The Consumer Financial Protection Bureau (“CFPB”) made headlines last week by taking action against Dwolla, an online and mobile payments platform. The CFPB imposed a $100,000 penalty against Dwolla, and while the dollar amount of the penalty may appear to be small compared to other civil money penalties, the action is significant because it is the first action the CFPB has taken in the data security area and provides insight into future enforcement activities surrounding data security by the CFPB. It also serves as a notable reminder of the CFPB’s broad enforcement powers, which go beyond financial institutions to non-FI companies that deliver financial products and services to consumers. While the CFPB lacks authority over the substantive data security requirements that are enforced by the federal financial regulators, that poses no obstacle to the CFPB’s ability to take an action, like this, initiated under its authority to police “deceptive” acts or practices.
Erin Fonté assists clients with a broad range of matters related to payments/payment systems, digital commerce, banking and financial services (including related legal and regulatory issues), technology/Internet products, privacy and data protection laws, and general corporate matters. Erin regularly advises financial institutions and alternative payment providers regarding mobile banking, mobile payments and mobile wallet products and services. She has been involved in the creation of new payment networks and has worked extensively on products, services and network operating rules related to emerging and mobile payment systems.