On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) brought its first data security enforcement action, acting as federal data security regulator to ensure that financial companies and service providers adequately secure consumers’ information.
The CFPB, a federal agency whose creation was authorized by the Dodd–Frank Wall Street Reform and Consumer Protection Act in response to the financial crisis, is responsible for protecting consumers in the financial sector. It has jurisdiction over banks, credit unions, securities firms, lenders, mortgage-servicing operations, foreclosure services, debt collectors and other financial companies in the US.
The action was brought against Dwolla Inc., an Iowa-based online payment platform, for deceptive practices relating to false representations of its data-security practices, in violation of the Consumer Financial Protection Act of 2010 (CFPA).
According to the CFPB, Dwolla represented to consumers that its network and transactions were “safe” and “secure” and indicated that its data-security practices met or exceeded industry standards. As of May 2015, Dwolla had approximately 653,000 members and transferred as much as $5,000,000 per day.
The CFPB alleged that Dwolla failed to (i) implement data-security policies appropriate for the organization; (ii) identify reasonably foreseeable security risks; (iii) adequately train employees accessing consumers’ information; (iv) use encryption; and (v) use secure software development.
As a result of the CFPB’s allegations, Dwolla agreed to pay a $100,000 penalty and to implement significant data security measures.
Dwolla agreed, among other things, to:
- maintain a written security plan to protect sensitive consumer information;
- implement appropriate data security policies;
- designate a qualified person for the data-security program;
- conduct data-security risk assessments twice a year to identify internal and external risks to the security of its network;
- adjust the data security program in light of the results of the risk assessments;
- conduct regular employee training on data-security policies;
- implement an appropriate method of customer identity authentication at the registration phase and before effecting a funds transfer;
- implement reasonable procedures for the retention of service providers capable of maintaining appropriate safeguards; and
- obtain an annual data-security audit from an independent party to validate the effectiveness of its periodic risk assessments and compliance with the order.
In addition, the CFPB placed significant responsibility directly on Dwolla’s board of directors. After receiving the independent auditor’s findings, the board of directors must, within 30 days, develop a plan to correct any deficiencies identified. The board has the ultimate responsibility for ensuring and reporting compliance with federal consumer financial laws and with the order.