Banner Bank ACH Originator Guide

Fraud Monitoring Requirements Beginning in 2026, the Rules will require Originators to implement risk-based processes to identify and prevent fraudulently originated ACH entries. This means you must review outgoing entries to detect scams such as business email compromise and fake invoices. You may already have use tools like anomaly detection or fraud “flags” but it is important to evaluate and update your processes to ensure compliance with these new requirements. The Rule will be implemented in two phases: Phase 1 – Effective March 20, 2026, for Originators with ACH volume greater than 6 million in 2023 Phase 2 – Effective June 19, 2026, this will apply to all other Originators that did not fall into Phase 1 Most ACH originations are recurring (same employee, vendors, utilities). Focus on situations that differ from your normal pattern: 1. New Receivers a. Perform due diligence b. Verify identity c. Transmit account information securely with encryption 2. Existing Receivers with sudden account changes a. Confirm using contact information on file (not from a suspicious email) b. Apply Know Your Customer (KYC) checks Receiver authorizations must be signed or similarly authenticated and are legally binding. Unsecured communication such as email or text, both unencrypted and unsecure, does not fit compliance with applicable legal requirements.

Examples of acceptable ACH credit authorizations: • Written authorization form • Secure HR portal • Voided physical check

Best Practices: • Use micro-entries to validate account details and build trust with Receivers • Watch for atypical activities, such as:

o New payment recipients o Sudden account changes o Unusual dollar amounts o Multiple payments to same Receiver o Usual email addresses asking for payments to be send to a different account

29