The Consumer Finance Protection Bureau (CFPB) entered into its first consent order in the data privacy arena, joining the growing number of federal agencies that have asserted authority as privacy and data security regulators. The consent order imposes a $100,000 fine on Dwolla, Inc., an online payment system company that operates a payment platform that allows customers to transfer funds to third parties from their Dwolla account or linked bank account. The CFPB alleged that Dwolla made deceptive statements about its data security practices, essentially claiming that its practices “exceeded” industry standards when in fact those practices fell short of what the Bureau considered reasonable. The order is based on CFPB’s authority under the Consumer Finance Protection Act (Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act), which authorizes CFPB to take action against institutions that commit or engage “in an unfair, deceptive, or abusive act or practice” in connection with a transaction for or offering of a consumer financial product or service. Notably, the CFPB’s action was apparently not prompted by a data breach.