MiCA Licensing Crunch and Nacha’s New ACH Fraud Rules Tighten Compliance Nets for Crypto and Payments
MiCA’s July 1, 2026 deadline has already forced a wave of licensing activity. Only 14 exchanges have obtained full MiCA authorisation, according to a recent industry report. In Poland, where about 2,000 virtual‑asset service providers (VASPs) operate, only one has a MiCA licence. The Polish regulator has finished its grandfathering period, meaning that most of the country’s VASPs will need to shut down or apply for a licence before the end of the year. Mateusz Kara, founder of Ari10 and CEO of Morphic Financial Group, said the cost and complexity of the licensing process are “a big change of thinking” and that “there is no room for small players.”
The high cost and stringent requirements are already consolidating the market. Kara noted that new entrants will find it hard to start because they must obtain a licence that is expensive and time‑consuming. He added that the UK is not yet a target market for his company, but that the Financial Conduct Authority (FCA) is working on a regulatory framework similar to MiCA. “We will apply for a licence there, but it’s still a plan for the future,” Kara said.
MiCA entered into force in December 2024 and requires crypto‑asset service providers to meet capital, governance, and consumer‑protection standards. The regulation also imposes strict rules on stablecoins, market‑making, and asset‑backed tokens. Because the licensing process is still in its early stages, many firms are scrambling to meet the July deadline.
In the United States, the National Automated Clearing House Association (Nacha) updated its operating rules on June 20, 2026. The new ACH fraud rules apply to every organisation that sends ACH payments, regardless of volume. Nacha emphasises that the most damaging fraud schemes begin upstream, before the payment file reaches the bank. Vendor master fraud, payroll diversion, and segregation‑of‑duties violations are common vectors.
Vendor master fraud occurs when a fraudster gains access to a supplier portal or contacts accounts payable directly, impersonating a legitimate vendor and requesting a bank‑account change. If an organisation lacks controls to flag unauthorized changes to vendor payment records, the updated account number can flow through procurement and into the next payment run without scrutiny. The ACH transaction clears, and the loss is discovered weeks later.
Payroll diversion follows a similar pattern. Employees or attackers with compromised credentials can modify direct‑deposit details inside HR and payroll platforms. If payroll changes do not trigger independent review or audit alerts, the modifications can persist for multiple pay cycles before detection.
Nacha’s rules require risk‑based procedures that can identify potentially fraudulent transactions before they are submitted. The rules do not prescribe a specific technology, but they do require organisations to map the systems that originate ACH payments and assess where controls exist and where they do not.
Chris Radkowski, SAP GRC expert at Pathlock, highlighted two capability gaps that organisations should address immediately:
1. Continuous monitoring of payment‑relevant master data and access rights across ERP and financial systems.
2. Implementation and enforcement of segregation‑of‑duties controls across the systems that originate ACH payments.
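As an added illustration (not taken from Nacha's rule text or from any vendor's product), the sketch below screens a payment batch before ACH submission for the two upstream patterns described above: a recent bank-detail change with no independent review, and the same user both changing bank data and creating the payment. The record layout, user names, payee IDs and the 30-day look-back window are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class BankChange:            # one audit-log row for a vendor or employee bank update
    payee_id: str
    changed_on: date
    changed_by: str
    approved_by: Optional[str]   # None means no review was recorded

@dataclass
class Payment:               # one line of the outgoing ACH batch
    payee_id: str
    amount: float
    created_by: str
    run_date: date

def screen_batch(payments, changes, lookback_days=30):
    """Return {payee_id: [reasons]} for payments to hold before submission."""
    holds = {}
    for p in payments:
        window_start = p.run_date - timedelta(days=lookback_days)
        for c in changes:
            if c.payee_id != p.payee_id:
                continue
            if not (window_start <= c.changed_on <= p.run_date):
                continue     # change is older than the look-back window
            reasons = []
            if c.approved_by is None:
                reasons.append("bank change not reviewed")
            elif c.approved_by == c.changed_by:
                reasons.append("bank change self-approved")
            if c.changed_by == p.created_by:
                reasons.append("SoD: same user changed bank data and created payment")
            if reasons:
                holds.setdefault(p.payee_id, []).extend(reasons)
    return holds

# Constructed sample data: two risky changes, one clean change, one old change.
CHANGES = [
    BankChange("V-1001", date(2026, 6, 10), "ap_clerk1", None),
    BankChange("E-2002", date(2026, 6, 12), "hr_admin", "hr_admin"),
    BankChange("V-1003", date(2026, 6, 1), "ap_clerk2", "ap_manager"),
    BankChange("V-1004", date(2026, 1, 5), "ap_clerk1", None),
]
RUN = date(2026, 6, 20)
PAYMENTS = [
    Payment("V-1001", 48000.0, "ap_clerk1", RUN),
    Payment("E-2002", 3200.0, "payroll_svc", RUN),
    Payment("V-1003", 900.0, "ap_clerk1", RUN),
    Payment("V-1004", 150.0, "ap_clerk2", RUN),
]

if __name__ == "__main__":
    for payee, reasons in screen_batch(PAYMENTS, CHANGES).items():
        print(payee, "HOLD:", "; ".join(reasons))
```

A held payment would be released only after the bank change is confirmed through a channel independent of the one that requested it.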
Pathlock’s solutions provide real‑time alerts for changes to vendor banking records, payroll direct‑deposit details, and user access privileges. They also offer a comprehensive segregation‑of‑duties analysis that spans ERP, HR, procurement, and financial planning systems.
The new Nacha rules are a reminder that the bank‑side controls are only part of a broader fraud‑prevention strategy. Organisations must now demonstrate visibility across the full transaction lifecycle—from the initial data entry in an ERP or HR system, through approval workflows, to the final ACH instruction.
Both MiCA and Nacha’s updated rules illustrate a trend toward tighter regulatory oversight and higher compliance costs. Crypto firms face a licensing bottleneck that will likely consolidate the market around larger, well‑capitalised players. Corporate payment departments, meanwhile, must invest in upstream monitoring and segregation‑of‑duties controls to meet the new fraud‑risk requirements. The next few months will see a surge in licensing applications, compliance upgrades, and technology deployments as companies prepare for the July 2026 deadlines.