Digital Transactions Authoritative, insightful and timely information for payments professionals
With its enforcement action against Dwolla Inc., announced on Wednesday, the Consumer Financial Protection Bureau made plain it is expanding its writ to include data-security practices and putting digital-payments startups in its cross-hairs. The ripple effect could reach a number of payments providers if they are incautious about data protection or how they represent such protection to users, experts say.
The bureau cited Des Moines, Iowa-based Dwolla, which began operations in 2010, for, among other things, failing to encrypt user data in its system and misrepresenting its security policies. Its order hit the young firm with a $100,000 fine and required it to fix the alleged security flaws and train its employees in security procedures.
The order against Dwolla is the CFPB’s first such action regarding data security, according to the bureau, which in recent months has been especially active in policing such matters as faster payments, transaction processing’s relation with debt collectors, and prepaid card practices.
Perhaps the CFPB complaint’s most serious charge is that Dwolla “in numerous instances” stored or transmitted unencrypted user data, including names, addresses, Social Security Numbers, bank-account numbers, and passwords used to access accounts. To make user registration easier, Dwolla has also allowed users to email scans of such documents as Social Security cards and passports, the bureau alleges.
Dwolla’s platform allows consumers to pay each other and businesses via their accounts. The company relies on automated clearing house transfers to allow users to fund their Dwolla accounts from their bank accounts, a process it has spent considerable time and resources to speed up so that funds availability can be established in real time. Its most recent development is a service that allows consumers to make recurring payments via the ACH for subscription services and like service providers.
While Dwolla in recent years has refused to disclose how many accounts it has attracted, the CFPB says it had 653,000 as of May of last year, and that at that time users were conducting as much as $5 million daily in transactions.
Contacted by Digital Transactions News, a Dwolla spokesperson said the company is not commenting on the CFPB action beyond an official statement and a blog post on its Web site.
In its statement, the company stresses that it has had no indications over the years that it has sustained a data breach.
“The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data-security practices,” the statement reads. “This is consistent with the fact that since its launch over [five] years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. During this time, Dwolla had many other layers of data-security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers.”
Many of the CFPB’s allegations are hedged with references to specific time spans, leaving unclear whether the security flaws complained of are still active. In one instance, for example, the bureau’s consent order reads: “From its launch until at least September 2012, Respondent did not adopt or implement reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers’ personal information.”
Still, experts contacted by Digital Transactions News say the bureau’s action against Dwolla could have wider implications for payments providers and their claims about data security. “I think this [action] will have many [firms] double-checking to ensure their customer-facing assertions are backed by reality,” says Julie Conroy, research director at Aite Group, a Boston-based research firm.
