When you transfer investments in a brokerage account from one broker to another, it goes by a system called ACATS, which stands for Automated Customer Account Transfer Service. Some people call it ACAT. I’m going with the official name ACATS.
ACATS transfers keep the holdings intact and don’t trigger taxes. I used ACATS when I transferred a part of my account from Fidelity to US Bancorp Investments recently for the 4% rewards card.
With all the hacks and data leaks in recent years, fraudulent ACATS transfers have also become a problem. I read a report of this type of fraud from a poster ww340 on the Bogleheads forum.
I discovered that our taxable account at Vanguard had been slowly pilfered of approximately $100,000 in stocks transferred by ACATS to 2 different brokerage accounts that were not mine over a period of time.
These stock transfers were taken out of our account each time we received a dividend. … … Every few months 750 shares of that fund were transferred. Transfers were made 3 times before I realized it was happening.
Source: ACAT fraud with a twist – Vanguard, Bogleheads Forum.
We don’t want our investments stolen from us. How do we protect our accounts from ACATS fraud?
Fraudulent Account In Your Name
ACATS is a pull-only system. All transfer requests start at the receiving firm. A transfer requires a medallion signature guarantee if names don’t match between the receiving and the sending accounts. Therefore thieves usually start with creating a fraudulent account in your name at another broker. They don’t have to hack into your account when they could just pull from an account they control.
Opening a brokerage account doesn’t require a credit check. Freezing your credit doesn’t stop it. Freezing your ChexSystems report doesn’t stop it either because that’s only for banks and credit unions. If someone has your name, Social Security Number, address, and phone number, they have all the information to open a brokerage account in your name. All those pieces of information have been leaked in repeated hacks.
Because thieves can choose paperless delivery at many financial institutions, you may have no clue when a fraudulent account is opened in your name somewhere out there. Some brokers still send mail. You should be on alert if you receive mail from a financial institution you don’t use.
Account Number and Statement
An ACATS transfer request requires the account number of the source account. Some brokers ask for a recent account statement from the source account but it’s often optional. My recent transfer went through without a statement.
An ACATS transfer doesn’t require confirmation by the customer at the sending firm either. A transfer would go through if someone had your account number and the names matched on both accounts. Therefore you should safeguard your account number from falling into the wrong hands. That’s the critical piece of information for a successful ACATS transfer.
A partial transfer also requires knowing your holdings, which are listed in your online account or statements. Therefore you should protect your account statements.
Choose paperless statements and tax forms. They are more secure than hard copies sent by mail. Store those documents securely.
Your brokerage account should have the strongest 2-factor authentication. Don’t let thieves reset your password to get your account number or holdings. See Security Hardware for Vanguard, Fidelity, and Schwab Accounts. If you submit your statement to someone to qualify for a loan, black out the account number.
Your email should also have the strongest 2-factor authentication. Don’t let thieves find your account number or holdings in some emails. See Secure Your Email Account to Prevent Wire Fraud.
Enable Lockdown
Fidelity is the only broker I know that offers an optional Money Transfer Lockdown feature. It doesn’t stop all the ways money can go out of an account but a partial lockdown is better than no lockdown. Fidelity will reject all ACATS transfers when you turn on this setting on an account.
Enabling the lockdown also stops some legit transfers you initiate. You’ll have to disable the lockdown, do your transfer, and re-enable the lockdown. It’s a tradeoff between convenience and protection.
Transfer Alerts
An ACATS transfer doesn’t require an approval from you before it goes through but it’s helpful if your broker at least sends you an alert when it receives a transfer request or immediately after it processes a transfer. Some brokers don’t do any of that.
Fidelity sent me an alert when they received my legit transfer request through US Bancorp Investments. When I transferred from Vanguard last year, Vanguard didn’t send me anything either before or after they processed the transfer. A fraudulent transfer could’ve gone through without my knowledge. Vanguard only sent me a letter after a few weeks saying the account was closed. I would’ve received nothing if it had been a partial transfer and the account was still open, as was the fraudulent transfer against ww340.
If your broker notifies you by mail, it’s helpful if you open it. The poster ww340 said,
I had everything online and usually only get proxy votes or fund information sheets, so I do not always open Vanguard mail.
That was a mistake. Use a broker that sends you alerts about these transfers either before or after the transfer is processed. The sooner you know, the better chances you have to stop the transfer or reverse it. Make a habit of reading everything that comes from your broker.
A Flood of Spam
Beware when you receive a sudden flood of spam emails and texts. It’s a telltale sign you’re under attack somewhere. Thieves flood you with spam to bury the notification emails and texts from your financial institution. This happened to ww340:
My email got hundreds or thousands of spam emails every time a fraudelent order was placed. My email had 73,000 emails with 99% of those were spam and spam subscriptions. So that hid the fraud when the notices were hidden among the spam.
