A Word of Caution: Diversify Your Brokerage Firms

[2Birds1Stone]

A couple of days ago I got a nice surprise when trying to log into my Vanguard account;



I go to the Android app on my phone, use my biometric login.....same error

Type in password manually in Android App

"Your account access has been disabled, contact us immediately"

After a very long hold time, the customer service rep notified me that my account was flagged for review by the Vanguard "research team" and someone would get back to me in *72 business hours*, that's 9 business days folks.......

I called back after thinking about what this meant for people who didn't have the luxury of waiting 9 business days, waited on hold, got transferred to this "research team" and after 2 hours on hold got disconnected....

Further sleuthing reveals that there are many people impacted by this glitch, a few folks who were successful in speaking with a Vanguard rep from the research team had their account access restored with the huge "gotcha" of a 14 day hold placed on any account activity.....can't pull funds, close the account, etc.

I'm pretty pissed, luckily I don't need access to my funds immediately, but what if I did? Our down payment on future home is sitting in there.....many retirees may need to make transfers to bank account, etc.

Curious if anyone else here is impacted?

[Louise]

No, I logged in a couple days ago and was fine. That said, we split our assets between Vanguard and Fidelity. Plus we have a HYSA and Treasury money. I've heard of this happening to other people though.

[Dee18]

I also split my investments between Vanguard and Fidelity.  And when I travel abroad I take two credit cards and two debit cards from different banks.  But I recognize that is an indication that I am risk averse, at least when there is an easy option to reduce risk.

[EscapeVelocity2020]

I’ve never had an issue with Vanguard and I’ve used them for 25 years.  You should also post over at Bogleheads…. Just recently I’ve been consolidating to them because they are so investor friendly and dependable, so I’m interested to hear more if others have had problems. 

[Morning Glory]

I was able to log in yesterday and withdraw some cash I had in there from dividends. I did not know if the glitch.

[LifeHappens]

Dude. That sucks. We have Vanguard and Fidelity accounts. Wouldn't hurt at all to diversify a bit.

[dcheesi]

Regardless of whether you're affected by this issue [I'm not, so far], I think the larger point is that it could happen to any account, at any firm, at any time.

Online banking isn't flawless; security breaches, "glitches", and just simple site outages can happen at any time. And there's no guarantee that your funds will be quickly recoverable in those instances, especially if it goes beyond a superficial technological issue.

Diversification of holdings among providers is one (perhaps only) way to hedge against this particular risk.

I imagine most of us have at least some diversification built in, just from having different funding sources (401k, IRA, taxable, etc.), plus one or more day-to-day banking accounts. But it's worth considering more closely if you expect to need a larger chunk of cash at some point, e.g., for housing purchases etc.

[Louise]

I forgot to mention that a couple of years ago I logged into Vanguard and my balance was 0. That was a heart stopping moment. I attributed it to some kind of glitch because it was OK a few hours later.

[2Birds1Stone]

Looks like a wide spread issue.

https://www.bogleheads.org/forum/viewtopic.php?t=314069&start=100

Someone says their account was fixed without calling but I am still impacted with no access.

[MustacheAndaHalf]

I forgot to mention that a couple of years ago I logged into Vanguard and my balance was 0. That was a heart stopping moment. I attributed it to some kind of glitch because it was OK a few hours later.

That has happened to me many times before.  Sometimes I happen to login when Vanguard is updating accounts (typically late at night).  A few hours later, the update of your account has completed, and it shows non-zero balances again.

As an aside, something similar happens for regulation T violations (cash too low, sell and buy same security within settlement period, aka "free riding").

[MaybeBabyMustache]

We have several accounts at various firms, but haven't seen this with Vanguard. I log in pretty regularly. I'm not a huge fan of how they handle displaying vesting equity, and would switch if I had another option easily available via my employer, but I've never had trouble on the login side.

[mistymoney]

I would think 72 business hours meant 3 bus days, not 9...

[oneday]

I would think 72 business hours meant 3 bus days, not 9...

Right. Three business days. With the weekend and Monday being a banking holiday, that would mean Thursday. So...six regular days.

But it's a weird way to say it, so maybe it really does mean 9 business days???

@2Birds1Stone I hope your problem is resolved sooner than that.

