Regulators are serving notice a fast-growing online money-transfer business, stating that they must safeguard consumers' private data and live up to the promises they make about their security procedures.
The Consumer Financial Protection Bureau has ordered Dwolla to pay a $100,000 penalty for misleading consumers about its data security practices and instructed the company to fix its security practices.
Dwolla, based in Des Moines, Iowa, said the procedures questioned by the CFPB had taken place in earlier years and said it has improved its practices since then.
Dwolla, like others in the online payments business, takes much of the grunt work out of moving money online by simplifying the automated clearing house (ACH) process.
"Our ACH transfer platform securely verifies and connects your customers to their bank or credit union accounts for safe and quick transactions," the company says on its website, saying it offers "a fast, lightweight onboarding experience."
“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
Dwolla said it has more than 650,000 users and moves as much as $5 million per day. It noted it has not been hacked or experienced any known loss of consumer data.
Safe and secure?
From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. But the CFPB said that, rather than setting “a new precedent for the payments industry,” Dwolla’s data security practices fell far short of its claims.