Corpay

What Is Positive Pay? A Finance Leader's Guide to Check and ACH Fraud Defense (2026)

Category: Risk management, Payments Automation
Updated: 2026-06-17
Author: David Luther

Positive pay is an automated bank service that matches checks (or ACH debits) presented for payment against an issued-payment file the business sends to its bank, then flags any mismatch for review before the bank clears it. It's the foundational fraud control on the disbursement side of a corporate banking relationship. Most banks offer some version, and most mid-market and enterprise treasuries already operate it on their check accounts.

The reason positive pay matters more in 2026 than it did a decade ago has nothing to do with the service itself, which has been around for years. It has to do with the fraud environment around it. Per the AFP 2025 Payments Fraud and Control Survey Report, 79% of organizations experienced attempted or actual payments fraud in 2024, and 63% experienced check fraud specifically. Checks are the most-targeted method and the least-recoverable when fraud succeeds. Positive pay is the control your bank already offers that closes the largest piece of that attack surface.

Key Takeaways

  • Positive pay matches presented checks (or ACH debits) against a file your treasury team sends to the bank. Anything that doesn't match gets held for review before it clears.

  • The main variants are check positive pay, payee positive pay (which also matches the payee name), reverse positive pay, and ACH positive pay. Each has different operational demands and catches different attacks.

  • The operational burden is real. Someone in AP has to maintain the issued-checks file, hit the bank's daily submission window, and review exceptions before the deadline. Missed deadlines mean false clears.

  • Positive pay handles counterfeit and altered checks at the bank. It does not stop vendor-impersonation BEC, authorized-but-fraudulent ACH outbound, or someone tricking AP into issuing a real check to the wrong payee.

  • Nacha's 2026 fraud-monitoring rules raise the bar on ACH risk controls. Positive pay on ACH is necessary, but more layered controls (validated vendor banking, dual approval, electronic remittance) increasingly handle attacks positive pay can't see.

What is positive pay and how does it work?

Positive pay is a service the bank runs to verify outbound payments against an authorized list before clearing them. The mechanics are straightforward. Your treasury team sends the bank a daily file listing every check issued (or every ACH debit authorized), with details like check number, amount, date, and payee. When a check is presented for payment, the bank compares it against the file. A clean match clears as normal. A mismatch holds the payment as an exception and notifies the business, which has a window to approve or reject the item before final settlement.

The four-step workflow runs the same way at every bank that offers the service:

  1. Issue file submission. Treasury or AP transmits the issued-checks file to the bank, usually nightly or in batches throughout the day.

  2. Presentment. A check (or ACH debit) is presented to the bank for payment, either at the teller window, through clearing, or via deposit.

  3. Match. The bank's system compares the presented item against the file.

  4. Exception or clear. Matched items clear normally. Unmatched items hold as exceptions, and the bank notifies the business for a pay/no-pay decision before the cutoff.

The file format and submission cadence vary by bank, but the logic is consistent. The hard part isn't the bank's side; it's keeping the issued-checks file accurate and current at your end.

What does positive pay actually catch?

Positive pay catches counterfeit checks, altered checks, and checks the business never issued. Those are the three attack patterns that show up as mismatches against an accurate issued-payment file. A counterfeit check (someone printed a check on your account that you didn't authorize) won't appear in the file at all, so the bank holds it. An altered check (someone changed the amount or payee on a check you did issue) won't match the file's amount or payee fields, so it also holds. A check the business never issued from that account triggers the same mismatch.

The variant with the strongest counterfeit defense is payee positive pay, which adds the payee name to the match logic. Standard check positive pay only matches check number and amount, so an altered payee on a real check (a fraudster changes the payee name while leaving the amount the same) will clear unless the bank's system also reads the payee field.

What does positive pay not catch?

Positive pay doesn't catch fraud that operates upstream of the payment file. If a fraudster compromises your AP team and tricks them into authorizing a legitimate-looking check to a fake vendor, that check goes into the issued-payment file because AP put it there. The bank matches it and clears it. The control is downstream of approval; it can't second-guess what AP authorized.

The same applies to BEC (business email compromise) where the attacker convinces AP to change a vendor's banking details and reroute legitimate ACH payments. The ACH outbound shows up in the file as authorized; the bank clears it. The fraud already happened upstream, in the vendor master. Positive pay is foundational, not sufficient.

What are the main types of positive pay?

Four variants matter for finance teams: check positive pay, payee positive pay, reverse positive pay, and ACH positive pay. The differences are in what the service matches against, who has to act first, and what attacks each one closes.

| Variant | How it works | What it catches | Best for |
|---|---|---|---|
| Check positive pay | Bank matches check number and amount against the issued-checks file. Exceptions held for business review. | Counterfeit checks, altered-amount checks, checks not issued by the business | Default for any business cutting more than a handful of checks per month |
| Payee positive pay (Positive Payee) | Adds payee-name matching to standard check positive pay. The bank reads the payee field and compares it to the file. | Everything check positive pay catches, plus altered-payee fraud (fraudster changes payee on a real check) | Higher-fraud-risk environments; common for treasuries with high check volume |
| Reverse positive pay | Bank sends a daily report of all checks presented; the business reviews and approves or rejects each one. No issued-checks file submitted. | The same items as standard positive pay, but the business carries the review burden every day | Smaller businesses with low check volume where building the issued-checks file is operationally expensive |
| ACH positive pay | Bank matches inbound ACH debits against an authorized-debit list. Unauthorized debits held for review or blocked. | Unauthorized ACH debits hitting the account (third-party debit fraud) | Any business with vendors or services that pull from the account by ACH |

Each variant has trade-offs in operational burden vs. coverage. Most mid-market treasuries run check positive pay plus ACH positive pay at minimum.

What's the difference between check positive pay and payee positive pay?

Payee positive pay adds payee-name verification to the standard check-number-and-amount match. The practical effect is closing the altered-payee attack. A fraudster who steals a real, signed check from the mail and changes the payee field still has a check that matches your file on number and amount, so standard check positive pay clears it. Payee positive pay catches that one because the payee no longer matches.

Banks typically offer payee positive pay as an upgrade to standard positive pay, sometimes called Positive Payee. The cost is modest, but the operational requirement is real: payee names in your issued-checks file have to match what's printed on the actual check. AP teams that hand-correct payee names without updating the file create false exceptions.

When does reverse positive pay make sense?

Reverse positive pay makes sense for small businesses that can't reliably produce a daily issued-checks file. Instead of you sending the bank a file, the bank sends you a daily list of every check that hit the account. Your team reviews each one and tells the bank what to clear and what to reject. Coverage is similar, but the operational direction reverses. You bear the daily review burden instead of the daily file-submission burden.

The catch is risk asymmetry. If your team misses the review window, every check on the list clears by default. With standard positive pay, a missed window typically holds the exception (banks vary). For finance teams without a dedicated treasury function, reverse positive pay is often the only workable option, but it requires real discipline on the review side.


How is ACH positive pay different from check positive pay?

ACH positive pay matches inbound ACH debits to your account against an authorized-debit list, while check positive pay covers outbound checks. The fraud pattern is different: ACH positive pay defends against third parties pulling unauthorized debits from your account, not against fraudsters issuing fake outbound payments. The control surface is the depository side rather than the disbursement side.

The variants of ACH positive pay are worth knowing. Pure ACH positive pay holds any debit that doesn't match the list. ACH debit block flatly rejects all ACH debits to the account. ACH debit filters allow specific company IDs on an allowlist while blocking everything else. The right combination depends on which suppliers and services need ACH access to the account. The explainer on how ACH payments work covers the broader rail context if you're newer to it.

How do you set up positive pay with your bank?

Setting up positive pay runs through three workstreams: configuration on the bank's portal, file-format and submission cadence on your treasury side, and exception-handling process on the AP side. Most banks have it operational within a week of contract signature; the longer pole is usually getting AP's workflow to consistently feed the daily file.

Talk to your relationship manager about pricing, file formats accepted (CSV, fixed-width, BAI, ANSI X12 820, or proprietary), and submission cutoffs. Confirm the exception window (how long you have to pay/no-pay each exception before the bank decides for you), default behavior on missed exceptions, and how exception notification arrives (email, portal, file, or a combination).

What's in a positive pay file?

The file lists every check (or authorized ACH debit) you've issued and the metadata the bank uses for matching. Required fields almost always include account number, check number, issue date, amount, and (for payee positive pay) the exact payee name. Optional fields can include void status, MICR line details, and reference numbers. Format is bank-specific; some accept CSV, some require fixed-width or a flavor of BAI or ANSI X12.

Operational reliability of the file is where most teams struggle. If AP voids a check and doesn't update the file before submission, the void check shows as an exception. If a check is reissued with a new check number, the old number stays on the file until removed. Disciplined file maintenance is more important than which variant you operate.

What happens when a check doesn't match?

When a presented check doesn't match the issued-checks file, the bank holds it as an exception and notifies your designated reviewer (usually treasury or AP). Your team has until the bank's cutoff (commonly 11 a.m. or 2 p.m. local time, depending on the bank) to approve or reject. Approve means the bank pays the check. Reject means the bank returns it as unauthorized.

Default behavior on a missed exception varies by bank. Some default to pay (the check clears unless you explicitly reject), some default to return. Read the contract carefully and configure default-to-return if your bank allows it; the asymmetry of fraud loss versus a returned legitimate check usually favors return as the safe default. The six security measures piece covers the broader fraud-prevention stack positive pay sits inside.
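The match logic and the missed-cutoff default, as an added Python example that is not Corpay's or any bank's code: it runs the same presented items through check positive pay and payee positive pay, then settles a held item when the review window is missed under default-to-pay versus default-to-return. The record fields, reason codes, sample checks, and the case-insensitive payee comparison are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str
    void: bool = False  # only meaningful on issued-file records


# Constructed issued-checks file, keyed by check number (sample data).
ISSUED = {c.number: c for c in [
    Check("10421", Decimal("1250.00"), "Acme Supply LLC"),
    Check("10422", Decimal("980.50"), "Northwind Freight"),
    Check("10423", Decimal("400.00"), "Harbor Print Co", void=True),
    Check("10424", Decimal("3100.00"), "Lakeside Electric"),
]}

# Constructed presentments: what arrives at the bank for payment.
PRESENTED = [
    Check("10421", Decimal("1250.00"), "ACME SUPPLY LLC"),     # genuine
    Check("10422", Decimal("9980.50"), "Northwind Freight"),   # altered amount
    Check("10423", Decimal("400.00"), "Harbor Print Co"),      # voided by AP
    Check("10424", Decimal("3100.00"), "J. Doe"),              # altered payee
    Check("20001", Decimal("7500.00"), "Acme Supply LLC"),     # counterfeit
]


def _norm(name: str) -> str:
    # Assumption: payee names compare case- and whitespace-insensitively.
    return " ".join(name.upper().split())


def match(item: Check, payee_match: bool) -> Optional[str]:
    """Return None on a clean match, otherwise the exception reason."""
    rec = ISSUED.get(item.number)
    if rec is None:
        return "NOT_ISSUED"
    if rec.void:
        return "VOIDED"
    if rec.amount != item.amount:
        return "AMOUNT_MISMATCH"
    if payee_match and _norm(rec.payee) != _norm(item.payee):
        return "PAYEE_MISMATCH"
    return None


def exceptions(payee_match: bool) -> Dict[str, str]:
    """Run every presentment through the match; collect held items."""
    held = {}
    for item in PRESENTED:
        reason = match(item, payee_match)
        if reason:
            held[item.number] = reason
    return held


def settle(item: Check, payee_match: bool, decision: Optional[str] = None,
           default: str = "RETURN") -> str:
    """decision is the reviewer's 'PAY'/'RETURN'; None means the cutoff was missed."""
    if match(item, payee_match) is None:
        return "PAID"
    return "PAID" if (decision or default) == "PAY" else "RETURNED"
```

Check 10424 never appears in `exceptions(False)`: with number and amount intact, only the payee comparison holds it.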

What does it cost to use positive pay?

Pricing varies widely. Some banks bundle positive pay into a treasury services package at no incremental cost; others charge a monthly fee plus a per-item exception charge. Typical ranges run $30 to $150 per account per month for the base service, with payee positive pay sitting on top for an additional fee. ACH positive pay is often priced separately. For most mid-market treasuries, the bank cost is small enough that the decision is straightforward. The real cost is the operational time to maintain the file.

Why positive pay matters more in 2026

The check-volume math sits at the center of the case for positive pay. Per the 2024 Federal Reserve Payments Study, Federal Reserve Banks processed nearly 3.0 billion commercial checks last year, about half the volume of a decade ago. Check usage is declining, but the per-check fraud rate is rising. AFP's 2025 survey put 91% of organizations still using checks (up from 75% in 2023) and 34% reporting more than a quarter of their payments are still by check. Fewer checks, more concentrated fraud.

Recovery numbers compound the urgency. Only 22% of organizations recovered more than 75% of funds lost to payments fraud in 2024, down from 41% the prior year per the same AFP survey. The window to claw money back is closing. Prevention controls (positive pay among them) carry more weight than they used to because the post-fraud remediation rate is collapsing.

How do the new Nacha rules change ACH fraud responsibilities?

Nacha's 2026 operating rules add explicit ACH fraud-monitoring obligations for originators. Phase 1 takes effect March 20, 2026, with full coverage by June 20, 2026, requiring all corporate ACH originators to operate risk-based fraud-detection processes. The rules also explicitly acknowledge that traditional controls (debit blocks, positive pay) can't catch every newer attack, particularly authorized-but-fraudulent outbound payments where the fraud happens inside the originator's environment.

The practical effect: ACH positive pay alone won't satisfy Nacha's framework for most originators. Broader controls (transaction monitoring, anomaly detection on outbound files, validated vendor banking) become standard. The Sage Intacct payment-fraud piece covers how AP-side controls fit alongside the bank's positive pay layer.

Where does positive pay stop being enough?

Positive pay stops being enough at the moment fraud succeeds upstream of the payment file. If a fraudster compromises a controller's email and authorizes a wire to a fake supplier account, no bank-side check or ACH match catches it; the payment was authorized. If BEC convinces AP to update a real vendor's banking details to an attacker-controlled account, the resulting ACH clears through positive pay because it matches the authorized list. The control is foundational, not complete.

Modern fraud defense layers positive pay underneath several other controls. Validated vendor banking, which checks supplier banking changes against authoritative records before they take effect, closes the BEC vector. Dual-control payment approval handles authorized-internal fraud. Electronic remittance to validated supplier records reduces the trust surface that paper-check fraud exploits. The healthcare AP fraud automation piece walks through how those layers stack in a high-volume environment, and vendor management best practices cover the controls finance teams should require of their AP system.

How payments automation reduces check exposure structurally

Positive pay is a bank-side safety net. Payments automation operates a layer earlier, structurally reducing how many checks you cut in the first place. Migrating eligible vendor spend onto validated ACH and virtual-card rails shrinks the surface area positive pay has to defend. The check program doesn't disappear (some suppliers will always require it), but it gets reserved for genuine tail volume rather than running as the default.

The economics work in two directions. Fewer checks means lower fully loaded check-processing cost (postage, materials, AP labor) and lower fraud exposure (per AFP, checks remain the most-attacked rail). Virtual-card rails on the same dollars generate rebate revenue rather than incurring fee cost. Corpay's payments automation runs ACH, virtual card, check, wire, and cross-border through a single workflow against 4M+ accepting vendors and 180+ ERP integrations. The managed service handles the enrollment work that determines how aggressively the check program can be retired.

If you want to see how it fits with your existing positive pay setup, the Corpay payments automation product page covers the workflow and the integration story. The supplier payments automation explainer covers the enrollment side specifically.

Frequently Asked Questions

Is positive pay enough to prevent check fraud?

No. Positive pay catches counterfeit checks, altered checks, and checks that weren't issued from the account, which is most of the volume-based check fraud you face. It doesn't catch fraud that operates upstream of the issued-payment file, such as someone tricking AP into authorizing a legitimate-looking check to a fake vendor. Treat positive pay as foundational and necessary, but not as the entire fraud-defense stack.

Does positive pay cover ACH payments?

Yes, through ACH positive pay specifically, which is a separate service from check positive pay. ACH positive pay matches inbound ACH debits against an authorized-debit list and holds unauthorized debits for review. Outbound ACH (your business paying suppliers) isn't covered by traditional positive pay because the originator authorized it; protecting outbound ACH requires upstream controls like validated vendor banking and dual approval.

What's the difference between positive pay and reverse positive pay?

Standard positive pay works by you sending the bank a daily issued-checks file. Reverse positive pay works by the bank sending you a daily list of checks presented; you review and approve or reject each one. Coverage is similar, but reverse positive pay puts the daily-review burden on your team rather than the daily-file-submission burden. The risk profile differs on missed deadlines: standard positive pay typically holds exceptions; reverse positive pay often clears by default if you miss the window.

Do small businesses need positive pay?

Most small businesses do, especially any business cutting checks regularly. The fraud math is consistent across business sizes. Counterfeit and altered-check fraud doesn't discriminate by treasury size, and recovery rates are uniformly poor. The setup most small businesses can operate is reverse positive pay (lower file-maintenance burden) or, if check volume is very low, ACH-only via debit block plus ACH positive pay.

What does positive pay cost?

Pricing varies by bank. The base service typically falls within a low-three-figure monthly range per account, with payee positive pay adding incremental cost and ACH positive pay usually priced separately. Some treasury services packages bundle positive pay at no extra cost. The operational cost (AP or treasury time maintaining the file and reviewing exceptions) typically exceeds the bank fee, which is where the buy decision actually sits.

Do payments automation platforms replace positive pay?

They don't replace it; they reduce how much it has to defend. Payments automation runs the disbursement workflow upstream of the bank, moving eligible spend onto ACH and virtual-card rails so fewer checks get cut. Positive pay still runs as the bank-side control on whatever checks remain. The two layers stack: payments automation reduces the check program's footprint structurally, and positive pay catches the fraud that targets the remaining check volume.

What's a positive pay file and what format does my bank expect?

A positive pay file is a structured list of issued checks (or authorized ACH debits) submitted to the bank for use in the matching process. Required fields almost always include account number, check number, amount, and issue date; payee positive pay also requires the payee name. Format varies widely: CSV, fixed-width, BAI, ANSI X12 820, and proprietary bank formats are all common. Ask your relationship manager for the spec sheet and a sample file. Most modern treasury workstations and AP platforms can produce the file in any standard format on a scheduled cadence.

How does positive pay interact with Nacha's 2026 ACH fraud rules?

Nacha's 2026 rules raise the bar on ACH risk-monitoring for originators, requiring risk-based fraud-detection processes for all corporate ACH originators by mid-2026. ACH positive pay alone won't satisfy the framework for most originators. Broader controls on outbound ACH (anomaly detection, validated vendor banking, dual approval, segregation of duties) become standard. Positive pay on inbound ACH remains foundational; outbound ACH defense moves upstream into the AP and treasury workflow.


David Luther

Product Marketing Program Manager
David Luther, MBA is a product marketing program manager with years of experience in commercial banking, finance, and technology sectors, with research and writing appearing in financial publications.