Compiled from Public Data by FairShake
The US government’s Consumer Financial Protection Bureau (CFPB) collects complaints against financial companies.
In 2020, the CFPB received 1592 complaints against USAA. USAA ranked Number 27 among all financial companies for the most complaints.
Date of Complaint: May 12, 2020
Company Official Name: UNITED SERVICES AUTOMOBILE ASSOCIATION
State: TX
Product: Checking or savings account
Sub-Product: Other banking product or service
Issue: Managing an account
Sub-Issue: Problem accessing account
Full Complaint:
Complaint from XXXX XXXX XXXX XXXX submitted to the Consumer Financial Protection Bureau in regards to abuse of the Patriot Act/Bank Secrecy Act.
My wife and I have been member/customers of USAA for over 27 years. During the last week we have had a more than disappointing experience, that in fact the evidence thereof seems to show that USAA is abusing the Patriot ACT/Bank Secrecy ACT with members in a way that is unreasonable, intrusive, unnecessary, and violates privacy. We were, however, very pleased to be introduced to The Consumer Financial Protection Bureau and your work to help members like us to hold accountable inappropriate banking behavior.
It was also interesting to see that this is not the first time you will have received a complaint about such violations by USAA, in view of your class action XXXX XXXX settlement last year with USAA after dealing with the issue that USAA violated the Electronic Fund Transfer Act.
Our Complaint
Last week my wife attempted to use her USAA phone app for the purpose of transferring funds to one of our adult children. But, to her surprise, upon logging on to her app, she was prompted that she must answer questions about our Net Worth, Sources of Income and other privacy based questions not necessary for customer identification. Furthermore, she was told in writing that if you don’t provide this private information within 3 visits you will be blocked from accessing your accounts, statements and effectively the ability to conduct personal banking of our private assets.
EXHIBIT
About a year ago, we experienced a fraud event with our USAA accounts, known as an account takeover. USAA worked to try and explain how after multiple conversations with USAA employees, the fraudsters were able to gain the answers to my wife’s security questions, which even I can’t answer. Fortunately, after the criminals had already withdrawn money from our daughter’s account, opened new accounts and credit cards we became aware and intervened. As you might expect, we worked directly with USAA to reconfigure all of our security protocols including new passwords, pins, security questions and adding 2 step verification to ensure this never happened again. All of this enhanced security re-engineering would have been impossible if USAA did not believe at that time that they had reasonable confidence that they were in fact dealing with us, their members.
In addition to the account takeover, we have also experienced multiple attempts by other fraudsters to impersonate USAA in electronic communications with very authentic presentations, but in each case we called USAA to report and identify the fraud attempts.
As you would expect, all of these experiences had made me and my wife quite sensitive to anything that came digitally with USAA branding but did not seem like them. Therefore when my wife got these required questions we were concerned about more fraud and called USAA on XX/XX/XXXX.
XX/XX/XXXX : We first spoke with a USAA CSR about the questions to ensure this was not fraud. To our surprise, the representative told us quite casually that these questions in fact did come from USAA and that we are required under the Patriot Act to answer them or USAA would unilaterally prevent us from accessing our accounts and funds. When I asked more questions on how such questions ( see screen shot exhibit below ) were necessary for customer identification after having already cleared verification she could not say and connected us to XXXX in the USAA Executive Resolutions Team.
While waiting for XXXX to come on the line, I did a very quick cursory survey of the Patriot Act and the related Bank Secrecy Act as it applies to Anti-money Laundering and Customer Identification Programs required. Interestingly, it stated that institutions’ CIP ( Customer Identification Program ) programs are intended to enable the bank to form a reasonable belief that it knows the true identity of each customer. I learned that these CIP questions are applied under the act when customers open new accounts, apply for loans or perhaps apply for credit cards. Further that these questions as directed by the Bank Secrecy Act/Anti-Money Laundering Examination Manual ( see : XXXX : XXXX % XXXX % XXXX % XXXX XXXX ) call for : birthday, address, social security number, driver’s license.
When XXXX came on the line and we asked about these issues, he did not respond but asked for the opportunity to access and view our account. My wife, ironically, successfully answered all of XXXX security questions to be verified. Apparently he considered that sufficient to reasonably believe that my wife was a true member/customer because he went on later to help make the funds transfer for my wife. To his credit, XXXX seemed to sincerely understand our frustration that we were being asked questions like this after 27 years of membership and not opening a new account or loan application.
In an effort to help, he tried to use his system to see how my wife was sent these demanding questions in the first place. Ultimately he made a very interesting comment. In effect, XXXX said, that he did not see any data or information on his side which would normally be there to engage sending the questions to a member. He was at a loss to explain how that could be, but could not unequivocally say my wife was not under suspicion for the Patriot Act guidelines. Please note my wife’s name does not appear on any federal XXXX watch lists nor has she received a warrant.
XXXX then made the recommendation that to get the answers to our questions about USAA’s intrusive questions we needed to talk to the MOET department on Monday XX/XX/XXXX. Further, he explained that the MOET group manages the Patriot Act compliance and operations for USAA.
On XX/XX/XXXX we called as instructed to the MOET department and were connected with XXXX. Once again XXXX verified us thru appropriate security questions which we happily answered without asking questions about our net worth, sources of income etc. We reviewed all of the above with XXXX including specific entries in the Bank Secrecy ACT/ Anti Money Laundering Examination Manual.
