On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 to prohibit deceptive acts or practices.

The CFPB’s consent order alleged that, between January 2011 and March 2014, Dwolla falsely represented through its website and communications with consumers that, among other things, its data security practices “exceed[ed]” or “surpass[ed]” industry data security standards, including Payment Card Industry (PCI) data security standards, and that “all information” Dwolla obtained from consumers “is securely encrypted and stored” both in transit and at rest.  The CFPB found these and similar representations false and misleading because Dwolla failed to:

  • Adopt or implement reasonable and appropriate data security policies and procedures until at least September 2012;
  • Adopt or implement a written data security plan to govern the collection, maintenance, or storage of consumers’ personal information until at least October 2013;
  • Conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks;
  • Use encryption technologies to properly safeguard sensitive consumer information, including names, addresses, Social Security numbers, bank account information, digital images of driver’s licenses, Social Security cards and utility bills, and Dwolla-issued PINs;
  • Practice secure software development for consumer-facing applications developed at an affiliated website, Dwollalabs; or
  • Provide adequate or mandatory employee training on data security.

The CFPB ordered Dwolla to pay a $100,000 civil money penalty, although the Bureau made no finding of any data breach or other compromise of consumer data.  The CFPB also ordered Dwolla to take a substantial number of steps to fix its security practices, including:

  • Establishing a written, comprehensive data security plan;
  • Implementing reasonable and appropriate data security policies and procedures;
  • Conducting data security risk assessments twice annually and evaluating and adjusting the data security program in light of the results of the risk assessments;
  • Designating a qualified person to coordinate and be accountable for the data security program;
  • Implementing, and updating security patches to fix security vulnerabilities, as required;
  • Developing and implementing an appropriate method of customer identity authentication at the registration and before effecting a funds transfer;
  • Adopting reasonable procedures for the selection and retention of service providers capable of maintaining security practices consistent with the consent order;
  • Conducting regular, mandatory employee data security training; and
  • Obtaining an annual data security audit from an independent, qualified third party acceptable to the CFPB’s Enforcement Director, develop a compliance plan to address audit findings and recommendations, and provide the compliance plan and the audit report to the CFPB for non-objection by the Enforcement Director.

The consent order, and its associated reporting requirements, will remain in effect for a period of five years from the order’s effective date.

This action is the CFPB’s first enforcement action related to data security and represents a noteworthy expansion of the CFPB’s jurisdiction into the data security area.  Data security historically has been considered a safety and soundness issue for financial institutions, not a consumer financial protection issue.  When Congress adopted the Dodd-Frank Act, it kept responsibility for data security, including the information security provisions of the Gramm-Leach-Bliley Act, with the federal banking agencies and the Federal Trade Commission (FTC), rather than transferring responsibility for those provisions to the CFPB.  The CFPB’s action blurs the line between safety and soundness regulation and consumer financial protection regulation.

In the CFPB’s press release, Director Richard Cordray stated:  “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.  It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”  Director Cordray’s statement signals that additional CFPB enforcement actions involving data security may be forthcoming. This action also represents the first time the CFPB has brought an enforcement action against a financial technology company engaged principally in developing payments innovations.

Finally, the CFPB’s action is significant because Dwolla is a participating provider of digital wallet services through Pay.gov, the Treasury Department’s electronic payment portal for individuals, businesses, and states to make non-tax payments to the federal government.  As a result of this action, Treasury and other federal and state agencies may scrutinize emerging payment providers more closely for data security compliance both before accepting them as partners or service providers and after onboarding them.

Tags: CFPB, Consumer Financial Protection Bureau, Cordray, Cybersecurity, Data Security, Federal Trade Commission, Financial Institutions, Financial Privacy, FTC, Mobile, mobile apps, Personal Information
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Stein David Stein

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and…

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

David has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. David is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

David previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. David draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.

Read more about David SteinEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less