Payment Processor Agrees to $25 Million CFPB Consent Order

On June 27, 2023, a payment processor, without admitting or denying the allegations, agreed to a consent order with the CFPB to pay $25 million and to institute reasonable information security practices in connection with over $2.3 billion improperly processed mortgage payments. 

The alleged errors occurred when the payment processor internally tested its billing platform, using consumer data obtained from a national mortgage lender, which the processor failed to scrub to remove sensitive consumer financial information before running the simulation.  This error generated over 1.4 million ACH entries to occur that many borrowers were unaware of; leading borrowers to suffer insufficient funds or overdrawn account fees.

The CFPB asserted in the consent order that the payment processor violated the EFTA and its corresponding Regulation E, as well as the CFPA, which prohibits unfair acts or practices.  According to the CFPB, the payment processor’s alleged failure to adopt and enforce sufficient information security practices contributed to the testing error, put the billing platform at risk, and exposed consumers’ data in the process.