Saturday, March 23, 2024

Would you bank on Walmart?

Walmart bought a finance app and reduced fraud protections. Guess what happened next?

by Craig Silverman and Peter Elkind for ProPublica

Only a few hours elapsed between the time that Carl’s pay landed in his checking account and when online thieves pilfered it. “They took all of it but like 67 cents,” he said. Months before, Carl had signed up for One Finance, a banking app. It’s owned and promoted by Walmart, where Carl works in a grocery department.

He was enticed by features like cash back on purchases at Walmart and the chance to receive his pay two days early, as well as by low fees and high interest rates. Everything was fine until Carl used his One debit card — for the very first time — to buy a video game at Walmart last fall. 

The next time he checked the app, he saw a series of unauthorized transactions that had drained his account. To get by, he tapped his savings, which he said was “just enough to cover everything.” Carl asked to be identified by first name only out of concern for his job security.

Carl’s experience has been distressingly common. One Finance was plagued by fraud and customer dissatisfaction after a Walmart-controlled partnership acquired it in 2022. As Walmart began touting One to employees and others, the “neobank” — as such ultraconvenient, lightly regulated apps are called — weakened user security and outsourced customer support. 

Con artists took advantage, spurring a litany of customer complaints to regulators and the Better Business Bureau and across social media platforms. One froze some accounts and blocked access to its app and website from several countries, according to current and former customers and employees.

Frustrated users tanked One’s rating on Google Play from 4.6 to 2.8 stars. So many complaints inundated a Reddit community for One users that moderators made the page private “due to ONE fraud issue and their lack of customer support.” One’s Better Business Bureau page warns that scammers are using the One name and logo to steal money via “loan and impersonation scams.”

One’s problems echo the fraud and compliance issues revealed in a recent ProPublica investigation of Walmart’s financial services business. That article found that the company resisted calls to rein in fraud and skimped on employee training as more than $1 billion in consumer fraud losses were routed through Walmart’s financial systems over the past decade.

One had a higher rate of complaints lodged against it at the federal Consumer Financial Protection Bureau in 2023, its first full year under Walmart control, than most other large neobanks for which data is publicly available. 

The CFPB received 89 complaints about One, which has 1.6 million customers, according to a recent internal company presentation. That was six more complaints than Dave, a neobank with 9.9 million customers. 

One also has more complaints per customer than both Current and MoneyLion, two large neobanks. Chime, the largest neobank in the U.S., has by far the highest rate of complaints. (These comparisons are imperfect because neobanks don’t always use the same definitions of “customer.”)

To Carla Sanchez-Adams, a senior attorney with the National Consumer Law Center, the rate of complaints about One shows that “they don’t have the proper amount of resources dedicated to resolving customer disputes and complaints.”

The CFPB received 13 complaints about One in December, almost double the neobank’s monthly average for 2023. Five drivers for Spark, Walmart’s delivery service, have complained in the past two months that hackers stole their personal information, set up fake One accounts in their names, and then diverted their paychecks into those accounts. One was “telling me that they were going to escalate this issue, and weeks would go by and I’d never hear anything from them,” said one driver who requested anonymity to protect his job. Walmart eventually reimbursed his lost pay, he said.

There are signs that the peak of the One-related fraud may have passed. The Reddit page was made public again at the end of January, and the app’s Google Play rating has rebounded to 4.6 stars.

In a statement to ProPublica, One acknowledged blocking access in unspecified countries, due to “significant occurrences or patterns of fraud or cybersecurity risk.” But the neobank denied that problems with fraud, customer support or customer accounts were ever unusually frequent or have increased since the acquisition. When customer growth is factored in, One said, the rate of complaints has fallen “significantly.” The company declined to provide comparative data.

The company said it has taken “an industry-leading approach to protecting its customers and platform from bad actors” and added that it has enhanced its customer support, fraud and security operations. 

“We take our customers' feedback seriously and take pride in the investments we have made in our product and the ways in which we serve our customer base, which has grown substantially since we acquired the platform less than two years ago,” a One spokesperson said.

For its part, Walmart said in a statement that it works hard to protect customers and that it has “long been committed to bringing much-needed access and affordability to unbanked and underbanked consumers who have been locked out of traditional financial services, and our partnership with One to help develop and offer modern, innovative, and affordable financial solutions is no different.”

