A Consumer Financial Protection Bureau (CFPB) enforcement action this week marked the agency’s first foray into regulating cybersecurity and is seen as a shot across the bow of the growing online-payment industry.

Dwolla Inc., a Des Moines-based digital payment startup, agreed to pay a $100,000 penalty and improve its data security practices as part of a CFPB consent order.

John Culhane, a partner at Ballard Spahr, said the bureau appears to be stretching its authority over “unfair, deceptive or abusive acts or practices” to regulate cybersecurity. The Dodd-Frank Act gave the bureau jurisdiction over privacy but left data security with the FTC and prudential regulators, he said.

“It’s their first step in this area, and they’re really pushing the boundaries of their authority,” Culhane said. “It sure looks like they’re using their [unfair acts] authority to make an end run around that restriction.”