How brokerage transfers actually work

The surprisingly fragile security model behind brokerage account transfers.

Patrick McKenzie reads from his 2024 Bits About Money essay on ACATS, the Automated Customer Account Transfer Service that governs how Americans move investment accounts between brokerages, then updates it with regulatory developments (and industry infighting) from early 2026. The essay covers why a system underpinning trillions of dollars in assets was deliberately designed to skip verifying whether transfers are actually authorized, what the three-business-day shot clock means in practice, and how a bad actor armed with a stolen identity and a mobile app can drain someone's retirement account before they notice it's gone. (Good news, though: they’ll almost certainly get it back. Bad news: quite stressful, and it often isn’t obvious when staring at the zero that this is a recoverable condition.)

Presenting Sponsors: Mercury & Granola

Complex Systems is presented by Mercury—radically better banking for founders. Mercury offers the best wire experience anywhere: fast, reliable, and free for domestic U.S. wires, so you can stay focused on growing your business. Apply online in minutes at mercury.com.

If meetings consistently leave you with hazy action items and lost context, Granola handles the transcription so you can actually participate and gives you searchable notes afterward. Try it free at granola.ai/complexsystems with code COMPLEXSYSTEMS.

Timestamps:

(00:00) Intro
(01:49) A brief digression into self-regulatory organizations
(03:04) FINRA regulates asset transfers between brokerages
(04:54) How does one transfer securities account assets?
(06:52) What does an ACATS request actually entail?
(09:44) Brokerages frequently do not verify incoming ACATS requests
(15:28) Recent developments in ACATS fraud
(19:13) Should I be terrified, Patrick?
(20:07) Sponsors: Mercury | Granola
(23:17) Should I be terrified, Patrick? (cont’d)
(24:46) Another fun wonky control
(28:29) A final ACATS story
(29:58) Regulatory updates: FINRA 26-02
(32:34) Comment letters from the industry
(43:20) Outro

Transcript

Welcome to Complex Systems, where we discuss the technical, organizational, and human factors underpinning why the world works the way it does.

Hideho, everybody. My name is Patrick McKenzie, better known as patio11 on the Internet. In 2024, for Bits About Money, I wrote an essay about ACATS, which governs the account transfers between brokerages in the United States of America. ACATS has some security properties which, as we'll discuss, are almost unbelievable to uninvolved people.

And so I thought I would read the essay and then tell you what is in the process of potentially changing. And so with that: "Guys, what is wrong with ACATS?", originally published in Bits About Money on May 24th, 2024.

Many beginnings imply a contemporaneous ending. This is often bittersweet. Some personal news implies a tearful goodbye to soon-to-be-former coworkers. A new adventure of scholasticism and self-discovery means saying goodbye to your high school friends. And a new brokerage account often implies leaving a years- (or decades-!) long relationship with a firm that stuck with you, feels a bit like a jilted lover, and by the way, happens to constructively control most of your net worth.

This particular beginning and ending is mediated by a complex techno-legal system called ACATS: the Automated Customer Account Transfer Service. ACATS is quite impressive, underpins a very important part of the financial system, and some of the quirks of how it operates will probably surprise you.

Like many important parts of the financial system, ACATS is a work in progress. Since I originally wrote this essay in early 2024, there have been proposed regulatory changes regarding brokerage fraud. After setting the stage for what is still today the status quo, we'll discuss those developments.

A brief digression into self-regulatory organizations

Brokerages are regulated by FINRA. FINRA stands for many things, though these days FINRA might deny that it is an acronym. In previous years, though, it was definitely the Financial Industry Regulatory Authority. One reason FINRA is not an acronym, to the extent it is not an acronym, is that an unsophisticated investor might hear that and assume "Ah yes, FINRA is clearly part of the government," and FINRA will immediately swear up, down, and sideways that they are not. They are just a financial regulator overseeing trillions of dollars.

Self-regulatory organizations (SROs) are industry associations. There are many industry associations in the world. 

Some pool money to pay for a-rising-tide-lifts-all-bovines advertising. Some exist to get peers together for merriment, diversion, and some conspiracy against the public. (This is a joking reference to a famous passage from Adam Smith. On a completely unrelated note, please feel free to introduce yourself if you see me at a software conference. I'll be doing a talk about raising prices.)

SROs are the type of industry associations that partially exist as a blocking play. If we don't get our house in order, Dangerous Professionals from the government are going to barge into our house to order it for us. That will be disruptive to providing valuable services to customers at a price they are willing to pay.

FINRA regulates asset transfers between brokerages

Discount brokerages are large, trustworthy, competent institutions. But there are some brokerages which are not. There are wirehouses attached to large investment banks like, for example, JP Morgan (large, trustworthy, and competent, but not a discount brokerage), there is Robinhood (a large discount brokerage), but by far the most numerous are small boutiques which keep on keeping on.

Some of those boutiques have been known to be a bit grasping when assets under management attempt to walk out the door. They would refuse to let their customer leave. When told this was extremely improper, they whined and said it was really difficult to facilitate their customer leaving, and wouldn't the customer prefer staying, and Cindy who can actually take care of this will be back in the office the first Tuesday after the waxing moon.

And so FINRA listened to its members (brokerages), customers, advocates, and counterparts in government, and passed a rule. Cindy can go on vacation any time she wants, but it is the brokerage and not Cindy who is responsible for outcomes, and only one outcome is acceptable: if a customer wants to move their assets out, you must let them.

The full rule is necessarily more complicated than that gloss of the intent of the rule. It's not unknowable inside baseball; see FINRA Rule 11870. It is somewhat somnambulance-inducing:

When a customer whose securities account is carried by a member (the "carrying member") wishes to transfer securities account assets, in whole or in specifically designated part, to another member (the "receiving member") and gives authorized instructions to the receiving member, both members must expedite and coordinate activities with respect to the transfer.

But, by the standards of many regulations, it is short and actionable.

Rule 11870 doesn't itself establish a technical artifact but exists in tandem with one: ACATS.

How does one transfer securities account assets?

What is a share of stock, really? An abstracted right to ownership of a corporation? A legal contract promising the same? Some complex sociopolitical edifice where judges who are not yet born will of course automatically award surplus returns of an enterprise to an equity holder even when told not to by a nuclear-armed government? A share is all of these things.

But also, in a really important way, a share is an entry in a spreadsheet.

Whose spreadsheet? Everyone's spreadsheets. Stock that you own, and you really do own it, exists as the superposition of several spreadsheets. Your spreadsheets, for example. Those matter. Spreadsheets (or databases, or blockchains, or... actually no, probably not blockchains -- even crypto-enthusiast technologists don't believe that will happen anymore) at your brokerage. And then, in a fascinating wrinkle that Matt Levine has covered many times, a spreadsheet at the Depository Trust Company, which keeps almost all the stocks and simultaneously has very probably never heard of you.

So when you move stock between brokerages, nobody needs to print out a stock certificate and courier it across Chicago, New York, or the Pacific Ocean anymore. Thank goodness. (I have no stories, but I have friends who have stories, and the Die Hard steal-the-bearer-bonds plot didn't come from nowhere.) You just have to coordinate updating the spreadsheets. How hard could that possibly be?

ACATS is a system with technical and legal elements to it. It greatly decreases the number of moving parts required to coordinate updating spreadsheets. The pre-ACATS era meant needing to interface directly with the thousands of other brokerages in the United States. You had to care deeply about the operational differences at their firms. Sometimes your Ops and their Ops didn't use the same version of Excel. It was anarchy. ACATS puts very diverse firms behind a relatively consistent experience, while simultaneously codifying operations and reducing various forms of risk to the process. This is a very common way to create value in financial technology.

What does an ACATS request actually entail?

A customer selects a new brokerage and tells that brokerage they intend to move in assets. That brokerage, which very much wants to get those assets onto their own books (and spreadsheets, etc., as a necessary consequence), will assist them in operating ACATS on their behalf. The customer will very likely never care about nor understand a complex operational symphony happening in the background.

The receiving brokerage will kick off a few processes which don't necessarily happen in internet time and aren't strictly coupled, but might feel like they are to the customer. They will ask the customer to create a new account, which (extremely relevantly) will require the brokerage running their KYC (know your customer) process on the customer. They will very likely ask the customer for their last brokerage statement. And they will ask the customer to authorize them moving over the previous assets.

That authorization is customarily on a very templated rather short contract or form, and the template is almost inevitably going to rhyme heavily with the template in FINRA Rule 11870. But, in one of those fascinating rabbit holes about how the world actually works, authorization does not mean performing a particular ritual on a particular written instrument. Authorization means permitting something. You can permit something with words, most typically, or even a gesture.

As a very concrete consequence of this, many of those forms will be filled out not by the customer, but by the brokerage employee working on onboarding them. This is not bad and is not fraud. That feels weird to say out loud but it is extremely important: they have authorization. They are doing the thing brokerages do, taking specific authorization for a specific action from a customer and translating it into a complex series of technical and legal processes to cause the physical result in the world that the customer wants to happen.

And so, the form that authorizes an ACATS request might have a signature blank at the bottom. Some of them are signed by the customer, in that the customer had that form physically presented to them and they affixed their signature with a pen. Some are signed by the customer via a solution like DocuSign, which might or might not imply that they actually saw an image which physically resembles the form that gets signed.

And some of them are signed on the customer's behalf. The exact form of that might look like the ASCII characters /s/ John Q. Public. Skeptical? Those are, and these words are carefully chosen to sound very rigorous, "an electronic signature in a format recognized as valid under federal law to conduct interstate commerce." You probably assumed there would be public key encryption involved in an electronic signature, and this is allowed but not required.

All of this is actually normal.

And, combined with the next bit, it will give many security-minded listeners an aneurysm.

Brokerages frequently do not verify incoming ACATS requests

ACATS is a network of trusted peers who have contractual (and other) relationships with a central organizing entity. One thing peers agree to do is to act upon incoming requests very, very quickly by the standards of financial institutions. One thing they do to accomplish this is very surprising: most ACATS requests will cause the brokerage losing the assets to not verify with their customer that the request is authorized.

"What," I hear you ask. No, this is true, and this is designed, and this is normal. It only sounds batshit insane.

Let's start with the timeline: a brokerage receiving an ACATS request must complete any investigation within three business days. FINRA doesn't get hyper-specific on any particular thing you must or mustn't do within those three business days, but that shot clock starts running instantly once your computer gets the message from the other computer.

"Cindy didn't check her mail because she was on vacation" is not a valid excuse. The brokerage gets only two options: validate (agree to) the request, or take exception to the request. Validation starts a second shot clock to actually complete the spreadsheet updates. It is not quite a no-takesies-backsies decision. True trapdoors are rare in finance. But reversing it is uncommon and unfun for all parties.

You cannot take exception simply because you feel like it. You must communicate one of twelve enumerated reasons. The general flavor of them is "that account has no assets in it," "that account number doesn't correspond to an account that exists in this universe," "the person who you claim has authorized this transfer doesn't own that account," etc.

Questions about title, about who really owns the assets in an account, sound really simple to non-specialists who are mostly familiar with individual accounts. John owns the money in John's accounts, right?

Hah, hah, hah.

The "edge cases" cover trillions of dollars.

John and Mary just divorced and while the account records reflect John as sole owner, the divorce decree says Mary owns half of the account. Your blockchain disagrees with an Article III judge? Then your blockchain is wrong. Fix your blockchain.

These determinations are fact-intensive and, again, are not necessarily obvious to either brokerage or even to the account owner themselves. John very likely thinks he owns his own money and may even think that in a sincere and innocent fashion. The brokerage doesn't have actual possession of a divorce decree and very likely has no actual knowledge of a contemplated divorce. It doesn't matter.

Tick tock tick tock. FINRA doesn't care. The orderly operation of capitalism must go on, private tragedies notwithstanding, and your brokerage must make a determination before three business days are up. Validate or take exception. Those are your only two options.

Now let's superimpose another difficult reality on this one: brokerages will, in the ordinary course of business, spend long periods of time happily having no real communication with their customers. Oh sure, their customer will receive account statements, and they might even place trades, but the last time a human talked to another human was... early in the 2010s?

Ping, ping, incoming message from ACATS. John purportedly wants to move his assets. The shot clock has begun. You have three business days.

Does the phone number on file from 2004 still work for John? FINRA doesn't care. Does John still use AOL? FINRA doesn't care. Can the United States Postal Service successfully put a piece of paper in John's hand within three business days? FINRA doesn't care. Will John pick up the phone for an unknown caller attempting to reach him on a matter of urgency? FINRA doesn't care. Is John in the hospital on his deathbed? FINRA doesn't care.

Brokerages are broadly competent and they know all of this. They know they cannot, at scale, successfully verify all of the transfers for all of the customers. And so they make a business decision to not contact customers for most transfers by count and reserve extraordinary efforts for contacting only very important customers, who might be most transfers by volume of assets.

The brokerage will absolutely not phrase this as "We don't verify outgoing transfers." They will check, and check most diligently, that the account number claimed is the account number, that the name matches the name on file, etc. And their Operations team understands that sometimes names do not match and that is OK, and sometimes it means Nope, That's A Specially Enumerated Exception Right There.

Sometimes they will look at the signature card, because everyone enjoys live-action role-playing occasionally. If John cannot in 2024 reproduce his signature from 2004, I have an epic non-surprise for you: FINRA doesn't care. But, hey, it is the culture of the United States that financial institutions and expert witnesses in court sometimes do forensic analysis. Do we believe it is possible to compare signatures and gain useful information? Do we believe in the Tooth Fairy? Yes in some ways and no in others. We take no important decisions premised mostly on belief in the Tooth Fairy. And, again, "/s/ John Q. Public" is a normal and accepted way to represent John's consent to move assets.

Small account transfers with paperwork that has no glaring errors will be approved in the ordinary course. Sometimes those transfers will be fraudulent. Brokerages defrauded in this fashion will be annoyed, but not surprised, because they are competent financial institutions. They understand that the optimal amount of fraud is not zero.

So what, ultimately, is a brokerage relying upon when it sends money to /s/ John Q. Public? It is relying on chained trust in a community of practice, and on a web of contracts, and on a business decision, all at once.

And that means that if a bad guy can convince any brokerage in the U.S. that it is John, the bad guy can fairly reliably cause movement of all of John's financial assets.

Recent developments in ACATS fraud

You can probably guess the shape of the attack.

Get a copy of John's ID from, perhaps, a vendor specializing in "fullz" on the dark web. Figure out where John keeps his accounts by, for example, just guessing that it might be one of the places where 80% of Americans with assets keep their retirement accounts. Open up an app, tap tap tap, request to move "your" assets to "your" new account. And then lie about being John while telling some truths you know about John.

Now, wait five to seven business days.

Congrats, John's assets now appear to be in "your" brokerage account. Your brokerage is in the business of giving you access to "your" money swiftly when you want it. Now would be a great time to wire it out, take it out on that debit card connected to the account, place a trade which successfully transfers value to a confederate's account, etc.

Five to seven business days is much more frequent than many Americans, even many wealthy Americans, check their brokerage accounts, and so the money may be spendable before any involved human realizes it has been taken improperly.

This is, obviously, super-duper illegal. But in another sense it is just business. For you, as a criminal, this is Tuesday. And for brokerages, well, capitalism hopes they catch most people trying this.

Some brokerages have not successfully caught some people trying this. That is normal and expected. Some brokerages have not successfully caught a rather large number of people trying this.

That was a bit concerning. To FINRA, for example, which has a podcast episode about how it coordinated an industry-wide fact-finding process to issue a pair of Reg Notices to let the industry know about this new Wild West of criminality and how to deal with it. 

Now, the most sophisticated and competent brokerages already had large security teams working on this problem. But again, some brokerages aren't nearly as large and well-resourced as a non-specialist might suspect.

Also, how to say this delicately: competence is unevenly distributed in the world. Sometimes this is wonderful; you can pick diamonds in the rough out on the internet who have no institutional backing but nonetheless achieve incredible results in deep areas of human endeavor. And sometimes the odd spike is in the other direction: a regulated institution has an important function headed up by a well-credentialed, impeccably pedigreed, speaks-at-conferences, well-liked-by-colleagues-and-friends individual who capitalism should not want in the chair they currently occupy.

A digression: It is considered very impolite in the U.S. professional managerial class to observe that a particular, named professional manager is incompetent at their job. An individual who makes a habit of it will be optimized out of decision-making processes featuring PMC members, which is... all decision-making processes, effectively. That deviant is ipso facto disruptive to orderly operations and also a bit of a career risk to be in the same room with. And so, even if you know someone to be incompetent, part of being an effective PMC class member in an executive position is to learn the approved euphemisms and rituals.

Anyhow, FINRA issued Reg Notices after a drawn-out and somewhat ponderous process, for institutional reasons. They contain some mitigation recommendations that rhyme with "If a customer signs up for an account with you and doesn't know where their brokerage account currently is, and sequentially asks you to transfer accounts at each of the top 10 brokerages in the U.S., perhaps you might want to look into that."

When you phrase it like that, it might sound obvious. But for Seeing Like A Bank reasons, the actual screen in front of the actual operations professional who is actually making a the-shot-clock-is-ticking decision on John's accounts might not display that "John" has recently made four ACATS requests that were each rejected for non-existence. One objective of the Reg Notices is activating a ponderous machine that will eventually get a technologist deep in the bowels of the least sexy part of a brokerage to fix that screen.
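One way to model both the three-business-day shot clock and the Reg Notice style "this John has had several requests rejected for non-existence" screen, as an added example that is not code from Bits About Money, FINRA, DTCC or any brokerage. The exception reason label, the identity key and the sample request history are constructed; business days are counted Mon-Fri with no holiday calendar.

```python
"""
Toy "ops screen" for ACATS transfer requests.

Added example; not code from Bits About Money, FINRA or any brokerage.
It models two things the essay describes: the three-business-day shot clock
that starts the moment the carrying firm's computer receives the request,
and the velocity check the Reg Notices rhyme with ("John" has recently made
several requests that were rejected because the claimed account does not exist).
Assumptions: business days are Mon-Fri with no holiday calendar; the
exception reason string and the identity key are constructed placeholders,
not FINRA's enumerated exception codes.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

SHOT_CLOCK_BUSINESS_DAYS = 3
NO_SUCH_ACCOUNT = "exception:no_such_account"   # placeholder reason label, not a FINRA code


@dataclass(frozen=True)
class AcatsRequest:
    request_id: str
    received: datetime        # when the carrying firm's computer got the message
    identity_key: str         # how the firm keys the asserted customer (constructed)
    carrying_firm: str        # firm asked to give up the assets
    claimed_account: str
    outcome: Optional[str]    # None = pending, "validated", or "exception:<reason>"


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start, counting Mon-Fri only (no holidays)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def response_deadline(req: AcatsRequest) -> date:
    """The carrying firm must validate or take exception by this date."""
    return add_business_days(req.received.date(), SHOT_CLOCK_BUSINESS_DAYS)


def prior_no_such_account_rejections(history, identity_key, before, window_days=30):
    """Earlier requests on the same asserted identity that came back
    'no such account' within window_days before `before`."""
    cutoff = before - timedelta(days=window_days)
    return [r for r in history
            if r.identity_key == identity_key
            and cutoff <= r.received < before
            and r.outcome == NO_SUCH_ACCOUNT]


def screen(req: AcatsRequest, history, threshold: int = 2) -> dict:
    """What the ops screen should show before anyone acts on this request."""
    rejections = prior_no_such_account_rejections(history, req.identity_key, req.received)
    flagged = len(rejections) >= threshold
    return {
        "request_id": req.request_id,
        "respond_by": response_deadline(req).isoformat(),
        "prior_no_such_account_rejections": len(rejections),
        "firms_probed": sorted({r.carrying_firm for r in rejections}),
        "flag": flagged,
        "recommended_action": "escalate_before_acting" if flagged else "ordinary_course",
    }


# Constructed sample history: "John" (key JOHN-1) guessing where his account
# lives, one large brokerage per day; Mary, a single ordinary request.
SAMPLE_HISTORY = [
    AcatsRequest("R1", datetime(2024, 5, 6, 9, 0), "JOHN-1", "BrokerA", "111", NO_SUCH_ACCOUNT),
    AcatsRequest("R2", datetime(2024, 5, 7, 9, 0), "JOHN-1", "BrokerB", "222", NO_SUCH_ACCOUNT),
    AcatsRequest("R3", datetime(2024, 5, 8, 9, 0), "JOHN-1", "BrokerC", "333", NO_SUCH_ACCOUNT),
    AcatsRequest("R4", datetime(2024, 5, 9, 9, 0), "JOHN-1", "BrokerD", "444", NO_SUCH_ACCOUNT),
    AcatsRequest("R5", datetime(2024, 5, 10, 9, 0), "JOHN-1", "BrokerE", "555", None),
    AcatsRequest("R6", datetime(2024, 5, 10, 9, 5), "MARY-1", "BrokerA", "999", None),
]


def run_demo() -> dict:
    """Screen every pending request; returns {request_id: screen result}."""
    pending = [r for r in SAMPLE_HISTORY if r.outcome is None]
    return {r.request_id: screen(r, SAMPLE_HISTORY) for r in pending}


if __name__ == "__main__":
    for rid, view in run_demo().items():
        print(rid, view)
```

Both pending requests arrive on a Friday, so the shot clock for each runs out the following Wednesday; only the one with four prior non-existence rejections is flagged for escalation.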

Should I be terrified, Patrick?

This is all normal and working as designed! Capitalism will function on Monday pretty much like it did on Friday! Your assets are safe in an eventually consistent sort of way; your brokerage will eventually come around to agreeing with your view on the matter, regardless of what their first communication says.

If you get mugged in San Francisco, society expresses sympathy, kinda, but you are never going to see your wallet again.

Finance. Does. Not. Work. This. Way.

If your brokerage makes a mistake with your assets, and they have before and will again make many mistakes, then they will make you whole. Financial institutions have capital for a reason. There is a budget for operating losses. There is a budget for fraud losses. The aggregate expenditure of effort by society in solving this problem greatly exceeds the aggregate expenditure of effort by society in solving muggings.

If your balance suddenly goes to zero in a surprising fashion, that will be very stressful for you but they are eventually good for it, with very high probability.

Some people hire a lawyer to resolve this and it's just about the easiest letter for a lawyer to write: Here's my best understanding of what my client owns. You think they own nothing. Fix this immediately or tell me in writing why you have decided not to. Lawsuits subsequent to fraudulent transfers and the brokerage deciding that, on reflection, no, they did the right thing, are extremely uncommon, both in absolute numbers and as a percentage of all fraudulent transfers. But the nuclear option exists for those very, very, very few customers who need it to compel action.

Should we be satisfied with this? Probably not at the current margin.

Many people who own, and depend upon, assets are not competent enough to project manage the resolution pathway here, and may (largely wrongly) assume that they have been stolen from in a durable fashion. Some might come to this (mistaken) point of view because they talked to a front-line customer service representative of the brokerage who, and this is aggravating but it will happen at least once today even in a regulated institution, just makes stuff up rather than reading the Emergency Escalations list printed in their cubicle. Some might come to this (mistaken) point of view because their brokerage of choice is other-than-competent at answering utterly routine inquiries and instead they get their information about capitalism from the first person who replies on Reddit, who is not necessarily the custodian of Reddit's best answer to the question.

Another fun, wonky control

Brokerages control many accounts worth $20,000 and some accounts worth millions or much more. Frequently, the formal text of the rules will treat those accounts equivalently. Go read the rule if you have any doubt; there is no This User Is Rich exception anywhere in it. Three business days, FINRA doesn't care.

One (optional!) control that some institutions use is called a "medallion guarantee," and it's a fascinating combination of a physical artifact and a contractual risk transfer.

The receiving institution, who may be ultimately liable (to an action from the transferring institution, to recover the assets they already re-bought for the customer out of their risk budget) for a fraudulent transfer, can optionally require a customer to get a "medallion" issued to move the risk to another institution. Hilariously, that institution can in principle be totally uninvolved.

What is a medallion? A piece of paper that has a number on it and represents a promise. In brief form, that promise is "I, a financial institution who is absolutely good for this guarantee, warrant that I know this to be John. The paper attached to this medallion is authorized by John; he told me so. And if I was wrong, and I am not wrong, I will no-muss no-fuss reimburse you up to $___."

So John, when he tells a new company that he would like to move in about $1 million, might get asked to go get a $1 million medallion.

You might think this rhymes with notary services and it rhymes with insurance. All institutions involved will claim it is absolutely not notarization (a state function delegated to private individuals, who are almost universally not good for a million dollars if they screw up) and it is absolutely not insurance (a regulated industry).

Also, medallions are generally free. That surprises people, particularly people who model them as specialized insurance contracts.

The thresholds at which institutions request a medallion vary based on their own policies, but you might reasonably expect $500,000 or $1 million to be important thresholds. If you have an account with a million dollars in it, anywhere, your bank very probably loves you and wants you to be happy. Want a coffee? Stop by any time, they will happily give you a coffee. Charge for the coffee? Laughable. Oh you need an admissible proof of identity for a very wonky financial industry operations issue? Happy to oblige, sir, we are here for any of your diverse financial needs. Can I get you a coffee while you wait?

Yes, the bank is taking risk when issuing a medallion. But it's a tiny, tiny, tiny risk from their perspective, which insulates the receiving company from a huge risk. The bank has many years of history over which they've become thoroughly convinced that John is John. The receiving institution has somebody claiming to be John who spent six minutes filling out an onboarding form in a mobile app. And so the largest firms in capitalism somewhere have a spreadsheet for how much they spent on medallions, much like they can (with difficulty) come up with a pretty exact number for how much they spent on toilet paper.

Toilet paper is substantially more expensive in aggregate even though no individual square of toilet paper has ever caused a $1 million wire.

And, thus, medallions. Most Americans will never see one in their lives. The typical mass affluent user is most likely to see one precisely once, right around retirement age, when, for example, moving their 401(k) to a new custodian.

But if you're reading Bits About Money, you are much more likely to get asked for this quaint ritual than the population is at large, and now you know why. And perhaps you won't be as frustrated as the typical person asked for a medallion, who fumes "Why do I have to walk into a bank just to get them to write 'Yeah, that's John' on a piece of paper? Everyone knows I'm John. My driver's license says I'm John. I already gave that to the brokerage. I swear, the entire financial industry is staffed by incompetents."

A final ACATS story

Once upon a time there was a financial technologist.

He made it his routine practice to buy just a few shares of every bank he worked with. This was not to make money; it was so that he could write a letter to Investor Relations if there was ever an issue he needed to escalate out of Customer Service purgatory. Investor Relations is highly placed in the org chart of banks and does not relish telling Investors they Relate to that their princess is in another castle.

Some time later, that customer caused another financial institution to ACATS out some assets, including the shares of that bank. Unfortunately, that bank had in the interim had a spot of trouble, and their stock had ended up on a "penny stock" list.

Many large, competent financial institutions have a rule about penny stocks, and it rounds to "absolutely not." And so the financial institution objected to its customer, claiming that it could not process the ACATS request, because it contained a trivial amount of equity in a bank.

In a bit of potent irony, the objecting financial institution owned the bank it objected to holding equity in.

Sometimes, the behavior of a financial institution in the moment looks insane. Often, if you play back history, the insanity is explicable as emerging from individually reasonable actions by several separate parties with only a partial view of the facts.

And, of course, playing history forward, this was trivially resolved. Just another day at the office.

So that was the original ACATS essay. But there's been movement with respect to brokerage fraud, and I'd like to catch you up on it. 

Regulatory updates: FINRA 26-02

In January 2026, FINRA issued a regulatory notice, FINRA 26-02, which proposes two mechanisms aimed at two different fraud typologies.

One of them is an amendment to the existing Rule 2165. Rule 2165 essentially gives the ACATS apparatus, receiving brokerages, and transmitting brokerages an extended period of time to do investigations with regard to accounts held by certain specifically designated adults. This is largely meant to cover vulnerable populations. The actual definition of that vulnerable population is buried a little bit, but in sum it means anyone 65 and older, regardless of circumstances, and also anyone who the institution has reason to believe might be operating under some form of impairment, perhaps because of a disability, perhaps even because of a temporary condition.

One of the things that the regulatory notice flags is that, for example, addiction to drugs could be considered an impairment if a brokerage were to know or reasonably suspect that the user was addicted to drugs.

Anyway, the existing Rule 2165 gives a maximum hold of 55 days in the case where the person who owns the brokerage account might be one of these specified adults. The amendment lengthens it via three additional 30-day periods, to a total of 145 days, allowing the firm the opportunity to conduct complex multi-party investigations with, for example, state adult protective services and similar bodies, which do not exactly operate at Internet speed and certainly won't operate within the three-day confines of a routine ACATS process.

Proposal number two is a new speed bump: Rule 2166. It is an optional safe harbor which says that if a firm receiving an ACATS request has any suspicion of fraud, they can just hit a pause button, and they get five extra days.

Why have these two very separate proposals? One reason is that a lot of fraud, and a lot of the dollar-denominated value of the fraud, is perpetrated against senior citizens and other people with diminished capacity. Rule 2165 is specifically designed to shore up protections for them. Rule 2166 is a catch-all over this area. The industry is coming to a realization that its fraud controls are inadequate. They want to build in a new fraud control while minimizing disruption to legitimate operations.

Comment letters from the industry

So what happens when FINRA does a regulatory notice? Well, among other things, everyone gets a chance to weigh in. You or I, in principle, could have sent them a comment letter. I don't remember sending FINRA a comment letter. I bet you didn't either. But some people very definitely did, and so FINRA received comment letters from a swath of firms in the financial industry.

I'd like to talk about three of those comment letters specifically, because they're great windows into how the sausage gets made generally with respect to regulatory issues. Comment letters are broadly just impressive documents. They're a firm documenting, in a pretty short and sweet written artifact, typically two or three pages, some relatively complex cross-cutting concerns about various parts of their operations, about their moral priorities, and about how they think the industry should work.

The three letters I'd like to highlight are from Fidelity, which is one of the largest brokerages in the U.S.; from Apex Clearing, which is a major clearing and custody provider behind many fintech brokerages; and from Robinhood, a discount broker that popularized free trading. Let me be very upfront here: I've been publicly critical of Robinhood on many occasions because I view Robinhood as a casino which wears the skin suit of a discount brokerage. So weight my read on them accordingly.

[Patrick notes: Robinhood’s product and marketing motion is to attract users to doing options trades, which are broadly lucrative for Robinhood because marketmakers are extremely willing to pay to face Robinhood flow. This is more lucrative than payment for order flow for stock trades because options spreads are wider as a percentage of trade size than spreads are for equities. Also, not to put too fine a point on it, Robinhood users are not considered likely to be informed even by the standards of retail traders and marketmakers relish the chance to sell them financial services at the going prices for those services. This is negative expected value for investors that use Robinhood, and Robinhood is—and please accept this as a surmise that I do intend to be damning—intentionally oblivious to this fact.

The one kind thing I will say about them is that a colleague once relayed the opinion that no one in his generation would be in the public markets in any capacity but for Robinhood, and that perhaps after they get the DraftKings-with-different-flavor-text out of their system in their 20s, they will invest responsibly in their thirties and beyond. That is the exoneration offered for them.]  

What Fidelity asked for, in sum, in their comment letter: they want the fraud speed bump, the new Rule 2166, extended from five days to 20. Their rationale is that in their experience, actually getting in touch with a customer, discussing a potential fraud, and potentially having multiple callbacks as they try to determine who has actual authority for an account -- in cases more complicated than the simple "John owns John's accounts," such as a joint account or a trust account -- these take time. They don't necessarily operate at Internet speed. So they think 20 business days would be a better speed bump than five business days.

They also want the trusted contact notification to be discretionary and not mandatory for non-specified adults. Specified adults, again, are people who there is a presumption under this regulation might possibly be operating at diminished capacity. Non-specified adults are “everyone else.”

The trusted contact notification is this: when you set up a brokerage account, you might be asked, "Is there a person in your life who you trust to make financial decisions in the event that you are incapacitated?" As drafted, the proposed rule makes it mandatory, in the case of suspected fraud, to contact the trusted contact. Fidelity says, "Well, wait, that isn't always a great option," because very frequently, trusted contacts don't know that they've been identified as trusted contacts with respect to an account.

As an example, when I'm asked for a trusted contact, I frequently nominate my father. He is a responsible adult and, unlike my wife, he's very good at reading financial English. Under the proposed text of the rule, my father would routinely receive pings from random financial institutions saying, "By the way, Patrick wants to transfer assets from institution A to institution B. Are you cool with that?" And Dad might be quite confused by this. He probably doesn't explicitly know that he is a trusted contact in institution A's records, and he might have no context whatsoever on my relationship with A or my proposed relationship with B. What Fidelity is saying is, "Look, we're sort of the experts here. If we think that calling in the trusted contact is useful for someone who is not presumptively dealing with impairment issues, we'll do that. But if we don't think that's useful, then we won't. You should give us the authority to make that call."

Here's what Apex Clearing really wanted. Apex said in broad strokes that the speed bump is a good idea, but they have some comments with regard to the underlying financial plumbing. Specifically, NSCC Rule 50, subsection 17, places an indemnity on the receiving side, and Apex wants that indemnity reformed. Their argument is that it's not the receiving side that is best positioned to determine whether an account transfer is fraudulent. Their argument is that the sending side, the existing brokerage, is the one that has the best information to determine whether the account transfer is fraudulent.

Their position, as they articulate it, is that you basically can't do an ACATS transfer without having detailed information from the sending brokerage. You need a list of their positions, their account number, and so on, and the only way to get that information is by successfully logging into the sending brokerage. So in the case of a compromise by a third-party unaffiliated actor, someone had to compromise the sending brokerage's account. The sending brokerage has the mobile app telemetry, the account records, and the normal pattern of access for the account, and they should be able to identify if the access that obtained the information needed to put in an ACATS transfer request was authorized or unauthorized. And so, Apex argues, the sending brokerage should hold the liability on deciding whether the transfer is authorized—not the receiving brokerage, which has almost no information about this new user other than the minimum required to open a mobile app.

I have qualified disagreement with Apex Clearing on this point. “Fullz” are all over the dark web. 

[Patrick notes: “Fullz” are the industry term of art for “all the information we could possibly want to complete a financial compromise”, if your industry is financial fraud. This distinguishes them from “leaked credit card numbers with a few other bits attached.” You might have addresses, SSNs, account numbers, and similar in fullz. The packages can get arbitrarily sophisticated; the industry is not a small one. For more, read the Fraud Supply Chain in Bits about Money. Krebs on Security is also a great read if you’re interested in the function of the counterparties to your bank’s fraud department, though they’re not his only beat.]

As a matter of actual industry practice, you don't necessarily need all the positions in an account to put through an ACATS request. Again, the dominant use for ACATS is to transfer all of the assets across all accounts. You also don't necessarily need to specify the account number. You also don't necessarily need to know the Social Security number -- at many brokerages that optimize for onboarding, like fast-growing fintechs, the brokerage might ask the user for their name and address, use commercially available databases to look up their Social Security number for them, and then say, "Can you confirm the last four of your Social, please?" And because all of that information is available for purchase on the dark web, someone can bootstrap from what's for sale to everything they need to put in a facially valid ACATS request, which then goes to the sending brokerage. The sending brokerage will not have any anomalous access in its logs, because the bad actors never needed to log in to the sending brokerage at all. ACATS is the only thing they need, and they can get access entirely through the receiving brokerage.

[Patrick notes: I don’t dispute that Apex is correct for the not-small number of compromises which use, as one step, an ATO (account takeover) against the existing brokerage account. That said, as previously discussed by FINRA in their podcasts about this, frequently the bad guys are just firing blind; they have the fullz, they don’t know where the accounts are custodied, and they just name the usual suspects sequentially.]
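The two typologies in dispute above (an account takeover against the delivering firm versus a fullz-only request that never touches it) can be made concrete. What follows is an added, constructed illustration, not code from the essay, FINRA, Apex, or any brokerage: a toy delivering-side gate that applies Apex's login-anomaly signal alongside the hold periods the essay describes (the routine three-day clock, the proposed Rule 2166 pause, and the Rule 2165 hold for specified adults). Every field name, the 30-day look-back window, and the sample accounts and requests are assumptions.

```python
"""Toy delivering-side gate for an outbound ACATS request, under the rules the
essay describes: routine three-day clock, proposed Rule 2166 pause, and the
Rule 2165 hold for specified adults. Constructed illustration, not any firm's
actual logic; every field name, threshold and sample record is an assumption."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ROUTINE_DAYS = 3                     # ordinary ACATS shot clock
RULE_2166_PAUSE_DAYS = 5             # proposed optional safe-harbor pause
RULE_2165_BASE_DAYS = 55             # existing maximum hold for specified adults
RULE_2165_EXTENSIONS = (30, 30, 30)  # proposed extensions, 145 total
SPECIFIED_ADULT_AGE = 65
LOGIN_WINDOW_DAYS = 30               # assumed look-back for the device check


@dataclass
class Account:
    """Delivering-side record. login_log holds (day, device_id) pairs."""
    account_no: str
    name: str
    ssn_last4: str
    dob: date
    positions: dict
    login_log: list
    known_devices: set


@dataclass
class AcatsRequest:
    """What arrives from the receiving firm. account_no and positions are
    optional to model the 'send everything' request the essay describes."""
    receiving_firm: str
    customer_name: str
    ssn_last4: str
    transfer_type: str               # "full" or "partial"
    account_no: Optional[str] = None
    positions: Optional[dict] = None


@dataclass
class Decision:
    action: str                      # "reject", "process", "pause" or "hold"
    max_business_days: int
    reasons: list = field(default_factory=list)


def facially_valid(req, acct):
    """Does the request agree with the delivering-side record on what it supplies?"""
    if req.customer_name.casefold() != acct.name.casefold():
        return False
    if req.ssn_last4 != acct.ssn_last4:
        return False
    if req.account_no is not None and req.account_no != acct.account_no:
        return False
    if req.transfer_type == "partial":
        # A partial transfer must name positions the account actually holds.
        return bool(req.positions) and all(
            acct.positions.get(sym, 0) >= qty for sym, qty in req.positions.items())
    return req.transfer_type == "full"


def unrecognized_login(acct, today):
    """Apex's signal: a recent session from a device this account has never used."""
    cutoff = today - timedelta(days=LOGIN_WINDOW_DAYS)
    return any(day >= cutoff and dev not in acct.known_devices
               for day, dev in acct.login_log)


def is_specified_adult(acct, today):
    birthday_passed = (today.month, today.day) >= (acct.dob.month, acct.dob.day)
    return today.year - acct.dob.year - (not birthday_passed) >= SPECIFIED_ADULT_AGE


def evaluate(req, acct, today, other_red_flags=()):
    if not facially_valid(req, acct):
        return Decision("reject", 0, ["request does not match delivering-side record"])
    reasons = list(other_red_flags)
    if unrecognized_login(acct, today):
        reasons.append("unrecognized device in delivering-side login log")
    if not reasons:
        return Decision("process", ROUTINE_DAYS)          # looks routine: clock runs
    if is_specified_adult(acct, today):
        return Decision("hold", RULE_2165_BASE_DAYS + sum(RULE_2165_EXTENSIONS), reasons)
    return Decision("pause", RULE_2166_PAUSE_DAYS, reasons)


TODAY = date(2026, 2, 12)            # constructed date for the scenarios below

def _account(dob, login_log):
    return Account("12345678", "John Q. Customer", "1234", dob,
                   {"VTI": 100, "BND": 40}, login_log, {"dev-A"})

def scenario_ato():
    """Account takeover: a new device logged in and copied the positions."""
    acct = _account(date(1980, 5, 4), [(date(2026, 2, 1), "dev-A"), (date(2026, 2, 10), "dev-Z")])
    req = AcatsRequest("NEWBRKR", "John Q. Customer", "1234", "partial", "12345678", {"VTI": 100})
    return evaluate(req, acct, TODAY)

def scenario_fullz():
    """Fullz only: name and SSN bought elsewhere, delivering firm never touched."""
    acct = _account(date(1980, 5, 4), [(date(2026, 2, 1), "dev-A")])
    req = AcatsRequest("NEWBRKR", "john q. customer", "1234", "full")
    return evaluate(req, acct, TODAY)

def scenario_senior_red_flag():
    """Same fullz request against a 70-year-old whose contact email just changed."""
    acct = _account(date(1955, 3, 1), [(date(2026, 2, 1), "dev-A")])
    req = AcatsRequest("NEWBRKR", "John Q. Customer", "1234", "full")
    return evaluate(req, acct, TODAY, other_red_flags=("contact email changed 2 days ago",))
```

Running the three scenarios makes the disagreement legible: the takeover request trips the device check and gets the five-day pause, while the fullz-only request is indistinguishable from a routine full transfer on the delivering side and runs on the three-day clock unless some other delivering-side signal (here, a recent contact-detail change on a specified adult) exists to justify a hold. The gate also shows why "facially valid" is a low bar: a full transfer needs only a name and last four that match.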

Robinhood's argument essentially optimizes for onboarding customers, which is unsurprising given their business model. Broadly speaking, the largest financial firms in the world have relatively stable week-to-week and month-to-month inter-firm transfers. Moving away from brokerages for a moment to deposit accounts, because I think they're easier to reason about: Chase and Bank of America are sending money back and forth every day across many, many retail accounts. And broadly, in any given couple of weeks or months, they expect those transfers to basically cancel out. If you bleed plural percentage points of all retail deposits at Chase to Bank of America in a small interval, it is someone's job to notice that on a screen and inquire what happened.

So for the largest institutions, ACATS is just physics. Customers leave sometimes. Customers come in. It basically nets out. These are responsibilities the responsible adults have to take care of every day.

Robinhood does not have the same posture.

Robinhood is a quickly growing neo-brokerage, and one of the ways they grow very quickly is getting accounts which existed elsewhere and convincing people to move to Robinhood. Their marketing apparatus includes large inducements for doing this, which isn't invidious in particular -- many brokerages offer inducements for moving accounts to them in the ordinary course -- but it is much more structurally important to Robinhood than it is to, say, Fidelity, Schwab, or Chase.

And so what Robinhood says in their request is: we've already spent a lot of time on this anti-fraud effort. We think we're pretty good at it. And we want your five-day cooling-off period for fraud to be optional. We want you to clarify in writing that if we don't take advantage of that option, that won't be held against us in any way. And Robinhood is not just signaling how they want to run their own business. On the face of this, they want to water down the requirements for other brokerages as well. Because Robinhood is not worried about transferring assets out of Robinhood all that much. They're worried about how easy it is to transfer assets into Robinhood. And Robinhood does not hate the world in which you can transfer assets into Robinhood in six minutes on a mobile app. Tap, tap, tap.

And so that's the position of a few industry participants with respect to this regulation. I think, finger to the wind, as an informed observer, it is highly likely that we get some movement here, and that in broad strokes it matches the proposed regulation. But of course, these things get tightened over time. With the timelines, it could be later this year, could be next year. The financial industry moves very, very slowly, but it does move over time. And this infrastructure does improve gradually as we realize that there are attacks being made against it.

This is not novel in the experience of brokerages. We realize that checking account infrastructure, which Bits About Money and Complex Systems have talked about many times, had tens of billions of dollars of fraud run against it over decades. And we gradually got much, much better at dealing with that sort of fraud. And while it continues, we are in a much more tightened posture on it than we used to be.

And with that, we'll leave you for the week. Thanks much for listening to Complex Systems, and we hope to be back next week.