FTC Issues Proposed Consent Order to Online Payment Processing Company Over Allegations of Privacy and Security Violations
The FTC recently reached a settlement with a worldwide online payment processing company regarding the actions of its subsidiary, a peer-to-peer payment and social networking application and website, over alleged violations of the FTC Act and Gramm-Leach-Bliley’s Safeguards and Privacy Rules.
The subsidiary company permits consumers to make financial transactions with one another and share information about those transactions on a social networking feed. The FTC’s Complaint alleged that inadequate oversight and adherence to regulatory requirements led to numerous problems with funds transfers, marked by misrepresentations about consumer privacy and security.
After a user made a payment to another person using the service, the company sent payment notifications to consumers by various means, including push notifications to their mobile devices, text messages, and/or direct email, telling them that funds were ready to be transferred to an external bank account. According to the FTC’s Complaint, despite representations that funds were available, recipients of payments were often unable to transfer funds to their bank accounts.
The FTC’s investigation revealed that even though consumers were notified that funds could be transferred to external bank accounts, the subsidiary company often waited until consumers attempted to transfer funds to review the original transactions for fraud, insufficient funds, or other issues. These transaction reviews allegedly resulted in frequent delays in funds transfers, transaction reversals, and frozen accounts.
Numerous consumer complaints were made about delays or lost funds resulting in financial hardships and “user frustration,” according to internal company emails, but many consumer complaints were not addressed in a timely manner.
With regard to user privacy, consumers who did not want to share their transactions on a public feed believed they could restrict the privacy of their transactions using the privacy settings in the service’s application or on its website. However, because of misleading and/or confusing instructions, many consumers were led to believe they had created the transaction privacy restrictions they wanted when, in fact, they had not.
With regard to information security, the FTC alleged the company failed to provide consumers with adequate security notifications about changes to account settings despite advertising the implementation of “bank grade security” systems. However, some consumer accounts were breached and funds withdrawn without notification to the affected consumers.
Under the proposed settlement, the company is prohibited from misrepresenting any material restrictions on the use of its service, the level of control provided by its privacy settings, and the level of information security it provides. The company must also make adequate disclosures to consumers about its transaction and privacy practices. The FTC is expected to publish its consent agreement package in the Federal Register, and, after a period of comment, the Commission will decide whether to adopt a final consent order.
The FTC draft Complaint may be viewed here, and the Agreement Containing Consent Order may be viewed here.