[secondcor521]

I think the issue is overblown.

The big three (Vanguard, Schwab, Fidelity) all have occasional technical issues, but they are rare, short lived, and nearly always fixed with little customer impact.  I've had numerous accounts at all three at various times over the past 40 years.  I've experienced minor issues a handful of times and they were all resolved within a week at most, almost always with no effort on my part.

Diversifying has it's own costs, so for those diversifying they will have diversifying costs all the time even when issues, as mentioned, are rare.  Asset transfers between accounts between brokerages is slower and more cumbersome.  Asset allocation might be a bit harder to track.  Taxes would involve additional 1099s, which isn't a big deal but is another thing to do.  Management is trickier - if you have a house down payment like the OP, do you spread it across multiple brokerage firms?  If so, then you have multiple wires at closing, and your closing could be delayed by any of the multiple wires or brokerage firms messing up.  Spreading your assets might make it harder to reach relationship levels (like Flagship at Vanguard).  Finally, more accounts makes it easier to lose track of one and then having to deal with escheatment.

The chances of someone needing their down payment in the exact week that Vanguard (or the other two) has a glitch that also doesn't get fixed in time is even lower.  If you're concerned about ready access to down payment funds in the immediate next week, maybe move those funds from Vanguard to a local bank or CU.  And then hope that the bank or CU doesn't have issues.

TL;DR:  I think the cure is worse than the disease.

[Telecaster]

I diversity just for the reason.   It isn't hard to see how a glitch or some human error could lock you out of your account for some period of time.  In fact, I just checked Vanguard...yep there's a glitch. 

Indeed, this might be overly cautious because you can reasonably assume most glitches will be resolved in a timely fashion.  But what if it isn't?   The costs are diversification are very low and the potential upside is high.  So I'm happy with it. 

[EscapeVelocity2020]

I agree with what Secondcor said.  I will ideally have 2 brokerages to deal with in retirement, right now I have about 5.  Wasn't a big deal until sweep accounts became so important.  Vanguard has the best system that I know of.  I have to babysit everything else, not to mention the higher fees and less confidence in their customer service.  T Rowe Price is probably the other company I will continue to use, or maybe Fidelity, but E-Trade has gots to go.  Already jumped ship on UBS.

[MustacheAndaHalf]

Our down payment on future home is sitting in there.....

The chances of someone needing their down payment in the exact week that Vanguard (or the other two) has a glitch that also doesn't get fixed in time is even lower.  If you're concerned about ready access to down payment funds in the immediate next week, maybe move those funds from Vanguard to a local bank or CU.  And then hope that the bank or CU doesn't have issues.

There's a separate problem from glitches: Vanguard does not transfer money into escrow.  Anyone with a down payment at Vanguard needs to transfer it to a bank or credit union before it is needed at closing.

[stoaX]

Regardless of whether you're affected by this issue [I'm not, so far], I think the larger point is that it could happen to any account, at any firm, at any time.

Online banking isn't flawless; security breaches, "glitches", and just simple site outages can happen at any time. And there's no guarantee that your funds will be quickly recoverable in those instances, especially if it goes beyond a superficial technological issue.

Diversification of holdings among providers is one (perhaps only) way to hedge against this particular risk.

I imagine most of us have at least some diversification built in, just from having different funding sources (401k, IRA, taxable, etc.), plus one or more day-to-day banking accounts. But it's worth considering more closely if you expect to need a larger chunk of cash at some point, e.g., for housing purchases etc.

Agreed.
I haven't been effected by this issue at Vanguard, at least not yet.  Still, I am glad that I use 3 different institutions for my stache.

[2Birds1Stone]

@mistymoney  & @oneday, I asked the second Vanguard rep what they meant by 72 business hours and was told it was up to 9 business days!

I'll keep y'all posted. Glad no one here is impacted. Bogleheads has a thread for me to commiserate in ;)

[2Birds1Stone]

Spent two hours on hold after calling in around 9 AM ET today. Spoke with an "account maintenance representative" who guided me through the process of removing the block via MANY security questions involving my history with Vanguard, types of accounts with them, even asked about my beneficiaries on the accounts.

Once the block was removed they guided me through recreating an online account, which went smoothly. Was able to log in and verify that all the various accounts were linked and accessible.

