The Federal Trade Commission last week settled charges with Venmo and its owner, PayPal Inc., alleging that the peer-to-peer payment service misled users about how the app works ― including availability of funds, the control users have over the privacy of their transactions and the extent to which consumers’ financial accounts were protected by “bank-grade security systems.” According to the complaint, Venmo violated Section 5(a) of the Federal Trade Commission Act as well as the Safeguards Rule and the Privacy Rule of the Gramm-Leach-Bliley Act.
Availability of Funds
The peer-to-peer payment app creates an account connected to the user’s bank account or a credit or debit card. Venmo users can receive money from or transfer money to other Venmo users, as well as move money from their Venmo account to their bank account. According to the FTC’s complaint, Venmo sent payment notifications to users but failed to disclose that funds could be frozen, transactions reversed and transfers to users’ bank accounts delayed based on Venmo’s review of the user-to-user transaction. In many cases, users weren’t able to transfer the funds, even after being notified that funds were available, which caused financial hardships or losses.
The FTC maintained Venmo’s privacy practices were also misleading. By default, all peer-to-peer transactions are displayed on Venmo’s social news feed, including the names of the payer and the recipient. Venmo users also have a profile page that lists their transactions. The five most recent transactions were visible by default to anyone accessing that page, including visitors who did not have a Venmo account.
To limit who could see their transactions, users must change the “Default Audience Setting” in their privacy settings to limit viewers to specific groups, such as “Participants Only” or “Friends.” A user’s Default Audience Setting does not apply to the other party in the transaction, however. The FTC alleged Venmo failed to adequately disclose that users had to additionally change the “Transaction Sharing Setting.” In other words, both settings had to be adjusted in order to ensure that transaction visibility was limited as users desired.
According to the complaint, until at least March 2015, Venmo had been misrepresenting the security of users’ financial accounts, claiming that the service utilized “bank-grade security systems.” Venmo did not have a written information security program through at least August 2014, however. The service also allegedly did not notify users when their password or email address was changed, or when a new device was added to their account, until at least March 2015, according to the FTC. Unauthorized users were able to withdraw funds from Venmo accounts without the service notifying users. Venmo also did not have adequate customer support to respond to user complaints about the unauthorized access, the agency said.
In addition to violations of Section 5 of FTC Act, the FTC alleges that Venmo violated the Gramm-Leach-Bliley Act, specifically its Safeguards Rule and its Privacy Rule. The Safeguards Rule requires financial institutions to take measures to protect the security, confidentiality and integrity of customer information. The Privacy Rule requires financial institutions to ensure the delivery of privacy notices to its customers.
Under the settlement, Venmo must make certain disclosures to consumers about its transaction and privacy practices. It must also take certain steps to ensure that it does not violate the Safeguards and Privacy Rules. The settlement also requires Venmo to obtain biennial third-party assessments of its compliance with the rules for 10 years.
The Gramm-Leach-Bliley Act broadly defines what constitutes a “financial institution.” It includes all businesses that are “significantly engaged” in providing financial products or services. Many companies in the payments space, especially those that are consumer-facing, may be considered to be financial institutions. By way of example, the requirements and restrictions in the PayPal Consent Order apply to PayPal’s “Payment and Social Networking Service” applications.
Companies that may be considered to be financial institutions should follow these guidelines:
- Transparency is key. Be clear with consumers about when payments are sent and received, and disclose any material terms or limitations.
- Set appropriate data defaults. Determine default settings, disclose them to consumers and determine how best to educate users about those settings and how they may be able to change them.
- Be accurate. Make privacy options clear, easy to understand and straightforward to select.
- Establish and maintain compliance programs. Develop written information security, data privacy plans and compliance protocols. Designate one or more employees to coordinate them. And be sure to timely issue all required disclosures.