Do I need to disclose Dwolla in my privacy policy?

Yes. Because Dwolla collects and processes sensitive financial data on your behalf—including bank account details and personal identity information—you must disclose it in your privacy policy. Dwolla is subject to the Gramm-Leach-Bliley Act (GLBA) and Bank Secrecy Act (BSA/AML) regulations, which require transparency about third-party financial processors. Failure to disclose may violate federal financial privacy laws and your customers' right to know how their data is handled.

What specific data does Dwolla collect?

Dwolla collects bank account details (routing and account numbers), transaction amounts and status, full customer identity information, and business verification data. It also performs Know Your Customer (KYC) and Know Your Business (KYB) verification, which may include government-issued IDs and business registration documents. This data is necessary to process ACH transfers and comply with anti-money laundering requirements.

Does Dwolla require a cookie consent banner?

No documented cookies are attributed to Dwolla's core payment processing function. However, you should review Dwolla's Privacy Policy at https://www.dwolla.com/legal/privacy/ to confirm current practices, as this may change. If Dwolla does use analytics or tracking cookies, you would need appropriate consent mechanisms under GDPR, CCPA, or similar privacy laws.

Who processes my data with Dwolla, and where does it go?

Dwolla Inc., a United States-based fintech company, is your third-party data processor. Customer data is transferred to and processed in the United States. Dwolla is PCI-DSS compliant for payment card security and operates under GLBA, BSA/AML, and SOX regulations. For international customers, data transfers to the U.S. may require additional legal mechanisms (e.g., Standard Contractual Clauses under GDPR).

Fintech

Privacy policy clauses for Dwolla

Dwolla is a fintech payment processor that enables ACH bank transfers and direct payment processing. Websites integrate Dwolla to securely facilitate customer bank transactions, account verification, and fund transfers while maintaining compliance with financial regulations.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Dwolla collects

Your privacy policy must disclose each of the following data types when you use Dwolla.

Bank account details for ACH

Transaction amounts and status

Customer identity information

Business verification data

When does Dwolla trigger privacy obligations?

Immediate Triggers

Integrating Dwolla into your platform triggers financial data processing obligations the moment you begin collecting bank account details, routing numbers, or transaction metadata—even in sandbox/testing. Dwolla's KYC/KYB verification requirements mean you are also collecting and processing customer identity information (name, address, business registration data, sometimes SSN/EIN) at enrollment.

Regulatory Thresholds & Jurisdiction

United States (primary): Dwolla subjects you to the Gramm-Leach-Bliley Act (GLBA), which requires a written privacy policy, data security safeguards, and opt-out rights for third-party information sharing. The Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) rules require you to implement customer identification programs (CIP) and suspicious activity reporting (SAR). If you hold or control funds on behalf of customers, Money Transmitter licensing may apply at state level.

Common compliance pitfalls

Pitfall 1: Omitting Dwolla from Privacy Disclosures or Vaguely Describing Payment Processing

The mistake: Founders often use generic language like "we use payment processors" without naming Dwolla or specifying that bank account numbers and identity verification data are collected. This violates GLBA's requirement for clear privacy notice and GDPR Article 13's specificity requirement for data collection disclosures.

Why it happens with Dwolla specifically: Dwolla's KYC/KYB flow is not always visible to end users as a separate step; it happens server-side during onboarding. Teams forget to audit what data Dwolla actually collects and assume their payment processor language is sufficient.

Consequence: Regulators (FTC, state AGs, or DPA) can cite unfair/deceptive practice violations under GLBA Section 501(b) or GDPR breaches of transparency. Users lose informed consent. If a breach occurs, you cannot demonstrate you told users their bank details were at risk.

Pitfall 2: Missing or Incorrect Data Processing Addendum (DPA)

The mistake: Using Dwolla without a signed DPA, or signing a standard services agreement that does not clarify data controller/processor roles and liability for GDPR/CCPA obligations.

Why it happens: Dwolla requires KYC verification but many indie founders treat it as a simple payment API and skip the legal docs. DPAs are often buried in Dwolla's legal portal and not flagged during onboarding.

Consequence: If you operate in GDPR jurisdictions and lack a DPA, you are in material breach of GDPR Article 28 (processor obligations). Fines up to €10M or 2% of global revenue apply. You cannot lawfully transfer personal data to Dwolla.

Pitfall 3: Failing to Document BSA/AML Compliance and Customer Identification

The mistake: Relying on Dwolla's KYC to satisfy your own CIP (Customer Identification Program) obligations, without documenting procedures, retention policies, or SAR (Suspicious Activity Report) workflows.

Why it happens: Dwolla handles KYC on your behalf, so teams assume compliance is automatic. In reality, you remain liable for CIP under the BSA; Dwolla is your service provider.

Consequence: FinCEN or state financial regulators can cite you for BSA violations, impose civil money penalties (up to $100k+), and require remediation. You must maintain audit trails showing you verified customer identity and reported suspicious activity.

Privacy policy clauses for Dwolla

What data Dwolla collects

When does Dwolla trigger privacy obligations?

Immediate Triggers

Regulatory Thresholds & Jurisdiction

First Concrete Steps

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting Dwolla from Privacy Disclosures or Vaguely Describing Payment Processing

Pitfall 2: Missing or Incorrect Data Processing Addendum (DPA)

Pitfall 3: Failing to Document BSA/AML Compliance and Customer Identification

Legal note

Sample privacy policy clause

What regulators look for

Primary Regulatory Audit Focus

Highest-Risk Audit Flag

Frequently asked questions

Do I need to disclose Dwolla in my privacy policy?

What specific data does Dwolla collect?

Does Dwolla require a cookie consent banner?

Who processes my data with Dwolla, and where does it go?

Don't ship without Bandit.