The CFPB’s action against online payment provider Dwolla – its first action related to data security – is a game-changer. The CFPB zeroed in on Dwolla for deceiving consumers about its data security practices and the safety of its online payment system.
The bureau ordered the Des Moines, Iowa-based Dwolla, an agent of the $65 billion, Houston-based Compass Bank and the $2.7 billion, Waterloo, Iowa-based Veridian Credit Union, to pay a $100,000 penalty and fix its security practices.
“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
The CFPB said since December 2009, Dwolla collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and transferred as much as $5 million per day. For each account, Dwolla collected personal information including the consumer’s name, address, date of birth, telephone number, Social Security number and bank account, as well as routing numbers, a password and a unique four-digit PIN.
The CFPB’s action against Dwolla is significant in that it marks the bureau’s initial venture into an area that was the Federal Trade Commission’s province. It also creates apprehension for digital payment companies and other e-commerce providers in that it establishes a burdensome level of supervision: the consent order requires a twice-annual risk assessment and an annual audit, along with board approval of the company’s data security program, policies and procedures.
According to a CFPB press release announcing the action, from December 2010 to 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. Dwolla also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure, the CFPB said.
Rather than setting “a new precedent for the payments industry” as asserted, Dwolla’s data security practices in fact fell far short of its claims, the bureau continued, adding that such deception about security and security practices is illegal.
“Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws,” the CFPB release disclosed. “This is the bureau’s first data security action, and builds off advances made by several other agencies.”
Under the terms of the order, Dwolla must:
- Stop deceiving consumers about the security of its online payment system and enact comprehensive data security measures and policies, including a program of risk assessments and audits.
- Train employees on the company’s data security policies and procedures, and on how to protect consumers’ sensitive personal information. Dwolla must also fix any security weaknesses found in its web and mobile applications, and securely store and transmit consumer data.
- Pay a $100,000 penalty to the CFPB’s Civil Penalty Fund.
“Dwolla is glad to have come to a resolution with the CFPB. The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012,” said an official statement. “Dwolla understands the bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.”
As an old engineering adage goes, “The good thing about standards is there are so many to choose from.” Financial institutions and technology companies need regulatory consolidation with stronger and clearer direction and definitions.