The Consumer Financial Protection Bureau on Wednesday ordered online payment processor Dwolla Inc. to pay a $100,000 fine for deceiving customers about its security practices — the first action it has taken related to data security.
The agency said that the Des Moines-based company misrepresented its data security practices from December 2010 to 2014 by failing to encrypt some personal consumer information. On its web site, the company had stated that its security practices ensured personal data was "safe" and "secure," when Dwolla released applications to the public before testing whether they were secure, the agency said.
"Consumers entrust digital payment companies with significant amounts of sensitive personal information," CFPB Director Richard Cordray said in a press release. "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices."
Though data security breaches typically fall under the jurisdiction of the Federal Trade Commission, the CFPB is authorized to take actions against institutions that engage in unfair, deceptive or abusive actions or practices, known as UDAAP. Both agencies share oversight of certain areas, including debt collection, payday lending and auto financing.
Dwolla said in a statement that it was "glad to have come to a resolution with the CFPB regarding its investigation." The CFPB did not find that Dwolla caused any consumer harm or any indication of a data breach, the company said.
"It ups the ante and escalates the concern that companies have in this area of data security and data breaches," said Alan Kaplinsky, who leads the consumer financial services group at Ballard Spahr. "My belief until this action was that the CFPB was going to let the FTC handle this area."