CFPB fines Dwolla $100,000 over data security
Chris Hamblin, Editor, London, 8 March 2016
The US Consumer Financial Protection Bureau has made its first foray into financial cyber-regulation by fining a company that provides payment processing services to retail consumers. Its sin was to overstate the health of its cyber-defences when touting for business.
The bureau has reviewed the conduct of Dwolla Inc and has found deceptive acts and practices, namely false representations about its data-security practices, in violation of sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act 2010, 12 USC §§5531(a), 5536(a)(1). Under ss 1053 and 1055 CFPA, 12 USC §§5563, 5565, it has issued a consent order.
The payment network allows a consumer to become a member by registering for a Dwolla account at Dwolla.com. The new member can then access his Dwolla account through the Dwolla website or through individual applications. He can direct Dwolla to effect a transfer of funds to the Dwolla account of another consumer or merchant. The funds for the transfer can come either from funds stored in his Dwolla account or a personal bank account linked to his Dwolla account. In order to open a Dwolla account, he must submit his name, address, date of birth, telephone number, and Social Security number.
Dwolla, a Delaware corporation with its main place of business in Iowa, does not admit any wrongdoing but does admit the facts of the case. These are that it told consumers that its network and transactions were 'safe' and 'secure'. It said that its data-security practices 'exceeded' and 'surpassed' industry standards and that it 'sets a new precedent for the industry for safety and security'. In fact, contrary to its claims, it did not encrypt all sensitive consumer information in its possession at rest. It told consumers that its transactions, servers and data centres were compliant with the standards set forth by the PCI Security Standards Council, but in fact they were not.
From its launch on 1st December 2009 until at least October 2013, the firm did not draw up a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information. It conducted its first comprehensive risk assessment in mid-2014.
Dwolla holds consumers’ funds in a single, pooled account at Veridian Credit Union, an Iowa-chartered, federally-insured credit union, or at Compass Bank, a federally-insured bank.