The opening regulatory salvo against the payments industry—has been fired by the Consumer Financial Protection Bureau, targeting online payments platform, Dwolla. Although they received a relatively nominal fine, $100,000, plus an array of required in-house systems and training fixes, this action has many potential ramifications affecting financial, payments, and e-commerce companies.
Legal experts said they believe the CFPB’s action against online payment provider Dwolla – its first action related to data security – could lead to considerable ramifications going forward. The CFPB targeted Dwolla Wednesday for deceiving consumers about its data security practices and the safety of its online payment system.
The bureau ordered the Des Moines, Iowa-based Dwolla, an agent of the $2.7 billion, Waterloo, Iowa-based Veridian Credit Union and the Houston-based Compass Bank, to pay a $100,000 penalty and fix its security practices.
“The CFPB’s action against Dwolla is significant in that it marks the bureau’s first foray into an area that up until now was the domain of the Federal Trade Commission and sets up the enforcement stage in this area for the bureau in 2016,” Andrew L. Sandler, chairman and executive partner for the Santa Monica, Calif.-based BuckleySandler, said.
Margo Tank, a partner at BuckleySandler, warned, “The CFPB’s opening salvo in this area creates concern for digital payment companies and other e-commerce providers. It also establishes an onerous level of oversight as the consent order requires a twice-annual risk assessment and annual audit, along with board approval of the company’s data security program, policies and procedures. Clearly, this action should put data security even higher on companies’ priority lists if it is not there already.”
With the CFPB, the question has always been “when, not if.” Given their sizable budget and resources, they have basically unlimited regulatory power, since almost everything involves the consumer. Dwolla, as CFPB’s first payments prey, was unwilling to contest this anticipating a protracted and costly legal battle, deciding it’s better to neither admit or deny wrongdoing, and just move on. Unfortunately, with these types of settlements, the actual facts may never be revealed, creating uncertainty for other industry players. Any firm that handles financial and payments data is put on notice that they will be scrutinized closely not only by the CFPB, but by the myriad of other state and federal regulatory agencies.
Overview by Raymond Pucci, Associate Director, Research Service at Mercator Advisory Group
Read the full story here