The Consumer Financial Protection Bureau said Tuesday it has fined payments provider ACI Worldwide Inc. $25 million for erroneously debiting from nearly 500,000 homeowners a total of $2.3 billion in mortgage payments through the automated clearing house network in 2021.
The agency’s order also said ACI must “stop its unlawful practices” that include “processing payments without obtaining proper authorization.” The company is also prohibited from using sensitive consumer financial information for software development or testing purposes without “documenting a compelling business reason and obtaining consumer consent.”
In a statement Tuesday, Coral Gables, Fla.-based ACI said the incident was the result of “policies and procedures” that were not followed during a test. The company said it consented to the CFPB’s order “without admitting any wrongdoing to avoid the expense and distraction of litigation. The company believes the prompt conclusion of this matter is the best path forward and is in the interest of its employees, shareholders, and customers.”
ACI also said it settled a class-action lawsuit stemming from the error, and that it “expects most of the costs will be covered by third parties in both matters.” The company didn’t give details of the settlement, and a spokesperson tells Digital Transactions News ACI has no comment beyond its press release.
The incident occurred when an ACI Worldwide subsidiary, ACI Payments, was processing mortgage payments for Mr. Cooper, a mortgage servicer with more than 4 million customers formerly known as Nationstar, according to the CFPB.
“Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper,” the CFPB said. “On Friday, April 23, 2021, ACI conducted tests of its electronic payments platform. But instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts.”
None of the nearly 500,000 affected mortgage holders anticipated or authorized the payments, the CFPB further said.
On the night of April 23, 2021, ACI initiated 1.4 million unauthorized ACH withdrawals, according to the CFPB. “At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning [April 24],” the Bureau said. “Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000—overnight.”
At the time, Speedpay was a recently acquired expedited bill-payment platform that ACI bought from The Western Union Co. for about $750 million.
“The inadvertent transmission occurred shortly after the company assumed management of Speedpay’s legacy data environment,” ACI’s release says. “An internal review determined that ACI’s policies and procedures were not followed. ACI took swift action to reverse the ACH entries and prevent any consumer loss. At all times during and after the error, consumers’ money and personal information remained safe.”
But the unauthorized withdrawals exposed the mortgage holders to overdraft and insufficient-funds fees from their financial institutions, according to the CFPB. “The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” CFPB Director Rohit Chopra said in a statement. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.” The CFPB said the fine will be deposited into its victims’ relief fund.
Besides the CFPB’s investigation, the incident triggered probes by attorneys general in 49 states, the District of Columbia, and some U.S. territories, as well as investigations by money-transmitter regulators in 46 states, a May 4 ACI regulatory filing says.
The company said it established a $5-million settlement fund, with another $1.5 million available if needed. The filing says ACI expects insurance will cover an undetermined amount of potential losses.