failure to document a process
- 2.Class 2: Repeat/Significant
- Up to $5,000 per occurrence
- 3.Class 3: Egregious/Willful
- Up to $500,000 per month for systemic failures that lead to high return rates or network risk
Under Phase 2, your ODFI bears direct legal liability for your fraud controls. Banks will audit your verification gaps and exit relationships with non-compliant originators. Loss of your ODFI relationship means loss of ACH access.
The Solution
Identity verification built for the false pretenses mandate
Proof runs IAL2 identity verification across three execution layers, and every session generates ODFI-defensible audit evidence.
Identify
Proof cross-references government ID against facial biometrics before a transaction moves. Liveness detection defeats deepfakes in real time. When a fraudster submits an impersonation request, the session flags it before money moves — and the evidence trail shows exactly what happened.
Verify
Every high-risk transaction runs through a live video session with a credentialed notary or verifier, replacing the manual callback process with an eight-minute digital experience your clients actually complete. MISMO RON-compliant and accepted in all 50 states.
Certify
Session records are cryptographically signed to a verified identity, making them AI-proof and digitally verifiable. Every ODFI auditor receives evidence that cannot be faked, altered, or disputed.
Defend
Every session generates an immutable recording with full audit metadata. The evidence is timestamped, tamper-proof, and machine-readable for ODFI review.
- 79%: NIGO (Not In Good Order) rate reduction
- $53M: Savings opportunity with Proof
- T+3: Processing speed, down from T+10
- 30+ min: FA (Financial Advisor) time recovered per transaction
Resources
Everything you need to comply before June 22
- What Your Bank Will Ask: Readiness Checklist
- The questions your ODFI auditors will ask, and what passing looks like.
- Audit-Ready Playbook
- A step-by-step implementation guide for Phase 2 compliance with Proof.
- NACHA Certification Pathway Guide
- Your path from readiness assessment through certification.
Common Questions
Does knowledge-based authentication or SMS OTP satisfy the False Pretenses mandate?
No. NACHA's False Pretenses mandate requires active identity verification, not passive authentication. KBA and SMS OTP confirm device access. They do not verify the person initiating the transaction. NIST 800-63 IAL2 requires government ID verification and biometric binding. That is the compliance floor, and that is what Proof delivers.
What happens if we miss the June 22 deadline?
Phase 2 enforcement triggers on Day 1. Tier 1 penalties start at $1,000/day per violation and Tier 2 escalates to $2,500/day for repeat findings. Beyond the daily penalties, a NACHA violation triggers mandatory ODFI review of all your fraud controls. ODFIs can and will terminate originator relationships rather than absorb the regulatory liability themselves.
How quickly can Proof be implemented?
A two-week implementation pathway exists from first conversation to live IAL2 IDV deployment. Proof's platform is built for this window, and we have done it before.
We already have an eSign or RON solution. Does that satisfy Phase 2?
eSign workflows and generic RON platforms verify a signature, not an identity. NACHA Phase 2 requires documented identity verification at the transaction layer, including biometric binding, government ID matching, and an immutable session record. Proof is built to that standard. Most eSign and RON platforms are not.
What is ODFI exposure, specifically?
Your Originating Depository Financial Institution bears direct legal liability for your fraud controls under Phase 2. A NACHA audit finding requires your ODFI to review your entire fraud control stack. Banks will exit relationships with non-compliant originators rather than share that liability. Loss of your ODFI relationship means loss of ACH access and operational shutdown for all disbursement workflows.