On June 27, 2023, the CFPB reached a consent order with the companies regarding the more than 1.4 million erroneous electronic fund transfer payment instructions initiated by ACI through the ACH Network. The CFPB considers this case to be its first addressing unlawful information handling practices in mortgage payment processing. Although ACI was able to offset most of the transactions before funds were debited, they are required to pay a $25 million civil money penalty. ACI Worldwide and its subsidiary, ACI Payments, have now been ordered to pay massive penalties after the Consumer Financial Protection Bureau (CFPB) found that the companies had improperly processed approximately $2.3 billion in unlawful mortgage payment transactions.
ACI’s actions negatively impacted nearly 500,000 homeowners whose mortgages were serviced by Mr. Cooper (formerly known as Nationstar), leading to financial difficulties and unexpected fees. As a result, ACI has been ordered to pay a $25 million civil money penalty. According to CFPB Director Rohit Chopra, ACI’s actions during the 2021 Mr. Cooper mortgage incident caused significant disruptions for borrowers nationwide. While the affected borrower accounts have since been resolved, ACI is being held accountable for its unlawful actions that created numerous challenges for hundreds of thousands of homeowners.
According to the consent order, the issues arose on April 23, 2021, when ACI conducted tests on its electronic payments platform. Instead of using deidentified or dummy data, ACI utilized actual consumer data received from Mr. Cooper, which included sensitive information like names, bank account numbers, bank routing numbers, and transaction amounts. During these performance tests, according to the consent order, ACI mistakenly transmitted several large files containing customer data into the ACH network, resulting in the unauthorized initiation of approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts. The impacted borrowers were unaware of these transactions until after their respective banks had processed them. One bank alone experienced over 60,000 accounts with a combined total of more than $330 million in unlawful debits by the morning of that day. Among these account holders, approximately 7,300 saw their available balances decrease by more than $10,000 overnight.
The CFPB determined that ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act and the Electronic Fund Transfer Act, along with its implementing rule, Regulation E. According to the CFPB, the company harmed homeowners by initiating withdrawals from borrower bank accounts without valid written authorization, including on days when withdrawals were not scheduled and multiple transfers from the same accounts on the same day. Additionally, the CFPB indicated that ACI mishandled sensitive consumer data, as it failed to establish and enforce reasonable information security practices to prevent test files from entering the ACH network.