Unlike several poster on Bogleheads, my account was not placed under a 14 day restriction. My guess is that those users may have answered one or more of the questions they asked incorrectly or not to their liking and they still want to mitigate the chance of a bad actor moving the money out of the account.

When I asked the representative what happened, she read a script that stated (paraphrasing) "with the recent increase in identity theft and phishing, Vanguard took the responsibility upon themselves to protect their customers by blocking online access to accounts". I asked if my account was flagged for a reason specific to MY account and she incorrectly responded that this was happening to all/most of their customers with online access to accounts. We know this is wildly inaccurate because if EVERY Vanguard customer had to go through this process they would be out of business by next week.

YMMV.

[EscapeVelocity2020]

Spent two hours on hold after calling in around 9 AM ET today. Spoke with an "account maintenance representative" who guided me through the process of removing the block via MANY security questions involving my history with Vanguard, types of accounts with them, even asked about my beneficiaries on the accounts.

Once the block was removed they guided me through recreating an online account, which went smoothly. Was able to log in and verify that all the various accounts were linked and accessible.

Unlike several poster on Bogleheads, my account was not placed under a 14 day restriction. My guess is that those users may have answered one or more of the questions they asked incorrectly or not to their liking and they still want to mitigate the chance of a bad actor moving the money out of the account.

When I asked the representative what happened, she read a script that stated (paraphrasing) "with the recent increase in identity theft and phishing, Vanguard took the responsibility upon themselves to protect their customers by blocking online access to accounts". I asked if my account was flagged for a reason specific to MY account and she incorrectly responded that this was happening to all/most of their customers with online access to accounts. We know this is wildly inaccurate because if EVERY Vanguard customer had to go through this process they would be out of business by next week.

YMMV.

So it sounds like everything is back?  I wonder if this would have resolved without your intervention?

I have random times where my financial institution wants me to call in anyways just to be sure I'm still alive if I haven't touched my money in a long time.  It's a hassle, but I prefer the hassle to having to worry about their security being too lax.  I'm also pretty cautious not to access my accounts from overseas or from too many new devices if I can avoid it, that can trigger an unnecessary lockdown.  If I know I'm doing something that will look suspicious, I like to online chat sometimes while I'm getting the process started (like rolling over a big account)...

[mistymoney]

@mistymoney  & @oneday, I asked the second Vanguard rep what they meant by 72 business hours and was told it was up to 9 business days!

I'll keep y'all posted. Glad no one here is impacted. Bogleheads has a thread for me to commiserate in ;)

wow - that is very crazy!

Good luck!

[achvfi]

Thanks!  More and more reports of Vanguard customer service failures are being reported now a days. May be vanguard has become too big for their customer service infrastructure to function optimally.

Good wake up call to diversify.

[oneday]

@mistymoney  & @oneday, I asked the second Vanguard rep what they meant by 72 business hours and was told it was up to 9 business days!

Well fudge!

I'm sorry that this hit you & it too much of your time/effort to resolve. Glad it's all copacetic now, but this is jut over the top. Once they verified it was you, they should have told you what triggered it so that you can try to avoid that in the future, if possible. Like EV2020 mentioned, being overseas? Should be a way to get that cleared ahead of time.

It used to be that credit cards would need you to call in & tell them where you were traveling to, but now they have better algorithms to detect fraud. But at lease one would know ahead of time that there was a risk of shutdown.

[MrGreen]

We probably need to move some funds away from Vanguard. 99% of our money is there and we pull money every month to replenish the checking account. A two week delay wouldn't be tragic but it would be a real inconvenience. Better to just eliminate the choke point.

[2Birds1Stone]

@oneday, nope it had nothing to do with being overseas.

There's still no official communication from Vanguard but I have seen on Bogleheads someone post that this was the result of Vanguard getting information on compromised email addresses/accounts from another part of the web.

My guess is they got a list of known user names and/or passwords sort of how you can use Google to see if your email address was exposed in known breaches and then went on to lock the accounts of those customers whose information corresponded with their client list.

Based on the amount of people on social media, reddit, forums posting about this it was in the tens of thousands of customers.

