Vanguard online fraud protection

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
Post Reply
pkcrafter
Posts: 13098
Joined: Sun Mar 04, 2007 12:19 pm
Location: CA
Contact:

Vanguard online fraud protection

Post by pkcrafter » Sat Apr 04, 2009 4:23 pm

Most of you are probably aware that Vanguard has an online fraud protection policy. The policy is very similar to ones provided by Fidelity and Schwab. Surprisingly, TRPrice does not provide this protection.

Vanguard's policy can be found here. Be sure to read the small print. Note that there are some responsibilities that the investor must follow.

https://personal.vanguard.com/us/help/S ... ontent.jsp

Some of these investor responsibilities seemed rather vague to me, so I wrote to Vanguard for clarification. Specific questions I asked about were as follows:

Check your account frequently. (What does frequently mean?) Promptly and completely review all information we send you.

Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software.(Up to date means? Any specific software? What about freeware?)

Here is Vanguard's response pertaining to those specific issues:

In the event assets are taken from an account in an unauthorized online transaction on Vanguard.com, and the client has followed the steps described in the "Your responsibilities" section of the Online Fraud Policy in our Security Center, we will reimburse the assets taken from the account in the unauthorized transaction.

I can tell you that in determining whether a client has met these responsibilities, Vanguard looks to whether the client has taken reasonable, appropriate measures to secure his or her account in light of the client's broader computer environment, activity,and configuration.

Vanguard does not require the use of a particular operating system. However, many older operating systems leave computers more vulnerable to attacks because they do not receive security software updates and have difficulty operating newer software. Vanguard does not recommend the use of an operating system that is no longer supported by the manufacturer.

We cannot recommend a specific time or frequency for updating your antivirus and firewall software due to many variables, including your computer configuration and the current threats at any given point in time. We do recommend that you turn on all automatic update features of your operating system, antivurus and other software. We also recommend that you only use antivirus and firewall software from reputable manufacturers, and that you follow all manufacturer recommendations on using and maintaining your computer and software.

Please understand that there are a number of appropriate products available - both for a fee and for free - but we do not review or recommend a particular security software solution. We do recommend that you only use products from reputable sources.
-------------------------------------------------------

Vanguard's reply, while still not specific, gives me enough confidence to believe that if an online investor uses diligence and common sense in a reasonable fashion, his or her account will be made whole in the event of online theft.



Paul
When times are good, investors tend to forget about risk and focus on opportunity. When times are bad, investors tend to forget about opportunity and focus on risk.

nyblitz
Posts: 354
Joined: Mon Apr 09, 2007 7:33 am

Post by nyblitz » Sun Apr 05, 2009 1:32 am

Paul,
Thanks for the post. Very helpful.
Wasn't Vanguard's stance on internet fraud a major issue with some posters on the old morningstar board?

User avatar
Karl
Posts: 1074
Joined: Sun May 13, 2007 5:52 pm
Location: Milwaukee, WI

Re: Vanguard online fraud protection

Post by Karl » Sun Apr 05, 2009 7:20 am

pkcrafter wrote:In the event assets are taken from an account in an unauthorized online transaction on Vanguard.com....
How exactly does some criminal take assets from your account in an unauthorized transaction? It doesn't strike me as easy.

Vanguard will only transfer redemptions by wire or ACH to bank accounts that have your name on them (except for written request with a signature gurantee). So a criminal could I guess transfer assets to an account that I suppose has both their name & yours on it (as only one name has to be the same in the case of a joint account). Of course, that criminal someone has to set up that account and I presume they'd have to use fake ID since it's probably a bad idea for a criminal to use their real identity if they don't want to be caught. Of course, Vanguard always sends you a letter when a bank account is added to your account as a redemption option.

I guess a criminal could request a redemption by check, but again they get a check sent your address & name. They could change your address, but doesn't that prevent the mailing of checks for 15 days and a notice of new address is sent to your old mailing address to inform you of this and they still have to deal with a check made out in your name.

