The Consumer Financial Protection Bureau yesterday announced it had assessed a $25 million fine against ACI Worldwide for its role in a “fiasco” that impacted hundreds of thousands of borrowers worldwide.
A copy of the consent order can be accessed by clicking here.
This enforcement action appears to be a prime example of the importance of not using live data when conducting tests of your electronic payments platform. One Friday, back in April of 2021, the company conducted a test of its electronic payments platform. But instead of using fake data or deidentified data, the company used data it had received from one of its clients, which included names and bank account information. The test unlawfully initiated $2.3 billion in mortgage payments that were not expected or authorized.
The next day, customers began to notice the transactions and “experiencing negative financial consequences” as the CFPB put it, such as overdraft fees and insufficient funds fees.
Ultimately, the company violated the Consumer Financial Protection Act, and the Electronic Funds Transfer Act, and its implementing rule, Regulation E.
That one incident, that one test, led the CFPB to assess a $25 million fine against the company, which must also update its information security practices to no longer use sensitive consumer information for software development or testing purposes.
“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra, in a statement. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”