One’s issues threaten to undermine Walmart’s biggest opportunity to enter consumer banking. Starting in 1999, Walmart made four bids to go into the banking business. All failed in the face of what a 2007 New York Times article called a “firestorm of criticism from lawmakers, banking industry officials and watchdog groups.”

Many feared that Walmart would use its power as the biggest retailer on the planet to become a financial behemoth that would wipe out small banks and suck up the profits of the big ones. In the face of stiff opposition, the company seemed to give up. The Times article quoted Walmart’s president for financial services saying, “We don’t plan to do this again. The bank is behind us. We will use our partners to roll out new products.”

Since then, Walmart has steadily expanded its financial services. The company now provides check cashing, money transfers, prepaid debit cards, gift cards and bill payment services in thousands of U.S. stores, typically at lower prices than those offered by competitors. Walmart managed to do that without becoming a government-approved bank, thus allowing it to avoid most regulatory oversight.

The rise of online-only neobanks provided a new opportunity: Essentially any company could offer checking and savings accounts, as long as it partnered with a traditional regulated bank, which would handle the underlying functions of holding deposits and insuring money. 

One launched as an independent operation in 2020 and sold itself with a brash anti-bank message. It created stickers with the slogan “Un*uck Your Money” and said it wouldn’t use customer deposits to invest in fossil fuel, tobacco or firearms companies.

In January 2022, Walmart announced that a partnership it majority owned was acquiring One and another company, Even, and merging them under the One brand. When the deal closed on March 31 of that year, Walmart valued the merged business at $3.67 billion, according to internal documents obtained by ProPublica.

Under Walmart, One expanded beyond its previous target market of middle-class users to focus on signing up Walmart’s 1.6 million employees and getting them to deposit their paychecks into One accounts. The goal was to keep associates’ pay in the Walmart ecosystem and induce them to spend it with the retailer, according to former One managers. 

“The idea that ‘Hey, how crazy is it that they’re going to be spending the money we give them with us? How perfect of a situation is that?’” a former senior manager said. A former One exec said she came to think of their company as “no longer One, but instead the Bank of Walmart.”

Walmart doesn’t require associates to use One. But the service has been overhauled to emphasize features that benefit Walmart employees and shoppers, such as free ATM withdrawals and cash back on purchases at Walmart stores. 

Walmart also incentivized the hundreds of thousands of contract drivers on its Spark platform, the company’s answer to delivery apps like Instacart, to use the app. Drivers get paid the same day if they use One as their deposit option, weekly if they don’t.

Soon after the acquisition, One eliminated some popular features, such as customer credit lines with low interest rates. It eliminated account overdraft coverage for some customers and reduced it to $200 for others. It also restricted the functionality of account “pockets,” a signature feature for budgeting, sharing and spending money. In a conversation with moderators of the One Reddit community, company reps said the restrictions were necessary to fight fraud.

But the company simultaneously made it easier for scammers to log in to and compromise accounts of Walmart employees and other customers. Previously, One users needed a username and password and a verification code sent by text message. 

After the acquisition, One removed the username and password requirement for mobile users. Instead, customers entered their phone number and received a login code via text. Nowadays, fewer companies require a password. 

They typically rely on a username, such as an email address, and a second form of authentication. But One uses the same telephone number both for the username and to deliver the login code, which makes it less secure, said Allison Nixon, the chief research officer of Unit 221B, a security research and consulting firm.

One also asks users to set up a PIN. But if you forget your PIN, you can reset it with the last four digits of your Social Security number, which Nixon said is easy for criminals to obtain. 

“It doesn't feel safe and it doesn't seem like the way we should protect people's entire bank accounts,” said Nixon, who tested One’s login flow at ProPublica’s request. “When the criminal underground realizes that there's a weakness, a lot of different parties jump on that.”

In its statement to ProPublica, One said that its accounts “require two-factor authentication.” Nixon disagreed. "Possession of a phone number plus a PIN that isn't really required because you can just reset it is one-factor authentication," she said.

