cml, consumers, cybersecurity, legal|

October 20, 2023

State regulators and state attorneys general levy combined fines of $20 million for data misuse impacting 480,000 consumers nationwide

[Topeka]—The Kansas Office of the State Bank Commissioner and 43 other state agencies have reached settlements with ACI Payments, Inc., for erroneously initiating electronic transactions totaling $2.3 billion from the accounts of 480,000 mortgage-holders serviced by Mr. Cooper (formerly known as Nationstar Mortgage, LLC). State regulators levied $10 million in fines while forcing the company to settle through a multistate enforcement action led by regulators from Arkansas, Connecticut, Maryland and Texas with support from the Conference of State Bank Supervisors. Additionally, 50 state attorneys general levied $10 million in fines to ACI, in coordination with state regulators.


ACI Payments, a subsidiary of ACI Worldwide Corp., is a state-regulated money services business licensed in Kansas and nearly all other U.S. states (NMLS ID 936777). Mr. Cooper offered ACI’s Speedpay product for its customers to schedule their monthly mortgage payments, enabling automatic transfers of authorized mortgage payments from their personal bank accounts to Mr. Cooper. The violations occurred when ACI Payments erroneously used live customer data in a test of its Speedpay platform, causing unexpected and sometimes multiple mortgage payments from customer accounts. In some cases, these transactions exposed consumers to overdraft or insufficient funds fees.


“This case is a clear-cut caution to all companies operating in Kansas to use customer data with care. The Kansas Office of the State Bank Commissioner supports innovation and diversity in the nonbank space but will not tolerate any actions or practices that jeopardize consumers’ safety or prosperity,” said Kansas Bank Commissioner David Herndon. “We have a clear mission to protect consumers and support a safe and efficient financial services market and are sending the message to other companies that mishandling customer data will lead to stiff penalties.”


Upon notification of the incident from ACI Payments, state regulators commenced a multistate money transmission investigation reviewing all aspects of the event, including investigating the facts and circumstances surrounding the erroneous transactions, evaluating consumer impact, analyzing the root cause of the incident, and evaluating the remedial steps taken by the company.


This enforcement action orders the following of ACI Payments, Inc.:

  • Risk and Compliance Programs – Maintain a comprehensive Enterprise Risk Management Program and a Third-Party Risk Management Program tailored to the nature, size, complexity and risk profile of ACI.
  • Agreement Monitoring – Regular reporting (for two years) to a state regulator monitoring committee to ensure both the adequacy of the risk management programs and compliance with the order.
  • Administrative Costs and Penalties – Payment of $10 million in fines for administrative costs and penalties.

State financial regulators license and supervise over 33,000 nonbank financial services companies through the Nationwide Multistate Licensing System (NMLS), including mortgage companies, money services businesses, consumer finance providers and debt collectors. Kansas consumers can submit complaints about nonbank financial services companies by visiting https://osbckansas.org. Consumers can also verify that a company is licensed to do business in their state, and view past enforcement actions, by visiting NMLS Consumer Access.


Read the enforcement action which includes the list of participating states here.


Media Contact:
Mike Enzbrenner
Deputy Commissioner, Consumer & Mortgage Lending
[email protected]

Comments are closed.

Close Search Window