Use care when describing how you secure your Financial Services operations. This seems especially relevant as some in our industry attempt to drive down costs by extending their operations into low-cost, consumer-heritage cloud services and onto other opaque Internet platforms of all kinds. Consultants, pundits, analysts, and hucksters are all attempting to make a living by selling schemes that incorporate one or many of these options. What they tend to omit are the impacts their ideas may have on the truthfulness of your public and contractual security assurances.
The Consumer Financial Protection Bureau (CFPB) just fined Dwolla $100,000 U.S. for misleading users about the company's data security practices. In addition, Dwolla must report virtually all security-related activities to the CFPB and request permission for certain types of security changes for the next 5 years. The CFPB also put the Dwolla Board of Directors on notice that they must demonstrate more intense and more regular involvement in, and oversight of, Dwolla's security measures and their effectiveness.
The CFPB also required Dwolla to implement a long list of measures to improve the safety and security of its operations and of the consumer information that is stored on, or transmitted through, its network(s). [See pages 12-13 of the Consent Order for just the initial summary.]
A key mandate is that these security measures must evolve as Dwolla grows. The CFPB wrote that Dwolla must protect the confidentiality, integrity, and availability of sensitive consumer information with "administrative, technical, and physical safeguards appropriate to Respondent's size and complexity, the nature and scope of Respondent's activities, and the sensitivity of the personal information collected about consumers." So this is not a once-and-done mandate at all: what counts as "appropriate" is re-evaluated against the size, scope, and data sensitivity of the business as it changes.
Dwolla operates an online payments-transfer network.
The CFPB said Dwolla misrepresented the security of its platform, which collects users' personal information at account set-up. Note that every Financial Services enterprise collects users' personal information at account set-up, so the finding is not specific to Dwolla's business model.
The CFPB wrote that Dwolla had failed to:
- Adopt and implement data-security policies and procedures reasonable and appropriate for the organization;
- Use appropriate measures to identify reasonably foreseeable security risks;
- Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
- Use encryption technologies to properly safeguard sensitive consumer information; and
- Practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website, Dwollalabs. (Note: under this heading, the CFPB also included ending the use of real customer information in the non-production environment.)
Would your Financial Services organization hold up against a thorough review of these five areas of secure operations?
In response, Dwolla wrote:

> Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company's intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.
In that blog entry ("We are Never Done," cited below), they go on to describe how they implement security today, using noticeably more careful words to describe their current status and strategy.
Dwolla has been an optimistic, agile, cloud-friendly, fast-evolving financial services specialist for years. The CFPB fine is a signal that optimism, and its close relative in some approaches to "risk management," hope, will not be tolerated as effective protections for customer personal information. I understand that we must always attempt to better serve our customers (real and prospective) and partners, but keep this reminder that "security cannot only be words" in mind as you explore wildly hyped technology options with the enthusiasts who promote them. Every security claim you publish or sign is a claim a regulator can test against what your systems actually do.
References:

- Administrative Proceeding File No. 2016-CFPB-0007, In the Matter of: Dwolla, Inc., Consent Order.
- "We are Never Done." Dwolla blog. http://blog.dwolla.com/we-are-never-done/
- Matthew Patane, "Dwolla fined $100,000 for misleading data security claims. Federal agency orders D.M.-based financial technology firm to bolster security." The Des Moines Register, page 11A, 3/3/2016 (from the physical paper copy).
- Yuka Hayashi, "CFPB Fines Fintech Firm Dwolla Over Data-Security Practices. Online-payment company agrees to improve how it protects customer data." March 2, 2016.