Call your banks and brokers immediately and tell them to stop all transactions if you see a surge of spam emails or texts.
Check Your Accounts
Some people suggest not checking your investment accounts often. This helps you avoid trading on fear or greed. That’s good if your broker will notify you of outgoing activities and you’re on top of the notifications. Otherwise your account or shares could be long gone before you notice.
Brokers send you account statements monthly or quarterly for a reason. You don’t need to check your accounts daily. I suggest checking monthly for unusual activities.
Keep Independent Records
An ACATS transfer can be a full transfer of the entire account or a partial transfer of select holdings. A full account transfer is easier to detect when you see your entire account is gone. A partial transfer such as leeching 750 shares at a time is more difficult to see.
Portfolio values fluctuate with the market prices but you should match the number of shares in your account with your independent records. Don’t just look at the total value of your account. Look at the number of shares in each holding. Thieves that stole from ww340 tried to hide their theft by transferring out shares shortly after a dividend was paid. You may not detect it easily if you only look at the total value.
Many old-timers use Quicken to track their accounts. I use Microsoft Money, which was discontinued 10+ years ago but you can still find the last free release on archive.org. It still works on Windows 11. What system you use doesn’t matter as long as it helps you track your shares independently. An online aggregator such as Empower or Fidelity’s Full View isn’t the best tool for this purpose because they don’t maintain an independent source of truth. An online aggregator only reports what’s currently in your accounts.
You should know how many shares you should have in each holding at any time. Compare them with how many shares you see in your account. You’ll know when you see a difference. Having fewer accounts, fewer holdings, and fewer transactions will make this task easier.
***
ACATS was designed before all the hacks and data leaks. Now the account number is the only secret that prevents a fraudulent transfer. We must do everything we can to protect this secret. It helps to turn on the lockdown setting if your broker offers it. It also helps to use a broker that notifies you of pending and completed transfers.
Fraudulent ACATS transfers can be reversed. We want to detect them sooner rather than later. Check your account activities monthly and keep independent records.
[Image Credit: Gerd Altmann from Pixabay.]
Say No To Management Fees
If you are paying an advisor a percentage of your assets, you are paying 5-10x too much. Learn how to find an independent advisor, pay for advice, and only the advice.
Steve says
Excellent advice. Thank you.
Yan says
Excellent advice, thank you! Tracking shares of holdings isn’t that easy for me. Would it be easier if I just check the account activities to see if there are any outgoing transfers?
GaryK says
That’s the way I do it. Very easy to log in to Fidelity, select ‘All Accounts’ if that is not your default, and click on ‘Activity and Orders’, which defaults to most recent 30-days activity, with the latest at the top for you to look at. I’ve found Fidelity to be very good at posting even pending activity. My only caveat is that I’ve never used ACAT to take shares out of Fidelity, only to move into Fidelity, so I don’t know how quickly they post the transaction.
I do this from my laptop — takes all of a minute or so.
JM says
I also routinely check my account activity and have found that it is a quick way to keep track dividend payments, trades, transfers, bond redemptions, and deposits and withdrawals from the account I use for cash management.
A C says
I have called my Fidelity free advisor about security and FDIC-like insurance policy for my investment accounts, and he directed me to their site where they have a whole section regarding that if you check your holdings at least every 30 days, whatever your lost from fraud will be totally refund or replace.
The lock down is also very helpful, even though at some incontinence at times. I once tried to do a QCD & was stopped by the site & didn’t know why because I was at least 701/2 but not yet RMD age. So when I called Fidelity during the evening hours on that Saturday, I was told by the representative as he was gaggle that the reason was my tIRA was locked down. I have forgotten to unlock it before attempting the transfer.
The lock down is a very good feature but I told him that they should at least add a prompt or warning about that at the transfer site, and also add a personal PIN code for the unlock. He said he will add that suggestion to the IT stuff.
Harry Sit says
Yan – Checking the account activities also works if you know what to look for. I’ve seen a transfer of shares displayed with a zero amount because it doesn’t affect cash. You might miss it if you scan the activities for negative amounts.
GaryK says
At Schwab when a security position is transferred out, the ‘Action’ (transaction type) is ‘Security Transfer’, the ‘Quantity’ is negative, and the ‘Amount’ is blank. For cash, it is also ‘Security Transfer’, the ‘Quantity’ is blank, and the ‘Amount’ is negative.
