Millennial-favorite Venmo is cleaning up its act.

The Federal Trade Commission (FTC) said today (Feb. 27) that it has settled with Venmo parent PayPal over allegations that the mobile-payments app misled customers about account transfers, as well as basic privacy and security. The main charge is that Venmo led customers to believe that funds in their mobile accounts could immediately be transferred to external bank accounts, when in reality the transactions were still subject to review, and could be frozen or reversed.

“Consumers suffered real harm when Venmo did not live up to the promises it made to users about the availability of their money,” acting FTC chairman Maureen Ohlhausen said in a statement. “This case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”

Venmo connects to credit cards and bank accounts to allow people to send money to each other using their phones. It also has a social component, with a feed of recent transactions that show what your “friends” have been up to. Founded in 2009, Venmo became popular quickly among millennials and on college campuses because it made things like splitting a bar tab easy. PayPal bought Venmo in 2013 and it’s been a valuable addition to the portfolio. In the fourth quarter of 2017, Venmo processed $10.4 billion, up 86% from the same period a year earlier.

In February 2015, I reported for Slate that Venmo might not be as secure as it had led users to believe. At the time, Venmo was processing about $1 billion a quarter, but it only employed about 70 people. The company’s customer support, which couldn’t be reached by phone, was slow and often unresponsive. Venmo also didn’t offer multi-factor authentication to secure accounts, or notify users when their password or email credentials were changed from within the account.

A second report for Slate found that Venmo was rife with scams. The schemes exploited a common misconception that funds sent between two users on Venmo, or transferred from the app to an external bank account, are moved immediately. Venmo’s app interface can make it look like funds move instantaneously, when in reality they don’t. The company knew about these setups but at the time had little sympathy for users who fell victim to them.

Per today’s FTC settlement, Venmo has been ordered not to misrepresent restrictions on its service, or the strength of its privacy and security measures. It must also make clearer to users when their transactions are subject to review. A spokesman for Venmo said there was no monetary fine.

“We are pleased to conclude this process with the FTC in a cooperative way,” the spokesman said in an emailed statement. “This brings to an end the investigation that included a focus on Venmo platform issues and practices prior to acquisition by PayPal.”