InfoBytes Blog
CFPB levies $25 million penalty for EFTA violations
On June 27, the CFPB entered a consent order against a Nebraska-based payment processor and its Delaware-based subsidiary for alleged violations of the EFTA (Regulation E), and the Consumer Financial Protection Act’s prohibition against unfair acts and practices. According to the Bureau, in 2021 the respondent’s employees allegedly used sensitive consumer financial information while conducting internal testing, without employing the proper information safety protocols. The internal tests allegedly created payment processing files that were treated as containing legitimate consumer bill payment orders. According to the Bureau, the erroneous bill payment orders were allegedly sent to consumers’ banks for processing, which resulted in approximately $2.3 billion in mortgage payments being debited from nearly 500,000 borrower bank accounts without their knowledge or authorization. The Bureau alleged in its order that some consumers accounts were depleted, “depriving Affected Consumers of the use of their funds, including by being prevented from making purchases or completing other legitimate transactions, and many were charged fees, including fees for insufficient funds or overdrawn accounts.” While neither admitting nor denying any of the allegations, the respondent has agreed to pay a $25 million penalty, stop activities the Bureau deemed unlawful, and adopt and enforce reasonable information security practices.