Nikki says
This was an excellent article and I immediately went to Fidelity and locked down my accounts and updated my alerts. I’ve learned so much from you over the years, Harry! I am so grateful I subscribed and I always pay attention to anything you share. Thank you.
John says
Excellent article and gave me ideas to strengthen my security. I am a Fidelity customer and already use the account lockdown feature. It is easy to switch it on and off, and I get a message whenever it changes.
When I switched from Vanguard last year, Fidelity connected me to one of their security experts who explained their security options. I was impressed with their offerings and try to use as many as practical.
Jake says
Thank you! I used to work at a large discount broker and this never occurred to me. I never saw a fraudulent ACATS transfer but I did see some of the things you mention. E.g., people (who weren’t clients) would call up about paperwork they had received for an account that had been opened in their name. I wondered what the purpose of this fraud was and this certainly could have been it. Oftentimes we had already somehow detected it was sketchy and the account was already locked but there were plenty of times it wasn’t. This is really good to know and they certainly need to make improvements to the ACATS process to stop this. I like the idea of people not having to talk to their previous (bad/expensive) advisor to transfer their funds out, but ACATS fraud does seem like a risk that needs to be addressed.
GaryK says
Thank you so much Harry. We still get paper statements because my wife sees them as a security blanket.
So, would you believe that some of our 1/31/25 statements from Fidelity have gone missing? Our neighborhood’s mailboxes are secure, so either they were misdelivered, or are lost somewhere in the bowels of the PO after being scanned for the daily USPS Daily Digest email.
Definitely time to have another discussion.
Jeff says
Of the 4 Deep Risks mentioned by Bill Bernstein, confiscation (the others being hyperinflation, prolonged deflation, devastation) seems by far the largest in our modern world. Not by the government necessarily but by anybody on this planet with a computer or smartphone. Your tips on this site help protect us but I feel we remain extremely vulnerable. Thank you for what you do.
Harry Sit says
Hyperinflation, prolonged deflation, and devastation are society-wide deep risks. Confiscation can be selective and only affects you specifically. It’s more problematic than the other three.
GaryK says
This post sent me off to investigate Vanguard’s services. I did find an alert related to asset transfers, but it is only available via email (unlike their other alerts which can also be texted), and is unclear as to scope. I have sent a message to them asking two questions (see below) — will post back after I receive a response (but not holding my breath given previous experience with Vanguard).
1) Does “Initiated, in progress, and completed status messages for asset transfers” cover both inbound (initiated by me at Vanguard to transfer assets from another firm), and outbound (ACATS initiated from another firm)?
2) Why can you not provide this as a Text alert, only as an email alert?
Steve says
Good questions for Vanguard.
Another one is: Why doesn’t Vanguard provide account lockdown feature?
Vanguard claims to be “investor owned”, but it is only privately owned Fidelity that has lockdown.
GaryK says
Here are Vanguard’s responses to my two questions.
“Vanguard will notify you, based on your account alert settings, upon initiation, in progress, and completion for asset transfers of all types. At this time, Vanguard does not offer text alerts for status changes in transfer requests, so this notification can only be sent to you by email at this time.
Our development team is actively working on making text alerts available to be selected for asset transfers, however this change has not been implemented yet.”
Harry Sit says
Many of us didn’t receive anything when we transferred out of Vanguard last year. There are three possibilities:
1. This alert didn’t exist back then.
2. It existed but it’s default off and we didn’t turn it on.
3. It’s default on but it only affects transfers initiated at Vanguard to pull in assets but not transfers initiated elsewhere to pull out assets.
If I still had a Vanguard account I would want to test this with a small partial transfer.
Wade says
I have all the 2fa and money transfer locked at Fidelity. One thing im wondering Harry, i also have trading authorization on my wifes account so i dont have to log in separately to do rebalancing trades, dividend transfer etc. im thinking now maybe I should remove that so in the event my account is hacked, they can remove from both accounts. Its a nice convenience but not a big deal to have my wife separately log in.
JT says
FINRA finally got around to issuing an ACATS warning in Dec 2022
https://www.finra.org/rules-guidance/notices/22-21
Buts that’s all it is.
A warning.
No teeth. Not even any guidance on offering customers alterts or account transfer lockdowns.
Its like when , in 2023, my bank asked me why I was concerned about SIM-Swap fraud when I could “simply visit any branch to reestablish online access.”
JT says
FINRA did issue guidance in 2023 but still no required compliance or enforcement.
https://www.finra.org/rules-guidance/notices/23-06
Eric Gold says
Timely and most excellent article.
