Q. I discovered that nine securities — valued at about $120,000 — had been transferred out of my wife’s Roth I.R.A. at Vanguard about four days earlier without our authorization. These transfers were made to an account managed by Merrill. The firms investigated and our stocks were returned. But we still don’t entirely understand how this happened, and whether Merrill took the proper precautions.
— Tien Tran, California
A. The day before the presidential election, Mr. Tran, who oversees his family’s retirement accounts, decided to sell a solar energy stock inside his wife’s Roth I.R.A. He was lucky he did.
Not because the stock would later fall, but because he discovered that half of the holdings inside that Vanguard account had vanished.
Mr. Tran called Vanguard, which froze the I.R.A. and began to investigate. The money, it turns out, had been whisked away four days earlier, and transferred to another brokerage platform, Merrill Edge.
A criminal impostor opened two accounts in Mr. Tran’s wife’s name at Merrill and requested the transfer from Vanguard, but the fraudster hadn’t yet run off with the money. Merrill, part of Bank of America, froze the funds.
“I was lucky it happened when I was at home and I caught it right away,” Mr. Tran said.
Mr. Tran’s wife received her money back within a week or so, but Mr. Tran said they never received a satisfying explanation. He is well aware of how easy it is for criminals to obtain sensitive personal data like names, addresses and Social Security numbers. But he was hoping for a full postmortem so they could better understand what may have left them vulnerable.
What if they had been traveling and hadn’t stumbled upon the crime scene? Was it really that easy to open a new account with stolen information and simply request a transfer?
It happens frequently enough: Regulators have issued notices in recent years warning that this type of crime — known as ACATS fraud — was on the rise.
The fraud is named after the Automated Customer Account Transfer Service, or ACATS, which is the behind-the-scenes plumbing system that financial institutions use to move money in its member network.
The ease with which criminals can open online accounts has made it simpler to perpetrate this type of fraud, but they’ve also exploited weak links around the efficiency of the ACATS system itself.
It often happens like this: The criminal opens up a new account in a target’s name, using stolen data, or a combination of stolen and false information (like an email address or mobile phone number). Opening an account at Merrill Edge, as well as many other online brokers, doesn’t require much. That’s what the fraudsters did here, and Bank of America said it received the all clear when it ran identify verification checks.
With the new account, the impostor can request a transfer from another existing account, just like a real customer, which the institutions complete through the ACATS framework.
But to pull off the heist, they need to know the other account’s details — and that’s what enabled the criminals to steal from the Vanguard I.R.A. belonging to Mr. Tran’s wife. That’s the most difficult information to steal, and it’s unclear how the impostor got it. But there are plenty of ways the theft can happen — from institutional breaches to individual ones, sophisticated scams and techniques and more.
With all of those pieces in hand, the transfer can then happen really quickly — ACATS is fast and largely automated.
Once a customer requests a transfer through the institution receiving the money, the firm holding the funds (in this case, Vanguard) has a day to validate that the assets are there for transfer and that the customer’s identifying information (name, Social Security number, account numbers) matches with the receiving institution (Merrill). Within three days, it must make the transfer.
“The ACATS process was designed for speed, and doesn’t really have good fraud controls in place,” said Gavin Holland, a financial crimes executive at SAS, a data and artificial intelligence company. The firm holding the assets rarely goes beyond a basic check, and it usually doesn’t even notify the customer that the transfer is about to happen. (Vanguard notifies customers after the transfer is completed.)
The brokerage initiating the request is responsible for verifying the identifying information and confirming the validity of the transfer. The fraudulent Merrill accounts were opened on Oct. 26, 2024, at which point the firm mailed a letter to the Trans’ home, notifying them an account had been opened. Mr. Tran’s wife called them on Nov. 4, the day Mr. Tran logged in and noticed the missing stocks.
Mr. Tran, who is otherwise a fan of Vanguard, decided to pull the money out and move it to Fidelity because it allows investors to lock down their accounts — money can flow in, but not out.
Mr. Tran said he reported the crime to his local police department, and filed a complaint against Merrill with FINRA, the industry’s self-regulatory organization. In response to the FINRA complaint, Bank of America said that it sent a letter to Mr. Tran’s wife with the details that were used to open the Merrill account.
In a digital world where sophisticated fraudsters are continuously fine-tuning their strategies, the couple’s situation underscores the importance of checking on your accounts — criminals may try to stay under the radar and siphon small amounts at time.
Ask your financial providers what sort of notifications they send if money was transferred out, make sure the alerts are turned on and ask the firms if they have locking features to prevent this type of activity. If they don’t, demand them. Always use two-factor authentication, guard your brokerage account numbers and shred paper statements if you absolutely insist on receiving them that way. Practice good email hygiene, too.
And if you receive paper mail from a financial institution that you suspect is just a solicitation, open it anyway. It might be alerting you that an account was opened in your name.
“It’s scary,” Mr. Tran said. “It can happen to anyone.”
Tara Siegel Bernard writes about personal finance for The Times, from saving for college to paying for retirement and everything in between.
The post Her Stocks Were Quietly Stolen From Her I.R.A. appeared first on New York Times.