NYT: How Stocks Can Be Quietly Stolen From Your I.R.A.

I thought I'd share this article from the NYT as this is pretty terrifying to me, and second I know many people don't check their retirement / brokerage accounts that often. I don't think the problem is limited to Vanguard, it sounds like a problem with the ACATS system. FTA:

The day before the presidential election, Mr. Tran, who oversees his family’s retirement accounts, decided to sell a solar energy stock inside his wife’s Roth individual retirement account…he discovered that half of the holdings inside that Vanguard account had vanished.

Mr. Tran called Vanguard, which froze the I.R.A. and began to investigate. The money, it turns out, had been whisked away four days earlier, and transferred to another brokerage platform, Merrill Edge.

A criminal impostor opened two accounts in Mr. Tran’s wife’s name at Merrill and requested the transfer from Vanguard, but the fraudster hadn’t yet run off with the money. Merrill, part of Bank of America, froze the funds.

…

It happens frequently enough: Regulators have issued notices in recent years warning that this type of crime — known as ACATS fraud — was on the rise.

…

It often happens like this: The criminal opens up a new account in a target’s name, using stolen data or a combination of stolen and false information (like an email address or a mobile phone number). Opening an account at Merrill Edge, as well as many other online brokers, doesn’t require much. That’s what the fraudsters did here, and Bank of America said it had received the all clear when it had run identify verification checks.

With the new account, the impostor can request a transfer from another existing account, just like a real customer, which the institutions complete through the ACATS framework.

…

With all of those pieces in hand, the transfer can then happen really quickly — ACATS is fast and largely automated.

…

“The ACATS process was designed for speed, and doesn’t really have good fraud controls in place,” said Gavin Holland, a financial crimes executive at SAS, a data and artificial intelligence company. The firm holding the assets rarely goes beyond a basic check, and it usually doesn’t even notify the customer that the transfer is about to happen. (Vanguard notifies customers after the transfer is completed.)

…

In a digital world where sophisticated fraudsters are continuously fine-tuning their strategies, the couple’s situation underscores the importance of checking on your accounts — criminals may try to stay under the radar and siphon small amounts at time.

Ask your financial providers what sort of notifications they send if money was transferred out, make sure the alerts are turned on and ask the firms if they have locking features to prevent this type of activity. If they don’t, demand them. Always use two-factor authentication, guard your brokerage account numbers and shred paper statements if you absolutely insist on receiving them that way. Practice good email hygiene, too.