FOR IMMEDIATE RELEASE FROM
THE WASHINGTON DEPARTMENT OF FINANCIAL INSTITUTIONS

Contact
Lyn Peters, Director of Communications
PH (360) 349-8501 or CommunicationDir@dfi.wa.gov

10/17/2023
ACI Payments agrees to pay combined fines of $20 million to state regulators and state attorneys general and to maintain a comprehensive risk management program

OLYMPIA – The Washington State Department of Financial Institutions (DFI) joined regulators from 43 other states and entered into a legal settlement with ACI Payments, Inc. (ACI) imposing $10 million in fines and affirmative action requirements for initiating unauthorized electronic transactions. Additionally, 50 state attorneys general, including Washington State Attorney General Bob Ferguson, levied $10 million in fines against ACI in coordination with state regulators, for a total combined fine of $20 million.

ACI, a subsidiary of ACI Worldwide Corp., is a state-regulated money services business licensed in Washington and nearly all other U.S. states (NMLS ID 936777). ACI acted as a vendor for a mortgage servicing company to regularly process mortgage payments for borrowers through its Speedpay Platform. The state regulators determined that ACI erroneously used live customer data in a test of its Speedpay Platform, causing unauthorized mortgage payments to be processed from customer accounts. Adverse consequences experienced by 9,833 impacted Washington consumers were addressed by ACI prior to entry of the settlement.

The state regulators commenced a multi-state money transmission investigation reviewing all aspects of the event. The state regulators believe that the error was possible due to defects in ACI’s privacy and data security procedures and technical infrastructure.

“Washington will use its enforcement authority against companies that fail to have sufficient data security and internal controls in place to protect Washington consumers,” DFI Director Charlie Clark said. “This settlement demonstrates how state regulators and state attorneys general can work together to hold companies accountable, and to ensure consumers can confidently and securely pay their loans online without fear of unauthorized payments being made on their behalf.”

This enforcement action orders ACI Payments, Inc. to do the following:

  • Risk and Compliance Programs – Maintain a comprehensive Enterprise Risk Management Program and a Third-Party Risk Management Program tailored to the nature, size, complexity, and risk profile of ACI.
  • Agreement Monitoring – Regular reporting (for two years) to a state regulator monitoring committee to ensure both the adequacy of the risk management programs and compliance with the order.
  • Administrative Costs and Penalties – Payment of $10 million in fines for administrative costs and penalties.
