A high-profile mishap by ACI Worldwide in 2021 involving $2.4 billion in unauthorized withdrawals from mortgage holders’ accounts as part of a digital payments test was an expensive lesson for the company.
As part of its effort to optimize a payments system it bought a few years earlier, the company inadvertently triggered the release of money from almost half a million customers of Mr. Cooper, a mortgage servicer. Over the course of a day, billions of dollars moved through ACI’s automated clearinghouse network and, although the money was restored, customers faced charges for overdrawing their account and other credit penalties.
“ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions,” the Consumer Financial Protection Bureau said earlier this year when announcing a settlement with the company.
For the one-day mishap, the company agreed to pay penalties of $25 million to the CFPB and $20 million to attorneys general in 48 states and money transfer regulators in 44 states. It also faces a $5 million class action settlement and a lawsuit with Mr. Cooper is pending. The company’s CEO and the CTO at the time of the incident have since been replaced.
The company says it expects much of the penalty amounts to be covered by third-party vendors whose technology played a role in the release of funds.
“ACI is satisfied with the conclusion of this matter and is moving forward in the interest of its employees, shareholders and customers,” the company said in a statement after settling with CFPB and the state AGs and money transfer regulators earlier this year.
Risk management lessons
For companies, there are a handful of takeaways that stand out from the agreements, attorneys say.
1. Don’t conduct tests using real data. This is especially the case since testing data can be generated using artificial intelligence and machine learning.
“Companies would be wise to use those new tools,” Emily Yu, an attorney with Cozen O’Connor, said in a podcast hosted by the firm. “The takeaway is, if you’re going to run testing on some kind of software, do not use real customer data.”
2. Treat vendor risks like cybersecurity risks. Even though it didn’t involve malicious external actors, the incident has the character of a cybersecurity incident because it involved system access that led to consumer harm.
“Even if you’ve got a regulator attaching a label of ‘error’ to the company’s conduct, if it results in real harm to the customer, that’s something regulators are going to be very interested in looking into,” Meghan Stoppel, a member of Cozen O’Connor, said in the podcast.
Regulators appear to have approached the incident in the same way as a breach based on the language in their settlement agreement, Stoppel said.
“This settlement document does contain a number of … information security terms that I think a lot of [people] wouldn’t expect to see outside the context of a data breach investigation or a data breach settlement document,” she said. “It will be interesting to see if … that type of language [gets] embedded in some of these [future] settlement documents.”
3. Systems integration isn’t just a technology matter. When ACI acquired the payment platform at the center of the problem, called Speedpay, in 2019, it merged it with its own payment system and took over maintenance responsibility while it was still being hosted in the previous owner’s IT environment and services were still being provided by legacy vendors.
Although these legacy vendors were retained by ACI during a two-year ownership transition period that ended around the time the test was conducted, ACI never had a good picture of how the vendors operated within its controls, according to the state AG agreement.
“These legacy vendors, at the time of the transition and thereafter, were not adequately integrated into ACI’s risk and compliance framework,” the agreement says.
As a result, when the company conducted its test, the vendors were able to access customer accounts and move billions of dollars without triggering any kind of broader oversight that would be expected of such a large money transfer.
“During the Speedpay optimization project, the legacy vendors’ circumvention of internal data security controls and a lack of segregation between internal production and testing environments resulted in 1,432,821 ACH debit and credit entries to be unintentionally and erroneously sent to the ACH network,” the agreement says.
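The three failures the agreements single out (real customer data in a test run, test traffic able to reach the production ACH path, and a large transfer proceeding with no extra oversight) are all things a pre-flight guard can refuse mechanically. The block below is an added illustration, not ACI's, Speedpay's or any vendor's code; the batch format, the "TEST-" account prefix, the endpoint names, the $100,000 test-run cap and the sample entries are all constructed for the example.

```python
"""Pre-flight guard for a payments-system test batch (added illustration).

Controls encoded here, each an assumption for the example rather than a
description of any real system:
  1. a run tagged "test" may contain only synthetic account ids,
  2. a run tagged "test" may never target a production endpoint, and
  3. a test run above a money ceiling needs a named sign-off.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional

SYNTHETIC_PREFIX = "TEST-"                             # assumed convention for generated accounts
PRODUCTION_ENDPOINTS = {"ach.prod.example.invalid"}    # placeholder hostnames
TEST_RUN_CAP_CENTS = 100_000 * 100                     # assumed ceiling: $100,000 per test run


class GuardError(Exception):
    """Raised when a batch fails the pre-flight checks."""


@dataclass(frozen=True)
class AchEntry:
    account_id: str
    amount_cents: int
    kind: str                       # "debit" or "credit"


@dataclass(frozen=True)
class RunContext:
    environment: str                # "test" or "production"
    endpoint: str                   # host the batch would be sent to
    approved_by: Optional[str] = None   # sign-off for an over-cap test run


def synthetic_entries(count: int, seed: int = 0) -> List[AchEntry]:
    """Generate deterministic synthetic entries; nothing here maps to a real account."""
    rng = random.Random(seed)
    return [
        AchEntry(
            account_id=f"{SYNTHETIC_PREFIX}{rng.randrange(10**8):08d}",
            amount_cents=rng.randrange(100, 500_000),   # $1.00 to $5,000.00
            kind=rng.choice(["debit", "credit"]),
        )
        for _ in range(count)
    ]


def guard_batch(ctx: RunContext, entries: List[AchEntry]) -> List[str]:
    """Return every reason this batch must not be sent; an empty list means it may go."""
    problems: List[str] = []
    synthetic = [e for e in entries if e.account_id.startswith(SYNTHETIC_PREFIX)]
    real = [e for e in entries if not e.account_id.startswith(SYNTHETIC_PREFIX)]
    total = sum(e.amount_cents for e in entries)

    if ctx.environment == "test":
        if ctx.endpoint in PRODUCTION_ENDPOINTS:
            problems.append(f"test run points at production endpoint {ctx.endpoint}")
        if real:
            problems.append(f"{len(real)} entries reference non-synthetic accounts")
        if total > TEST_RUN_CAP_CENTS and not ctx.approved_by:
            problems.append(f"test run total {total} cents exceeds cap without sign-off")
    elif ctx.environment == "production":
        # The mirror-image check: generated accounts must never leak into live traffic.
        if synthetic:
            problems.append(f"{len(synthetic)} synthetic accounts in a production batch")
    else:
        problems.append(f"unknown environment {ctx.environment!r}")
    return problems


def submit_batch(ctx: RunContext, entries: List[AchEntry],
                 sender: Callable[[List[AchEntry]], int]) -> int:
    """Send the batch through `sender` only if the guard finds nothing wrong."""
    problems = guard_batch(ctx, entries)
    if problems:
        raise GuardError("; ".join(problems))
    return sender(entries)


if __name__ == "__main__":
    sandbox = RunContext(environment="test", endpoint="ach.sandbox.example.invalid")
    batch = synthetic_entries(5, seed=1)
    print("sandbox batch problems:", guard_batch(sandbox, batch))
    misrouted = RunContext(environment="test", endpoint="ach.prod.example.invalid")
    print("misrouted batch problems:", guard_batch(misrouted, batch))
```

The guard is deliberately symmetric: it rejects real accounts in a test run and synthetic accounts in a production run, so a mislabelled environment is caught from either side rather than trusting the tag alone. The cap is a circuit breaker, not a business rule; its value is whatever the risk function signs off on.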
Bottom line: General counsel have a role to play in helping to manage risk by ensuring that an otherwise sensible testing operation doesn’t result in costly mistakes that, in hindsight, are reasonably avoidable.