On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced a consent order with Dwolla, Inc., a mobile payments company. In the order, the CFPB alleged that Dwolla deceived consumers when it touted its service as “safe” and “secure.” Although Dwolla marketed its data security practices as exceeding industry standards and featuring full data encryption, the CFPB alleged that Dwolla did not encrypt certain sensitive consumer data, did not test the security of its software before releasing it, and until recently, did not have written data security policies and procedures, conduct data security audits, or perform data security training. The consent order requires Dwolla to pay a $100,000 civil monetary penalty to the CFPB, to stop misrepresenting its data security practices, to train its employees on data security, and to take other steps to fix security weaknesses in its service.
The CFPB’s action against Dwolla marks the first instance in which the CFPB has publicly scrutinized the data security practices of a financial services provider. This action makes clear that the CFPB expects a provider to have an effective data security program, to establish a compliance management system that monitors the effectiveness of that program, and to be able to substantiate any and all claims it makes to consumers about the security of the data they share with it. In practical terms, a marketing claim such as “full data encryption” or “exceeds industry standards” is treated as a representation that must be backed by controls that are actually in place and can be evidenced on request.