According to the CFPB, this is the first enforcement action addressing unlawful information-handling practices in processing mortgage payments.
In addition to the civil penalty, the CFPB’s consent order, issued June 27, further requires the payment processing company to stop its unlawful practices. “ACI must adopt and enforce reasonable information security practices and is prohibited from processing payments without obtaining proper authorization,” the CFPB said. “It is also prohibited from using sensitive consumer financial information for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.”
According to the CFPB, ACI’s data handling practices “negatively impacted nearly 500,000 homeowners with mortgages serviced by Mr. Cooper (formerly known as Nationstar), which was one of ACI’s largest mortgage servicing customers until at least 2021. “By unlawfully processing erroneous and unauthorized transactions, ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions,” the CFPB said.
Case Facts
Mr. Cooper services the mortgages of more than four million borrowers and collects their monthly mortgage payments. Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.
On April 23, 2021, ACI conducted tests of its electronic payments’ platform, but instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, including names, bank account numbers, bank routing numbers, and amounts to be debited or credited.
“During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts,” the CFPB stated. “None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks.”
The following day, on April 24, 2021, account holders immediately began experiencing negative financial consequences. “At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000 overnight,” the CFPB said.
Compliance Violations
Broadly, as described by the CFPB, ACI harmed consumers by:
- Illegally initiating withdrawals from borrower bank accounts: ACI initiated approximately 1.4 million ACH withdrawals on behalf of Mr. Cooper from homeowners’ accounts on April 23, 2021, without a valid written authorization, including initiating electronic fund transfers on days when they weren’t scheduled and initiating multiple transfers from the same accounts on the same day.
- Improperly handling sensitive consumer data: The unlawful transactions, and the subsequent harm ACI caused, occurred as a direct result of its inappropriate use of consumer data in its testing process. Specifically, the CFPB said ACI failed to establish and enforce reasonable information-security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network.
Such actions consequently violated the Consumer Financial Protection Act and the Electronic Fund Transfer Act and its implementing rule, Regulation E.
ACI’s Response
In a statement, ACI said it consented to the issuance of the consent order without admitting any wrongdoing to avoid the expense and distraction of litigation. “The company believes the prompt conclusion of this matter is the best path forward and is in the interest of its employees, shareholders, and customers. The settlement of a consumer class-action arising out of the error was approved in court last month. ACI expects most of the costs will be covered by third parties in both matters.”
“At the time, Speedpay was a recently acquired addition to ACI’s portfolio, and the inadvertent transmission occurred shortly after the company assumed management of Speedpay’s legacy data environment,” ACI stated. “An internal review determined that ACI’s policies and procedures were not followed. ACI took swift action to reverse the ACH entries and prevent any consumer loss.”
“Under ACI’s ownership, the Speedpay platform complies with a rigorous set of controls and oversight. Immediately after the inadvertent transmission, ACI adopted additional controls, including automation, to prevent such errors from occurring within the Speedpay environment.”
ACI further added that it has “comprehensively implemented robust risk and information-security programs that are routinely audited by regulators and assessed by independent third parties. ACI’s policies, procedures, and information systems remain strong and are continuously improving, as the company constantly takes steps to ensure it meets ongoing regulatory, business and security requirements.” 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.