ACI Worldwide Corp. and ACI Payments Inc.
On June 27, 2023, the Bureau issued an order against ACI Worldwide Corp. and ACI Payments Inc. (collectively, ACI), a nationwide payment processor headquartered in Elkhorn, Nebraska. The Bureau found that ACI’s employees improperly accessed and used sensitive consumer financial information for internal testing purposes and without employing appropriate information safety controls. These internal tests created fake payment processing files that were treated as containing legitimate consumer bill payment orders by ACI’s consumer bill payment platform. Due to weaknesses in its information security practices, ACI caused the erroneous bill payment orders to be sent to consumers’ banks for processing. These actions initiated debits totaling approximately $2.3 billion in mortgage payments from nearly 500,000 borrower bank accounts without their knowledge or authorization. The Bureau found that ACI’s actions violated the Electronic Fund Transfer Act and its implementing rule, Regulation E, as well as the Consumer Financial Protection Act of 2010’s prohibition of unfair acts and practices. The order requires ACI to stop its unlawful activities and adopt and enforce reasonable information security practices. The order also requires ACI to pay a $25 million civil money penalty.