Dwolla fined $100,000 for misrepresenting its data-security practices

Online payment processing startup Dwolla has been hit with a $100,000 penalty by the Consumer Financial Protection Bureau (CFPB). The CFPB, a government agency, said in a consent order that Dwolla misrepresented the safety of its data-security practices.

Dwolla launched in December 2010 and is a competitor to PayPal and other online payment networks. Its technology allows users to send money to one another without paying money transfer or bank fees. According to CrunchBase, the startup has raised $32.45 million in equity funding from investors including Andreessen Horowitz, CME Group, and Union Square Ventures.

The CFPB claims that Dwolla “did not adopt or implement reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers’ personal information” from its launch to at least September 2012.

In a lengthy blog entry titled “We are never done” and posted after the CFPB levied its fine, Dwolla did not directly reference the bureau, but defended its data-security practices before detailing some of its data protection and encryption measures:

“Since its launch over five years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received notification or complaint of such an event,” it said. “We’ve continuously matured our data security practices since that snapshot in time and have never been more proud of our information security, procedures, and technologies.”

This is the first time that the CFPB, which was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, has fined a company for data-security reasons. TechCrunch contacted Dwolla to ask whether it had any additional comment beyond its blog entry, and Dwolla sent us the following statement about the case:

Dwolla is glad to have come to a resolution with the CFPB regarding its investigation. Dwolla understands the Bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards.

The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices. This is consistent with the fact that since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. During this time, Dwolla had many other layers of data security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers.

We’ve never been more proud of our information security policies, practices, and technologies, and have gone to great lengths to implement them up, down, and across the company. The data security assessments that are part of the settlement will validate that implementation process.

We are confident in the capabilities of our system and welcome the opportunity to demonstrate it to the market.