In any case it would seem that checks or ACH & wire transfers would leave trail for law enforcement to follow, so what am I missing?

CaptMidnight
Posts: 757
Joined: Tue May 15, 2007 5:58 am

Re: Vanguard online fraud protection

Post by CaptMidnight » Sun Apr 05, 2009 9:41 am

Karl wrote: How exactly does some criminal take assets from your account in an unauthorized transaction? It doesn't strike me as easy.
The method of choice, at least for looting a brokerage account, is to buy penny stocks that are being dumped by the thief often in concert with a pump-and-dump scheme.

While it behooves us to be scrupulous in securing our own computers and logon credentials, we should not forget that 97% of the attacks do not originate from users' computers, but at the other end, the financial or, in the case of credit cards, retail institution. And we can't protect ourselves against that other than by spreading our assets around among companies we believe to be reputable.
The history of thought and culture is ... a changing pattern of great liberating ideas that inevitably turn in suffocating straightjackets... | --Isaiah Berlin

pkcrafter
Posts: 13098
Joined: Sun Mar 04, 2007 12:19 pm
Location: CA
Contact:

protection

Post by pkcrafter » Sun Apr 05, 2009 10:44 am

There have been many successful attempts to gain access to investors accounts, and with the increasing number of attempts and newer sophisticated malware, a threat is real. If you carefully read Vanguard's policy, including the small print at the bottom, much of the responsibility lies with the investor. It pays to be careful here.

I am confident that Vanguard will follow procedure when it comes to withdrawals, but criminals find ways to beat the system. And worse, some mutual fund companies have been fined for not notifying customers of requested address changes.

http://www.finra.org/Newsroom/NewsReleases/2009/P118173
FINRA found that the failures by Wachovia Securities and First Clearing were the result of various computer programming and operational problems that went undetected by the firms' internal controls procedures and supervisors. Those failures included over 300,000 notifications of changes in investment objectives and approximately 340,000 notifications of changes of address.

"These notices are an important form of investor protection — they help protect against changes that are erroneous, unauthorized, or, in the worst case, indicative of an effort to conceal misconduct involving a customer's account," said Susan L. Merrill, FINRA Executive Vice President and Chief of Enforcement. "It is crucial that firms meet their customer notification obligations."
Also from FINRA

http://www.finra.org/Investors/ProtectY ... /index.htm

One of the questions I had was about using freeware, and I was glad to see Vanguard permits it's use.

I asked Vanguard how many accounts had been tampered with and how many Vanguard did not back up, but they declined to answer.


Paul
When times are good, investors tend to forget about risk and focus on opportunity. When times are bad, investors tend to forget about opportunity and focus on risk.

2b2
Posts: 278
Joined: Sun Sep 28, 2008 7:21 am
Location: Location: Location:

Post by 2b2 » Sun Apr 05, 2009 11:32 am

...and on the subject of security, although not specifically related to 'online' access; you can establish a 'phone password' with Vanguard to further protect your account from intrusion.

Your password will be required at the beginning of any transaction to be conducted by telephone.

...it couldn't hoit.

2b2

User avatar
Karl
Posts: 1074
Joined: Sun May 13, 2007 5:52 pm
Location: Milwaukee, WI

Post by Karl » Sun Apr 05, 2009 1:49 pm

2b2 wrote:...and on the subject of security, although not specifically related to 'online' access; you can establish a 'phone password' with Vanguard to further protect your account from intrusion.

Your password will be required at the beginning of any transaction to be conducted by telephone.

...it couldn't hoit.

2b2
I'm not a fan of how SS#s are used to ID you at Vanguard and most other financial firms. These numbers used to be tossed about so freely that it now looks insane in hindsight. Were we begging for identity theft by having it used as a student ID number at universities? I carried a student ID for four years that had my SS# on it. Every test I took at that university had my SS# upon it and that number could have been seen literally anybody.

