CFPB fines ACI Worldwide $25 million for mortgage servicing error

The Consumer Financial Protection Agency hit ACI Worldwide and its subsidiary ACI Payments with a $25 million fine Tuesday for illegally initiating withdrawals from borrower bank accounts totaling over $2.3 billion in April 2021.

According to the government watchdog, the payment software company accidentally triggered "erroneous bill payment orders to be sent to consumers' banks for processing," while contractors conducted internal testing of Speedpay, a payment system ACI acquired from Western Union in 2019.

This snafu impacted close to 500,000 borrowers with mortgages serviced by Mr. Cooper. Roughly 100 of those impacted incurred non-sufficient funds fees from their banks as a result of ACI's error, the mortgage servicer previously said.

This error stemmed from the company's lack of security protocols and training and "caused substantial consumer harm including significant frustration, confusion, and monetary loss," the government watchdog's consent order read.

"The CFPB's investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country," said CFPB Director Rohit Chopra in a written statement Tuesday. "While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers."

Per the CFPB's order, ACI contractors testing the company's electronic payment platform used data containing sensitive consumer information, contrary to ACI policy. 

Further, during its performance testing, ACI improperly sent several large files filled with Mr. Cooper's customer data into the ACH network, unlawfully initiating electronic mortgage payment transactions from homeowners' accounts. As a result, many borrowers unknowingly had multiple debits for monthly mortgage payments scheduled to hit their bank account on a single day.

The Elkhorn, Nebraska-based company responded to the consent order by highlighting that "Speedpay was a recently acquired addition to ACI's portfolio, and the inadvertent transmission occurred shortly after the company assumed management of Speedpay's legacy data environment."

The company noted that it "consented to the issuance of the consent order without admitting any wrongdoing to avoid the expenses and distraction of litigation." 

Apart from paying a penalty, the CFPB is requiring ACI to beef up its information security practices, while prohibiting the company from processing payments without obtaining authorization and using sensitive consumer information for software development for testing purposes without having a good reason for it.