CFPB Takes Action Against ACI Worldwide for Illegally Processing $2.3 Billion in Mortgage Payments that Homeowners Did Not Authorize
June 27, 2023 / Source: CFPB
WASHINGTON, D.C. – Today, the Consumer Financial Protection Bureau (CFPB) issued an order against ACI Worldwide and one of its subsidiaries, ACI Payments, for improperly initiating approximately $2.3 billion in unlawful mortgage payment transactions. ACI’s data handling practices negatively impacted nearly 500,000 homeowners with mortgages serviced by Mr. Cooper (formerly known as Nationstar). By unlawfully processing erroneous and unauthorized transactions, ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions. Today’s order requires ACI, among other things, to pay a $25 million civil money penalty.
“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”
ACI (NASDAQ:ACIW) is a publicly traded firm headquartered in Elkhorn, Nebraska. The company offers payment processing services across a wide range of industries including utilities, student loan servicing, healthcare, education, insurance, telecommunications, and mortgage servicing. ACI counts more than 6,000 firms as customers, and the company claims to process more than 225 billion consumer transactions annually. The company processes mortgage payments through the Automated Clearing House (ACH) network. For 2022, ACI reported revenue of $1.422 billion and net income of $142 million.
Mr. Cooper was one of ACI’s largest mortgage servicing customers until at least 2021. Mr. Cooper services the mortgages of more than four million borrowers and collects their monthly mortgage payments. Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.
On Friday, April 23, 2021, ACI conducted tests of its electronic payments platform. But instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts. None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks.
On Saturday, April 24, 2021, impacted account holders began noticing inaccuracies in their account balances. Immediately, people began experiencing negative financial consequences. At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000—overnight.
The CFPB found that ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act and the Electronic Fund Transfer Act and its implementing rule, Regulation E. Specifically, the company harmed homeowners by:
- Illegally initiating withdrawals from borrower bank accounts: ACI initiated approximately 1.4 million ACH withdrawals on behalf of Mr. Cooper from homeowners’ accounts on April 23, 2021, without a valid written authorization. This included initiating electronic fund transfers on days when they were not scheduled and initiating multiple transfers from the same accounts on the same day.
- Improperly handling sensitive consumer data: As one of the largest global providers of payment services, ACI handles sensitive financial data of millions of homeowners and other consumers. The unlawful transactions, and the subsequent harm they caused, occurred as a direct result of the company’s inappropriate use of consumer data in its testing process. Specifically, the company failed to establish and enforce reasonable information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network.
This is the CFPB’s first action addressing unlawful information handling practices in processing mortgage payments. Last year, the CFPB issued an enforcement circular describing how shoddy data handling practices can constitute violations of the Consumer Financial Protection Act.
Under the Consumer Financial Protection Act, the CFPB has the authority to take action against companies that violate federal consumer financial protection laws, including engaging in unfair, deceptive, or abusive acts or practices. The CFPB also has authority to enforce the Electronic Fund Transfer Act and its implementing rule, Regulation E.
The order requires ACI to:
- Stop its unlawful practices: ACI must adopt and enforce reasonable information security practices, and is prohibited from processing payments without obtaining proper authorization. It is also prohibited from using sensitive consumer financial information for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.
- Pay $25 million in penalties: ACI is required to pay a $25 million penalty to the CFPB, which will be deposited into the CFPB’s victims relief fund.
Consumers can submit complaints about mortgage products and other financial products and services by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).
Employees who believe their companies have violated federal consumer financial protection laws, including the Electronic Fund Transfer Act and its implementing rule, Regulation E, are encouraged to send information about what they know to [email protected]. To learn more about reporting potential industry misconduct, visit the CFPB’s website.