In these times, double down — on your skills, on your knowledge, on you. Join us Aug. 8-10 at Inman Connect Las Vegas to lean into the shift and learn from the best. Get your ticket now for the best price.
An electronic payment processor that accidentally initiated $2.3 billion in mortgage payments from 500,000 homeowners’ bank accounts in 2021 has agreed to pay a $25 million penalty to the Consumer Financial Protection Bureau (CFPB) to resolve allegations that the incident violated federal law.
In a statement, ACI Worldwide Corp. said it agreed to settle with the CFPB “without admitting any wrongdoing to avoid the expense and distraction of litigation.”
ACI Worldwide subsidiary ACI Payments Inc. was conducting tests of its electronic payments platform on April 23, 2021, the CFPB alleged in a consent order filed Tuesday.
But instead of using dummy data, the CFPB found that ACI sent actual consumer data, including names and bank account numbers to the ACH network, an automated clearing house for electronic funds transfers.
That move — which the CFPB attributed to weaknesses in ACI’s information security practices — initiated approximately 1.4 million ACH withdrawals on behalf of an ACI client, Mr. Cooper, one of the nation’s biggest mortgage loan servicers.
“While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers,” CFPB Director Rohit Chopra said in a statement.
The CFPB concluded that ACI’s use of consumer data in its testing process violated the Electronic Fund Transfer Act and its implementing rule, Regulation E, as well as the Consumer Financial Protection Act of 2010, by using consumer data in its testing process.
“Specifically, the company failed to establish and enforce reasonable information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network,” the CFPB alleged.
ACI says it took “swift action to reverse the ACH entries and prevent any consumer loss. At all times during and after the error, consumers’ money and personal information remained safe.”
ACI said its internal review of the incident determined that the company’s “policies and procedures were not followed” during the test of its recently acquired Speedpay bill payment platform.
“Under ACI’s ownership, the Speedpay platform complies with a rigorous set of controls and oversight,” the company said. “Immediately after the inadvertent transmission, ACI adopted additional controls, including automation, to prevent such errors from occurring within the Speedpay environment.”
According to the CFPB, Mr. Cooper — which was not accused of wrongdoing — was one of ACI’s largest mortgage servicing customers until at least 2021. Many homeowners with mortgages serviced by Mr. Cooper used Speedpay to schedule their monthly mortgage payments.
The CFPB says that the morning after ACI’s test transmitted consumer data to the ACH network, “impacted account holders began noticing inaccuracies in their account balances.” At one bank, “more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000 — overnight.”
While those and other account holders were ultimately made whole, “None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks,” the CFPB said.
The CFPB said the $25 million penalty ACI agreed to pay will be deposited into a Civil Penalty Fund that’s used to compensate victims and fund consumer education and financial literacy programs.
ACI also faced seven class action lawsuits filed on behalf of consumers whose Mr. Cooper mortgage accounts were affected. In its most recent annual report to investors, ACI said it had agreed to pay up to $6.5 million to settle those lawsuits, subject to final court approval.
The settlement with ACI was the CFPB’s first enforcement action over information handling practices in the processing of mortgage payments. But last year the CFPB warned that “shoddy data security practices” could constitute violations of the Consumer Financial Protection Act.
Issued in the wake of the 2017 Equifax data breach and settlement, the Aug. 11 circular on data security notes that the Consumer Financial Protection Act does not require “particular security practices,” failure to implement data security measures “might increase the risk that a firm’s conduct triggers liability” under the act.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” Chopra said at the time. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.