A few weeks ago I contacted Schwab and asked about account lockdown. I was told that the feature was not offered. Today (after reading Harry’s article) I called Schwab to update my ALERTS, and was fortunate to speak with a CSR named Kindel who took it upon himself to investigate further by speaking with the Schwab security dept. It turns out that Schwab DOES have an account lockdown feature, but it is manual and not well known to the tier #1 representatives. I’m feeling a lot better about Schwab now, and presuming things work out as expected, a lot more secure. Tangentially, Kindel found out that ACATS requests can be completed by Schwab in as little as one hour from receipt, so the ALERT system can easily fail.
To paraphrase Harry, PULL requests (and therefore ACATS) are a gaping hole in personal financial security. Being able to lock down accounts is a strong measure we can take to plug this hole.
Brad says
Eric, can you provide a brief description (or link to a help article on their site) on how to find the lockdown menu item at Schwab? That would be lovely! Maybe Harry can add it to his article?
AudreyH says
Very informative article, thanks!
Scott D says
Put me in the Check Your Accounts DAILY camp. I’ve used Mint and Empower (Full View has a quirk that makes it poor for this) to track things for over a decade. The key is knowing what tool to use. (It’s transactions not account balances). If you don’t know your transactions over a 2-3 day period, that’s scary.
If you see a transaction you can’t make sense of it’s time to get in touch with the bank/broker/credit card company, 99% of the time it’s just a naming thing, or additional transactional detail but every once in a great while (happened to me once in decades) there’s a fraudulent transaction by someone checking to see if the account is vulnerable.
Further it’s a really fast way to see if all your accounts link. If you get an error there are 2 possible causes, an error in Empower’s log in (like 90% of the time) or something has happened at your institution. Either way it takes maybe 10 minutes to log in to an account and make sure it’s all the way it should be.
Anyway, that’s my 2 cents, that these things are a reason to check activity every day not avoid it.
Oh and when it happened, the transactions were still pending, and my bank shut it down and changed my account numbers during a phone call, sent me some free new checks and new ATM cards.
Scott D says
Schwab will cover losses in any of your Schwab accounts due to unauthorized activity.
Pretty good protection if you check your account frequently.
Frugal Professor says
Fantastic article Harry! I’ve been thinking of this issue for some time now as well. I think the best solution is to transfer the assets to Fidelity & use lockdown feature. Too bad other brokerages don’t enable this feature. Seems like such an obvious deficiency.
Rita Glickman says
I posted a link to your article on EarlyRetirement.org and out of that discussion on member provided a link to a FINRA article from March, 2023 providing guidance to firms on how to reduce fraud in the broker system. https://www.finra.org/rules-guidance/notices/23-06
I guess the takeaway here is that before signing up with a new broker the owner should ask about their policies when transferring funds between brokers. I do appreciate the extra info you put in this blog to let users know how to secure their use of systems so their critical data is not exposed.
Harry Sit says
JT mentioned this same FINRA notice in comment #10. It’s more of a CYA. It doesn’t require the brokerage industry to do anything specific. From the notice:
“This Notice provides an overview of some indicators of ACATS fraud and the practices some firms apply to address it.
This Notice does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws and regulations. Member firms may consider the information in this Notice in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations.”
Member firms may consider … or they may not. Or they may merely consider and still not do anything.
Gail says
This is a reply that I received from the Vanguard Fraud Department regarding requesting a redemption freeze:
Request a Redemption Freeze
You can request a redemption freeze on your accounts by calling us. Redemption freeze requests made over the phone are temporary and are only valid for ten calendar days. No redemptions or exchanges will be processed for the account while the freeze is active. This includes any transactions placed on the same day the freeze is initiated.
The freeze will be automatically removed after ten days unless we receive a written request for a permanent freeze. If you wish to make the account freeze permanent, please send a written request to the following address:
For first class mail:
Vanguard
P.O. Box 982901
El Paso, TX 79998-2901
For registered, certified, or overnight mail:
Vanguard
5951 Luckett Court, Suite A1
El Paso, TX 79932
Be sure to include your name, address, account number, and dated signature in the letter.
If you need to remove a freeze, you will need to send a written letter stating your specific request and include the notarized signatures of all account owners.
Harry Sit says
Please confirm with Vanguard exactly which actions are blocked and which actions are still allowed under a redemption freeze. “No redemptions or exchanges will be processed for the account while the freeze is active.” I interpret it as you can’t sell (“redeem”) any shares in the account or sell one fund to buy another (“exchange”). Withdrawing cash from the account is technically selling a money market fund, which may also be covered by the redemption freeze but I’m not sure. However, an ACATS transfer doesn’t sell any shares. If that’s still allowed, a redemption freeze doesn’t address ACATS fraud.
