.svg)
ACI Worldwide has agreed to pay $20m to state regulators and attorneys general to end legal cases accusing the fintech giant of initiating nearly $2.4bn in payments without authorisation while in testing mode.
The settlement puts an end to a multi-state enforcement action, involving 44 state regulators and attorneys general (AGs) from 50 states.
The states alleged that ACI Payments, the payment processing subsidiary of ACI Worldwide, had accidentally used actual consumer data while running a test.
ACI offers payment processing to numerous third parties, including mortgage servicer Mr. Cooper, which was using ACI’s Speedpay platform to allow its customers to schedule and pay monthly mortgages online.
In April 2021, ACI was conducting a test on Speedpay, which it acquired in 2019 from Western Union, and at the time was still in the transition period. Although ACI had already assumed IT responsibility for the platform, it was hosted in the previous owner’s IT environment with certain services still being provided by legacy vendors.
While carrying out the test, ACI accidentally submitted live Mr. Cooper consumer data into the US Automated Clearing House (ACH) system, mistakenly attempting to withdraw mortgage payments from hundreds of thousands of Mr. Cooper customers.
According to a court document, the incident involved 1.4m ACH debit and credit entries related to 478,500 borrowers to the value of $2.39bn.
However, ACI noticed the error quickly and took steps to reverse the debits and credits, offsetting around 99.998 percent of the payments before any funds were moved from consumer accounts.
State regulators claimed that the transactions resulted in “unexpected” and “sometimes multiple” mortgage payments, which exposed around 2,710 consumers to overdraft or insufficient funds fees.
They said such an error could happen because of “significant defects” in ACI’s privacy and data security procedures and technical infrastructure.
Although the states generally acknowledged that ACI had a “relatively detailed” enterprise risk management framework, including third-party risk management policies, it did not sufficiently supervise and train the personnel of Speedpay vendors.
ACI also failed to ensure that its vendors followed procedures, such as validating that the databases were scrubbed, and did not have sufficient technological safeguards to enforce its policies and procedures, according to the document.
Hefty penalties for misusing customer data
Commenting on the settlement, Maryland Commissioner of Financial Regulation Antonio Salazar claimed that the scale of this error “can be devastating” for consumers.
“Now that consumers have been made whole, state regulators are penalising ACI Payments and sending a message to other companies that mishandling customer data will lead to stiff penalties,” he added.
The settlement concludes the investigation by state regulators and follows a federal enforcement action by the Consumer Financial Protection Bureau (CFPB) and a class action lawsuit, all of which had been settled earlier this year.
In April, ACI agreed to pay $5m to all claims, attorneys’ fees and costs and a further $1m for borrowers who can prove they had suffered unreimbursed damages.
In June, ACI also settled the case with the CFPB for a $25m civil money penalty.
ACI said it is “satisfied with the conclusion of this matter” and “is moving forward in the interest of its employees, shareholders and customers”.
The company added that the previous settlements resolved all consumer claims and it expects most of the costs associated with the state lawsuits to be covered by third parties.
ACI holds money services business licences in nearly all US states, has more than 6,000 business customers and processes more than 225bn consumer transactions annually. It reported revenue of $1.4bn and net income of $142m in 2022.
The fintech has recently replaced its ex-president and CEO, Odilon Almeida, with Thomas Warsop, former non-executive chair of the ACI board.
Warsop was first appointed as interim CEO last November when Almeida quit and was promoted to permanent president and CEO in May.
At the time, the company said Almeida’s employment ended “without cause” and the change was needed because the board believed it was “the right time to transition to a new leader focused on accelerating our technology transformation and delivering operational excellence across our business”.
Growing turnover in the C-suite
Such unexpected departures are becoming more common in the payments scene.
In mid-August, Discover CEO Roger Hochschild was asked to leave. In a subsequent investor call, c-suite executives hinted at potential compliance issues as a reason for the departure, emphasising that Discover now puts “compliance excellence” before profit.
In September, Square also announced the departure of Alyssa Henry as CEO and said Jack Dorsey, CEO and co-founder of parent company Block, would assume her role.
Although the company did not provide any details about the potential reasons behind the change, the announcement was made while the fintech giant was struggling with the aftermath of a major global outage that was estimated to cost merchants $2.4bn in lost and failed transactions.
Vixio reached out to ACI but the company declined to comment.
