This text description is mine, not from the article. The article linked goes into much more detail.

This is an anti-scam/anti-fraud protection measure. This is apparently a method by which folks are getting their accounts cleaned out by thieves. They get your SSN, name, and account number from one of the many data breaches that happen today, they open another account at another brokerage in your name, then transfer your funds out to the new brokerage they control. The system used to do this is called ACATS, which is designed to easily let customers transfer funds from other accounts, but it is apparently easy to abuse.

Fidelity makes turning on the block crazy easy just by logging into your account and setting the “Money Transfer Lock” to “on”. If you ever do want to use the ACATS to legitimately move your money to another broker, you just need to go back in here and set it to “off”, complete your transfer, and turn it back “on” if you still have funds remaining.

Vanguard has this feature too, but it’s super sketchy to get it turned on. You have to call the Vanguard agent, pass an OTP code, try to get them to understand what you’re asking for as the agent I talked to did, get transferred around again a few times, do another OTP to a different department, and finally they enable it. However, they say it takes 5-7 days to take effect. Better than nothing, I suppose.

Currently Schwab doesn’t have a feature to block ACATS transfers at all in any capacity.

  • halcyoncmdr@piefed.social
    4 days ago

    This should be enabled by default for security.

    Why is it that finance companies all seem to have shit security options unless directly required by law? You’d think when handling things where they might have financial liability they would implement basic protections across the board.

    • Robert7301201@slrpnk.net
      4 days ago

      I get that working with legacy systems often makes it hard to implement newer security measures, but at the same time I wonder if the finance sector just doesn’t understand or care about cybersecurity.

      The last couple of times I’ve had to link accounts between different institutions, the fast recommended way is to provide my username and password to the external account to verify my account. You know, the thing that almost any decent site will tell you to never ever do under ANY circumstances when signing up.

      The incompetence is infuriating.

        • Robert7301201@slrpnk.net
          3 days ago

          That’s still an option, thankfully. Providing your password is just the new default that they recommend as the fastest.

          It’s even better because instead of using the password themselves directly, they use a third party for verification. Yodlee is the example I found for PayPal, so if they ever got breached the financial sector would be in for a fun time. Hopefully they wouldn’t be storing the credentials long term, but again, it’s the financial sector, and they don’t have a good track record with security.