I've seen tests graded in the past and somebody, generally a grad student, just brings home a pile of them. Literally hundreds of SS#s along with names readily available to that person and anybody they happen to live with or buddies they let in their home.

I still remember a time when it was standard practice for banks to list your SS# on every monthly statement. Until about 18 months ago Medicare had my mothers fully SS# in BOLD print displayed on every page -- they've since cut out all but the last 4 digits.

I remember a time when tax packages from the IRS contained your SS# on the mailing label (for postal workers or anybody who might receive delivery of your mail by accident or theft to view.)

pkcrafter
Posts: 13098
Joined: Sun Mar 04, 2007 12:19 pm
Location: CA
Contact:

Update

Post by pkcrafter » Wed Apr 15, 2009 8:56 pm

I got a call today from a rep in Vanguard Retail Resolution Services wanting to know if the letter I received in response to my questions had fully answered those questions. I said it did not.

If you review Vanguard's Online Fraud Protection Policy you will realize much of the guarantee is mostly dependent on behavior and actions of the computer user (the client). The final decision on whether the guarantee will be good is ultimately Vanguard's. Without clearly defined responsibilities to follow, you have no leverage at all.

Some may argue that Vanguard is safe, that computer raiders can't do much with the information, etc. My response is I don't want to put it to the test.

What I'm after is more clearly defined definitions of responsibility. The rep said he would take the question to the legal department and get back to me in two or three weeks.

Paul
When times are good, investors tend to forget about risk and focus on opportunity. When times are bad, investors tend to forget about opportunity and focus on risk.

User avatar
rob
Posts: 2985
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Post by rob » Wed Apr 15, 2009 11:42 pm

I agree that Vanguards response is bad as it's not specific but so are almost all of financial companies..... What do you do.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien

User avatar
Opponent Process
Posts: 5157
Joined: Tue Sep 18, 2007 9:19 pm

Re: Update

Post by Opponent Process » Tue May 04, 2010 3:00 pm

pkcrafter wrote:The rep said he would take the question to the legal department and get back to me in two or three weeks.

Paul
did they ever get back?
30/30/20/20 | US/International/Bonds/TIPS | Average Age=37

User avatar
grabiner
Advisory Board
Posts: 22890
Joined: Tue Feb 20, 2007 11:58 pm
Location: Columbia, MD

Re: protection

Post by grabiner » Tue May 04, 2010 11:57 pm

pkcrafter wrote:There have been many successful attempts to gain access to investors accounts, and with the increasing number of attempts and newer sophisticated malware, a threat is real. If you carefully read Vanguard's policy, including the small print at the bottom, much of the responsibility lies with the investor. It pays to be careful here.

I am confident that Vanguard will follow procedure when it comes to withdrawals, but criminals find ways to beat the system. And worse, some mutual fund companies have been fined for not notifying customers of requested address changes.

http://www.finra.org/Newsroom/NewsReleases/2009/P118173
FINRA found that the failures by Wachovia Securities and First Clearing were the result of various computer programming and operational problems that went undetected by the firms' internal controls procedures and supervisors. Those failures included over 300,000 notifications of changes in investment objectives and approximately 340,000 notifications of changes of address.

"These notices are an important form of investor protection — they help protect against changes that are erroneous, unauthorized, or, in the worst case, indicative of an effort to conceal misconduct involving a customer's account," said Susan L. Merrill, FINRA Executive Vice President and Chief of Enforcement. "It is crucial that firms meet their customer notification obligations."
And Vanguard handles this correctly. When you change your address, Vanguard sends a notification to both your old and new address, and freezes redemptions by mail for 15 days. (You can still write checks on your money-market fund or transfer money to an established bank account to get money out of Vanguard, but you can't have a check sent to your unconfirmed new address.)
Wiki David Grabiner

Post Reply