The Federal Trade Commission (FTC) entered into a Consent Order with an online payment system company, settling charges that its payment and social networking service violated the Gramm-Leach-Bliley Act (GLBA) and related regulations, as well as Section 5 of the Federal Trade Commission Act regarding unfair or deceptive acts or practices (UDAP).

What happened

The payment and social networking app permits consumers to make peer-to-peer payments. Because it is substantially engaged in financial activities, the company is a “financial institution” subject to the GLBA, the FTC said. Regulation P and the Privacy Rule—which implement provisions of the statute—require covered entities to provide customers with initial and annual privacy notices that are “clear and conspicuous,” that accurately reflect the entity’s privacy policies and practices, and that are provided in a manner such that consumers can reasonably be expected to receive them.

However, according to the FTC, the company failed to provide a clear and conspicuous initial privacy notice to its customers, instead simply informing users that by “signing up, you are agreeing to [the app’s] User Agreement and Privacy Policy.” This statement—delivered in gray text on a light gray background—did “not provide a clear and conspicuous initial privacy notice designed to call attention to the nature and significance of the information in the notice, as required by the Privacy Rule and Reg. P,” according to the FTC’s administrative complaint.

In addition, the privacy policy was inaccurate and was not provided in a way such that consumers could reasonably be expected to receive it, the FTC said.

The company also violated the GLBA’s Safeguards Rule, the agency said, which requires financial institutions to protect the security, confidentiality and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical and physical safeguards. In this regard, the FTC stated that, until 2014, the company did not have any written information security program, and even when it did, it failed to assess the reasonably foreseeable internal and external risks or to implement basic security and confidentiality safeguards as required by the rule, the FTC claimed.

With regard to Section 5 of the FTC Act and UDAP issues, the agency found three areas of concern.

By default, all transactions are displayed on the app’s social news feed, even to visitors who do not have an account. Users may restrict the visibility of their transactions only through the app’s privacy settings.

The FTC took issue with the app’s “Default Audience Setting,” which the agency said would lead a reasonable consumer to believe that he or she could limit the visibility of all future transactions. However, consumers were required to make a second, additional change to their privacy settings in order to ensure that all transactions remained private, the FTC said. “These results are directly contrary to the expectations of a reasonable consumer,” according to the complaint.

By overstating its information security practices, the company also violated Section 5, the FTC said. The company made statements including, “[The app] uses bank-grade security systems and data encryption to protect your financial information” and “[The app] uses bank-grade security systems and data encryption to protect you and guard against unauthorized transactions and access to your personal or financial information.”

Until March 2015, however, the company did not implement sufficient safeguards to protect the security, confidentiality and integrity of consumer information, the FTC asserted. The company failed to provide consumers with security notifications regarding changes to account settings (such as when a password or email address was changed or a new device added), leading to instances where unauthorized users successfully took over consumers’ accounts, changed the password and/or email associated with it, and withdrew funds, all without any notification to the affected user.

The company also misrepresented how consumers could cash out a payment, the FTC said. When a payment is made, the company notifies the recipient and informs him or her the funds can be transferred to a designated external bank account linked to the app. In numerous instances, the company has stated that consumers can “cash out to any bank overnight” or “[q]uickly transfer money to your bank.”

Despite these representations, the company does not verify or approve a transaction until after consumers initiate a transfer of funds to an external account, which could result in either substantial delays in the transfer or reversal of the transaction, the FTC alleged.

The company failed to disclose this fact, which resulted in financial hardships for consumers who were then unable to pay their rent or other bills, the agency said, while some users incurred a loss after delivering an item to a purchaser only to find that the money that was purported to be credited had been removed from their account.

To settle the charges, the company—which neither admitted nor denied any of the allegations in the complaint—agreed to cease further violations of the GLBA and accompanying rules, and submit biennial assessments and reports from a qualified, independent third party for a ten-year period.

The company further agreed to cease any further misrepresentations of any material restriction, limitation or condition to the use of the app’s services, and in connection with its privacy and security measures, to cease misrepresenting the extent of control provided by privacy settings, or that it adheres to a particular level of security.

The company also agreed to clearly and conspicuously disclose that transactions are subject to review and that funds can be frozen or removed as a result of a transaction review. It will also provide users with information about using privacy settings to limit or restrict the visibility or sharing of their information.

To read the FTC’s administrative complaint, click here.

To read the agreement containing the consent order, click here.

Why it matters

“This case sends a strong message that financial institutions like [the company and its app] need to focus on privacy and security from day one,” cautioned FTC Acting Chair Maureen K. Ohlhausen in a statement about the action. An FTC blog post also advised businesses to be transparent about consumers’ payments, particularly where new financial technologies are involved. “[B]e clear [with consumers about] when payments are sent and when they’re actually received,” the agency wrote. “If there are material terms or limitations, disclose them clearly.” Companies should also think through their data defaults, keep privacy options accurate, and make sure to consider the application of the GLBA and its attendant rules, the FTC recommended. The statute defines the term “financial institution” broadly, with a scope that “extends beyond businesses with tellers, vaults, and ballpoint pens chained to the table,” the agency said, so companies in the rapidly growing peer-to-peer payment industry should keep the law’s requirements in mind.

Although the GLBA does not provide for a private right of action, this administrative action by the FTC shows that the GLBA nevertheless can have real teeth, so compliance with the GLBA and Regulation P continues to be important.