A federal agency has fined Des Moines-based Dwolla for misleading users about the company's data security practices.
In its first action regarding data security, the Consumer Financial Protection Bureau ordered the financial technology company to pay $100,000 and bolster how it handles security.
Dwolla started in Des Moines in 2009. It operates an online payments-transfer network.
In an order filed Wednesday, the CFPB said Dwolla misrepresented the security of its platform, which has users submit personal information to set up an account.
For example, from January 2011 to March 2014, Dwolla said on its website that its security exceeded industry standards and that it encrypted all personal information. The CFPB found that that was not entirely the case, though, according to its order.
In addition, the CFPB said Dwolla employees "received little to no" training on how to safely handle consumer data until at least December 2012. The company did not hold its first mandatory employee training until the middle of 2014, according to the order.
Dwolla had about 653,000 members and transferred up to $5 million per day as of May 2015, according to the CFPB order.
In a statement, Dwolla said it "understands the bureau’s concerns regarding the protection of consumer data and representations about data security standards, and Dwolla’s current data security practices meet industry standards."
"The CFPB has not found that Dwolla caused any consumer harm or created the likelihood of any consumer harm through its data security practices," the statement reads. "This is consistent with the fact that since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event."
The CFPB also said Wednesday it is not aware of any data breaches with Dwolla. It's order also does not make note of any breaches.
Dwolla also apologized and described its security standards in a blog post published on its website.
"It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize," the blog reads.