CFPB Takes First Action on Data Security, Hits Dwolla

LAS VEGAS — The Consumer Financial Protection Bureau on Wednesday ordered the online payment processor Dwolla Inc. to pay a $100,000 fine for deceiving customers about its security practices — the first action it has taken related to data security.

The agency said that the Des Moines company misrepresented its data security practices from December 2010 to 2014 by failing to encrypt some personal consumer information. On its website, the company had stated that its security practices ensured personal data was "safe" and "secure," when Dwolla released applications to the public before testing whether they were secure, the agency said.

"Consumers entrust digital payment companies with significant amounts of sensitive personal information," CFPB Director Richard Cordray said in a press release. "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices."

Though data security breaches typically fall under the jurisdiction of the Federal Trade Commission, the CFPB is authorized to take actions against institutions that engage in unfair, deceptive or abusive actions or practices, known as UDAAP. Both agencies share oversight of certain areas, including debt collection, payday lending and auto financing. Dwolla said in a statement that it was "glad to have come to a resolution with the CFPB regarding its investigation." The CFPB did not find that Dwolla caused any consumer harm or any indication of a data breach, the company said.

"The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012," the company said in a blog post. "Dwolla understands the bureau's concerns regarding the protection of consumer data and representations about data security standards, and Dwolla's current data security practices meet industry standards."

The CFPB's action may come as a surprise since Dwolla is a member of the Federal Reserve's faster payments task force. Last year, Dwolla teamed with the $89 billion-asset BBVA Compass to offer real-time payments. But in 2013, the Department of Homeland Security issued a court order against Dwolla to cease operations with Mt. Gox, the largest bitcoin exchange.

Though the Dodd-Frank Act granted the CFPB enforcement authority under UDAAP, industry lawyers suggested the action was another sign of overreach.

"It ups the ante and escalates the concern that companies have in this area of data security and data breaches," said Alan Kaplinsky, who leads the consumer financial services group at Ballard Spahr. "My belief until this action was that the CFPB was going to let the FTC handle this area."
