When Testing Systems, Don’t Use Real Data!

When more than $2 billion was withdrawn from consumer bank accounts without authorization, the AGs took notice. The root cause? A payment processor’s use of real customer data instead of dummy data to test one of its payment products and faulty internal data security controls. In Episode 7, Meghan Stoppel and Emily Yu talk about why AGs are particularly concerned about this kind of consumer harm, and what companies can do to prevent this kind of scrutiny.

PRODUCED IN COLLABORATION WITH:

Stephen Cobb, Member, Executive Producer

Suzette Bradbury, Director of Practice Group Marketing (State AG Group)

Elisabeth Hill Hodish, Policy Analyst

Legal Internet Solutions Incorporated

Transcript

Emily Yu

Welcome to the third season of State AG Pulse. In this season, we’re selecting one story every week from the state AG news. Over the next  minutes, we’ll take a quick dive into that story to analyze the impact of AGs as regulators and consumer protection guardians, and provide tips to help your business work successfully with state AGs.

Meghan Stoppel

Hello and welcome back to the third season of State AG Pulse. My name is Meghan Stoppel. I am a partner here at Cozen O’Connor in our State AG Group, and it is my pleasure to be joined today by my colleague, Emily Yu. Emily, thank you for joining the podcast today and being part of this discussion.

Emily Yu

Hey, Meghan. Thanks for having me.

Meghan Stoppel

You’re welcome. Yeah. So Emily, you and I, we actually went back and forth quite a bit yesterday about which headline to select for this particular episode today. And we ultimately landed on a recently-announced multistate settlement that involved almost every single state, the District of Columbia, millions of dollars in settlement money. And I want to talk about why we picked this particular headline and what it tells us about how AGs operate, what they prioritize, and some of the similarities that we saw between this particular case and some of the other cases that we’ve seen in the headlines. So let’s just jump right in and do that.

Emily Yu

Yeah. So this case involves a payment processor company called ACI Worldwide, and they obviously process payments for a variety of clients. The client involved here is a mortgage servicer and, at issue here, is a payment platform called Speedpay, which ACI had previously acquired.

Meghan Stoppel

At first blush, this particular headline looked like it may have related to a cybersecurity incident. It involved what the New York Attorney General referred to in their press release as a testing error from a couple of years ago that led to the unauthorized withdrawal of over $ billion, and that’s billion with a B, from consumer bank accounts during a very short period of time. Was that on the Speedpay platform? Is that where this error originated, as a byproduct of this acquisition that you’re referring to?

Emily Yu

Yes. So the acquisition is important here because the testing errors were actually a result of some historical issues with Speedpay due to their prior IT vendors that they had been using even before ACI had acquired them. And as the investigation showed, these errors included faulty internal data security controls, and they found that there were failures to kind of keep testing protocols separate from payment processing protocols.

Meghan Stoppel

Yeah. And one of the things I remember from reading the press release that New York put out in particular is that instead of using, I think, what New York referred to as “dummy data” here to conduct some of the testing on this platform, ACI mistakenly used actual customer information from this mortgage servicer. And that is what caused them to accidentally withdraw mortgage payments from hundreds of thousands of bank accounts. It’s one of the reasons why this particular headline drew my attention. You had real customer impact here, real consumer harm as a result of this error. And even if you’ve got a regulator attaching the label of error or mistake to the company’s conduct, if it results in real harm to the customer, arguably, that’s something that the regulators are going to be very interested in looking into.

Emily Yu

Although ACI was able to reverse the erroneous debits and credits from these customers’ accounts within a day, there were still, I think, somewhere around , customers that had flagged to the AGs’ offices and to the state regulators that they had been impacted.

Meghan Stoppel

Right, right. Yeah, and I think that’s a really important takeaway here is that if you’ve got customers picking up the phone and calling the AG’s office or emailing in or filling out those complaint forms, it really is going to increase the scrutiny that’s placed on your business. So let’s talk a little bit about how the case ultimately resolved itself because, obviously, this hit the headlines. There was a settlement. There was a settlement payment, I think it was … Was it $ million, Emily? Is that correct?

