The FTC filed a complaint against PayPal over its Venmo peer-to-peer payment service back in 2016. The trade commission alleged that Venmo did not adequately disclose that customer transfers to external bank accounts were subject to review and could be frozen or removed. The FTC's filing also said that Venmo misled consumers around privacy as well as how protected their accounts were and violated the Privacy and Safeguard Rules of the Gramm-Leach-Bliley Act. PayPal has just settled with the FTC around these allegations. No monetary penalties have been levied for the infractions.
The original complaint stated that many customers were unable to pay real bills like rent when they were unable to transfer their Venmo funds. Other customers complained that they had delivered items (like tickets or other items) to others, taken payment via Venmo, then had the funds removed, resulting in a loss.
The FTC settlement agreement requires that Venmo not misrepresent any material restrictions or levels of security involved with using its service. In addition, Venmo must make disclosures about how it handles transactions and privacy, and it can no longer violate the Gramm-Leach-Bliley Act, which requires financial institutions to provide customers with a privacy notice up front an annually thereafter (Financial Privacy Rule) and must have a written security plan to describe how it protects personal information of its clients (Safeguards Rule). As with other cases in which violations of the Gramm-Leach-Bliley Act have occured, Venmo must also have a third party assess its compliance every other year for the next 10 years. The FTC will take public comment on the agreement for the next 30 days, after which it will decide whether to make the proposed consent order final.