Compliance Blog

Apr 06, 2016

UDAAP Extends to Data Security

Written by Eliott C. Ponte, Regulatory Compliance Counsel

The Consumer Financial Protection Bureau (CFPB) recently settled its first data security enforcement action with Dwolla Inc. (Dwolla).  Similar to PayPal, Dwolla is an online payment platform that allows its members to transfer money to and from their bank accounts.  When consumers sign up for a Dwolla account, they are required to provide personal identifiable information, including their name, address, date of birth, and social security number. 

At issue in the consent order is whether Dwolla misrepresented its data security practices to consumers in violation of the CFPB's prohibition against deceptive acts or practices. The CFPB alleged that Dwolla represented to consumers that it had robust data security and encryption practices. Specifically, the CFPB alleges that Dwolla made the following representations:

  • Dwolla's data-security practices exceed industry standards, or surpass industry security standards
  • Dwolla sets a new precedent for the industry for safety and security
  • Dwolla transactions [are] safer [than credit cards] and less of a liability for both consumers and merchants.
  • Dwolla encrypts all sensitive information that exists on its servers
  • Dwolla uses industry standard encryption technology
  • Dwolla is PCI compliant
  • Dwolla stores consumer information in a bank-level hosting and security environment; and
  • Dwolla encrypts data utilizing the same standards required by the federal government.

According to the consent order, Dwolla's statements that its payment platform was safe and secure were false. In particular, the CFPB alleges that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from unauthorized access, maintain PCI compliance in its data centers, and encrypt sensitive personal information. The CFPB also alleges that Dwolla failed to conduct regular risk assessments and to adopt and implement reasonable policies that would identify and prevent reasonably foreseeable security risks. As a result of the consent order, Dwolla will pay a $100,000 fine, implement reasonable and appropriate security measures, and designate a qualified person to be responsible for its data security systems.

While consent orders are not interpretations of law or regulation (consent orders are merely settlement agreements between two parties and, unlike the opinion of a court, cannot be relied on in other enforcement actions), it is important that compliance officers pay attention to them because these orders help identify what acts or practices a regulator believes constitute a UDAAP violation. The Dwolla consent order reminds credit unions that any claims about a robust data security system or a secure online banking system must be true.

The Dwolla consent order can be found here.