Regulations to protect consumers from disclosure of their sensitive financial information don’t harmonize well with the finance industry’s need to increase processing speed and quantity through the use of contractors and technology. Inadvertent blunders by contractors can be devastating to an organization.
Here is an example. On June 27, 2023, the Consumer Financial Protection Bureau (CFPB) filed a consent order imposing penalties and requiring strict oversight of ACI Worldwide Corp., a large provider of software products and services that facilitate electronic payments to mortgage servicers.
Contractors for ACI had conducted performance testing on its platform that involved simulating actual electronic funds transfer Automated Clearinghouse (ACH) entry processing. The contractors handling the testing project did not use “dummy” consumer data or ensure that any consumer data in the files used for testing had been scrubbed of sensitive consumer financial information (SCFI), contrary to ACI’s policy. Instead, the contractors used actual SCFI that ACI had previously obtained for legitimate debit and credit transactions for the mortgage company’s borrowers. ACI did not verify that SCFI had been removed from the files before the tests were run.
As a result, an enormous number of ACH entries produced problematic electronic funds transfers in borrowers’ accounts. Naturally, this occurred on a Friday, so when it came to light the next day, after the mortgage company received a growing number of borrowers’ complaints, the corrections and reversals were not settled until Monday. Notwithstanding the correction, borrowers had to expend significant time and effort, and the incident deprived some borrowers of the use of their funds, impacting their ability to pay other expenses.
The Regulations Violated
The consent order describes the incident as a violation by ACI of the Electronic Fund Transfer Act (15 U.S.C. §1693 et seq.) and its implementing Regulation E (15 U.S.C. §1693e(a), 12 C.F.R. §1005.10(b)). Hence, the CFPB determined that ACI’s conduct in failing to prevent the problem constituted unfair, deceptive, or abusive acts or practices causing harm to consumers, in violation of the CFPB’s regulations.
Was ACI at Fault?
The problem was directly caused by a contractor retained by ACI, not by ACI’s own employees. However, the consent order states that ACI failed to provide “reasonable security” in the form of adequate oversight of the contractors who had access to the data. ACI failed to appropriately segregate its production environment from its non-production testing environment or to properly use standard human or technological controls.
The CFPB Brings the Hammer Down
The consent order mandates affirmative steps and imposes a stinging fine.
ACI must:
- Obtain authorization for ACH debit entries for any transfer from a consumer’s account.
- Adopt practices to ensure that unauthorized, duplicate, or erroneous ACH entries can be detected prior to transmission, and maintain a training program.
- Refrain from using SCFI in testing, or create an exception report.
- Obtain a consumer’s authorization prior to initiating a consumer electronic payment transaction.
- Enforce and document a program of internal controls to ensure reasonable security and designate a qualified individual responsible for oversight and monitoring.
- Register for the CFPB’s consumer complaint portal.
- Have independent consultants review and certify the security program, and submit a written report regarding its review.
- Develop a compliance plan to correct any deficiencies revealed in the report.
- Revise the compliance plan as may be required by the CFPB’s Enforcement Director.
- Have all plans, reports, and submissions reviewed by ACI’s board, president, and chief information security officer prior to submission to the CFPB.
- Submit a progress report within one year of the consent order’s effective date.
- Pay a $25 million fine to the CFPB.
- Retain for six years all records necessary to demonstrate full compliance with each provision of the consent order.
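The failure described above and the controls the order requires (segregating production from test, keeping SCFI out of test files with an exception report for anything that slips through, and catching unauthorized and duplicate entries before transmission) can be expressed as one pre-transmission gate. The following is an added example written for this post; it is not code from ACI, the CFPB, or Weltman. The record layout, the `environment` tag carried on each entry, and the `TEST-` synthetic-account convention are assumptions, and the sample batch is constructed.

```python
# Added example (not code from ACI, the CFPB, or Weltman): a pre-transmission gate that
# enforces three of the consent order's requirements on a batch of ACH entries before
# they leave the originating system. The record layout, the "environment" tag, and the
# synthetic-account prefix are assumptions made for this illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

SYNTHETIC_PREFIX = "TEST-"   # assumption: scrubbed test accounts start with this prefix


@dataclass(frozen=True)
class AchEntry:
    trace_number: str          # unique per entry within a file
    account_number: str        # receiver's account number (SCFI when real)
    amount_cents: int
    authorization_id: str      # "" when no consumer authorization is on file
    environment: str           # "production" or "test": which system built the entry


def scrub_for_test(entries: Iterable[AchEntry]) -> list[AchEntry]:
    """Replace real account numbers with synthetic ones so a test file carries no SCFI."""
    return [
        AchEntry(e.trace_number, f"{SYNTHETIC_PREFIX}{i:08d}", e.amount_cents,
                 e.authorization_id, "test")
        for i, e in enumerate(entries)
    ]


def looks_scrubbed(account_number: str) -> bool:
    """A test file is only acceptable if every account follows the synthetic convention."""
    return account_number.startswith(SYNTHETIC_PREFIX)


def gate(entries: Iterable[AchEntry], authorized_ids: set[str],
         channel: str) -> tuple[list[AchEntry], list[tuple[AchEntry, str]]]:
    """Split a batch into entries cleared for `channel` and rejected entries with a reason.

    channel is the destination the batch is about to be transmitted to:
    "production" (the live ACH network) or "test" (an isolated test harness).
    Rejected entries form the exception report the consent order calls for.
    """
    entries = list(entries)
    trace_counts = Counter(e.trace_number for e in entries)
    payload_counts = Counter(
        (e.account_number, e.amount_cents, e.authorization_id) for e in entries)
    accepted, rejected = [], []
    for e in entries:
        payload = (e.account_number, e.amount_cents, e.authorization_id)
        # 1. Segregation: an entry built in one environment never crosses to the other.
        if e.environment != channel:
            rejected.append((e, f"environment mismatch: built in {e.environment}, "
                                f"channel is {channel}"))
        # 2. No SCFI in test: a real-looking account in a test batch is an exception.
        elif channel == "test" and not looks_scrubbed(e.account_number):
            rejected.append((e, "unscrubbed account number in test data"))
        # 3. Authorization: every production entry needs a consumer authorization on file.
        elif channel == "production" and e.authorization_id not in authorized_ids:
            rejected.append((e, "no consumer authorization on file"))
        # 4. Duplicates: a repeated trace number or a repeated (account, amount, auth).
        elif trace_counts[e.trace_number] > 1 or payload_counts[payload] > 1:
            rejected.append((e, "duplicate entry"))
        else:
            accepted.append(e)
    return accepted, rejected


# Constructed sample batch: a production-built file that a test job is about to replay.
SAMPLE_PRODUCTION_BATCH = [
    AchEntry("000000001", "123456789", 150_000, "AUTH-1", "production"),
    AchEntry("000000002", "987654321", 98_000, "AUTH-2", "production"),
    AchEntry("000000003", "987654321", 98_000, "AUTH-2", "production"),  # accidental duplicate
    AchEntry("000000004", "555000111", 42_000, "", "production"),         # no authorization
]
AUTHORIZED = {"AUTH-1", "AUTH-2"}


def demo() -> tuple[int, int, int, list[str]]:
    """Run the three scenarios and return counts plus the production rejection reasons."""
    # Replaying the real file through the test channel: every entry is blocked.
    _, test_rejected = gate(SAMPLE_PRODUCTION_BATCH, AUTHORIZED, channel="test")
    # The same file scrubbed first passes the test channel.
    scrubbed_ok, _ = gate(scrub_for_test(SAMPLE_PRODUCTION_BATCH), AUTHORIZED, channel="test")
    # Sent to production, the duplicate and unauthorized entries are held back.
    prod_ok, prod_rejected = gate(SAMPLE_PRODUCTION_BATCH, AUTHORIZED, channel="production")
    return len(test_rejected), len(scrubbed_ok), len(prod_ok), [r for _, r in prod_rejected]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the environment check comes first so that a real file pointed at the test harness is stopped before any other logic sees it, which is the segregation control whose absence the order faults. The rejected list is returned rather than logged so that the caller can write it to an exception report and block the transmission.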
No doubt ACI agreed to the consent order’s bitter medicine in the hope of being able to move forward without even worse punishment through litigation. Notably, however, the consent order expressly states that it does not bar or otherwise prevent any other person (i.e., the affected consumers) or governmental agency from taking action against ACI.
What Is “Reasonable Security” for Mortgage Servicers and Their Providers?
It goes without saying that entities must develop, implement, and document thorough and effective policies to try to prevent any possible violation of a consumer’s right to have their confidential information protected. ACI incurred the wrath of the CFPB due to ACI’s alleged failure to have “reasonable security” in place to prevent the problem from occurring.
What is “reasonable security”? The consent order defines it as the adoption and enforcement of information security policies and human and technical internal control measures that are technically substantiated by the latest knowledge widely held within the information security research community, and that are:
- Documented in human-readable format by internal corporate threat modeling documents, incident response policies, and other relevant documentation; and
- Sufficient to defend and ensure the confidentiality, integrity, and availability of sensitive consumer financial information and ACI’s (read: the servicer’s) systems.
The Pace of Change is Striking
The pace of change in this regulatory environment continues to accelerate. Policies and procedures implemented years ago may be obsolete.
The Weltman firm’s compliance department keeps up to date with all changes in pertinent requirements as interpreted by the CFPB’s publications and case law. Weltman has implemented numerous physical, electronic, and procedural safeguards to protect nonpublic personal information, including:
- Implementation of a risk management policy, disaster recovery plan, and security incident response team to identify, measure, and manage risk to operations, safety, confidentiality, integrity or availability
- Reviewing and monitoring policies on a regular basis to ensure compliance with federal and state laws and regulations
- Submitting to an annual audit of its security measures by an independent firm
- Being subject to regular client audits, as well as internal audits conducted by Weltman’s compliance audit department and its business units to ensure compliance with applicable statutes, regulations, and client requirements
- Auditing by internal, client, and third parties to ensure that the programs are audited at least annually, and those risks are recorded and mitigated in accordance with Weltman’s risk management program
For information about Weltman’s security policies and programs, feel free to contact shareholder and compliance officer Eileen Bitterman at any time. For a copy of the CFPB – ACI consent order, click here.
This blog is not a solicitation for business and it is not intended to constitute legal advice on specific matters, create an attorney-client relationship or be legally binding in any way.