The Consumer Financial Protection Bureau (CFPB) issued an order Tuesday against ACI Worldwide and a subsidiary, ACI Payments, for improperly initiating approximately $2.3 billion in unlawful mortgage payments.
ACI’s data-handling practices negatively affected nearly 500,000 homeowners with mortgages serviced by Mr. Cooper (formerly known as Nationstar), the CFPB said. By processing erroneous and unauthorized transactions, ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions, the bureau said.
The order requires ACI to pay a $25 million civil money penalty.
“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”
ACI is a publicly traded firm headquartered in Elkhorn, Neb. The company offers payment processing services across a wide range of industries, including not just mortgages but also utilities, student loans, healthcare, education, insurance, and telecommunication. ACI has more than 6,000 firms as customers, and the company claims to process more than 225 billion consumer transactions annually.
The company processes mortgage payments through the Automated Clearing House (ACH) network. For 2022, ACI reported revenue of $1.42 billion and net income of $142 million.
Mr. Cooper was one of ACI’s largest mortgage-servicing customers until at least 2021, CFPB said. Mr. Cooper services the mortgages of more than 4 million borrowers and collects their monthly mortgage payments. Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.
On Friday, April 23, 2021, ACI conducted tests of its electronic payments platform, but instead of using de-identified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited, the CFPB said. During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts.
None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of the transactions until after they had been processed by their respective banks, the bureau said.
The next day, impacted account holders began noticing inaccuracies in their account balances, and consumers began experiencing negative financial consequences, the CFPB said. At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000 overnight.
The CFPB said it found that ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act and the Electronic Fund Transfer Act and its implementing rule, Regulation E. Specifically, the CFPB said, ACI harmed homeowners by illegally initiating the withdrawals from borrower bank accounts, and by improperly handling sensitive consumer data.
As one of the largest global providers of payment services, ACI handles sensitive financial data of millions of homeowners and other consumers, the CFPB said. The unlawful transactions, and the subsequent harm they caused, occurred as a direct result of the company’s inappropriate use of consumer data in its testing process, it said. Specifically, the company failed to establish and enforce reasonable information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network.
This is the CFPB’s first action addressing unlawful information handling practices in processing mortgage payments. Last year, the bureau issued an enforcement circular describing how shoddy data-handling practices can constitute violations of the Consumer Financial Protection Act.
Under the act, the CFPB has the authority to take action against companies that violate federal consumer financial protection laws, including engaging in unfair, deceptive, or abusive acts or practices. It also has authority to enforce the Electronic Fund Transfer Act and its implementing rule, Regulation E.
In a news release, ACI said it has "as consented to the issuance of a Consent Order" by the CFPB while calling the incident an "inadvertent transmission" during a test of its Speedpay bill payment platform.
"At the time, Speedpay was a recently acquired addition to ACI’s portfolio, and the inadvertent transmission occurred shortly after the company assumed management of Speedpay’s legacy data environment," ACI said in its release. "An internal review determined that ACI’s policies and procedures were not followed. ACI took swift action to reverse the ACH entries and prevent any consumer loss. At all times during and after the error, consumers’ money and personal information remained safe."
The company said it consented to the order "without admitting any wrongdoing to avoid the expense and distraction of litigation."
ACI said that it "believes the prompt conclusion of this matter is the best path forward and is in the interest of its employees, shareholders, and customers. The settlement of a consumer class action arising out of the error was approved in court last month. ACI expects most of the costs will be covered by third parties in both matters."
In addition to the $25 million in penalties, the order also requires ACI to halt its unlawful practices, and to adopt and enforce reasonable information security practices. It also prohibits ACI from processing payments without obtaining proper authorization, and from using sensitive consumer financial information for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.
The CFPB said it will deposit the $25 million into the bureau’s victims relief fund.
ACI said that, under its ownership, the Speedpay platform "complies with a rigorous set of controls and oversight. Immediately after the inadvertent transmission, ACI adopted additional controls, including automation, to prevent such errors from occurring within the Speedpay environment."
It added that it has "comprehensively implemented robust risk and information security programs that are routinely audited by regulators and assessed by independent third parties. ACI’s policies, procedures and information systems remain strong and are continuously improving, as the Company constantly takes steps to ensure it meets ongoing regulatory, business and security requirements.".
