April 15, 2026

For most of banking history, the fraud problem was essentially unauthorized access. Someone got into an account they shouldn't be in. The controls were about authentication, detection, and reversibility.

That model still matters. But it's no longer enough.

I keep noticing a shift in how fraud conversations are framed inside credit unions. The old version of the problem was about keeping bad actors out. The new version is harder, because the member is often the one taking the action. The fraud growing fastest in 2026 isn't unauthorized. It's authorized. Members deceived into willingly sending money or approving transactions that benefit someone else. Business email compromise. Payroll redirects. Fake vendor invoices. Romance scams that end at the wire transfer screen. The member did everything "right." They just did it based on false information engineered by someone who knew exactly what to say.

What Nacha's New Rules Actually Mean

Nacha's 2026 risk management rules, effective in phases starting March 20, do something that feels incremental but is actually a meaningful shift in accountability. For the first time, both originating and receiving financial institutions are expected to have risk-based processes to detect ACH transactions initiated due to fraud, including those "authorized under false pretenses."

It's no longer acceptable for either side of an ACH payment to say "the member authorized it" and consider the conversation closed. Both sides of the highway now have a responsibility to watch for wrong-way drivers.

For credit unions, this has specific implications. Receiving institutions, which often felt shielded from APP fraud liability, now have explicit monitoring expectations. That requires looking at incoming ACH credit patterns with the same analytical rigor we've historically applied to outgoing debits. If the payments, fraud, and analytics teams haven't had that conversation yet, this is the moment.

Synthetic Identity: The Slow-Burn Problem

The fraud type getting the most attention in 2026 intelligence reports isn't the dramatic one. It's synthetic identity, where a criminal blends a real Social Security number (often belonging to a child, an elderly person, or someone with a thin credit file) with fabricated identity data to build a fictitious person over months or years.

These identities pass standard KYC. They build credit histories. They accept lower limits and pay on time, right up until the "bust out," when they max out every available credit line simultaneously and disappear. By the time the loss is booked, the identity has long since stopped responding to mail.

Recent analysis describes synthetic identity as one of the most complex and fastest-growing fraud typologies in 2026, enabled by AI-generated documents, deepfake verification images, and increasingly sophisticated fabrication tools. For credit unions, the exposure tends to concentrate in loan portfolios, new account fraud, and member-facing digital channels where identity verification is less rigorous than in-branch interactions.

Credit union-specific reporting this year notes something counterintuitive: as much as half of fraud can still occur in-branch using stolen or fake IDs, even as digital fraud dominates the headlines. Fraud is a multi-channel problem. Controls have to match.

The FinCEN Connection

Layer FinCEN's new AML/CFT Program NPRM on top of this, and the picture becomes clearer. The proposal's shift toward effectiveness, not just technical compliance, means your transaction monitoring, fraud analytics, and investigative processes will increasingly be evaluated on whether they're actually working against real-world typologies. Synthetic identity fraud and authorized push payment scams are exactly the kind of real-world typologies examiners will be thinking about.

The shared responsibility model from the February series applies directly here. Your fraud monitoring vendor owns the pattern recognition engine. You own the alert thresholds, the investigation process, and the decisions about what rises to a SAR. If you can't articulate where that line is and demonstrate that human judgment is in the loop where it needs to be, that's a governance gap. Not just a technology gap.

Member Impact Is the Point

The member impact is direct. Synthetic identity fraud harms real people, including children whose SSNs are misused years before they ever apply for their first loan. APP fraud and ACH scams directly cost members money they may never recover.

Your fraud program isn't just a loss mitigation function. It's a member protection function.

When you think about your fraud defenses as a member journey, from account opening through ongoing transactions, where are the gaps between what your members expect and what your controls actually catch?