From Banking and Finance Law Daily, March 3, 2016

CFPB takes down digital payment processor for deceptive practices

By Katalina M. Bianco, J.D.

The Consumer Financial Protection Bureau has ordered Iowa-based online payment company Dwolla, Inc., to pay a $100,000 civil money penalty for allegedly deceiving consumers about its data security practices. The bureau also ordered the company to “fix its security practices.” This is the bureau’s first data security enforcement action.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

According to the CFPB, since December 2009, Dwolla has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collects personal information—including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.

Consent Order. According to the bureau’s consent order, Dwolla violated Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act (12 U.S.C. §§ 5563, 5565) by engaging in deceptive acts and practices relating to false representations about its data security practices. The bureau charged that Dwolla falsely claimed its security practices “exceed” or “surpass” industry standards while failing to employ “reasonable and appropriate measures” to protect consumers’ data. Further, Dwolla claimed that “its information is securely encrypted and stored” while failing to encrypt the data and releasing applications to the public before testing whether they were secure. The CFPB charged that the company’s security practices “fell far short of its claims.”

Under the order, in addition to paying $100,000 to the CFPB’s Civil Penalty Fund, Dwolla is required to: (1) stop misrepresenting its data security practices; and (2) properly train employees on company data security policies and procedures and on how to protect consumers’ personal information.

Stipulation. Without admitting or denying any wrongdoing, Dwolla stipulated to the facts described in Section IV of the order and consented to the issuance of the order.

Companies: Dwolla, Inc.
