The latest company in the fintech space to find that innovation doesn’t come without the need for a compliance function is US-based online payment platform Dwolla which at the start of March was ordered to pay a $100,000 fine by the US Consumer Financial Protection Bureau after it found that the company was deceiving its customers with regard to its data security practices.
Dwolla is an online payment network that deals largely with ACH payments, enabling its clients to power bank transfers within their own online platforms. The CFPB said that as of May 2015 the company had collected various pieces of personal data, including social security numbers, bank account details and passwords, from over 650,000 customers.
In collecting this data, Dwolla claimed it was fully PCI DSS-compliant (Payment Card Industry Data Security Standard), adding on its website that it encrypted all personal information and that its mobile applications were safe and secure.
However, the CFPB found that Dwolla “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access”.
It added that the company had also falsely claimed that the information it gathered was securely encrypted and stored; the CFPB instead found that the company in fact did not store some consumer personal information, and that it released applications to the public before testing whether they were secure.
As well as the fine, Dwolla has been told to “stop deceiving consumers about the security of its online payment system” and to enact new, more comprehensive data security measures. It also has to show an enhanced commitment to compliance: it must train its staff on the company’s data security policies and procedures and on how to protect sensitive personal information.
The CFPB’s action is the latest example of fintech or payments firms coming up short against the compliance expectations of financial regulators. Another high-profile instance occurred in May last year, when virtual currency provider Ripple Labs ran into trouble with the US Treasury Department over failures in its anti-money laundering (AML) measures, or the lack of them. The US Financial Crimes Enforcement Network (FinCEN) fined Ripple and its subsidiary XRP II $700,000 for violating the Bank Secrecy Act.
Ripple made some basic errors: it failed to register with FinCEN despite clearly being a money services business and further was found not to have an AML programme in place. It also failed to report some suspicious transactions to the authorities.
The company has since moved to bolster its compliance team and, in acknowledging its failures, chief executive Chris Larsen made an observation that resonates well beyond the confines of the fintech space. “The industry is seeing the emergence of new technology but the rules all still apply,” he said at a public event in the wake of the fine. “There is no grace period and start-ups need to be following the rules from day one of operating. They need to have compliance officers in place before the tech is even launched.”
European payments service providers have also had their fair share of issues surrounding data security. When Paysafe (formerly Optimal Payments) moved to the main market of the London Stock Exchange in November last year, the company admitted in its prospectus to two historic data breaches at Neteller and Skrill, dating back to 2009 and 2010 respectively. The breaches affected a total of 7.6 million customers. Unlike the Dwolla case, the breaches were the result of hacks. Notably, 2% of the affected customers were still active with Paysafe in the six months to November.
The story highlighted the vulnerabilities of payments firms. By their nature they handle huge amounts of sensitive personal data, making them an obvious target for criminals. As part of the company’s capital markets day presentation to analysts late last year, Paysafe made much of its own compliance efforts.
General counsel and chief compliance officer Elliot Wiseman made the point that Paysafe had 17 legal professionals and lawyers within the company and a further 40 compliance staff (out of a total headcount of over 1,500 at the end of last year). The presentation stressed that the company deals with a complex regulatory landscape, including financial services regulation, gambling regulation (online gambling merchants represent circa 44% of Paysafe’s 2015 fee revenues of £613.4m) and further rules around privacy and data protection law, consumer law and intellectual property.
But on the plus side, Wiseman told the analysts that the company’s experience in compliance also provided it with a competitive edge. “Yes, compliance is a challenge; it’s a complex world and they are throwing more and more regulations at us. But we feel we have the experience to do it well. It takes time to get licences. It takes time to build the teams to ensure compliance with those licences. In gambling the legislative interplay is complex… Because of all that experience, we feel we are well set up to facilitate growth, and ultimately we feel that means compliance can be a competitive edge and work as a barrier to entry to others looking to get into the space.”