The FTC settles with Venmo over a series of privacy and security violations

The FTC announced today it has settled with PayPal over a complaint about the company’s handling of privacy disclosures in its peer-to-peer payments app Venmo, its lack of disclosure over the speed with which customers could access funds, as well as other issues related to the security and privacy of customer transactions.

News that the Federal Trade Commission was looking into Venmo’s business were disclosed back in spring 2016, when PayPal revealed through an SEC filing that it was under investigation. A week later, a settlement document between Venmo and the Attorney General of Texas, revealed more details about the government agency’s concerns.

The document described a variety of privacy issues, including an auto-friending feature that pulled in contacts from users’ phones and a setting that made all transactions public by default. It also said that Venmo should not inform users it offered “bank-grade security,” unless that claim was true.

According to a statement from the FTC, the issue with the speed of transfers had a direct impact on consumers, and caused financial hardships, in some cases. Venmo didn’t properly disclose to customers that their transactions could be subject to review, which could lead to funds being frozen or removed, the FTC explained.

While Venmo allows customers to transfer funds from the app to their bank account, they can undergo reviews that may cause delays. Customers complained that when funds were delayed, money they were counting on wasn’t available, leading them to be unable to pay bills or rent. At other times, people selling items – like concert tickets – delivered them to the buyer, then had the payments held or removed by Venmo, which led to a financial loss, the FTC said.

“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” said Acting FTC Chairman Maureen K. Ohlhausen. “The payment service also misled consumers about how to keep their transaction information private. This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”

In addition, the FTC said that Venmo’s statements about its security, including the “bank-grade security” it claimed to offer, were misleading. Until August 2014, Venmo didn’t have a written information security program, the FTC noted, and until March 2015, it didn’t inform users when their password or email had been changed or when a new device was added. This led to unauthorized users being able to withdraw funds before consumers noticed their account had been accessed. In addition, the FTC said that Venmo didn’t offer “adequate customer support” to respond to these complaints.

The FTC also said Venmo misled customers about its privacy settings around transactions published to its news feed. In the app, transactions can be set to public, private, or friends-only, but customers weren’t properly informed how this worked.

Venmo was also found to violate the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to have safeguards that protect the “security, confidentiality, and integrity of customer information,” and Privacy Rule, which requires the delivery of privacy notices to customers.

The proposed settlement addresses all the above, and forbids Venmo from further misrepresenting its service. It also requires the company to make disclosures to consumers in some cases. The FTC is giving Venmo 150 days to come into compliance.

For example, Venmo will now have to explain to consumers – including both new and existing users – how to limit the visibility of their transactions through privacy settings right in the app itself. It must also disclose that funds could be subject to review, and that means they could be frozen or held.

In addition to various disclosures to consumers about its privacy and security practices, the FTC says Venmo will now have to have third-party assessments of its compliance with the Privacy Rule and Safeguards Rule every other year, for the next 10 years.

The consent order released today does not have a fine attached to it, as the FTC doesn’t have the authority to obtain civil penalties for initial violations of the FTC Act or under Gramm-Leach-Bliley Act. But when it’s finalized, each subsequent violation could include a penalty of up to $41,484, the FTC noted in its announcement.

However, the settlement is not without financial impact to PayPal. The company will have to spend money now to hire outside auditors to monitor its privacy program going forward at a time when it’s seeing increased competition from tech giants like Apple and Google, with Apple Pay and Android Pay, respectively, as well as from U.S. banks with Zelle.

Venmo has issued the following statement about the settlement:

“Our users are the focus of everything we do and our goal is to ensure they have a positive experience when using Venmo, an app that is beloved by our customers. We are pleased to conclude this process with the FTC in a cooperative way. This brings to an end the investigation that included focus on Venmo platform issues and practices prior to acquisition by PayPal. Since then, as a core part of PayPal’s and Venmo’s business and operations, we’ve taken steps to significantly strengthen our privacy and data security practices. The company will continue to invest heavily in programs designed to create better user understanding and to enhance privacy. We believe these investments will further support Venmo’s unique user experience and the continuing growth of its role in the lives of our users.”