June 27, 2023

Enforcement Alert from Hudson Cook; CFPB Orders Payment Processor to Implement Information Security Program and Pay $25 Million Penalty

Lucy E. Morris and Gabriela Chambi


  • According to the CFPB, in a single event, a payment processor mistakenly initiated more than 1.4 million unauthorized mortgage payment transactions due to faulty information security practices, violating the Consumer Financial Protection Act, Electronic Fund Transfer Act, and Regulation E.
  • The processor neither admitted nor denied the CFPB's allegations, but consented to the entry of an administrative order that requires the processor to pay a $25 million penalty and develop and enforce certain information security practices.
  • According to the CFPB, the processor was a service provider to a large Mortgage Company. The Mortgage Company is not part of the Consent Order.


On June 27, 2023, the CFPB filed an administrative consent order against a payment processor headquartered in Elkhorn, Nebraska. The order alleges that on a single date in 2021, the processor erroneously initiated about 1.4 million unauthorized ACH withdrawals from consumers' bank accounts, in violation of the Consumer Financial Protection Act, the Electronic Fund Transfer Act, and Regulation E.

The CFPB found that the incident occurred when the processor was conducting "performance tests" on one of the Company's payment platforms. The CFPB found that these alleged unlawful transactions were a result of the Company's failure to establish and enforce information security practices, which constituted unfair acts or practices. In the Consent Order, the Company did not admit to these allegations. To resolve the matter, the Company agreed to pay a $25 million penalty and to develop policies and procedures related to its information security practices and the use of sensitive consumer financial information. In addition, the Consent Order prohibits the use of sensitive consumer financial information for software development or testing purposes, unless the Company documents a compelling business reason and obtains consumer consent. In what appears to be novel, the Consent Order also requires the processor to register with the Bureau's Company Portal for receiving and responding to consumer complaints and inquiries.

You can review all of the relevant court filings and press releases at the CFPB's Enforcement page.

Enforcement Alerts by Hudson Cook, LLP, written by the attorneys in the firm's Government Investigations, Examinations and Enforcement and Litigation practice groups, are provided to keep you informed of federal and state government enforcement actions and related actions that may affect your business. Please contact our attorneys if you have any questions regarding this Alert. You may also view articles, register for an upcoming CFPB Bites monthly webinar or request a past webinar recording on our website.

Hudson Cook, LLP provides articles, webinars and other content on its website from time to time provided both by attorneys with Hudson Cook, LLP, and by other outside authors, for information purposes only. Hudson Cook, LLP does not warrant the accuracy or completeness of the content, and has no duty to correct or update information contained on its website. The views and opinions contained in the content provided on the Hudson Cook, LLP website do not constitute the views and opinion of the firm. Such content does not constitute legal advice from such authors or from Hudson Cook, LLP. For legal advice on a matter, one should seek the advice of counsel.