Many businesses make consumer data security claims to settle the fears and doubts of consumers engaging in electronic payments. Those representations should be tempered with an accurate description of the business's practices for keeping consumer information and transaction data secure. Several agencies have been tasked with different scopes of authority. Data security has been allocated to be under the auspices of the Dodd-Frank Act. Protection of confidential consumer information has been the responsibility of the Federal Trade Commission under the Gramm-Leach-Bliley Act. Deceptive business practices of covered financial institutions fall under the Consumer Financial Protection Bureau (CFPB), sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, for the purposes of enforcing federal consumer financial laws.
The veracity of business claims about protecting consumer data and payment processing is scrutinized. Failure to meet the security claims will be deemed a deceptive business practice. The CFPB has stressed the importance of attending to the integrity of digital payment system security. It has also emphasized the growing reliance and trust that consumers display in entrusting their private and financial information as they execute electronic transactions. In a recent press release, it stated: “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
While the FTC, the Office of the Comptroller of Currencies (OCC) and other federal banking agencies are authorized to police the handling of data security and consumer information by financial institutions, the CFPB reviewed the claims made by Dwolla, Inc., an online payment transaction platform that provides payment processing services through the Department of the Treasury’s payment portal. In an Order issued in the CFPB's administrative proceeding, Dwolla, Inc. was determined to have made deceptive data security representations to the public. The consent order states that Dwolla, Inc.’s communications made false statements about its data safety processes, e.g., about its use of encryption and that its practices surpassed the Payment Card Industry (PCI) standards. Conversely, the CFPB asserts that Dwolla, Inc. did not, among several issues: provide acceptable data security training to its employees, establish acceptable and appropriate data security policies and practices, conduct timely and regular risk assessments, and use encryption. These aspects are considered crucial in the pursuit of providing data security.
The order also outlined a list of actions required to address the findings, with a five-year horizon within which Dwolla, Inc. is ordered to comply with the stipulated items, report the actions taken to remedy the findings, record all implementations and findings, and submit monitoring compliance reports as scheduled. From this case, financial technology businesses involved in payment processing should learn to carefully screen the representations about their practices and standards in their communications, websites, advertisements, and press releases. Failure to apply what is claimed to be in practice, and failure to exercise due diligence in safeguarding confidential consumer financial information, will be punishable even without there ever being consumer harm. Advertisements and marketing efforts in this competitive and growing payment processing industry should be tempered with a sober realization of what is actually implemented in the daily cycle of transactions and in the keeping of records. As a result, a fine was imposed on Dwolla, Inc., to be paid within ten days of the order, and the company will be monitored for the next five years.
 The Dodd–Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111–203, H.R. 4173; commonly referred to as Dodd-Frank) was signed into federal law July 21, 2010.