In these times, double down — on your skills, on your knowledge, on you. Join us Aug. 8-10 at Inman Connect Las Vegas to lean into the shift and learn from the best. Get your ticket now for the best price.

An electronic payment processor that accidentally initiated $2.3 billion in mortgage payments from 500,000 homeowners’ bank accounts in 2021 has agreed to pay a $25 million penalty to the Consumer Financial Protection Bureau (CFPB) to resolve allegations that the incident violated federal law.

In a statement, ACI Worldwide Corp. said it agreed to settle with the CFPB “without admitting any wrongdoing to avoid the expense and distraction of litigation.”

ACI Worldwide subsidiary ACI Payments Inc. was conducting tests of its electronic payments platform on April 23, 2021, the CFPB alleged in a consent order filed Tuesday.

But instead of using dummy data, the CFPB found that ACI sent actual consumer data, including names and bank account numbers to the ACH network, an automated clearing house for electronic funds transfers.

That move — which the CFPB attributed to weaknesses in ACI’s information security practices — initiated approximately 1.4 million ACH withdrawals on behalf of an ACI client, Mr. Cooper, one of the nation’s biggest mortgage loan servicers.

“While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers,” CFPB Director Rohit Chopra said in a statement.

The CFPB concluded that ACI’s use of consumer data in its testing process violated the Electronic Fund Transfer Act and its implementing rule, Regulation E, as well as the Consumer Financial Protection Act of 2010, by using consumer data in its testing process.

“Specifically, the company failed to establish and enforce reasonable information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network,” the CFPB alleged.

ACI says it took “swift action to reverse the ACH entries and prevent any consumer loss. At all times during and after the error, consumers’ money and personal information remained safe.”

ACI said its internal review of the incident determined that the company’s “policies and procedures were not followed” during the test of its recently acquired Speedpay bill payment platform.

“Under ACI’s ownership, the Speedpay platform complies with a rigorous set of controls and oversight,” the company said. “Immediately after the inadvertent transmission, ACI adopted additional controls, including automation, to prevent such errors from occurring within the Speedpay environment.”

According to the CFPB, Mr. Cooper — which was not accused of wrongdoing — was one of ACI’s largest mortgage servicing customers until at least 2021. Many homeowners with mortgages serviced by Mr. Cooper used Speedpay to schedule their monthly mortgage payments.

The CFPB says that the morning after ACI’s test transmitted consumer data to the ACH network, “impacted account holders began noticing inaccuracies in their account balances.” At one bank, “more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000 — overnight.”

While those and other account holders were ultimately made whole, “None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks,” the CFPB said.

The CFPB said the $25 million penalty ACI agreed to pay will be deposited into a Civil Penalty Fund that’s used to compensate victims and fund consumer education and financial literacy programs.

ACI also faced seven class action lawsuits filed on behalf of consumers whose Mr. Cooper mortgage accounts were affected. In its most recent annual report to investors, ACI said it had agreed to pay up to $6.5 million to settle those lawsuits, subject to final court approval.

The settlement with ACI was the CFPB’s first enforcement action over information handling practices in the processing of mortgage payments. But last year the CFPB warned that “shoddy data security practices” could constitute violations of the Consumer Financial Protection Act.

Issued in the wake of the 2017 Equifax data breach and settlement, the Aug. 11 circular on data security notes that the Consumer Financial Protection Act does not require “particular security practices,” failure to implement data security measures “might increase the risk that a firm’s conduct triggers liability” under the act.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” Chopra said at the time. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”

Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.

Email Matt Carter

Show Comments Hide Comments
Sign up for Inman’s Morning Headlines
What you need to know to start your day with all the latest industry developments
By submitting your email address, you agree to receive marketing emails from Inman.
Thank you for subscribing to Morning Headlines.
Back to top
Only 3 days left to register for Inman Connect Las Vegas before prices go up! Don't miss the premier event for real estate pros.Register Now ×
Limited Time Offer: Get 1 year of Inman Select for $199SUBSCRIBE×
Log in
If you created your account with Google or Facebook
Don't have an account?
Forgot your password?
No Problem

Simply enter the email address you used to create your account and click "Reset Password". You will receive additional instructions via email.

Forgot your username? If so please contact customer support at (510) 658-9252

Password Reset Confirmation

Password Reset Instructions have been sent to

Subscribe to The Weekender
Get the week's leading headlines delivered straight to your inbox.
Top headlines from around the real estate industry. Breaking news as it happens.
15 stories covering tech, special reports, video and opinion.
Unique features from hacker profiles to portal watch and video interviews.
Unique features from hacker profiles to portal watch and video interviews.
It looks like you’re already a Select Member!
To subscribe to exclusive newsletters, visit your email preferences in the account settings.
Up-to-the-minute news and interviews in your inbox, ticket discounts for Inman events and more
1-Step CheckoutPay with a credit card
By continuing, you agree to Inman’s Terms of Use and Privacy Policy.

You will be charged . Your subscription will automatically renew for on . For more details on our payment terms and how to cancel, click here.

Interested in a group subscription?
Finish setting up your subscription