The Federal Trade Commission has announced a settlement with Venmo, after allegations that the app misled customers and enabled fraud through lax security practices. Charges were first brought against Venmo in 2016 after reports of account hacks and other transaction fraud. As part of the settlement, Venmo is required to make specific disclosures about its transaction and privacy practices, and will be subject to third-party compliance assessments for the next 10 years.
The FTC cannot compel monetary damages for FTC Act violations, and this settlement does not include any such damages, but state attorneys general have used similar settlements to launch separate lawsuits for monetary damages in the past.
“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” acting FTC chairman Maureen K. Ohlhausen said in a statement.
One of the FTC’s central complaints was Venmo’s notification policy, which told users money had been deposited in an account even when transactions were still under review. Scammers were able to exploit that practice by purchasing goods with fraudulent transactions, leaving sellers with no money and no goods after the transactions were reversed. The Verge found a single scammer who stole at least $125,000 in luxury goods using that technique, operating for years with no apparent interference from law enforcement. Los Angeles police finally brought charges against the alleged scammer earlier this month.
The FTC also alleged significant security failures by the app, despite promises of “bank-grade security.” According to the complaint, Venmo failed to notify users when passwords and email addresses were changed or new devices added to a given account, a practice that persisted through at least 2015. That allowed hackers to quietly hijack accounts and withdraw thousands of dollars, a practice reported by Slate at the time.
“We are pleased to conclude this process with the FTC in a cooperative way,” a Venmo representative said when reached for comment. “[Since the 2013 acquisition], we’ve taken steps to significantly strengthen our privacy and data security practices. The company will continue to invest heavily in programs designed to create better user understanding and to enhance privacy.”