The Consumer Financial Protection Bureau (CFPB) has issued an order against ACI Worldwide [1] and one of its subsidiaries, ACI Payments, for improperly initiating approximately $2.3 billion in unlawful mortgage payment transactions.
ACI’s data handling practices negatively impacted nearly 500,000 homeowners with mortgages serviced by Mr. Cooper (formerly known as Nationstar).
By processing erroneous and unauthorized transactions, ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions. The CFPB’s order requires ACI, among other things, to pay a $25 million civil money penalty.
“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra [2]. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”
ACI is a publicly traded firm headquartered in Elkhorn, Nebraska that offers payment processing services across a range of industries, including utilities, student loan servicing, healthcare, education, insurance, telecommunications, and mortgage servicing. ACI counts more than 6,000 firms as customers, and the company claims to process more than 225 billion consumer transactions annually. The company processes mortgage payments through the Automated Clearing House (ACH) network. For 2022, ACI reported revenue of $1.422 billion and net income of $142 million.
Mr. Cooper was one of ACI’s largest mortgage servicing customers until at least 2021. Mr. Cooper services the mortgages of more than four million borrowers and collects their monthly mortgage payments. Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.
On Friday, April 23, 2021, ACI conducted tests of its electronic payments platform. But instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts. None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks.
On Saturday, April 24, 2021, impacted account holders began noticing inaccuracies in their account balances. Immediately, people began experiencing negative financial consequences. At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000—overnight.
The CFPB found that ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act [3] and the Electronic Fund Transfer Act [4] and its implementing rule, Regulation E [5]. Specifically, the company harmed homeowners by:
- Illegally initiating withdrawals from borrower bank accounts: ACI initiated approximately 1.4 million ACH withdrawals on behalf of Mr. Cooper from homeowners’ accounts on April 23, 2021, without a valid written authorization. This included initiating electronic fund transfers on days when they were not scheduled and initiating multiple transfers from the same accounts on the same day.
- Improperly handling sensitive consumer data: As one of the largest global providers of payment services, ACI handles sensitive financial data of millions of homeowners and other consumers. The unlawful transactions, and the subsequent harm they caused, occurred as a direct result of the company’s inappropriate use of consumer data in its testing process. Specifically, the company failed to establish and enforce reasonable information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network.
Under the Consumer Financial Protection Act, the CFPB has the authority to take action against companies that violate federal consumer financial protection laws, including engaging in unfair, deceptive, or abusive acts or practices. The CFPB also has authority to enforce the Electronic Fund Transfer Act and its implementing rule, Regulation E. The order requires ACI to:
- Stop its unlawful practices: ACI must adopt and enforce reasonable information security practices, and is prohibited from processing payments without obtaining proper authorization. It is also prohibited from using sensitive consumer financial information for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.
- Pay $25 million in penalties: ACI is required to pay a $25 million penalty to the CFPB, which will be deposited into the CFPB’s victims relief fund.
ACI consented to the issuance of the Consent Order without admitting any wrongdoing to avoid the expense and distraction of litigation said the company in a release [6].
“ACI believes the prompt conclusion of this matter is the best path forward and is in the interest of its employees, shareholders, and customers,” read a statement from ACI [6]. “The settlement of a consumer class action arising out of the error was approved in court last month. ACI expects most of the costs will be covered by third parties in both matters.”
ACI has stated that it comprehensively implemented robust risk and information security programs that are routinely audited by regulators and assessed by independent third parties.
“ACI’s policies, procedures and information systems remain strong and are continuously improving, as the company constantly takes steps to ensure it meets ongoing regulatory, business and security requirements,” read a release from ACI [6].