This text description is mine, not from the article. The article linked goes into much more detail.
This is an anti-scam/anti-fraud protection measure. This is apparently a method folks are getting their accounts cleaned out by thieves. They get your SSN, name, and account number from one of the many data breaches that happen today, they open an another account at another brokerage in your name, then transfer your funds out to the new brokerage they control. The system used to do this is called ACATS which is designed to easily let customers transfer funds from other accounts, but it is apparently easy to abuse.
Fidelity makes turning on the block crazy easy just by logging into your account and setting the “Money Transfer Lock” to “on”. If you ever do want to use the ACATS to legitimately move your money to another broker, you just need to go back in here and set it to “off”, complete your transfer, and turn it back “on” if you still have funds remaining.
Vanguard has this feature too, but its super sketchy to get it turned on. You have to call the vanguard agent, pass an OTP code, try to get them to understand what you’re asking for as the agent I talked to did, get transferred around again a few times, do another OTP to a different department and finally they enable it. However they say it takes 5-7 days to take effect. Better than nothing I suppose.
Currently Schwab doesn’t have a feature to block ACATS transfers at all in any capacity.
This should be enabled by default for security.
Why is it that finance companies all seem to have shit security options unless directly required by law? You’d think when handling things where they might have financial liability they would implement basic protections across the board.
I get that working with legacy systems often makes it hard to implement newer security measures, but at the same time I wonder if the finance sector just doesn’t understand or care about cybersecurity.
The last couple of times I’ve had to link accounts between different institutions, the fast recommended way is to provide my username and password to the external account to verify my account. You know, the thing that almost any decent site will tell you to never ever do under ANY circumstances when signing up.
The incompetence is infuriating.
Damn, cant they do the micro deposit verification banks do with external transfers?
You have to call the vanguard agent
Every millennial / Gen-Z person is not going to do this and get their money stolen. Why do companies do this?? It’d be more secure to even do this over live chat for a logged in session if they can’t be bothered to add this to the account settings page.
As a GenXer, even I’m rolling my eyes at Vanguard.
Though as a bonus, in my poking around security settings to see if there really isn’t an option for this obvious feature, I found that they now support software Passkeys! They skipped right over TOTPs
Its slightly worse than you may think. Prior to about a year ago there were no mechanisms available to block this type of attack from a thief from any of the big three brokerages. I give a lot of credit to Fidelity for not only developing a tool, but making it easily user accessible through the customer’s web session.
Six months ago Vanguard also had no mechanism. However between then and now, they’ve at least developed a process on the backend to put the functionality in place, but they have yet to make a tool that can enable it from the customer’s web session. So while its a bother to call in (and many Vanguard agents don’t know about it yet like the one I initially talked to), I appreciate there is an avenue to put the block on now instead of just hoping and praying the theft doesn’t happen to you. I fully expect Vanguard to make accessing the tool much easier to turn it on an off in the near future.
Schwab hasn’t even built an internal tool yet, so phone call or not, all those customers are still at risk.
