The Consumer Financial Protection Bureau (CFPB) has charged ACI Worldwide and one of its subsidiaries, ACI Payments, for improperly initiating unlawful mortgage payment transactions.
The order said ACI unlawfully processed about $2.3 billion in erroneous and unauthorized transactions, impacting nearly 500,000 homeowners with mortgages serviced by Mr. Cooper — formerly known as Nationstar. By doing so, ACI opened homeowners up to overdraft and insufficient funds fees from their financial institutions.
“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”
ACI, headquartered in Elkhorn, Neb., was ordered to pay a $25 million civil money penalty.
What happened was, many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product. Sppedpay allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.
On April 23, 2021, ACI conducted tests of its electronic payment platform, but instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper. This data included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During the testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts. None of the nearly 500,000 impacted borrowers were aware of these transactions until after they had been processed by their respective banks.
On April 24, 2021, impacted account holders began noticing inaccuracies in their account balances and immediately began experiencing negative financial consequences. Specifically, ACI initiated approximately 1.4 million ACH withdrawals on behalf of Mr. Cooper from homeowners’ accounts on April 23, 2021, without a valid written authorization.
The CFPB found that ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act and the Electronic Fund Transfer Act and its implementing rule, Regulation E. In addition, ACI failed to establish information security practices that would have prevented files created for testing purposes from ever being able to enter the ACH network.
In addition to the $25 million penalty, which will be deposited into the CFPB’s victims’ relief fund, ACI must adopt and enforce reasonable information security practices. Further, the company is prohibited from processing payments without obtaining proper authorization and using sensitive consumer financial information for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.