The CFPB announced this week that it has entered into a consent order with ACI Worldwide Corp. and one of its subsidiaries, ACI Payments, Inc., in connection with more than 1.4 million erroneous electronic fund transfer payment instructions initiated by ACI through the ACH Network (ACH Entries).  In its press release, the CFPB calls the matter its “first action addressing unlawful information handling practices in processing mortgage payments.”  Even though the consent order recites that ACI was able to offset the ACH Entries before funds were debited from the majority of consumers’ accounts, the order nevertheless requires ACI to pay a $25 million civil money penalty.

ACI provides payment processing services to mortgage servicers.  The erroneous ACH Entries were initiated on April 23, 2021 as part of performance testing conducted on ACI’s payment platform.  The testing involved simulating actual ACH Entry processing.  However, instead of using “dummy” consumer data that did not contain sensitive consumer financial information (SCFI) or using files that were scrubbed of SCFI, ACI’s contractors “circumvented ACI policies and processes related to the access and use of SCFI and were able to obtain and use actual, unaltered, SCFI that ACI previously obtained for legitimate debit and credit transactions” of borrowers whose mortgages were serviced by one of ACI’s largest mortgage servicer customers.

Because the platform recognized the test files as authentic and containing legitimate ACH Entries, the contractors’ actions resulted in the transmission of more than 1.4 million ACH Entries to ACI’s originating depository financial institution (ODFI), some of which resulted in electronic fund transfers (EFTs) from borrowers’ accounts.  These EFTs were not authorized by the borrowers whose accounts were affected.  After learning of the erroneous ACH Entries on April 24, 2021, ACI sent reversing ACH files to its ODFI which were submitted to the ACH Network on April 25, 2021.  The initial ACH Entries and the correcting ACH Entries settled on April 26, 2021.  The erroneous ACH Entries reduced the available balance of some consumers’ bank accounts, making some consumers unable to complete purchases or other transactions and resulting in the imposition of NSF and overdraft fees on some accounts.  In addition, many consumers had to spend significant amounts of time to have corrections made to their accounts.

The CFPB found that ACI’s actions violated the Electronic Fund Transfer Act and Regulation E by initiating EFTs from consumers’ accounts without a valid written authorization.  In addition to violating the Consumer Financial Protection Act (CFPA) based on its EFTA/Regulation E violations, ACI was found to have engaged in unfair acts and practices in violation of the CFPA by “erroneously process[ing] ACH Entries meant for the test environment against actual consumer accounts” and by having deficient information security practices that allowed the improper use of SCFI and did not provide adequate training and oversight of contractors “who played a critical role in its payment processing operations and had access to SCFI.”

In addition to payment of a $25 million civil money penalty, the consent order requires ACI to adopt and enforce an information security program (ISP) to ensure “Reasonable Security” appropriate to its size and complexity, the nature and scope of its activities related to providing consumer financial services, and the sensitivity of any consumer information it maintains.  The term “Reasonable Security” is defined in the consent order to mean “information security policies and human and technical internal control measures that are technically substantiated by the latest knowledge, widely held within the Information Security Research Community,” and that are appropriately documented and “sufficient to defend and ensure the Confidentiality, Integrity, and Availability of SCFI and [ACI’s] systems.”  (“Information Security Research Community” is also a defined term, as are “Confidentiality,” “Integrity,” and “Availability.”)  The consent order specifies what actions the ISP must require ACI to take, including in connection with the oversight of service providers.  The consent order also prohibits ACI from using SCFI for software development or testing purposes without documenting a compelling business reason and obtaining consumer consent.