The Consumer Financial Protection Bureau (CFPB) announced it will fine online payment platform Dwolla, Inc., $100,000 for deceiving customers about steps it takes to keep their data safe. The CFPB’s first data security-related legal action against a company adds the agency to the growing list of government agencies asserting regulatory authority in this area.

“The CFPB has become an active enforcer in many areas of consumer financial services, and this is a clear indication that it is extending its enforcement activities into another area of the law within the industry,” says Edward McAndrew, a partner at Ballard Spahr and a former federal cybercrime prosecutor.

The CFPB alleged that Dwolla, which collects sensitive personal information like social security numbers and bank account data, falsely stated that its security practices “exceed industry standards” and that “100% of your info is encrypted and stored securely.” The CFPB also alleged Dwolla failed to take basic steps to protect data, such as adopting cybersecurity policies and/or training programs.