All in all, I'm actually not upset that my account was locked at all.......an ounce of prevention is worth of pound of cure, but more so how Vanguard lacked communication about this and then pretended like nothing was wrong. I never got any information that my account was locked. Even unsuccessful login attempts through the website didn't notify you of that (it read technical difficulties), biometric on mobile app was also chalked off as "technical difficulties", it took a manual password entry on the mobile app to be prompted to call them.

Per @Mr. Green, it's just a reminder to keep more than 1% of your assets in otherwise accessible places. We're all good here, I have a few other small brokerages and CD's and HYS accounts with a few other institutions.....for me it was the principle of the matter.

[secondcor521]

All in all, I'm actually not upset that my account was locked at all.......an ounce of prevention is worth of pound of cure, but more so how Vanguard lacked communication about this and then pretended like nothing was wrong. I never got any information that my account was locked. Even unsuccessful login attempts through the website didn't notify you of that (it read technical difficulties), biometric on mobile app was also chalked off as "technical difficulties", it took a manual password entry on the mobile app to be prompted to call them.

If Vanguard suspected that your account information was compromised, how would you have expected them to communicate to you?  Call you on a phone number that may be compromised?  Send an email to an email address that may be compromised?  Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

[LightStache]

MS/ETrade locked my accounts twice within the span of two weeks. The process to unfreeze them wasn't smooth, so I transferred my HYS to another institution, but left my solo 401K at MS/Etrade.

There was some news on freezes happening with Apple/GS savings accounts earlier this year. My sense is that the KYC/AML groups are too unchecked and overzealous. Having worked in this space, I doubt these freezes are actually helping anything (except KYC/AML group budgets).

Originally I spread my accounts across three brokerages in case one suffers a breach or catastrophic failure. That could feasibly lead to months-long delays accessing funds. Having FIs freeze accounts now is just another reason to keep up the habit.

[MustacheAndaHalf]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

[secondcor521]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

[RWD]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

When you change your address with Vanguard they send a letter to both the previous address on file and the new address, to verify.

[neo von retorch]

Related(ish) note:
I use vanguard.com@<personal-domain>.com as my email address. Yesterday I received a letter stating that Vanguard has been unable to reach me at this address, and has unenrolled me from e-Delivery. I tested the email from a Gmail address, and it works fine. I suspect they implemented some horrible hard-coded filter on emails with "vanguard" in the address and botched their own email delivery system.

Though I logged in and was prompted to "enroll in e-Delivery" and I clicked the button, it said success, and sent a confirmation email... which I received. So I wonder why they think they were unable to reach me at my email address.

[MustacheAndaHalf]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

Do you seriously think hackers attack physical mail addresses?

[secondcor521]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

Do you seriously think hackers attack physical mail addresses?

In some scams and hacks, sure.

But my point was that Vanguard, in this situation, was cautiously smart to choose not to rely on their address for the affected customers being correct.  Another choice - to mail out 10,000 letters to the apparent address of record - has many more drawbacks than the approach Vanguard took.

[MustacheAndaHalf]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

Do you seriously think hackers attack physical mail addresses?

In some scams and hacks, sure.

But my point was that Vanguard, in this situation, was cautiously smart to choose not to rely on their address for the affected customers being correct.  Another choice - to mail out 10,000 letters to the apparent address of record - has many more drawbacks than the approach Vanguard took.

"some"?  It sounds like you're just making this up.  Speaking of which, where did you get 10,000?  Vanguard has 50,000,000 investors worldwide - serious hacks would involve orders of magnitude more accounts than your 10,000 guess.

In this ridiculous example, hackers change 10,000 accounts to new addresses - where?  To their home address, so the FBI can catch them instantly?  To a mail drop, which they have to monitor for days as FBI agents hunt them down?  None of this makes any sense, or happens in reality.  The percent of hackers targetting physical mail addresses is a rounding error from 0%.

[secondcor521]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

Do you seriously think hackers attack physical mail addresses?

In some scams and hacks, sure.

But my point was that Vanguard, in this situation, was cautiously smart to choose not to rely on their address for the affected customers being correct.  Another choice - to mail out 10,000 letters to the apparent address of record - has many more drawbacks than the approach Vanguard took.

"some"?  It sounds like you're just making this up.  Speaking of which, where did you get 10,000?  Vanguard has 50,000,000 investors worldwide - serious hacks would involve orders of magnitude more accounts than your 10,000 guess.