If my interpretation is correct, a redemption freeze might be useful for younger people who will only buy shares and never sell. It’s inconvenient for retirees who will sell and withdraw from the account. They can write a letter to freeze now, write another letter with notarized signatures to unfreeze, sell shares and withdraw once a year, and write another letter to freeze again. It’s quite cumbersome.
GaryK says
And speaking of CYA, I can write a regular letter to initiate the freeze, but need a letter with notarized signatures to remove it. That’s really customer-friendly. (eye-roll)
Another reason that this very long-term Vanguard shareholder has been slowly but surely reducing his family’s exposure to the bureaucracy.
Boris says
So, in order to reduce the chance of this happening, would it be a good idea to create an account at the big 3 (Fidelity/Vanguard/Schwab) where you don’t already have an account? (Using a username that isn’t related to your own name, a strong password and any 2FA methods they allow.)
Normally I want to have as few accounts as possible, but would having these extra accounts be worth it?
If I have an account at those 3, should I create an account at any other firms? Some options are E*TRADE, T. Rowe Price, Interactive Brokers, Robinhood… It could be a very long list.
Harry Sit says
I don’t think that’s an effective strategy. Criminals don’t care which brokers have the largest market share. They’ll shop around and go to a place that makes it easy for them to pull off the theft. If one place makes it difficult, they’ll go to the next, maybe to a place you haven’t heard of.
JOHN PAVEZA says
Hi Harry,
Is there anything we can do to prevent a fraudulent ACH transfer if someone discovers your account number (routing numbers are easily found using Google)?
Harry Sit says
Prevent, no, but you have multiple layers of defense against a fraudulent ACH transfer. A security freeze at ChexSystems stops someone from opening a new bank account in your name. Banks require micro-deposits or Plaid-style instant verification before allowing ACH pulls. Not holding much cash naturally limits the amount that can be pulled by ACH. Banks have alerts for ACH debits. You have a well-established right to dispute unauthorized debits within 60 days after receiving an account statement.
JT says
As Harry Said, No.
But there are several things one shouldnt do if they wish to limit their exposure.
1. Do not use your brokerage account for banking. Do not enable check writing or debit cards on it.
2. Keep the balance on your cash management account (CMA) as low as possible and dont use it as a brokerage account for buy&hold/trading even though it technically is one too.
3. Do not enable overdraft “protection” on your CMA to your main or any other brokerage account.
David says
Another mode of fraud that has recently been of attention is (bad actor) using the “Forgot Userid” or “recover forgotten userid” or “recover forgotten password” using some information obtained from recent data breeches or from the “Dark WEB” to discover your userid which you had carefully patterned with a mix of digits and letters and symbols in the hope of effectively adding a second password in effect to your account. I suggest that Vanguard provide an “opt out” button or security setting choice on the logged in web access that would disable “recover forgotten userid”
As to using “two factor authentication” I think it better to just say no to using cell phones to access financial providers although I do have set up an authentication call to my old fashioned home phone line if someone tries to log on from a computer other than mine.
Dan says
You mentioned that you don’t need to check your accounts daily for unusual activity but that checking monthly should be sufficient. Since an ACATS transfer can be initiated and complete within a week, couldn’t your money be gone and the thief liquidate/transfer out the funds during the month that you weren’t checking your account?
JOHN says
As Harry said…
Fidelity is the only broker I know that offers an optional Money Transfer Lockdown feature…Fidelity will reject all ACATS transfers when you turn on this setting on an account.
I take advantage of this feature.
Dan says
JOHN – not sure if you meant to respond to someone else, but your response doesn’t answer my question at all. I don’t use Fidelity as my brokerage. I was asking Harry, really, since he wrote the article and he knows why he suggested checking monthly.
Harry Sit says
The receiving broker is responsible unauthorized ACATS transfers. I don’t know the specific time limit but if you notify your broker shortly after receiving the monthly statement, that should be timely enough for them to claw back the shares from the receiving broker. ww340 said in the linked post:
“We got the October transfer returned to us in November. I was told we might not get the May and July transfers back because they were done over 60 days before I discovered them.”
I think checking monthly strikes a good balance between being attentive and being overly concerned. Of course it’s OK if you’d like to check your accounts more frequently.
Eric Gold says
Good to read, but I am not going to rely on the good graces of the receiving broker. My read of the FINRA directive was that the receiving broker is liable for ACATS not carried out as regulation dictates. I suspect that anything past that is YMMV, and will depend on a host of factors, not least the amount of money involved.
I’m a staunch believer in taking measures to *avoid* problems, rather than rely on some 3rd party to make things right after the fact.