CFPB Hits Dwolla With $100K Fine Over Data Security Practices


The Consumer Financial Protection Bureau said Wednesday (March 2) that it has taken action against Dwolla, an online payment platform company. The enterprise, said the bureau, deceived consumers about the firm’s data security and the safety of its payment platform.

As a result, said the bureau, Dwolla must pay out $100,000 in penalties and endeavor to repair its security initiatives.

In a statement released in tandem with news of the charges, CFPB Director Richard Cordray said: “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

The company, said the CFPB, had 650,000 users as of May 2015 and transferred as much as $5 million daily. Each transaction utilizes the customer’s name, address, Social Security number and other sensitive data. Yet Dwolla, said the CFPB, made false claims when it said its data security practices were more stringent than industry standards, and it debuted applications without proper security testing. Some information was not encrypted, contrary to what had been claimed.

In order to provide redress, the CFPB ordered the firm to train its employees on data security and also on how to fix security flaws in its Web and mobile apps. The firm was also ordered to maintain accurate and consistent risk assessments alongside audits. The penalty itself is being paid to the CFPB’s Civil Penalty Fund, said the release. In addition, the CFPB continued, the firm was ordered to “stop misrepresenting” the extent and efficacy of its data practices, while continuing to strengthen the maintenance and safeguarding of sensitive consumer information.


Dwolla reached out to PYMNTS to provide clarification about the timeframe of the investigation, and noted that it has addressed the concerns noted above by the CFPB. Dwolla’s statement is provided below:

Dwolla is glad to have come to a resolution with the CFPB regarding its investigation. The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012. Dwolla understands the Bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.

The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices. This is consistent with the fact that since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. During this time, Dwolla had many other layers of data security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers.

