You've been redirected from to In March 2021, Mobile Payments Today became a part of Payments Dive. For the latest payments news, sign up for the daily newsletter.

CFPB: Dwolla misled users about security practices

The agency ordered Dwolla to pay a $100,000 penalty and fix its security practices.

The Consumer Financial Protection Bureau Wednesday took action against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system, according to a press release.

The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.

"Consumers entrust digital payment companies with significant amounts of sensitive personal information," said CFPB Director Richard Cordray. "With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices."

The CFPB said in a statement that from December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with "safe" and "secure" transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that the company encrypted all sensitive personal information and that its mobile applications were safe and secure.

But the CFPB said rather than setting "a new precedent for the payments industry" as asserted, Dwolla's data security practices in fact fell far short of its claims. Such deception about security and security practices is illegal, the agency said. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:

  • Falsely claiming its data security practices "exceed" or "surpass" industry security standards — Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
  • Falsely claiming its information is "securely encrypted and stored" — Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing to determine whether they were secure.

Dwolla said in a statement that it understands the agency's concerns regarding the protection of consumer data and representations about data security standards, and its current data security practices meet industry standards. 

"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices," Dwolla said. "This is consistent with the fact that since its launch over five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event."

Dwolla also noted that it has added other layers of data security practices and technologies in place that were not found to be deficient and the company believes helped prevent harm to consumers.

The CFPB said that under the Dodd-Frank Wall Street Reform and Consumer Protection Act, it is authorized to take action against institutions that engage in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws. This is the agency's first data security action, and builds on advances made by several other agencies. Under the terms of the order, Dwolla is required to:

  • Stop misrepresenting its data security practices — Dwolla must stop deceiving consumers about the security of its online payment system and enact comprehensive data security measures and policies, including a program of risk assessments and audits.
  • Train employees properly and fix security flaws — Dwolla must train employees on the company's data security policies and procedures, and on how to protect consumers' sensitive personal information. Dwolla must also fix any security weaknesses found in its Web and mobile applications, and securely store and transmit consumer data.
  • Pay a $100,000 civil monetary penalty — Dwolla must pay a $100,000 penalty to the CFPB's Civil Penalty Fund.

Read the CFPB order regarding Dwolla.