CFPB Targets Online Payment Platform in First Enforcement Action on Cybersecurity

The Consumer Financial Protection Bureau (“CFPB”) broke new ground last week with its Consent Order against Dwolla Inc. (“Dwolla”), an online payment platform, for deceiving consumers about its information security practices.The Consent Order alleges that Dwolla made public statements regarding the efficacy of its data security system and failed to fulfill those promises. The enforcement action is especially striking because the CFPB imposed a $100,000 civil monetary penalty on Dwolla despite the lack of any evidence that the payment processor experienced a data breach or any kind of cybersecurity incident, and also because the CFPB imposed significant — and expensive — new compliance obligations beyond what other federal regulators have demanded in similar situations. Most notably, the Consent Order provided that Dwolla must perform regular risk assessments and retain an independent third party to perform an annual cybersecurity audit for the next five years.