Agencies in 44 states announced they had reached a settlement with ACI Payments, Inc. for data misuse that impacted nearly half a billion consumers across the country.
The $20 million fine is in response to ACI initiating electronic transactions totaling more than $2.3 billion from the accounts of 480,000 million mortgage-holders serviced by Mr. Cooper, formerly known as Nationstar Mortgage, LLC. State regulators levied $10 million fines through a multistate enforcement action with support from the Conference of State Bank Supervisors (CSBS), and state attorneys general from all 50 states levied $10 million in fines to ACI Payments in coordination with state regulators.
“In today’s digital world, mistakes that happen at this scale can be devastating for consumers. Unfortunately, in this case, consumers paid the price for this company’s lack of internal controls,” Maryland Commissioner of Financial Regulation and CSBS Non-depository Supervisory Committee Vice-chair Antonio P. Salazar said. “Now that consumers have been made whole, state regulators are penalizing ACI Payments and sending a message to other companies that mishandling customer data will lead to stiff penalties.”
Mr. Cooper offered ACI Payments’ Speedpay product to its consumers as a way to schedule their monthly mortgage payments. The product enabled automatic transfers from customers’ bank accounts to Mr. Cooper to cover mortgage payments. The violations occurred when ACI Payments erroneously used live customer data to test the Speedpay platform, causing unexpected and sometimes multiple mortgage payments to be transferred out of customers’ accounts. The transactions, in some cases, resulted in overdraft fees and insufficient funds fees for consumers.
Once state regulators were notified of the incident by ACI Payments, a multistate money transmission investigation began that reviewed all aspects of the event. As a result, regulators order ACI Payment to maintain a comprehensive Enterprise Risk Management Program and a Third-Party Risk Management Program, to regularly report to state regulators for two years, and to pay fines for administrative costs and penalties.
“State regulators have a clear mission to protect consumers and support a safe and efficient financial services market,” North Dakota Department of Financial Institutions Commissioner and CSBS Chair Lise Kruse said. “This case is a fair warning to ACI Payments and other companies to use customer data with care. State financial regulators support innovation and diversity in the nonbank space but we will not tolerate any actions or practices that jeopardize consumers’ safety or prosperity.”