Venmo has gotten into trouble—of the embarrassment sort—before with aggressive compliance efforts. That was specifically when it created a list of words that could delay transaction processing, such as the word Persian. And PayPal-owned Venmo was hardly alone: Chase was caught doing similar word scans, as a man who had a dog named Dash discovered.

But the U.S. Federal Trade Commission has now launched a formal investigation into Venmo. With the FTC, phrasing is critical. An investigation is very different than an FTC study, such as the one the FTC launched to look into practices of the PCI Council.

PayPal disclosed the investigation in an SEC filing last week. What exactly is being investigated?

Let’s look at the wording: “On March 28, 2016, we received a Civil Investigative Demand (“CID”) from the Federal Trade Commission (“FTC”) as part of its investigation to determine whether we, through our Venmo service, have been or are engaged in deceptive or unfair practices in violation of the Federal Trade Commission Act.  The CID requests the production of documents and answers to written questions related to our Venmo service. We are cooperating with the FTC in connection with the CID.  The CID could lead to an enforcement action and/or one or more consent orders, which may result in substantial costs, including legal fees, fines, penalties, and remediation expenses and actions, and could require us to change aspects of the manner in which we operate Venmo.”

Historically, the FTC has used “deceptive or unfair practices” to cover a wide multitude of sins, but it usually comes down to a company not doing what it told consumers it would do. This tactic has been copied by other federal agencies, including when the Consumer Financial Protection Bureau slapped down Dwolla.

The probe could be exploring almost anything, but given the recent attention to these interpretations of The Patriot Act’s rules about watching for money laundering and money transfers to terror groups, it’s quite likely that it is examining privacy promises from Venmo to consumers. How are these transactions scanned? Which people are informed? How confidentially is that data held? Is the information being strictly limited to those on a need-to-know basis?

Some have ridiculed the Venmo and Chase incidents, saying they lacked common sense. That line of thinking holds that these rules are almost guaranteed to harass innocent consumers, while having a minuscule chance of detecting true criminal behavior. After all, they ask, would a terrorist truly sending money to Daesh be stupid enough to type that into the Venmo screen?

The counter to that is that, well, given that there are plenty of stupid criminals, it stands to reason that there are also likely a lot of stupid terrorists. And what if it turns out to actually be a terrorist money transfer? Do you want to be the one explaining to a congressional investigating committee—or, for that matter, your boss—that it said the money was going to a terrorist group but you chose to not believe it?

But the real problem happens before that decision is made. That involves software looking for patterns and word choices. And then employees looking at and reviewing what they find. Do they let the name of the customer influence what they do next? Should they?

It’s not known yet what the FTC is precisely looking for, but it’s highly unlikely that this won’t be part of the questions they are asking.