Peer-to-peer payment service Venmo, acquired by PayPal in 2013, promised users “bank-grade security systems.” But a Federal Trade Commission investigation has determined that the popular app failed to properly protect millions of users against fraud. Today, the U.S. Federal Trade Commission announced that it has reached a settlement with PayPal that will require the payments company to submit to biennial compliance audits for the next decade.
“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” Maureen K. Ohlhausen, acting FTC chairman, said in a statement. “Financial institutions like Venmo need to focus on privacy and security from day one.” It was a clear warning to other fintech startups that federal regulations apply to all financial actors.
The FTC’s complaint centers on Venmo’s use of notifications. As late as 2015, Venmo would alert users that money transfers had been deposited while they were still being processed. In one popular scam, fraudsters discovered they could “buy” luxury goods and concert tickets from unwitting sellers, exploiting the processing lag to their advantage.
The FTC—which has also reached settlements with large internet companies like Google and Facebook—also took issue with Venmo’s privacy settings. By default, transactions appear in Venmo’s social feed, a major source of the app’s popularity. In an effort to encourage social sharing, Venmo misled users about their privacy options, the FTC alleges.
“We’ve taken steps to significantly strengthen our privacy and data security practices,” a Venmo spokesperson said in a statement. “The company will continue to invest heavily in programs designed to create better user understanding and to enhance privacy.”
Under PayPal’s umbrella, Venmo has continued to grow. In 2017, the app processed nearly $35 billion in payments, nearly double the volume it processed in 2016.