In addition to the points made to XXXX regarding appropriate CIP questions under the Patriot Act for new accounts or loans, we pointed out and asked why USAA was ignoring or apparently not in compliance with certain parts of the Examination Manual? Examples were :
1. On page 45 it states : The CIP is intended to enable the bank to form a reasonable belief that it knows the true identity of each customer. With our enhanced security questions, new passwords, new pin numbers, and now 2 Step verification, we asked how could that not be reasonable belief we were a true customer? Furthermore, how could USAA possibly use, much less verify our identity as a customer based on estimated answers to questions like net worth, other sources of income etc.?
2. As pointed out above, we have been member/customers of USAA for over 27 years with multiple accounts, services and children account holders. On page 46 of the Manual, it states that the Customer Identification Program rule applies to a customer. In the same paragraph it states : The definition of a customer also does not include an existing customer as long as the bank has a reasonable belief that it knows the customer’s true identity. In footnote 44 it goes on to explain : The bank may demonstrate that it knows an existing customer’s true identity by showing that before the issuance of the final CIP rule, it had comparable procedures in place to verify the identity of persons who had accounts with the bank as of XX/XX/XXXX.
By this definition, since my wife and I have been customers since XXXX and because USAA obviously accepted our verification / security questions for 6 years prior to XX/XX/XXXX, there is no reason that they can claim they need to know our net worth or other sources of income for the purpose of reasonable belief that we are customers.
3. On Page 50 of the manual it addresses Adequate Customer Notice. It is interesting to note that the whole discussion and questions are connected to opening an account. My wife was not opening a new account. This new account language is reinforced on page 47 of the manual with the addition of direct examples of appropriate identifying information.
All of those listed we have always been willing and have complied in sharing for security verification. BUT what is NOT found in this list on page 47 are the questions in the exhibit provided threatening blocked access of personal accounts if not answered.
4. I also asked if based on required CIP record retention policy ( page 54 ) if there was an indication that my wife had been flagged as high risk.
At this point XXXX at the MOET department stated that he would need to refer us to his manager XXXX for these answers and in regards that these questions be waived for us in view of all the above and our clear success in answering all identifying and security questions. XXXX went on to say that he & USAA took our complaint very seriously and we would hear back by the end of the day. I replied that we would be glad to wait until XXXX XXXX before filing a complaint with the CFPB as a last resort for customer advocacy for privacy rights and intrusive questions outside the direction of the Bank Secrecy Act.
At approximately XXXX after NOT receiving the promised call from manager XXXX XXXX an attempt XXXX more time to reach resolution, we talked with XXXX XXXX the MOET group. XXXX reported that unfortunately her manager XXXX had left work for the day and we would not be able to talk to her until the next day XX/XX/XXXX. We voiced our dissatisfaction with this customer service failure and she then connected us to XXXX in the Executive Resolutions Team. XXXX carefully listened as we reviewed all the conversation above and the unanswered questions especially regarding the incongruity with the Bank Secrecy Act Examination Manual. Interestingly, XXXX response was that USAA is very conservative and always complies with federal regulations and that under the Patriot Act we are required to answer these questions regarding net worth, sources of income and other non identifying based questions. Even more surprising, XXXX stated to us, that USAA will be asking every member these same questions.
Assuming that XXXX was correct in this assertion and if found to be true that these questions are at odds with Federal examination rules, it would seem to imply that all USAA members could potentially be considered included in a class action response.
At the point we asked XXXX if Senior Leadership would be concerned about a 27 year member who feels that privacy is being violated by questions not required by the Patriot Act he replied yes and offered to connect us to the CEO Member Relations Team, which we did. So at the close of the day after multiple attempts to resolve this issue, we spoke with XXXX on this team. XXXX was very courteous and listened carefully promising to forward our concerns to the Member Advocacy Team. Also, surprising to us like XXXX, XXXX basically said that in regards to our filing a complaint with the CFPB or The Financial Crimes Enforcement Network we have to do what we have to do.
CONCLUSION
It is obvious, that USAA staff all the way up the chain to the CEO’s office know that these questions are being asked and are told that the Patriot Act requires them to do so and that customers must answer them. All this with no staff training on why or how to provide support for this. They also have no responses to the challenge questions we posed from the Bank Secrecy Act /Anti-Laundering Examination Manual provided by the Federal Financial Institutions Examination Council.
We believe to threaten customers of blocked access to personal private accounts is abusive with these intrusive questions. Further, we have demonstrated that for 27 years we have answered all reasonable security and customer identification questions. Therefore it is inconceivable that USAA had any reason to believe that we were not in fact customers.
We would request your help in evaluating if these actions by USAA are indeed in violation of the Federal regulations and that it ultimately implies that all USAA members have been negatively impacted by this action in terms of right of privacy, and potential identity theft related risks.
As a footnote to this chain of events, as of XXXX XXXX CST Tuesday XX/XX/XXXX, we never have received the follow up call from MOET manager XXXX as communicated by the CEO’s office much less the employees in the MOET.
We are grateful for your advocacy and counsel on next steps.
XXXX XXXX & XXXX XXXX
Response Type: Closed with explanation
Public Response:
Company believes it acted appropriately as authorized by contract or law
FairShake accessed this complaint from the public archives of the Consumer Financial Protection Bureau (CFPB).