Vanguard has sent out an ‘Updated Bank Authorization Agreement’ that I thought made any form of telephone or Internet fraud the responsibility of the user. According to the Vanguard account representative I talked to, however, Vanguard's online fraud policy takes precedence. As I discuss below, this is some comfort, but not as much as one might imagine. Vanguard’s online fraud policy is more of a wish list than a reality of how most users live.
Vanguard sent me an ‘Updated Bank Authorization Agreement’ that I will quote in whole since it’s short. I have highlighted what I believe to be the key parts.
You authorize The Vanguard Group, Inc., and Vanguard Marketing Corporation, and any affiliates or subsidiaries of either (individually or collectively, "Vanguard"), upon telephone or online request, to pay amounts representing redemptions or withdrawals made by you, or to secure payment of amounts invested by you, by initiating credit or debit entries to your bank account(s).
You authorize the bank to accept any such credits or debits to your account without responsibility for the correctness thereof. You acknowledge that the origination of Automated Clearing House (ACH) transactions to your account must comply with U.S. law. You agree that Vanguard will not incur any loss, liability, cost, or expense in connection with your telephone or online request.
You understand that this authorization may be terminated by you at any time by written notification to Vanguard and to the bank, and that the termination will be effective as to Vanguard as soon as Vanguard has had a reasonable amount of time to act upon it.
You represent and warrant to Vanguard that you are an owner or authorized signer on the bank account(s) to which this authorization applies and that no other owner or authorized signer of such bank account(s) (other than the joint Vanguard account owner(s), if applicable) is required to sign in order to authorize the initiation of ACH entries to such bank account(s).
Vanguard claims that its online fraud policy (which is longer, so just click on the link above) takes precedence. The Vanguard representative claimed the highlighted lines above are intended to address actual customer screw-ups: for example, customers who type in the wrong number when transferring funds and want Vanguard to ‘fix it’, or customers who transfer money to banks that charge wire fees and then claim they didn’t know and want Vanguard to cover the cost. This seems reasonable enough to me.
But it also got me to actually review Vanguard’s online fraud policy.
Go ahead, take a second, click the link above and tell me what you see.
What I see is a fantasy land that is beyond the reach of most people.
For example, “Clear any temporarily stored copies of online information by closing your browser after signing off. Do not leave your computer unattended while logged on to Vanguard.com.” I’m sorry, but what? How many users close their browser after logging out of a site? As for leaving the computer unattended, if I run downstairs for a tea, do I lose my fraud protection if I don’t remember to log out of Vanguard? Yes, I suspect they mean computers in publicly accessible areas, but they don’t say that.
Or how about “Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software.” How many people have any clue what antivirus or anti-spyware is, much less use it on an OS like OS X? I happen to run antivirus (Sophos) because I’m paranoid. But anti-spyware? There aren’t any real anti-spyware programs for the Mac that I’m even aware of. Does that make me out of compliance?
Or there is a thread on Bogleheads about “Never share your user name, password, or other account-related information with anyone.” Mint.com users are scared they will lose their fraud protection. While it’s reasonable (in my mind anyway) for Vanguard to refuse to extend its fraud protection to Mint.com, how in the name of all that is holy would any normal user even know there is a problem to be aware of? And does Vanguard share any liability since it doesn’t provide its users with a read-only interface using a permission architecture (sorry, one of my specialities) so users aren’t forced to give out their names and passwords? Try an Internet search on password anti-pattern to see what I mean.
But the requirement that really made me laugh out loud is “Do not respond to, open an attachment in, or click on a link within an e-mail if you suspect the message is fraudulent.” Wow! They just solved phishing in one sentence. Because of course users have any possibility of knowing what a ‘fraudulent’ email is or have any understanding of the potential consequences of clicking on links or attachments. I mean, really? We have an epidemic of phishing because we can’t burn this one sentence into users’ minds, but Vanguard is going to disclaim liability on something normal, intelligent users consistently fail on? Seriously?
Vanguard’s online fraud policy seems reasonable in theory, but in reality they are asking people who have no clue what they are talking about to do things they don’t understand in order to get protection they probably don’t realize they need. That isn’t what I would call the most ethical of behavior.