Protect Your Brokerage Accounts From ACATS Transfer Fraud

When you transfer investments in a brokerage account from one broker to another, it goes by a system called ACATS, which stands for Automated Customer Account Transfer Service. Some people call it ACAT. I’m going with the official name ACATS.

ACATS transfers keep the holdings intact and don’t trigger taxes. I used ACATS when I transferred a part of my account from Fidelity to US Bancorp Investments recently for the 4% rewards card.

With all the hacks and data leaks in recent years, fraudulent ACATS transfers have also become a problem. I read a report of this type of fraud from a poster ww340 on the Bogleheads forum.

I discovered that our taxable account at Vanguard had been slowly pilfered of approximately $100,000 in stocks transferred by ACATS to 2 different brokerage accounts that were not mine over a period of time.

These stock transfers were taken out of our account each time we received a dividend. … … Every few months 750 shares of that fund were transferred. Transfers were made 3 times before I realized it was happening.

Source: ACAT fraud with a twist – Vanguard, Bogleheads Forum.

We don’t want our investments stolen from us. How do we protect our accounts from ACATS fraud?

Fraudulent Account In Your Name

ACATS is a pull-only system. All transfer requests start at the receiving firm. A transfer requires a medallion signature guarantee if names don’t match between the receiving and the sending accounts. Therefore thieves usually start with creating a fraudulent account in your name at another broker. They don’t have to hack into your account when they could just pull from an account they control.

Opening a brokerage account doesn’t require a credit check. Freezing your credit doesn’t stop it. Freezing your ChexSystems report doesn’t stop it either because that’s only for banks and credit unions. If someone has your name, Social Security Number, address, and phone number, they have all the information to open a brokerage account in your name. All those pieces of information have been leaked in repeated hacks.

Because thieves can choose paperless delivery at many financial institutions, you may have no clue when a fraudulent account is opened in your name somewhere out there. Some brokers still send mail. You should be on alert if you receive mail from a financial institution you don’t use.

Account Number and Statement

An ACATS transfer request requires the account number of the source account. Some brokers ask for a recent account statement from the source account but it’s often optional. My recent transfer went through without a statement.

An ACATS transfer doesn’t require confirmation by the customer at the sending firm either. A transfer would go through if someone had your account number and the names matched on both accounts. Therefore you should safeguard your account number from falling into the wrong hands. That’s the critical piece of information for a successful ACATS transfer.

A partial transfer also requires knowing your holdings, which are listed in your online account or statements. Therefore you should protect your account statements.

Choose paperless statements and tax forms. They are more secure than hard copies sent by mail. Store those documents securely.

Your brokerage account should have the strongest 2-factor authentication. Don’t let thieves reset your password to get your account number or holdings. See Security Hardware for Vanguard, Fidelity, and Schwab Accounts. If you submit your statement to someone to qualify for a loan, black out the account number.

Your email should also have the strongest 2-factor authentication. Don’t let thieves find your account number or holdings in some emails. See Secure Your Email Account to Prevent Wire Fraud.

Enable Lockdown

Fidelity is the only broker I know that offers an optional Money Transfer Lockdown feature. It doesn’t stop all the ways money can go out of an account but a partial lockdown is better than no lockdown. Fidelity will reject all ACATS transfers when you turn on this setting on an account.

Enabling the lockdown also stops some legit transfers you initiate. You’ll have to disable the lockdown, do your transfer, and re-enable the lockdown. It’s a tradeoff between convenience and protection.

Transfer Alerts

An ACATS transfer doesn’t require an approval from you before it goes through but it’s helpful if your broker at least sends you an alert when it receives a transfer request or immediately after it processes a transfer. Some brokers don’t do any of that.

Fidelity sent me an alert when they received my legit transfer request through US Bancorp Investments. When I transferred from Vanguard last year, Vanguard didn’t send me anything either before or after they processed the transfer. A fraudulent transfer could’ve gone through without my knowledge. Vanguard only sent me a letter after a few weeks saying the account was closed. I would’ve received nothing if it had been a partial transfer and the account was still open, as was the fraudulent transfer against ww340.

If your broker notifies you by mail, it’s helpful if you open it. The poster ww340 said,

I had everything online and usually only get proxy votes or fund information sheets, so I do not always open Vanguard mail.

That was a mistake. Use a broker that sends you alerts about these transfers either before or after the transfer is processed. The sooner you know, the better chances you have to stop the transfer or reverse it. Make a habit of reading everything that comes from your broker.

A Flood of Spam

Beware when you receive a sudden flood of spam emails and texts. It’s a telltale sign you’re under attack somewhere. Thieves flood you with spam to bury the notification emails and texts from your financial institution. This happened to ww340:

My email got hundreds or thousands of spam emails every time a fraudelent order was placed. My email had 73,000 emails with 99% of those were spam and spam subscriptions. So that hid the fraud when the notices were hidden among the spam.

Call your banks and brokers immediately and tell them to stop all transactions if you see a surge of spam emails or texts.

Check Your Accounts

Some people suggest not checking your investment accounts often. This helps you avoid trading on fear or greed. That’s good if your broker will notify you of outgoing activities and you’re on top of the notifications. Otherwise your account or shares could be long gone before you notice.

Brokers send you account statements monthly or quarterly for a reason. You don’t need to check your accounts daily. I suggest checking monthly for unusual activities.

Keep Independent Records

An ACATS transfer can be a full transfer of the entire account or a partial transfer of select holdings. A full account transfer is easier to detect when you see your entire account is gone. A partial transfer such as leeching 750 shares at a time is more difficult to see.

Portfolio values fluctuate with the market prices but you should match the number of shares in your account with your independent records. Don’t just look at the total value of your account. Look at the number of shares in each holding. Thieves that stole from ww340 tried to hide their theft by transferring out shares shortly after a dividend was paid. You may not detect it easily if you only look at the total value.

Many old-timers use Quicken to track their accounts. I use Microsoft Money, which was discontinued 10+ years ago but you can still find the last free release on archive.org. It still works on Windows 11. What system you use doesn’t matter as long as it helps you track your shares independently. An online aggregator such as Empower or Fidelity’s Full View isn’t the best tool for this purpose because they don’t maintain an independent source of truth. An online aggregator only reports what’s currently in your accounts.

You should know how many shares you should have in each holding at any time. Compare them with how many shares you see in your account. You’ll know when you see a difference. Having fewer accounts, fewer holdings, and fewer transactions will make this task easier.

***

ACATS was designed before all the hacks and data leaks. Now the account number is the only secret that prevents a fraudulent transfer. We must do everything we can to protect this secret. It helps to turn on the lockdown setting if your broker offers it. It also helps to use a broker that notifies you of pending and completed transfers.

Fraudulent ACATS transfers can be reversed. We want to detect them sooner rather than later. Check your account activities monthly and keep independent records.

[Image Credit: Gerd Altmann from Pixabay.]