Legal experts said they believe the CFPB's action against online payment provider Dwolla – its first action related to data security – could lead to considerable ramifications going forward. The CFPB targeted Dwolla Wednesday for deceiving consumers about its data security practices and the safety of its online payment system.
The bureau ordered the Des Moines, Iowa-based Dwolla, an agent of the $2.7 billion, Waterloo, Iowa-based Veridian Credit Union and the Houston-based Compass Bank, to pay a $100,000 penalty and fix its security practices.
"The CFPB's action against Dwolla is significant in that it marks the bureau's first foray into an area that up until now was the domain of the Federal Trade Commission and sets up the enforcement stage in this area for the bureau in 2016," Andrew L. Sandler, chairman and executive partner for the Santa Monica, Calif.-based BuckleySandler, said.
Margo Tank, a partner at BuckleySandler, warned, "The CFPB's opening salvo in this area creates concern for digital payment companies and other e-commerce providers. It also establishes an onerous level of oversight as the consent order requires a twice-annual risk assessment and annual audit, along with board approval of the company's data security program, policies and procedures. Clearly, this action should put data security even higher on companies' priority lists if it is not there already."
Sandler represents financial institutions and financial service companies during regulatory examinations and enforcement actions brought by federal and state banking and enforcement agencies, while Tank advises financial services organizations and technology companies on structuring online and mobile financial services product offerings to stay in compliance with state and federal laws.
Cybersecurity expert Ondrej Krehel, founder/CEO of the New York City-based LIFARS, likened cybersecurity regulation to the Wild West, with many different organizations fighting for attention.
"Yet with all the guidance and regulations, there is not one federal data breach notification law," he noted.
Instead, regulatory consolidation with teeth needs to take place, and clearer definitions need to be made, he said.
"Often, [firms] believe they are secure or deny that they aren't, and this prevents the budget for security from being sufficient," Krehel noted.
He added that labeling systems with the minimum required protection as secure is like saying WEP, a security standard first developed in 1997, makes a wireless network secure.
"They probably only mean that data was above industry standards and encrypted on select areas, and not on all, a common problem for those trying to minimize effort to pass audits by focusing only on select networks," he said.
© 2025 ALM Global, LLC, All Rights Reserved.