On June 27, 2023, the Consumer Financial Protection Bureau (CFPB) issued an order against an electronic payment processor for its data handling practices. Allegations include that the company mistakenly triggered $2.3 billion in mortgage payments while conducting tests of its electronic payment platform, impacting nearly 500,000 homeowners. The company agreed to a $25 million penalty.
The company processes mortgage payments through the Automated Clearing House network. One of the company’s mortgage servicing customers allegedly allowed homeowners to schedule monthly mortgage payments with the company’s electronic payment processing product, which could automatically transfer mortgage payments from personal bank accounts to the servicing customer.
The agency asserts that, in April 2021, the company conducted tests of its electronic payment platform. But instead of using dummy data in its tests, the company used real consumer data received from the servicing customer. This data included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During testing, the company sent several large files including this data into the ACH network, which initiated the $2.3 billion in unauthorized payments from homeowners’ accounts.
The company’s internal review of the incident determined that “policies and procedures were not followed” during the test of its payment platform. The company claimed that it took “swift action to reverse the ACH entries and prevent any consumer loss”, and that at “all times during and after the error, consumers’ money and personal information were safe.” The company also stated that immediately after the occurrence, it adopted additional controls, including automation, to prevent a recurrence.
The CFPB generally has authority to take action against companies violating various consumer financial protection laws, including engaging in unfair, deceptive, or abusive acts or practices. The CFPB also noted its authority to enforce the Electronic Fund Transfer Act and its implementing rule, Regulation E.
This is the CFPB’s first action addressing unlawful information handling practices in processing mortgage payments of this type. The company is now prohibited from using consumer financial information for software development or testing purposes without documenting a “compelling business reason” and obtaining consumer consent and is also required to pay the hefty penalty to the CFPB. The company consented to the issuance of the Consent Order without admitting wrongdoing. This Order should signal to the industry that the Bureau is keeping a close eye on the use of consumer data. It is expected that the CFPB will further monitor the industry to hold more companies accountable.
Read the company’s statement.
Don’t forget all the things that you still have to do, even if resources are thin. We’re here to help talk you through it! Contact Firstline at (831) 325-3369 or info@firstlinecompliance.com.