The Consumer Financial Protection Bureau (“CFPB”) made headlines last week by taking action against Dwolla, an online and mobile payments platform. The CFPB imposed a $100,000 penalty against Dwolla, and while the dollar amount of the penalty may appear to be small compared to other civil money penalties, the action is significant because it is the first action the CFPB has taken in the data security area and provides insight into future enforcement activities surrounding data security by the CFPB. It also serves as a notable reminder of the CFPB’s broad enforcement powers, which go beyond financial institutions to non-FI companies that deliver financial products and services to consumers. While the CFPB lacks authority over the substantive data security requirements that are enforced by the federal financial regulators, that poses no obstacle to the CFPB’s ability to take an action, like this, initiated under its authority to police “deceptive” acts or practices.
Dwolla offers a service that allows users to direct Dwolla to transfer funds to another consumer or merchant, either from funds in the user’s Dwolla account or from the user’s personal bank account that is linked to the user’s Dwolla account. Users can send such transfers either online or through the Dwolla mobile application and, ultimately, the transactions typically are settled via the ACH network.
Users must provide various personal information to use Dwolla. To open a Dwolla account, users must provide their name, address, date of birth, telephone number, and Social Security Number. To link a bank account to a Dwolla account, users must also provide their bank account number and routing number.
Where Did Dwolla Go Wrong?
Despite making numerous representations regarding the safety and security of users’ personal information, the CFPB found that such representations were not true. According to the CFPB, Dwolla misrepresented its data security practices and deceived consumers. For example, the CFPB’s consent order states that Dwolla made the following representations either on Dwolla’s website or in direct communications with consumers:
- Dwolla’s data security practices “exceed industry standards” or “surpass industry security standards;”
- Dwolla “sets a new precedent for the industry for safety and security;”
- Dwolla stores consumer information “in a bank-level hosting and security environment;”
- Dwolla encrypts data “utilizing the same standards required by the federal government” and “all sensitive information that exists on its servers;”
- “All information is security encrypted and stored”;
- “100% of your info is encrypted and stored securely;”
- Dwolla uses “industry standard encryption technology;”
- Dwolla “encrypt[s] data in transit and at rest;”
- “Dwolla’s website, mobile applications, connection to financial institutions, back end, and even APIs use the latest encryption and secure connection;” and
- Dwolla is “PCI Compliant.”
In fact, Dwolla did not encrypt all sensitive personal information at rest and Dwolla was not PCI compliant. Specifically, Dwolla failed to encrypt the following data fields, either in transit or rest:
- First and last name;
- Mailing addresses;
- 4-digit PINs used to access Dwolla accounts;
- Social Security numbers;
- Bank account information; and
- Digital images of driver’s licenses, Social Security cards, and utility bills.
Dwolla also encouraged its users to submit sensitive personal information through email, in clear text, such as Social Security numbers and scanned images of driver’s licenses, utility bills, and passports. For several years, Dwolla failed to adopt or implement data-security policies and procedures or a written data-security plan. Dwolla also failed to conduct regular risk assessments to identify internal and external risks to consumers’ personal information and assess the safeguards in place to control such risks.
Dwolla employees lacked adequate data-security training, and despite hiring a third party auditor to conduct penetration testing of Dwolla’s website, Dwolla took no action to address findings in that audit pointing to inadequate data-security training.
The CFPB determined that Dwolla’s representations regarding its data security practices constituted deceptive acts or practices in violation of the Consumer Financial Protection Act. The Federal Trade Commission, which has enforcement authority over nonbank financial institutions under the Gramm-Leach-Bliley Act, has previously obtained several data security settlement agreements resulting from violations of the prohibition against unfair or deceptive acts or practices under the Federal Trade Commission Act, but this is a first for the CFPB. The enforcement action requires Dwolla to take the following actions:
- Stop misrepresenting its data security practices;
- Adopt and implement reasonable and appropriate data-security measures to protect consumers’ personal information;
- Establish, implement, and maintain a written, comprehensive data-security plan and appropriate data security policies and procedures;
- Designate a qualified person to coordinate and be accountable for the data-security program;
- Conduct data-security risk assessments twice annually;
- Evaluate and adjust the data-security program in light of the results of risk assessments and monitoring;
- Conduct regular, mandatory employee training on data-security policies and procedures, safe handling of consumers’ sensitive personal information, and secure software design, development and testing;
- Develop, implement, and update security patches to fix any security vulnerabilities;
- Develop, implement, and maintain an appropriate method of customer identity authentication at the registration phase and before effecting a funds transfer;
- Develop, implement, and maintain reasonable procedures for selecting and retaining service providers capable of maintaining adequate security practices; and
- Obtain an annual data-security audit from an independent, qualified third-party.
Dwolla must also pay a $100,000 civil money penalty and meet various reporting, recordkeeping, and compliance monitoring requirements for several years.
This enforcement action should serve as a wake-up call to any company that handles consumers’ personal and financial account information, including companies in the emerging/alternative payments and financial technology (“FinTech”) space. The CFPB is closely monitoring the data security practices of companies that offer financial services, even non-depository companies that are not regulated by other financial regulators like the Office of the Comptroller of the Currency (“OCC”), Federal Deposit Insurance Corporation (“FDIC”), or Federal Reserve. A company is not immune from CFPB scrutiny just because it has not suffered a data security breach incident.
Companies should review all advertising and marketing materials as well as content displayed on the company’s website and in the company’s mobile application. Any statements or representations regarding data security and privacy should be evaluated to determine whether they accurately reflect of the company’s data security policies and procedures. The list of actions that the CFPB is requiring Dwolla to take should also serve as guidance regarding the CFPB’s expectations in this area.