In this ridiculous example, hackers change 10,000 accounts to new addresses - where?  To their home address, so the FBI can catch them instantly?  To a mail drop, which they have to monitor for days as FBI agents hunt them down?  None of this makes any sense, or happens in reality.  The percent of hackers targetting physical mail addresses is a rounding error from 0%.

This will be my last reply to you on this thread and I will give you the last word.

I would be very surprised if you're not familiar with frauds or scams involving US Mail.  And I never suggested mail fraud was what happened in the present situation; I only meant to say that Vanguard couldn't rule it out as a possibility.

I thought I saw the number 10,000 earlier in this thread and that's what I was alluding to.  I can't find it now so perhaps I read it somewhere else or someone edited their post.  Apologies for making up a number if I did so.

Anyway, it sounds to me like you're setting up and knocking down straw men very efficiently, and I don't need to be your foil for that.  My central point, which I haven't articulated well and seems to have been missed in our exchange, is this:
 Vanguard acted reasonably, extremely cautiously, in a fiduciary manner, and cheaply in their response to this apparent data breach.  Expecting them to act differently probably would result in lower security of customers' assets, a great increase in costs in addressing the issue, or both.

I hope you have a good day and an enjoyable weekend.

[MustacheAndaHalf]

Send a letter to a physical address that may be compromised?

If your account had been compromised and the hacker attempted to log in, would you have preferred Vanguard to say to the hacker "This account has been compromised by a hacker" or "We're having technical difficulties"?

I had to move - a hacker took my house?

How does Vanguard know they have your real address and the hacker didn't change it to theirs?  Or do you think Vanguard would spend their time and effort cross checking county property records for 10,000 of their customers?  Cheaper and more efficient to do it the way they did.

Do you seriously think hackers attack physical mail addresses?

In some scams and hacks, sure.

But my point was that Vanguard, in this situation, was cautiously smart to choose not to rely on their address for the affected customers being correct.  Another choice - to mail out 10,000 letters to the apparent address of record - has many more drawbacks than the approach Vanguard took.

"some"?  It sounds like you're just making this up.  Speaking of which, where did you get 10,000?  Vanguard has 50,000,000 investors worldwide - serious hacks would involve orders of magnitude more accounts than your 10,000 guess.

In this ridiculous example, hackers change 10,000 accounts to new addresses - where?  To their home address, so the FBI can catch them instantly?  To a mail drop, which they have to monitor for days as FBI agents hunt them down?  None of this makes any sense, or happens in reality.  The percent of hackers targetting physical mail addresses is a rounding error from 0%.

This will be my last reply to you on this thread and I will give you the last word.

I would be very surprised if you're not familiar with frauds or scams involving US Mail.  And I never suggested mail fraud was what happened in the present situation; I only meant to say that Vanguard couldn't rule it out as a possibility.

I thought I saw the number 10,000 earlier in this thread and that's what I was alluding to.  I can't find it now so perhaps I read it somewhere else or someone edited their post.  Apologies for making up a number if I did so.

Anyway, it sounds to me like you're setting up and knocking down straw men very efficiently, and I don't need to be your foil for that.  My central point, which I haven't articulated well and seems to have been missed in our exchange, is this:
 Vanguard acted reasonably, extremely cautiously, in a fiduciary manner, and cheaply in their response to this apparent data breach.  Expecting them to act differently probably would result in lower security of customers' assets, a great increase in costs in addressing the issue, or both.

I hope you have a good day and an enjoyable weekend.

If this is a "straw man", why do we have 5 messages discussing it?

me) "I had to move - a hacker took my house?"
you) "How does Vanguard know they have your real address and the hacker didn't change it to theirs?"
me) "Do you seriously think hackers attack physical mail addresses?"
you) "In some scams and hacks, sure."
me) "In this ridiculous example, hackers change 10,000 accounts to new addresses - where?"

And now you try and change the topic.  Instead of admitting you're wrong about hackers and real addresses, you bring up "frauds or scams involving US Mail".  Notice in our messages, that was never the topic - we were discussing hackers changing physical mail addresses.

Maybe next time, when someone asks "Do you seriously think hackers attack physical mail addresses?", admit you're wrong instead of digging yourself into a hole with silly claims.