Federal regulators on Thursday sent a major signal to financial technology companies, settling charges against an online payment firm for deceiving customers about data security.
The company, Dwolla, has agreed to pay $100,000 to settle the allegations.
The move is a new step for the Consumer Financial Protection Bureau (CFPB), and represents one of the first enforcement actions taken against a financial technology company for allegedly misrepresenting security practices.
“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray in a statement. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
The CFPB claims that from late 2010 until 2014, Dwolla falsely assured customers that its data security practices exceeded industry standards and guarded customer data with “safe” and “secure” transactions. The agency also said the company misled users about how much personal information was encrypted.
Dwolla told The Wall Street Journal that the CFBP’s allegations focus on practices employed in 2011 and 2012, and that the company’s current digital defenses meet industry standards. In a statement, the firm also stressed there was no indication of a data breach in the company’s five years of existence.
In the settlement, Dwolla neither admitted nor denied the allegations.
With Thursday’s enforcement action, the CFPB has positioned itself next to other federal agencies — such as the Federal Trade Commission and Securities and Exchange Commission — as a de facto data security regulator.
The CFPB last month issued updated guidelines for financial technology startups to help reduce regulatory uncertainty for the burgeoning industry.
“With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” Cordray said in his statement.