The Consumer Financial Protection Bureau (CFPB) ordered ACI Worldwide to pay a $25 million fine for improper data handling that led to approximately $2.3 billion in erroneous mortgage payment transactions.

The unauthorized transactions negatively impacted nearly 500,000 homeowners with mortgages serviced by Mr. Cooper, one of ACI’s largest customers, and caused many to incur overdraft fees, the CFPB said in a press release Tuesday.

The details: In April 2021, contractors conducted tests on ACI’s Speedpay payments system but failed to use “dummy” consumer data, contrary to company policy, the CFPB said in its consent order.

By using the information it received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited, ACI unlawfully initiated electronic mortgage payment transactions from homeowners’ accounts without their knowledge, the CFPB said.

This violated the company’s obligation to establish and enforce reasonable information security practices to prevent test files from entering the Automated Clearing House network, the CFPB said.

The agency found ACI’s actions violated federal consumer financial protection laws, including the Consumer Financial Protection Act and the Electronic Fund Transfer Act.

ACI was ordered to implement reasonable information security practices and obtain proper authorization for payment processing, per the CFPB’s order. The company is also prohibited from using sensitive consumer data for software development or testing without compelling business reasons and consumer consent, the agency said.

Compliance considerations: ACI must enforce a program of internal controls appropriate to its size, complexity, and “nature and scope of [its] activities related to the offering or provision of a consumer financial product or service and the sensitivity of any consumer information used or maintained,” according to the order.

ACI must also designate qualified individual(s) to oversee, implement, and enforce the order. The individual(s) will report to ACI’s chief information security officer, who shall be responsible for their day-to-day direction and oversight, per the order.

Within 45 days, ACI must hire an independent consultant with specialized experience in information security to review and validate enhancements to its third-party risk management or ensure its information security program complies with relevant obligations, per the order.

Within 180 days, the consultant must prepare a report detailing its independent review, the agency said. Within 25 days of receiving the report, the company’s board must develop a compliance plan to correct any deficiencies, according to the order.

Company response: “Immediately after the inadvertent transmission, ACI adopted additional controls, including automation, to prevent such errors from occurring within the Speedpay environment,” the company said in a statement. “… ACI’s policies, procedures, and information systems remain strong and are continuously improving as the company constantly takes steps to ensure it meets ongoing regulatory, business, and security requirements.”

ACI agreed to the order without admitting or denying wrongdoing.