Baby boomer bloggers give their opinions on movies, politics, art, and travel
Consumer groups urge alcohol industry to stop advertising to kids

Federal agency takes action against company for false statements about data security


The Consumer Financial Protection Bureau took action Wednesday against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said Richard Cordray, director of the bureau. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

Since December 2009, Dwolla has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions.

As of May 2015, it had more than 650,000 users and had transferred about $5 million a day.

For each account, Dwolla collects personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a 4-digit PIN.

From December 2010 to 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure. 

But rather than setting “a new precedent for the payments industry,” Dwolla’s data-security practices fell far short of its claims, Cordray said, adding deception about security and security practices is illegal.

Enforcement action

This is the bureau’s first data security action. Under the terms of the order, Dwolla is required to:

  • Stop misrepresenting its data security practices.
  • Train employees properly and fix security flaws.
  • Pay a $100,000 civil money penalty.
Copyright 2016, Rita R. Robison, Consumer Specialist


Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)