State AGs and State Money Transmission Regulators Settle With Payment Processor Over Unauthorized Mortgage Withdrawals

Timothy Bado, Keith Barnett, Ketan Bhirud, Christopher Carlson, Clayton Friedman, Natalia Jacobo, Judith Jagdmann, Namrata Kang, Michael Lafleur, Carlin McCrory, Susan Nikdel, Stephen Piepgrass, John Sample, Avi Schick, Whitney Shephard, Trey Smith, Ashley Taylor Jr., Daniel Waltz, Michael Yaghi
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

[co-author: Stephanie Kozol]*

On October 17, 52 state and territorial attorneys general, in addition to state money transmission regulators, entered into settlements amounting to more than $20 million with ACI Worldwide (ACI), to resolve claims involving a money transmission error that led to the unauthorized withdrawal of $2.3 billion from Nationstar Mortgage (also known as Mr. Cooper) customers.

The state regulators’ allegations stemmed from a 2021 testing error wherein ACI — at the time a third-party payment processor for Mr. Cooper — inadvertently withdrew $2.3 billion from the bank accounts of Mr. Cooper mortgage holders. The error occurred on April 23, 2021, when ACI, while testing its Speedpay payment platform, mistakenly processed live consumer data of Mr. Cooper customers. The mistake resulted in consumers being subjected to the attempted withdrawal of multiple mortgage payments from their personal bank accounts on days when payments were not authorized. Although the vast majority of withdrawals were not effectuated, 1.4 million transactions were still processed and upward of 477,000 consumers were impacted — 14,629 of which were Virginians. The withdrawals led to consumers not being able to access funds and, in some instances, incurring overdraft or insufficient funds fees.

The state regulators’ investigation into the testing error determined a key component to be “significant defects in ACI’s privacy and data security procedures and technical infrastructure related to the Speedpay platform.”

In the wake of the incident, ACI initiated corrective measures to minimize the impact on customers and was ultimately able to restore all accounts. ACI has also provided restitution to effected customers both directly, and through related settlements.

In addition to the monetary payment to the states, the settlement requires ACI to employ more stringent measures to protect consumer data and funds in the future. For example, ACI is now required to use artificially created data during system tests, rather than real customer data that may lead to nationwide consumer exposure. ACI will now also be required to isolate testing and development work from its consumer payment systems.

Takeaway

Deficiencies in data security protocols and infrastructure remain primary sources of risk for companies nationwide. As evidenced by this settlement, the risks posed by insufficient systems are not merely limited to data breaches or the bad actions of nefarious third-parties. Rather, companies are routinely finding themselves victim to their own mistakes and inadvertent errors. Accordingly, it is paramount that businesses and their stakeholders review and supplement their data security infrastructure to identify gaps and take appropriate measures to address any shortfalls.

*Senior Government Relations Manager

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide