CFPB Orders Payment Processor to Implement Information Security Program and Pay $25 Million Penalty

Gabriela Chambi, Lucy Morris
Hudson Cook, LLP
Contact
LinkedIn
Facebook
X
Send
Embed

HIGHLIGHTS:

  • According to the CFPB, in a single event, a payment processor mistakenly initiated more than 1.4 million unauthorized mortgage payment transactions due to faulty information security practices, violating the Consumer Financial Protection Act, Electronic Fund Transfer Act, and Regulation E.
  • The processor neither admitted nor denied the CFPB's allegations, but consented to the entry of an administrative order that requires the processor to pay a $25 million penalty and develop and enforce certain information security practices.
  • According to the CFPB, the processor was a service provider to a large Mortgage Company. The Mortgage Company is not part of the Consent Order.

CASE SUMMARY:

On June 27, 2023, the CFPB filed an administrative consent order against a payment processor headquartered in Elkhorn, Nebraska. The order alleges that on a single date in 2021, the processor erroneously initiated about 1.4 million unauthorized ACH withdrawals from consumers' bank accounts, in violation of the Consumer Financial Protection Act, the Electronic Fund Transfer Act, and Regulation E.

The CFPB found that the incident occurred when the processor was conducting "performance tests" on one of the Company's payment platforms. The CFPB found that these alleged unlawful transactions were a result of the Company's failure to establish and enforce information security practices, which constituted unfair acts or practices. In the Consent Order, the Company did not admit to these allegations. To resolve the matter, the Company agreed to pay a $25 million penalty and to develop policies and procedures related to its information security practices and the use of sensitive consumer financial information. In addition, the Consent Order prohibits the use of sensitive consumer financial information for software development or testing purposes, unless the Company documents a compelling business reason and obtains consumer consent. In what appears to be novel, the Consent Order also requires the processor to register with the Bureau's Company Portal for receiving and responding to consumer complaints and inquiries.

RESOURCES:
You can review all of the relevant court filings and press releases at the CFPB's Enforcement page.

Written by:

Hudson Cook, LLP
Hudson Cook, LLP
Contact
more
less

Hudson Cook, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide