CFPB Issues First Order for Unlawful Data Handling and Information Security Practices by Payment Processor | Practical Law


The CFPB issued an order against ACI Worldwide Corp., a nationwide payment processor, for unlawful data handling and information security practices in violation of federal consumer financial protection laws.

CFPB Issues First Order for Unlawful Data Handling and Information Security Practices by Payment Processor

by Practical Law Finance
Published on 29 Jun 2023 | USA (National/Federal)
On June 27, 2023, the Consumer Financial Protection Bureau (CFPB) issued an order against nationwide payment processor ACI Worldwide Corp. (ACI) for improper data handling and information security practices. Those practices caused the initiation of more than 1.4 million erroneous debits, totaling more than $2.3 billion, from nearly 500,000 consumer bank accounts, in violation of the Consumer Financial Protection Act (CFPA) and the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E.
Specifically, on April 23, 2021, ACI contractors conducted performance tests on ACI's Speedpay payment platform that involved simulating actual ACH entry processing. Contrary to ACI policy, the contractors neither used "dummy" consumer data nor ensured that the data files used for testing had been scrubbed of sensitive consumer financial information. According to the order:
  • ACI employees improperly accessed and used sensitive consumer financial information for internal testing purposes and without employing appropriate information safety controls.
  • The internal tests created fake payment processing files that were treated as containing legitimate consumer bill payment orders by ACI's consumer bill payment platform.
  • Due to weaknesses in its information security practices, ACI caused the erroneous bill payment orders to be sent to consumers' banks for processing.
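The failure described above is the absence of two independent controls a practitioner would expect: test data that carries no real identifiers, and a production gate that refuses to originate anything that came from a test path. The following Python is an added illustration written for this update, not code from ACI, the CFPB order, or any real payment platform; the record layout, field names, the `test_data` flag, the HMAC key and every sample value are assumptions constructed for the example. The scrubber replaces names, account numbers and routing numbers with keyed pseudonyms and builds each synthetic routing number so that it deliberately fails the ABA check digit; the gate validates that check digit as well as the flag and the environment label, so a scrubbed file cannot clear it even if the flag or the label is lost somewhere along the way.

```python
"""Added example: test-data scrubbing plus an origination gate (hypothetical design)."""
import hashlib
import hmac

# Constructed sample extract. Names, accounts and amounts are fictional; the routing
# numbers pass the ABA check digit but are not intended to identify real institutions.
RAW_ENTRIES = [
    {"name": "JANE DOE", "routing": "123456780", "account": "4455667788", "amount_cents": 150000},
    {"name": "JOHN ROE", "routing": "987654320", "account": "1122334455", "amount_cents": 42999},
]

# Assumed secret held only by the test-data pipeline; never a production key.
EXAMPLE_KEY = b"example-only-scrubbing-key"


def aba_valid(routing: str) -> bool:
    """ABA routing check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 (mod 10)."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def _pseudonym_digits(key: bytes, value: str, n: int) -> str:
    """Keyed, deterministic digit string derived from a real value (HMAC-SHA256, rendered base 10).

    Deterministic so that the same real account maps to the same test account across files,
    which keeps joins and duplicate detection working in the test environment.
    """
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16))[:n]


def synthetic_routing(key: bytes, real_routing: str) -> str:
    """Nine pseudonymous digits that deliberately FAIL the ABA check, so they can never clear the gate."""
    first8 = _pseudonym_digits(key, "rtn:" + real_routing, 8)
    d = [int(c) for c in first8]
    partial = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5])
    valid_check = (-partial) % 10          # the digit that WOULD make the number valid
    bad_check = (valid_check + 5) % 10     # any offset 1..9 breaks the checksum; 5 is arbitrary
    return first8 + str(bad_check)


def scrub_for_test(entries, key: bytes):
    """Replace every identifying field; keep amounts so performance characteristics are preserved."""
    scrubbed = []
    for i, e in enumerate(entries):
        scrubbed.append({
            "name": f"TEST ACCOUNT {i:06d}",
            "routing": synthetic_routing(key, e["routing"]),
            "account": _pseudonym_digits(key, "acct:" + e["account"], len(e["account"])),
            "amount_cents": e["amount_cents"],
            "test_data": True,             # explicit marker, checked by the gate below
        })
    return scrubbed


def origination_rejections(batch, environment: str):
    """Reasons this batch must not reach the live ACH origination path (empty list == allowed).

    Three independent checks: the caller's environment label, the per-record test flag,
    and the routing check digit. Any one of them is enough to stop a scrubbed file.
    """
    reasons = []
    if environment != "production":
        reasons.append(f"environment {environment!r} is not production")
    for i, e in enumerate(batch):
        if e.get("test_data"):
            reasons.append(f"entry {i}: flagged as test data")
        if not aba_valid(e["routing"]):
            reasons.append(f"entry {i}: routing {e['routing']} fails ABA check digit")
    return reasons


if __name__ == "__main__":
    test_batch = scrub_for_test(RAW_ENTRIES, EXAMPLE_KEY)
    print("scrubbed batch:", test_batch)
    # Even if a test batch is mislabelled as production, the gate still refuses it.
    print("gate says:", origination_rejections(test_batch, "production"))
```

The point of failing the check digit by construction is defence in depth: a marker or an environment variable can be dropped when a file is copied between systems, but a routing number that cannot be valid is rejected wherever the batch is re-validated, including at the originating bank. Amounts are preserved because a performance test needs realistic value distributions, not realistic identities.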
ACI learned of the erroneous ACH entries on April 24, 2021, when one of its largest mortgage servicer customers reported a growing number of complaints from borrowers who had noticed inaccuracies in their account balances and were experiencing negative financial consequences. According to the CFPB press release announcing the order, "at one bank more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000 overnight."
As set forth in the order, the CFPB found that ACI:
  • Failed to implement or enforce appropriate information security practices and controls relative to the sensitive consumer financial information it obtains, processes, and stores in connection with its Speedpay bill payment platform.
  • Violated the EFTA and Regulation E by initiating ACH electronic fund transfers against consumers' accounts without valid written authorization.
  • Violated the CFPA by engaging in unfair acts and practices when it:
    • erroneously processed ACH entries meant for the test environment against actual consumer accounts; and
    • failed to adopt and enforce reasonable information security practices to appropriately safeguard consumer sensitive financial information.
Under the order, ACI must:
  • Pay a $25 million civil money penalty.
  • Adopt and enforce reasonable information security practices.
  • Refrain from processing payments without obtaining prior authorization.
  • Refrain from using sensitive consumer data for software development or testing without documenting compelling business reasons and obtaining consumer consent.
In August 2022, the CFPB issued Circular 2022-04, confirming that financial entities with insufficient consumer data protection or information security may violate the CFPA prohibition on unfair acts or practices (see Legal Update, CFPB Advises That Insufficient Consumer Data Protection or Information Security May Violate CFPA Prohibition on Unfair Acts or Practices).