According to a CFPB press release announcing the action, from December 2010 to 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They also claimed that they encrypted all sensitive personal information and that its mobile applications were safe and secure, the CFPB said.

Rather than setting “a new precedent for the payments industry” as asserted, Dwolla's data security practices in fact fell far short of its claims, the bureau continued, adding that such deception about security and security practices is illegal.

“Dwolla is glad to have come to a resolution with the CFPB regarding its investigation. The investigation covers a snapshot in time that ended almost two years ago, and the claim focuses on practices that trace to 2011 and 2012,” Jordan Lampe, director of communications and policy affairs for Dwolla, said in an official statement emailed to CU Times. “Dwolla understands the bureau's concerns regarding the protection of consumer data and representations about data security standards, and Dwolla's current data security practices meet industry standards.”

The statement continued, “The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices. This is consistent with the fact that since its launch more than five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We've never been more proud of our information security policies, practices and technologies, and have gone to great lengths to implement them up, down, and across the company. The data security assessments that are part of the settlement will validate that implementation process.”

Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data security practices by:

• Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
• Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.

“Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws,” the CFPB release disclosed. “This is the bureau's first data security action, and builds off advances made by several other agencies.”

Under the terms of the order, Dwolla must:

• Stop deceiving consumers about the security of its online payment system and enact comprehensive data security measures and policies, including a program of risk assessments and audits.
• Train employees on the company's data security policies and procedures, and on how to protect consumers' sensitive personal information. Dwolla must also fix any security weaknesses found in its web and mobile applications, and securely store and transmit consumer data.
• Pay a $100,000 penalty to the CFPB's Civil Penalty Fund.

Dwolla also posted the following comment on its blog:

“When we first started in Iowa, we were a young company trailblazing new technologies, possibilities, and concepts in payments. Our biggest challenge was describing to customers the innovation and value we were creating for them.

“One item we were specifically proud of was the way we were rethinking payments and developing a system that did not disclose sensitive financial information at the time of transaction, such as credit card numbers on file with merchants, and bank account numbers printed on checks.

“Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time, we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company's intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.

“Since its launch more than five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We've continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures and technologies.”