Dwolla, the payments startup, said that it “has never been the company’s intent to mislead anyone,” after the Consumer Financial Protection Bureau slapped it with a fine for its data security.
Dwolla offered the explanation after the CFPB hit it with the $100,000 fine. Dwolla is also required to fix its security practices.
Ben Milne, Dwolla’s founder and CEO, spoke at Bank Innovation 2016 just yesterday and made no mention of the impending consent order. The company added today that, “For any confusion we may have caused, we sincerely apologize.”
Based in Des Moines, Iowa, Dwolla, Inc. runs an online payment system and provides white-labelled payments services to financial institutions. The company has collected and stored sensitive consumer information since 2009, while simultaneously providing a platform for financial transactions.
The consent order relates to Dwolla’s practices from late 2010 to 2014. During that time, Dwolla claimed it protected consumer data from unauthorized transactions, regardless of their status as “safe” or “secure.” Dwolla claimed to have security practices outperforming that of the industry’s top-notch requirement of Payment Card Industry Data Security Standard, and also assured users that all sensitive personal information and mobile applications were completely removed from security risks.
But, according to the consent order, Dwolla failed to do what it promised. Specifically, the CFPB claimed that Dwolla failed to:
- adopt and implement data-security policies and procedures reasonable and
appropriate for the organization; - use appropriate measures to identify reasonably foreseeable security risks;
- ensure that employees who have access to or handle consumer information
received adequate training and guidance about security risks; - use encryption technologies to properly safeguard sensitive consumer
information; and - practice secure software development, particularly with regard to consumerfacing
applications developed at an affiliated website, Dwollalabs.
Cherian Abraham, the payments consultant, was quick to comment on the seriousness of these charges, should they be true. To wit, the list of data the CFPB said Dwolla did not encrypt, whether in storage or during transmission:
- first and last names;
- mailing addresses;
- Dwolla 4-digit PINS;
- Social Security numbers;
- Bank account information; and
- digital images of driver’s licenses, Social Security cards and utility bills.
However, in a blog post on its site today, Dwolla acknowledged the confusion it may have caused and apologized. It also pointed out that it has never been a victim of a data breach:
Since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We’ve continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures, and technologies.
This is the CFPB’s first action on data security. Dwolla’s $100,000 fine is due within 10 days.
* * *
The consent order included an interesting statistic about Dwolla. According to the consent order, as of May 2015, Dwolla had approximately 653,000 members and was transferring as much as $5 million per day.
This post was updated to note that Dwolla acknowledged it may have caused confusion in the past and apologized.