The CFPB took action against the online payment platform provider Dwolla for deceiving consumers about its data security practices and the safety of its online payment system.

The bureau ordered the Des Moines, Iowa-based Dwolla, an agent of the $2.7 billion, Waterloo, Iowa-based Veridian Credit Union and the Houston-based Compass Bank, to pay a $100,000 penalty and fix its security practices.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

The CFPB said since December 2009, Dwolla collected and stored consumers' sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and transferred as much as $5 million per day. For each account, Dwolla collected personal information including the consumer's name, address, date of birth, telephone number, Social Security number and bank account, as well as routing numbers, a password and a unique four-digit PIN.

According to a CFPB press release announcing the action, from December 2010 to 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure, the CFPB said.

Rather than setting “a new precedent for the payments industry” as asserted, Dwolla's data security practices in fact fell far short of its claims, the bureau continued, adding that such deception about security and security practices is illegal.

“Dwolla is glad to have come to a resolution with the CFPB regarding its investigation. The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012,” Jordan Lampe, director of communications and policy affairs for Dwolla, said in an official statement emailed to CU Times. “Dwolla understands the bureau's concerns regarding the protection of consumer data and representations about data security standards, and Dwolla's current data security practices meet industry standards.”

The statement continued, “The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices. This is consistent with the fact that since its launch more than five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We've never been more proud of our information security policies, practices and technologies, and have gone to great lengths to implement them up, down, and across the company. The data security assessments that are part of the settlement will validate that implementation process.”

Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data security practices by:

  • Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
  • Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.

“Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws,” the CFPB release disclosed. “This is the bureau's first data security action, and builds off advances made by several other agencies.”

Under the terms of the order, Dwolla must:

  • Stop deceiving consumers about the security of its online payment system and enact comprehensive data security measures and policies, including a program of risk assessments and audits.
  • Train employees on the company's data security policies and procedures, and on how to protect consumers' sensitive personal information. Dwolla must also fix any security weaknesses found in its web and mobile applications, and securely store and transmit consumer data.
  • Pay a $100,000 penalty to the CFPB's Civil Penalty Fund.

Dwolla also posted the following comment on its blog:

“When we first started in Iowa, we were a young company trailblazing new technologies, possibilities, and concepts in payments. Our biggest challenge was describing to customers the innovation and value we were creating for them.

“One item we were specifically proud of was the way we were rethinking payments and developing a system that did not disclose sensitive financial information at the time of transaction, such as credit card numbers on file with merchants, and bank account numbers printed on checks.

“Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time, we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company's intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.

“Since its launch more than five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We've continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures and technologies.”
