The Federal Trade Commission announced a settlement on Tuesday with Paypal over allegations that Venmo, its subsidiary, misrepresented security, privacy, and money-transferring features on the app. Among the charges, which the FTC first filed in 2016, were that Venmo failed to provide adequate instructions on the procedures required to keep transactions private and that it did not notify users when their account details changed, allowing hackers to go undetected.
The commission also claims that some affected users were unable to pay rent or other bills because Venmo had not accurately represented the amount of money available in their accounts, since the company could freeze or reverse certain transactions. Acting FTC Chair Maureen K. Ohlhausen said in a statement, “Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money. … This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.” The company will now have to make disclosures to its customers about its actual practices and submit to third-party assessments every other year for the next decade.
Slate’s Alison Griswold first reported on Venmo’s security flaws in 2015, finding that the company did not in fact have the “bank-grade security systems” it promised to users. Multiple people told Slate at the time that hackers had stolen money from their accounts and that they were initially unaware of the breaches because the app failed to notify them of unauthorized password and email authentication changes. One person said the app didn’t even alert him when a hacker added another device to his account. Plus, when these customers tried to report the fraud to Venmo via email—there was no customer service phone line back then—the company neglected to get back to them for days.
Venmo sent a statement to Slate on Tuesday’s settlement. It read, in part:
We are pleased to conclude this process with the FTC in a cooperative way. This brings to an end the investigation that included a focus on Venmo platform issues and practices prior to acquisition by PayPal. Since then, as a core part of PayPal’s and Venmo’s business and operations, we’ve taken steps to significantly strengthen our privacy and data security practices. The company will continue to invest heavily in programs designed to create better user understanding and to enhance privacy.