Without a password barrier, fraudsters were able to impersonate company representatives in calls and messages to gain access to customer accounts, according to interviews and online reports. Natasha Tabachnikoff, a One account holder who works in local government in Pennsylvania, said she received two calls from someone falsely claiming to work for One. 

The caller said her account, which she’d had for years, had unauthorized charges and asked her to confirm her identity by sharing the authentication code sent to her phone.

Tabachnikoff almost shared the code but instead hung up and contacted One. “I told them, ‘You have a very insecure system here.’ And they were basically like, ‘Well, we'll never call you and ask you to give us your code,’” said Tabachnikoff. She said she moved her savings out of One “to a more reputable bank.”

As fraud mounted, One took steps that weakened the human side of its defenses. Last May, it laid off nearly all of its U.S. customer support agents and replaced them with outsourced workers in India and El Salvador. Although many of the new workers weren’t fully trained, they were assigned to provide frontline support via chat and phone.

“They were trained to only handle the lowest intake questions that do not require advanced knowledge or support,” said a former One employee with knowledge of support operations. Every One user interviewed by ProPublica who had contacted customer service after being defrauded said that the outsourced agents could answer only basic questions. 

“These folks were really gatekeepers, they weren’t there to resolve your problem,” said James Scherber, an Oregon-based entrepreneur who had convinced several members of his family to join One.

Separately, One hired outsourced agents to assist with reviewing reports of fraud. This delayed the resolution of problems and has caused One to reject valid reports of fraud, according to the former employee and to transcripts of customer support chats provided by One users. One did not comment specifically on these criticisms, but it said it has “substantially grown its investment” and personnel in both customer support and fraud review.

Jae Bleiberg contends that One brushed off legitimate claims of fraud. Bleiberg, who has run customer service and operations for other neobanks for eight years, used One as their primary bank since 2021. (Bleiberg uses they/them pronouns.) 

Early in 2023, Bleiberg was unable to use their One debit card in Brazil, forcing them to cut their vacation short. A One support rep told Bleiberg that “all transactions in and out of Brazil were blocked due to ‘security concerns,’” 

Bleiberg said. When Bleiberg returned to New York, the card remained inactive and wasn’t replaced for another month. “Their response was ‘You can go to Walmart and get cash with your virtual One card,’ Bleiberg said. But, they added, “there are no Walmarts in New York City.”

Worse, multiple fraudulent transactions had been made using Bleiberg’s account. One reimbursed Bleiberg for those transactions, but rejected a subsequent claim. After weeks of back and forth, One eventually issued a $250 credit after Bleiberg threatened to complain to the CFPB and other agencies. Beliberg provided a screenshot of their bank statement showing the credit. 

“This clearly came with the understanding I would not seek regulatory action,” Bleiberg said. One said it’s “categorically false” to say that it pays customers to not file complaints. As their dispute with One escalated, Bleiberg filed complaints last month with several federal agencies. 

When Bleiberg asked for copies of their chat-support transcripts and call logs, screenshots show, One said it would provide the materials only if served with a subpoena. “I have spent the last year trying to obtain the records” of their interactions with One, Bleiberg wrote to the Federal Reserve Board. “My account was closed without consent a few days ago by a spiteful support agent.”

Scherber, the customer from Oregon who got his family to join One, said the company’s ineffective fraud response cost him thousands of dollars last fall. The company froze all of his money and stonewalled him after he reported a series of unauthorized charges. “They have a firehose of fraud and you have to wait for a response back from the relevant team,” Scherber said.

The account lockup meant his scheduled payments to American Express didn’t go through, he said. That lowered Scherber’s credit rating, causing a lender to raise the interest rate on a planned mortgage refinancing. “I had to postpone my refinancing,” he said. “Now it’s not going to happen.” Scherber and his family ditched One last year.

One said the rate at which it freezes or otherwise restricts customer accounts due to fraud “is down by more than 50% since the acquisition of One.” It declined to share the data or time frame used to calculate that statistic or to address specific customer accounts of fraud or poor service.

Carl, the Walmart employee whose paycheck was stolen by fraudsters, eventually got his money back. But he’s done with One. Now he gets his Walmart pay deposited in a traditional bank. As he put it, “After losing the whole check I wasn't going to risk losing it again.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.