Emily Yu

Yeah, it was $ million to be distributed among the almost  states and DC and Puerto Rico. So kind of in comparison to the amount that was withdrawn from borrowers’ accounts, $. billion, the $ million amount seemed relatively low to me. But maybe that’s because ACI was able to fix so many of these errors very quickly.

Meghan Stoppel

That’s a really good point about the responsiveness of the company. How quickly they, without intervention by the regulator, try to make it right for the customer or address the error or the oversight, is really important from the regulator’s perspective, and it’s certainly important from the state AG’s perspective. And I want to take a minute, just because we keep using the phrase regulators here intentionally. The reason is because this wasn’t just a state AG investigation. It was actually an investigation that involved the AGs and the other state regulators that license money transmitters. Why were the money transmitter regulators involved in this case, Emily?

Emily Yu

Yeah. So the state money transmission regulators of the bulk of those  states and territories got involved because ACI is a licensed money transmitter, and the regulators actually entered a separate settlement agreement with ACI around the same time as the AGs entered their agreement.

Meghan Stoppel

Yeah. Yeah, and I think that is really noteworthy because this case is just one more example of how the state AGs work in tandem with their colleagues, with other regulators and other agencies, to bring enforcement actions, to conduct those investigations. We saw it  years ago when the AGs were negotiating and investigating mortgage servicers on a national scale, leading to the national mortgage settlement. Those settlements back in , ,  were with the mortgage servicers and were often executed in tandem with the state banking regulators who, oftentimes, had jurisdiction over the same conduct. But we’re seeing it, also, in other contexts. We saw it just a few years ago in the environmental context, where you’ve got AGs working with their state environmental agencies and entering into parallel settlements. I think what’s really interesting about this case is that I suspect we’re going to continue to see it in the privacy and information security space, especially now that California has their own dedicated state agency enforcing their privacy laws. Let’s talk a little bit, Emily, about what it was about this case that really, I think, piqued our interest.

Emily Yu

I think the takeaway is if you’re going to run testing on some kind of software, do not use real customer data. In this day and age, where it is so easy to have AI-generated or just machine learning-generated data, I think companies would be wise to use those new tools to their advantage to generate similar data from actual customer data to avoid situations like this, where real individuals’ debit and credit card accounts are being tapped into when a company is just running some testing on their software.

Meghan Stoppel

It’ll be interesting to see if we, in future settlements, start to see that type of language embedded in some of these settlement documents. This settlement document does contain a number of those information security terms that I think a lot of our listeners maybe wouldn’t expect to see outside the context of a data breach investigation or a data breach settlement document. Data security, privacy, information security, that issue pervades state AG offices. And it doesn’t matter if you’re talking about it in the context of a data breach or a cybersecurity incident, a ransomware attack, right? They’re always looking at that issue from, really, the lens of, “How does it impact consumers?” When a regulator gets involved and they see what they believe to be a data security lapse, and especially a lapse that I think results in consumer harm, in this case, the unauthorized withdrawals, and they start digging and they find the root cause of that data security lapse, they’re going to take action to address it even if it was a mistake, even if it was error.

And I do think this type of settlement really raises the bar for companies, regardless of what industry they’re in, to keep an eye not only on what data they are using to test their products, but on their vendors. Are their vendors adhering to their policies? Things like that. So it’s really just a fascinating story, and to the extent our listeners have a chance to go and look at the press releases, look at the settlement documents, I would encourage you to do so. Emily, thank you. Thank you again for your time, for joining me for this conversation. Really appreciate it. It’s been a pleasure to have you on the podcast. And thank you to our listeners for tuning in. Please join us next time.

Emily Yu

You have been listening to State AG Pulse, brought to you by Cozen O’Connor’s State AG Group and The State AG Report. Please leave us a five-star rating and, of course, tune in again next week.
