On February 27, the Federal Trade Commission filed an Agreement Containing Consent Order (“Agreement”) with respect to an administrative Complaint that the FTC had filed against PayPal, Inc. The Agreement requires PayPal to correct the issues that the FTC alleged in the Complaint as violations of the Gramm-Leach-Bliley Act, the Privacy Rule and Regulation P, the Safeguards Rule, and the FTC Act through PayPal’s ownership and operation of Venmo, a peer-to-peer payment service.

Some peer-to-peer payment applications state that they are not “financial institutions” under the GLB Act because they are not traditional brick-and-mortar banks or lenders. The FTC’s Complaint, however, stated that PayPal is a “financial institution” under the GLB Act because PayPal “is significantly engaged in ‘transferring money,’ one of the activities listed as financial in nature under the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k)(A), … and … in data processing and transmission, financial activities listed by the Consumer Financial Protection Bureau (“CFPB”) in Regulation Y, 12 C.F.R. § 225.28(b)(14), as covered by GLB.”

The conclusion that PayPal is a “financial institution” allowed the FTC to further allege that PayPal violated the Privacy Rule and Reg P by allegedly failing to provide a clear and conspicuous initial privacy notice to its customers, failing to provide an accurate privacy notice, and failing to deliver the initial privacy notice so that each customer could reasonably be expected to receive actual notice. For instance, the mobile app did not require customers to acknowledge receipt of an initial privacy notice as a necessary step to obtaining a particular financial product or service.

The Complaint also alleges that PayPal violated the Safeguards Rule until approximately March 2015 by failing “to have a written information security program,” failing “to assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information,” and failing “to implement basic safeguards to protect the security, confidentiality, and integrity of consumer information,” including failing “to provide security notifications to consumers … and … to maintain adequate customer support to timely investigate and respond to users’ reports concerning account compromise or unauthorized transactions.”

The Complaint alleges that PayPal violated the FTC Act by telling its users that money credited to their Venmo balances could be transferred to their external bank accounts, but Venmo failed to disclose that the transactions were still subject to review and that the funds could be frozen or removed. Venmo allegedly waited until users attempted to transfer funds to review the transactions for fraud, insufficient funds, and other problems. Many users experienced a delay in transfer or reversal of the transaction once the final review took place. This practice allegedly led to significant financial hardship for many consumers. The Complaint also alleges that PayPal violated the FTC Act by allegedly misrepresenting the extent to which users could control the privacy of their transactions, and the extent to which users’ financial accounts were protected by “bank grade security systems.”

In the Agreement Containing Consent Order, PayPal neither admitted nor denied the allegations in the Complaint. The key parts of the Agreement are the following:

  • PayPal is prohibited from misrepresenting any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which Venmo implements or adheres to a particular level of security.
  • PayPal is required to disclose to consumers, clearly and conspicuously, that when transferring or withdrawing funds to a bank account such funds could be frozen or removed as a result of transaction reviews performed during the bank transfer or withdrawal process. PayPal must issue a notice to users that when a user attempts to withdraw funds to a bank account, PayPal will perform transaction reviews, and based on such review, may block or delay the transfer or withdrawal, and/or reverse a payment transaction. PayPal is further required to disclose, clearly and conspicuously, how a user’s transaction information will be shared with other users and how the user can use privacy settings to limit or restrict the visibility or sharing of the user’s transaction information.
  • PayPal is also required to “obtain initial and biennial assessments and reports … of the Venmo Payment and Social Networking Service from a qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession.”

The Complaint and Agreement Containing Consent Order reveal that the FTC is continuing to pay close attention to privacy and data issues and the representations that a company makes about its security systems and data integrity. The Complaint and Agreement also reveal that the FTC is scrutinizing the payments industry to make sure that a company’s representations about the availability of funds is clear, conspicuous, and accurate.