Saturday, September 28, 2019

The Prevalent but Problematic Probability of Ruin

About 10 years ago, in the course of a conversation with two retirement researchers whom I greatly respect, someone mentioned the 4% Rule. One of those researchers said, "William Bengen did great work showing us that sequence risk exists but trying to turn it into a retirement plan was a huge mistake."

Bengen's work gave us the 4% Rule, derived from the so-called probability of ruin. Probability of ruin, or p(ruin) for short, is the estimated probability that a retiree spending a fixed real dollar amount from a volatile portfolio will outlive her portfolio. Somehow, despite its many shortcomings, p(ruin) has become the most common metric in retirement planning.

The 4% Rule provides a "sustainable withdrawal rate" (SWR) that a retiree can supposedly spend from a volatile portfolio with a 95% probability of not outliving his savings. How much is the SWR? Bengen estimated a range around 4.4%. Wade Pfau, Michael Finke and David Blanchett[1] found that the SWR is currently closer to 3%, primarily due to a low-interest-rate regime. If they are correct, that would result in annual withdrawals nearly 32% lower than Bengen's estimate. That's quite a range.

Some question the implications of that research, notably Michael Kitces, but interestingly, William Bengen believes that valuations are probably important and that "Pfau may be on to something."

The Shiller CAPE 10 ratio[2], a measure of stock market valuation, was around 10 when Bengen's data series began in 1926 and today suggests a much higher market valuation of around 30. A higher CAPE 10 suggests lower future market returns and vice versa. Had the market return data series studied by Bengen begun when valuations were relatively high, the results may have suggested a lower SWR. (It is not uncommon for economics studies to improperly ignore initial conditions like market valuations.)

I will toss yet another monkey wrench into these analyses and note that both studies make assumptions about future asset returns, so neither can be proven correct ex-ante. Still, Pfau et al. provide evidence that Bengen's SWR may be overestimated. This uncertainty is the essence of risk.

What are these shortcomings of p(ruin)? Let's start with p(ruin) being a one-dimensional measure of risk. By that I mean it estimates the probability (risk) of outliving a consumption portfolio, which I will define as a volatile portfolio of investments from which a retiree withdraws cash periodically to pay his bills, without measuring the magnitude of that risk.

Some research I'm currently coauthoring serves as an example. We compare two consumption-portfolio spending strategies. Each estimates a p(ruin) near 5%. On this basis, we would say that the two strategies are equally risky. However, when scenarios fail using the first strategy, the mean number of underfunded years is about 15. When scenarios fail using the second strategy, the mean number of underfunded years is about 21. The second strategy is riskier because when it fails, it leaves the retiree underfunded for 6 more years on average. This magnitude of risk isn't captured by p(ruin).

Another problem with p(ruin) is that it is based on a very limited sample of historical equity returns. Robert Shiller has reconstructed equity returns back to 1871, providing a little less than 150 years of data but this historical data contains very few unique long-term sequences of returns of 30 years or more that we need for retirement studies. We simply don't have enough data to draw statistically significant conclusions about the future probability of ruin. Many argue that only the more recent years of Shiller's historic returns are truly reliable.

Researchers have tried multiple strategies to get around this lack of data. Bengen used overlapping 30-year periods of returns. This strategy is flawed because the first and last years of the equity return time series are each used only once, the second and next-to-last twice, etc., while the returns in the middle of the series are included up to 30 times.

Another strategy is to generate 30-year series of returns by resampling, or randomly choosing returns from the entire historical data set with replacement. This strategy will provide results similar to the experience of the handful of available unique historical 30-year sequences of returns but doesn't generate "out-of-sample" series.

In other words, it assumes that the limited number of 30-year historical periods of data we have contain all of the information we will ever need to know about future market returns. It is more likely that the future will likely throw something at us that we have never seen before. Said a third way, our limited amount of historical long-term data series has very little predictive power. It can only tell us what might happen in the future if the future is very much like our limited past.
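The two ways of manufacturing 30-year sequences described above, and the one-dimensional nature of p(ruin) discussed earlier, can be made concrete with a small simulation. This is an added example, not code from the post; the 100-year return history is constructed (random normal real returns with a fixed seed), and `underfunded_years` is my own name for the magnitude measure the text calls "number of underfunded years".

```python
import random
import statistics

HORIZON = 30          # length of retirement in years
WITHDRAWAL = 0.04     # fixed real withdrawal, as a fraction of the starting balance
RUNS = 5000           # number of resampled scenarios

# Constructed history: 100 years of synthetic real returns (NOT market data).
_rng = random.Random(1926)
HISTORY = [_rng.gauss(0.05, 0.17) for _ in range(100)]


def underfunded_years(returns, withdrawal=WITHDRAWAL, horizon=HORIZON):
    """Spend a fixed real amount at the start of each year from a portfolio
    that starts at 1.0. Return how many of the horizon's years could not be
    funded (0 means the portfolio survived the whole horizon)."""
    balance = 1.0
    for year, r in enumerate(returns[:horizon]):
        balance -= withdrawal
        if balance <= 0:
            return horizon - year      # this year and every later year go unfunded
        balance *= 1.0 + r
    return 0


def overlapping_windows(history, horizon=HORIZON):
    """Bengen-style: every consecutive horizon-length slice of the history."""
    return [history[i:i + horizon] for i in range(len(history) - horizon + 1)]


def window_usage_counts(history, horizon=HORIZON):
    """How many overlapping windows each year of the history appears in.
    The first and last years appear once, the middle years up to `horizon` times."""
    counts = [0] * len(history)
    for i in range(len(history) - horizon + 1):
        for j in range(i, i + horizon):
            counts[j] += 1
    return counts


def resampled_windows(history, runs=RUNS, horizon=HORIZON, seed=0):
    """Bootstrap: draw each year's return from the history with replacement."""
    rng = random.Random(seed)
    return [[rng.choice(history) for _ in range(horizon)] for _ in range(runs)]


def ruin_stats(windows, withdrawal=WITHDRAWAL):
    """Return (p_ruin, mean underfunded years among the failing scenarios).
    Two strategies with the same p_ruin can differ sharply in the second number."""
    failures = [u for u in (underfunded_years(w, withdrawal) for w in windows) if u > 0]
    p_ruin = len(failures) / len(windows)
    magnitude = statistics.mean(failures) if failures else 0.0
    return p_ruin, magnitude


if __name__ == "__main__":
    usage = window_usage_counts(HISTORY)
    print("years used once:", usage.count(1), " years used 30 times:", usage.count(HORIZON))
    for label, windows in (("overlapping", overlapping_windows(HISTORY)),
                           ("resampled", resampled_windows(HISTORY))):
        p, years = ruin_stats(windows)
        print(f"{label:>11}: p(ruin)={p:.3f}  mean underfunded years when failing={years:.1f}")
```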

Let's focus now on a term I just introduced, "sequence of returns." The success or failure of a consumption portfolio is primarily a function of the sequence of the portfolio returns and not of the returns themselves. To quote BigErn at, "Precisely what I mean by SRR (sequence of returns risk) matters more than average returns: 31% of the fit is explained by the average return, an additional 64% is explained by the sequence of returns!"[4]

While we can generate realistic market returns from historical data using statistical methods like resampling, we cannot capture the most important characteristic of that data relative to portfolio ruin, the sequence of those returns. Resampling and most Monte Carlo models simply create random uniform sequences of returns and these are often quite unlike the few long sequences we observe from historical data.

This leaves two possibilities. One possibility is that the sequence of market returns is truly purely random as we most commonly model, in which case we have been extremely lucky not to have received a catastrophic sequence of returns over the past 150 years. Another possibility, and the one I favor is that sequences of returns are not purely random but are limited by market forces that we don't yet understand. In that case, we may never see catastrophic sequences of returns but our models are wrong.

I can't leave this topic without noting that consumption-portfolio failure doesn't require really bad negative returns. A long sequence of sub-par returns will do the trick. The worst-case series of 30-year returns beginning in 1964 that defines the 4% rule was simply a long period of mostly-positive but mediocre real returns.

Not long after the Great Recession, some SWR advocates were quick to note that the market had rebounded rather quickly, supporting the idea of a 4.5% SWR. While this is true, there are two important caveats. First, consumption portfolios recover much more slowly than a market index because we aren't spending from the market index. Second, the Great Recession was a three-year sequence and, as I note in the previous paragraph, portfolio failure typically results from long periods of mediocre returns and not short periods of negative returns. The Great Recession may not portend future portfolio failure for today's recent retirees.

Lastly, I think it is important that we consider the ability of humans to "internalize" probabilities. Clearly, there are some of us like Nate Silver, who can see a probability and intuitively interpret it. Most of us can't.

Most people tend to round small percentages to zero and large percentages to 100. The 2016 presidential election is a perfect example. On November 9, 2019, Nate Silver published a prediction that Trump had a 28.6% probability of winning the election and Hillary Clinton had a 71.4% probability. Many read this and concluded that Trump had no chance of winning, i.e., they rounded 28.6% to zero and 71.4% to 100%. When Trump won, they were outraged at Silver. I saw a poster at the Women's March saying, "I will never believe Nate Silver again."

The election was a one-time event and clearly not random. Silver's probabilities weren't based on counting who won past elections between Trump and Clinton. They represented Silver's belief that these were the odds and he believed that Trump's chances of winning were significantly greater than zero. It appears that many people didn't understand that.

This raises the issue of one-time events like a presidential election or your retirement. It's simple enough to look at a roomful of one hundred 65-year-olds and say that a 4% Rule strategy means five of them will outlive their savings, but it is impossible to say in advance which five it will be. It is, therefore, difficult to internalize how 5% of retirees outliving their savings translates to your individual probability of failure.

(This is a poor analogy in one sense but I hope it makes the point. The 4% Rule says that 5% of 30-year periods will result in a failed portfolio, so if everyone in that room were 65 years old, they presumably all would go broke or none would. They will all experience the same future market returns.)

Your retirement differs from the 2016 election, although both are one-time events. We can use historical market data to count how often you might have succeeded in the past, given some withdrawal rate. The problem is that we don't have nearly enough of that data. Even if we did, we could only predict how many retirees would fail and not whether you would be one of them.

The point of our ability or inability to intuitively understand probabilities is that many people will round a 5% chance of ruin to zero and feel perfectly safe, while others (like me) will feel that a 1-in-20 chance of ending up destitute in their dotage is completely unacceptable. In either case, p(ruin) is frequently problematic because of our inability to intuit it.

There are a couple of other shortcomings of p(ruin) that I will briefly mention in conclusion. Many argue that no retiree would ever do what the 4% rule requires, that is, continue to spend the same amount from a consumption portfolio even when it is obviously failing. First of all, I would note that if the retiree doesn't do this, then the 4% Rule is not predictive at all because the retiree isn't adhering to the strategy. I also have anecdotal evidence that there are rational reasons a retiree would continue spending the same amount.

At some point, a retiree with a failing portfolio will reach an amount of spending that is necessary to meet non-discretionary expenses and spending too much to pay necessary expenses will be the rational response even if it will undoubtedly lead to portfolio depletion in the near future (see Why a Rational Retiree Might Keep Going Back to that ATM).

If the 4% Rule says I can spend no more than $1,000 or else I will probably go broke in the near future but my necessary expenses total $1,500, I will spend the $1,500. In this scenario of continued fixed spending, portfolio behavior is either chaotic or behaves chaotically and it doesn't matter much which (see Retirement Income and Chaos Theory).

Economist Laurence Kotlikoff believes the 4% Rule estimates both the wrong amount to save and the wrong amount to spend compared to an economics approach. He explains it better than I could in The 4% Retirement-Asset Spend-Down Rule Is Rubbish.[5]

Lastly, probability of ruin is a number that we intentionally try to make as small as practical. It's a measure of "tail risk", or the area of low-probability outcomes of a model. Nassim Taleb, in testimony before Congress no less[6], stated that "the more remote the event, the less we can predict it." Taleb goes on to say, "Financial risks, particularly those known as Black Swan events cannot be measured in any possible quantitative and predictive manner; they can only be dealt with non-predictive ways." But, predicting unlikely events is precisely what p(ruin) purports to do.

The 4% Rule has achieved cult status to the extent that I hear retirees with virtually no other knowledge of retirement finance casually refer to it as if it is a universal law. It is not. It is a questionable but unfortunately prevalent retirement finance metric.

A better approach is recommended by life-cycle economics (see, for example, Risk Less and Prosper by Zvi Bodie), sometimes referred to as "safety-first." The safety-first strategy is to assume that portfolio failure is a (perhaps) small — Taleb would say unquantifiable — probability of an unacceptable outcome. It deals with the risk of portfolio depletion "in non-predictive ways." The retiree is encouraged to plan for an acceptable standard-of-living in the event of that outcome without having to roll the dice and simply hope the future looks a lot like the past.


[1] The 4 Percent Rule Is Not Safe in a Low-Yield World , Michael Finke, Ph.D., CFP®; Wade D. Pfau, Ph.D., CFA; and David M. Blanchett, CFP®, CFA.

[2] Shiller PE Ratio,

[3] Online Data, Robert Shiller, Yale Economics.

[4] The Ultimate Guide to Safe Withdrawal Rates – Part 15: More Thoughts on Sequence of Return Risk,

[5] The 4% Retirement-Asset Spend-Down Rule Is Rubbish, Laurence Kotlikoff,

[6] The Risks of Financial Modeling: VAR and the Economic Meltdown, House Subcommittee on Investigations and Oversight, GPO.

Thursday, August 15, 2019

Why Can't We Stop Pfishing?

During my employee orientation at America Online in 1997, that day-long tradition of assaulting new hires with mundane and mind-numbing facts that are immediately forgotten, I was warned that AOL employees were constantly under threat of phishing attacks, though they weren't called that, and I admit that I didn't really understand the explanation.

By close of business the following day I had developed a full appreciation of the threat because I had unwisely clicked on a link in an Instant Message and unwittingly handed my employee login credentials to a hacker, something I had been told not to do just hours before. IT's "clean-up" process took two days, though I suspect that was a form of punishment, and during that time I wore the scarlet letter of being cut off from the rest of the company that functioned entirely around AOL Mail and Instant Messaging.

What a dunce. Lesson learned.

AOL finally put a huge dent in the phishing attacks by implementing two-factor authentication (2FA) for all employees, as I described in those previous posts, except that in 1997 we used hardware tokens because there were no smartphones.

Having dedicated my last two posts, You're Responsible for Your Own Online Security and How to Secure Your Online Financial Accounts, to securing online financial accounts, I realize my retirement finance blog has taken on a computer-geek air of late. My rationale is that retirement finance is primarily about dealing with risk and cyber security is a huge component of financial risk. describes phishing attacks as follows.
"Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there's more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgment by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence."
The term "phish" comes from fishing. A hacker dangles some bait in front of you in the form of a disguised hyperlink in an email or text message and hopes you will click on it hook, line and sinker.

Phishing attacks can be implemented with text messages, email, or even phone calls. It is actually a "social engineering" attack because rather than relying on technology to steal your vital information, it relies on you giving away that information in a moment of fear, confusion or just complacency.

Some people provide their sensitive information over the phone in spite of knowing that no bank, brokerage or government office like the Social Security Administration is going to call, text or email you and ask for your login credentials. The IRS does not announce an audit in an email.

Others click on a hyperlink in an email or text message because they believe they know the sender or because the link looks familiar or harmless. It isn't difficult for a hacker to change an email sender's address, using an attack known as "spoofing." You cannot trust an email's source simply by looking at the sender's email address or a phone call's source by checking Caller ID.

A lot of people who should know better get hacked by phishing attacks. It's a highly effective strategy.

Cyber security firm CSO lists three infamous phishing attacks.
  • Perhaps one of the most consequential phishing attacks in history happened in 2016 when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password. 
  • The "fappening" attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.
  • In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.
The Clinton Campaign phishing hack may have helped decide a presidential election.

(Note to political parties: Why are you sending unencrypted sensitive information over email systems like GMail when you can create a free, encrypted account at CERN's Proton Mail or spend a few bucks to encrypt your own mail server? More importantly, why are you saying things in an email that you wouldn't want the world to share? Emails never die. Your stupidity will be on the web forever. This is not the way you want to go viral.)

My goal is to help you protect yourself and your wealth from phishing attacks (if political organizations haven't figured out how by now then I have little hope for them in cyberspace).

Because phishing attacks are social engineering attacks that depend on tricking you, your diligence is the best protective measure. Think twice — no, make that three times — before you click on any link in an email or text message.

Check the context. My friend, Lex, sends me lots of emails, text messages and messaging app thoughts. I normally click on all of his links but when I recently received an email from him that contained nothing but a hyperlink, I deleted it. It would be very unusual for Lex to send me a link with no explanation.

Needing no further clues, I checked the email's CC list and noticed it was quite long and included no one that I know. Not a confidence-building sign.

If I have any doubt that a link I receive is legitimate, I will contact the sender and ask if the email or message was really from them, but it is critical to contact them through a different channel and not by replying to the message. If the link really is phish, then replying may simply be me asking the hacker if he is legit. He'll probably say yes. If the link arrives in an email, for example, call or text the sender instead.

When I receive an email or text message regarding the status of a credit card account, I visit the card's website without clicking on the link.

It's quite easy to make a link look like a legitimate website when it actually points to a hacker's own malicious website. It's also quite easy to make that website look like Chase Bank's website, for example, and encourage you to "login" at the fake website and thereby hand your login credentials to the hacker.

Most email systems and websites allow you to view the actual link by hovering your mouse over the hyperlink. The underlying link will appear. Read the actual link closely to detect small changes that indicate you might not land where you expected.

You may find, for example, that a link that appears to point to (my website) actually points to, which could belong to anyone. Notice the subtle misspelling. Hover your mouse over each of these links and, depending on your browser, the actual destination hyperlink will show up somewhere on your screen.

Some anti-virus and anti-malware software also incorporates anti-phishing features. Check your software's website to know for sure. Still, it won't replace your own diligence in examining hyperlinks sent to you before clicking on them.

Why are phishing attacks still so successful though we've been exposed to them since the late 1990s? They prey on our fear, complacency, and familiarity. It should be really easy to always say, "I'm not 100% sure this is a legitimate link so I'm just not going to click it" or "no legitimate business would ask me to provide sensitive information through an email or a phone call," yet it remains a successful hacking strategy.

One last question you might ask yourself is what would happen if I don't click this link? If it is important, the sender will surely try other ways to reach you, even if it's a friend just making sure that you saw the link she sent to her latest baby pictures.

Phishing attacks aren't the only cyber threat to your wealth but they are one of the most common and they are very effective. The best way to protect yourself is to treat any link sent to you as a potential threat. Never click on them without stopping to think about possible bad outcomes. Err on the side of avoiding the pfisher. If you're not certain, don't click.

Tuesday, August 6, 2019

How to Secure Your Online Financial Accounts

In my previous post, You're Responsible for Your Own Online Security, I noted that online fraud protections from banks, credit unions, investment companies, and other financial services companies are significantly weaker than consumer protections for credit cards, debit cards, ATMs, and EFTs. The "100% online fraud guarantees" advertised by financial services companies can have a lot of fine print and they are backed by the companies, not by consumer protection laws.

You may be thinking, "That's a lot of trouble. In the unlikely event that my account is hacked, the financial services company will reimburse me." I think that's a mistake for a few reasons. First, even if the company covers your losses, recovering from the fraud is unlikely to be a pleasant experience. Second, if you don't meet the company's security requirements spelled out clearly on their websites, you might not be covered by their online fraud guarantee, at all. Do you want to take that risk with your savings?

My goals for this post don't include boring you to tears, though that is certainly a risk when one explains technology to people who just want things to work. The truth is that Internet passwords don't work. We need a very different solution for securing online access but unless and until we get that, we have to work with what's available.

One of my goals is to help you avoid losing your hard-earned wealth to online fraud. A second goal is to help you avoid the long, painful process of recovering from online fraud when recovery is possible — you'll find it much easier to stop fraud before it happens than to tidy up afterward. And, my third goal is to keep you from running afoul of requirements that might preclude those "100% online fraud guarantees" offered by financial services companies. I used to refer to them as "online financial services companies" but now almost all of them are.

I warn you up front that some of these measures can be complicated to implement and that they will complicate your financial life a bit. It won't be as easy for you to access your online financial services but it should be a lot more difficult for a thief to do so.

And finally, before diving into security measures, be aware that many online services offer different levels of security that you can implement depending on how much set-up work you are willing to do and how much inconvenience you will tolerate to achieve greater security. You can improve security significantly with stronger passwords, for example. With more work and complexity, you can greatly improve on long-password security by adding two-factor authentication. You will need to decide if the extra security is worth the effort.

You might also think, "This is way too difficult. I'm just going to avoid online access to my accounts altogether."

While this might be achievable in some limited way, it will preclude most investment opportunities. I asked Fidelity Investments if it is possible to open an account with no online access. They thought I had lost my mind. And, should you decide to simply not set up the online access, a thief might well do it for you.

Wade Pfau and the gang at are seeking volunteers for a research project called the Retirement Income Style Awareness,™ (RISA™). Please consider following this link to the survey.  Participants will be able to get results from the survey in the fall.

First, if your computer, smartphone, or tablet is compromised, no other security process can be trusted. If someone installs a keylogger on your computer, for example, that person can watch you type in your log-in credentials from half a world away and it won't matter what other security measures you take, they're looking over your shoulder. Run anti-malware software on your computer and only download smartphone apps from your apps store. This step is essential. There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well.

Next, you probably have a lot of sensitive information on your smartphone. Many services will use your phone to reset your password, for example. A thief doesn't need to learn your password if she can more easily reset it. Actually, a thief doesn't need to physically steal your phone. He may be able to illegally "port-out" your phone number and receive all your phone calls and text messages. Your smartphone is a key to your online security whether or not you intended it to be.

You need to keep that key beyond the grasp of hackers. Bite the bullet and change your lock-screen passcode to at least 8 digits.[3] (Are you still using four digits?) This step is also essential. I'd recommend avoiding lock-screen patterns on Android phones.

For many financial services companies, the use of "third-party aggregators" like, Fidelity Fullview and Vanguard Portfolio Watch will violate your guarantee of fraud protection. Charles Schwab explicitly states next to the button to enable these services that they invalidate your guarantee. Stop using them. This is an essential step. You can go to the aggregator websites and turn off the feature but you can also change the passwords on all your financial services accounts (which you probably should do, anyway) and simply not update them at the aggregator website. If your financial data still shows up at your aggregator site, you know you're not finished. The aggregators will no longer have access to your data and you will no longer be in violation of the terms of your guarantee.

Creating strong passwords is an essential step. Make passwords to all your sensitive online accounts at least 12 random characters long. Use upper and lower case letters, numbers and special characters as allowed by the website. Here's an example: Wt4e-7B13^qS. As the saying goes, the best password is the one you can't remember. It has been estimated that an 8-character password can be cracked in hours, nine characters in months, and 12-character passwords in hundreds of years with a brute force attack. If your password contains recognizable words, a dictionary attack can be even faster.

Don't reuse passwords. This is essential because cracking one of your passwords compromises every other account using that password. Every sensitive account should have its own.

Never share your password with anyone other than a spouse on a joint account. That will almost certainly invalidate your online fraud protection. If you want an advisor or a spouse to have access to your individual accounts, grant that authority explicitly by filing the appropriate paperwork with your financial services companies instead of going through the "back door" of sharing your passwords. Recognize the risk you're taking by doing this and consider sharing "read-only" access and not authority to transact in your account.

If you write them down, store the list of passwords in a secure location and hide a backup in a different physical location. The next step isn't essential but I find it helpful. I use a password manager to both create random passwords and store them. LastPass, Dashlane, and 1Password are perhaps the best known and you can access passwords from your computer, smartphone, and tablet.

The next level of security (and complexity to implement and use) beyond strong passwords is two-factor authentication. 2FA is perhaps not as essential as strong passwords but many experts would disagree. I consider it mandatory for my accounts but I also recognize that it is complicated for a "non-techie" to understand and implement. I can imagine that most will consider it too complex and that's a shame because it is a huge step up in security.

In essence, 2FA provides a second password that changes every minute and can only be read from an app on your smartphone (or a dedicated hardware token[4]). Unless a thief has access to your smartphone, she can't log in to your account even if she knows your password.

2FA is now offered by most, though not all, financial services websites. I even use 2FA at social media websites and on my email accounts. Two Factor Auth[5] provides a list of websites that support 2FA and[6] explains how to use many of them.

I have found that customer service departments of financial services companies will walk you through implementing 2FA over the phone if you ask and it only takes a few minutes. This is far and away the easiest way to implement 2FA on your account.

There are several ways in which 2FA can be implemented. The passcode can be sent to you in an email, sent to your phone in a text message (SMS), delivered by a voice phone call, or created by an app on your phone. If your financial services company offers a choice, the app approach (or a hardware token) is the safest.[7]

Some websites, like TreasuryDirect®, will email a one-time password (OTP) as a second layer of authentication after you enter the correct password. A lot of people know I can be reached at and that's the first place a hacker might search for my one-time password. It would be harder for a hacker to intercept my OTP if I have it sent to say,, which doesn't identify me.

If any of your accounts use 2FA by sending an email, consider setting up an email account with a random name solely to receive 2FA passcodes. Set up a notification in that email account to alert you anytime you receive an email.

Many websites have a "password recovery" process that will reset your password if you answer security questions like "What was your high school mascot?" It makes no sense to go to all this trouble to secure a password when someone can "recover" your password by answering these security questions after reading your social media posts or by Googling your name.[10]

(I checked my password recovery questions on an email account I use for junk and found that a hacker would need to either spend hundreds of years guessing my password or simply guess the name of my favorite band to gain access to my account.)

I make up unrelated answers to these questions and store both the questions and the answers with my passwords. For example, I might choose the question "What was your school mascot?" ("Eagles" is a good guess for a hacker.) I might enter "bookbinder" as the answer.

Thieves can sometimes illegally "port-out" your mobile phone number to their phone and the only indication you will get that this has happened is that your phone will stop working. They'll receive your text messages and phone calls so they'll intercept any one-time passwords sent by either of those methods. Furthermore, many online accounts will allow you or a thief to recover your password by texting or calling your phone and the thief is now the recipient of both of those. You may have the physical phone in your hand but all of your voice calls and text messages will now go to the thief's phone.

To illegally port-out your phone number, a thief only needs some basic name and address information about you and a PIN that is set up at your wireless carrier's website. Beef up the security of the password and PIN on your wireless carrier account. Krebs on Security tells you how.

Log on to your wireless carrier online account and make sure your PIN isn't something obvious like "1234" or the last four digits of your social security number. Use a strong password on your wireless carrier's website. I added 2FA to mine. Otherwise, the fraudster can hack into your wireless carrier account and change that PIN. Your smartphone, one way or the other, is the key to much of your online security. If it is lost or stolen, take action immediately.[8,9]

Since this all began with a reader's comment regarding security at TreasuryDirect®, let's look at how we might secure accounts there.

To log on to a TreasuryDirect® account, a thief will need your account number, a password for that account, an email address to which TreasuryDirect® will send a one-time passcode each time you attempt to log on, and that one-time passcode.

First, create a random password at TreasuryDirect® that is at least 12 characters long. Then, create unrelated answers to password recovery security questions at TreasuryDirect®, as described above.

Create a new email address with a random name and direct TreasuryDirect® to send one-time passwords there instead of sending it to your public primary email address. Secure the email account with a long, random password.

Now, a hacker will need to learn your TreasuryDirect® account number, hack its long random password, figure out to which e-mail account you have told TreasuryDirect® to send your one-time password, and hack that e-mail account's long random password to learn your OTP. If he tries to hack your TreasuryDirect® account using password recovery, he will need to know that you told TreasuryDirect® that your father was born in the city of banjo.

I believe any web-based service is hackable but a thief could probably find an easier way to steal money than this.

If you only install anti-malware software on your computer and improve your passwords, you will greatly enhance your online security. If this seems overwhelming, start by improving all of your passwords on financial services company websites and do more later.

You can download a checklist in Word to organize your security enhancement project. I included a sample using a Charles Schwab account. Click the link to see the document, then click download to save a copy.

This is the world we live in. Practically all financial services companies have an online presence with fraud guarantees provided only if the company considers that you have adequately protected your login credentials.

I realize that most readers will find this all quite complicated even with the links I have provided but this is your retirement savings we're trying to protect here and if your security doesn't meet the standards of financial services companies, their "100% online fraud guarantee" might not be available to you. Follow these steps and you are far less likely to ever need to recover from online fraud or rely on a fraud protection guarantee.

Some readers are having problems posting comments anonymously. Please feel free to email comments to and request that I post them anonymously.


[1] Avast for Mac

[2] Windows Defender, Microsoft.

[3] Change Your iOS Passcode, or Change Your Android Passcode.

[4] Some financial services companies will provide, often for free, a hardware "token" to generate the 2FA passcode instead of using your phone. See Protect Your Investment Accounts With A Security Token.

[5] Two Factor Auth list of 2FA supported websites.

[6] Two-Factor Authentication: Who Has It and How to Set It Up, PC magazine.

[7] This is why you shouldn't use texts for two-factor authentication: Major SMS security lapse is a reminder to use authenticator apps instead.

[8] If your iPhone, iPad, or iPod touch is lost or stolen.

[9] Find, lock, or erase a lost Android device, Google Help.

[10] Time to Kill Security Questions—or Answer Them With Lies, Wired.

[11] This is why your six-digit iPhone passcode isn't secure.

Wednesday, July 31, 2019

You're Responsible for Your Own Online Security

Credit cards, debit cards, ATMs, and electronic fund transfers (EFTs) offer excellent fraud protection but your bank, credit union and investment company's online protections aren't as strong.

In response to my post, The Best Inflation Protection You Never Heard Of, a reader commented that he/she avoids I Bonds due to security concerns with TreasuryDirect®. It didn't take long to find several threads on the topic. The primary concern seems to be this statement from the Code of Federal Regulations:
§363.17   Who is liable if someone else accesses my TreasuryDirect® account using my password? You are solely responsible for the confidentiality and use of your account number, password, and any other form(s) of authentication we may require. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost, or expense that you may incur as a result of transactions made using your password.[72 FR 30978, June 5, 2007]
Should you be concerned about security issues at TreasuryDirect®, the only place where you can purchase I Bonds? I think you should be concerned about the security of online access to your holdings at all financial services companies and I think your security is largely up to you.

Having your financial services company hacked is different than having your individual account hacked using Internet access. I'm addressing the latter but the former happens with amazing frequency and you will be protected from those breaches. You probably won't even know it happened to your company until you read about it in the paper.[1]

You will probably find wording similar to that of the TreasuryDirect® statement above at the websites of all of your banks, credit unions, investment companies, and other financial services.

First, let's look at where we are protected.

Electronic Fund Transfers.

According to the Federal Reserve, "Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems such as automated teller machine transfers, telephone bill-payment services, point-of-sale (POS) terminal transfers in stores, and preauthorized transfers from or to a consumer's account (such as direct deposit and social security payments). The term "electronic fund transfer" (EFT) generally refers to a transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs a financial institution either to credit or to debit a consumer's asset account."[2]

Section 205.6 of Regulation E states the liability of [the] consumer for unauthorized transfers, "[Regulation E] limits a consumer's liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited."

At first glance that would appear to cover online access to your account at a bank or credit union — they are both subject to Regulation E and it specifically mentions computers — but that does not appear to be the case. The catch seems to be in how your bank or credit union defines "unauthorized access."

Credit Cards.

According to[3],
"Under the Fair Credit Billing Act, your liability for unauthorized charges depends on whether the thief personally presented your card to make the purchase, or just stole the number.
    • If the thief personally presents your card to make the purchase, the card issuer can't hold you liable for more than $50 in fraudulent charges. (12 C.F.R. § 1026.12). Many card issuers waive this $50.
    • If the thief stole the number, but not the card, you have no liability.
In either of the above situations, however, it's important to notify the card issuer as soon as you know of the theft—by phone and in writing.
Additional information regarding how to report fraud is also available at the NOLO link.[3]

ATM and Debit Cards.

Also from,
"With ATM or debit cards, you must act quickly in order to avoid full liability for unauthorized charges when your card is lost or stolen. Under the federal Electronic Fund Transfer Act, your liability is:
    • $0 if you report the loss or theft of the card immediately and the card has not been used
    • up to $50 if you notify the bank within two business days after you realize the card is missing
    • up to $500 if you fail to notify the bank within two business days after you realize the card is missing, but do notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals, or
    • unlimited if you fail to notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals. (15 U.S. Code § 1693g).
If you can convince the bank that your notification failure was due to extenuating circumstances, it must extend the notification timeline for a "reasonable period."
If your card wasn't lost or stolen, but the number is used for unauthorized transactions, you aren't liable for those transactions so long as you report them within 60 days of the statement being sent to you.
In response to consumer complaints about the possibility of unlimited liability, some card issuers cap the liability on debit cards at $50. And some banks don't charge anything if unauthorized withdrawals appear on your statement. Also, some states have capped the liability for unauthorized withdrawals on an ATM or debit card at $50."
So, for EFTs, credit cards, debit cards, and ATMs, the fraud protections are pretty strong but what is the extent of our protection for accounts with other financial services?

Banks and Credit Unions.

As I previously mentioned, banks and credit unions are subject to Regulation E and that regulation seems to protect online access to your account. A review of a few online-fraud policies, however, reveals a loophole that limits their guarantees of "100% fund recovery" if you "share" your login credentials or don't "adequately" protect them.

My credit union states in its "Zero Liability Guarantee for Online Fraud" policy, "You should not share your UserID and/or password with anyone. If you share this information with anyone, any actions they perform on your accounts online are considered to be authorized by you."

I found similar statements at bank websites. Wells Fargo's states, "To qualify for the protections provided by the Online Security Guarantee, you must. . . Never disclose your personal account information to others (including your Personal Identification Number (PIN), online username, password, one time passcodes, RSA SecurID® token, or any other security credential you may use to access your accounts)"[4]

Wells Fargo's statement goes on to warn that, "If your device allows access to anyone other than you via fingerprint, that person will also be able to access your Wells Fargo Mobile downloadable applications on the same device when Touch ID® or fingerprint is enabled, and their transactions will be considered authorized."

So, if your phone's fingerprint access feature fails, allowing someone to gain access to your login credentials, Wells Fargo treats that as your authorization for that person to make transactions in your account. And, those fingerprint readers may not be as secure as you think.[5]

You can find your investment company's online-fraud protection policies, well. . . online.[6,7,8] Most of the investment companies I researched do offer full protection against fraud except for fraud committed when you share your login credentials. The problem is that most have a very broad definition of "sharing." Fidelity Investments states, for example,[6]
"What are examples of where I won't be covered?

If you grant authority to, or share your Fidelity account access credentials or information with, any persons or entities, their activity will be considered authorized by you. Losses of cash or securities transferred to outside accounts that are beneficially owned by you are not covered by this guarantee. Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
Fidelity also lists some types of assets that aren't protected:
"What assets may not be covered?

Assets including certain annuities and insurance products, Fidelity Advisor Fund accounts, and Fidelity Advisor 529 accounts are not covered because they are held away from or maintained by someone other than Fidelity."
In a timely email, Charles Schwab just this week sent me the following information:
"We want you to have the highest level of confidence when you do business with Schwab. That's why we offer you this simple guarantee: Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity. Read more about our Security Guarantee at"[7]
That sounds excellent until you click on that link and see the limitations of the guarantee:
"Does the guarantee apply to my account if I use a financial application ("app") or program that retrieves my account data from Schwab for things like financial planning or to help me manage my finances?

Yes, with some conditions. You must not share your Schwab login credentials with anyone or through a non-Schwab app. A firm that retrieves, aggregates, and presents account information to a customer for financial activities is known as an "aggregator." When you authorize an aggregator and instruct Schwab to allow the aggregator access to your account information, the aggregator as well as its employees, agents and financial apps and companies the aggregator does business with who receive your Schwab account information ("aggregator third parties") are considered your authorized persons. The guarantee only applies to unauthorized activity in your account. What an aggregator or an aggregator third party does in connection with your account and your information is authorized, so the guarantee does not apply to their actions."
Sharing login credentials typically invalidates that "100% guarantee" that your loss will be recovered. How broad can a financial service company's definition of "sharing" be?

  • Providing your login credentials to any other person, such as a financial advisor, is generally considered sharing. One company's website suggested that giving your login credentials to your spouse is sharing and recommended that spouses submit paperwork to give one another access to their accounts, instead.
  • Providing login credentials to a third-party aggregator is typically considered sharing. Popular third-party aggregators include, Vanguard's Portfolio Watch, and Fidelity Investments Fullview.
  • As mentioned above, Wells Fargo assumes that you have shared your login credentials with anyone who can fool your smartphone's fingerprint ID feature.
  • Fidelity Investments assumes that someone who learns your login credentials by a security breach or malware is authorized to access your account.
  • TreasuryDirect®'s statement above appears to state that anyone who has your login credentials is authorized to make transactions in your account regardless of how the credentials were obtained.
The message is quite clear: if you want a guarantee against online fraud, don't share your login credentials with anyone or anything and don't let them be stolen. Some recurring themes run through these policies.

  • You have no fraud protection guarantee at any investment company I have researched if you share your login credentials,
  • The company's definition of "sharing" can be quite broad,
  • Investment companies can have vastly different descriptions of what they consider "adequate" protection of your credentials, and
  • Some companies don't protect all types of accounts.

When I began research for this post, I had hoped to be able to provide some general guidelines for all banks, credit unions and investment companies regarding their online fraud protection. Unfortunately, I found that they vary so much that I needed to read every policy for every financial services company that I use to understand my protections and what I am required to do to be eligible for their "100% online guarantees." I changed my passwords at each one, in part so I no longer run afoul of "third-party-aggregator sharing" rules and to be completely honest, in part because the protections weren't as ironclad as I had assumed. I strongly suggest that you do the same.

So, bottom line, fraud protection at investment companies, banks and credit unions is significantly weaker than for credit cards, debit cards, EFTs, and ATMs.

But what about SIPC, you ask? Isn't it the equivalent of FDIC for banks? No, SIPC offers protection of assets at failed brokerage firms. According to their website[9], "SIPC protects against the loss of cash and securities – such as stocks and bonds – held by a customer at a financially-troubled SIPC-member brokerage firm. The limit of SIPC protection is $500,000, which includes a $250,000 limit for cash. Most customers of failed brokerage firms are protected when assets are missing from customer accounts."

Unless it is failing, your investment company backs your brokerage accounts, not SIPC.

Having read this post, extremely risk-averse investors might be tempted to try to find financial services companies with no Internet access. They may be surprised by how difficult that has become. This is the world we live in: we're forced online but not adequately protected from online security problems. Security is largely in our own hands.

Fortunately, there are steps we can take to secure our accounts. Unfortunately, none is perfect.

Here's my advice. Google "online fraud protection company name" for every bank, credit union, investment company or other financial services company you use online. (Links to a few are provided below in REFERENCES.) Search their websites for the following information:
  1. Is there an online fraud guarantee?
  2. Under what conditions are you not covered?
  3. What types of accounts are covered?
  4. What actions does the company require on your part to ensure that your login credentials are "adequately" secured?
Here's a tech hint that will help when they play the fine-print game. Command+ on a Mac or CTRL+ on Windows will usually increase that tiny font as much as you'd like. (I'm looking at you, Fidelity.)

Because this post is already, as my grandfather would say, longer than a horse's face, I have posted some recommended security measures you should implement with all of your financial accounts, including TreasuryDirect®, at How to Secure Your Online Financial Accounts.


[1] For Big Banks, It’s an Endless Fight With Hackers, New York Times.

[2] Regulation E, Federal Reserve.

[3] Your Liability for Unauthorized Credit and Debit Card Charges,

[4] Wells Fargo online fraud policy.

[5] That Fingerprint Sensor on Your Phone Is Not as Safe as You Think, New York Times.

[6] Fidelity Investments online fraud policy.

[7] Charles Schwab fraud policy.

[8] Vanguard Investments Online Fraud Policy

[9] Securities Investor Protection Corporation (SIPC) website.

Tuesday, July 23, 2019

Navigating the TreasuryDirect® Maze

In a previous post, The Best Inflation Protection You Never Heard Of, I wrote about U.S. Series I Savings Bonds. Like Treasury Inflation-Protected Securities (TIPS), I Bond returns compensate for inflation, as measured by the CPI-U Index.

I like Series I Bonds but the TreasuryDirect® website, not so much.

The two types of bonds (I Bonds and TIPS) are otherwise significantly different. I Bonds have some unique features as I previously explained, but they also have significant maximum purchase restrictions that make them cumbersome for wealthy retirees to accumulate.

Those maximum purchase restrictions were one of two issues raised by readers of that post, the other being difficulty in navigating the TreasuryDirect® website to purchase the bonds.

Individuals can purchase up to $10,000 of I Bonds per social security number per (calendar) year, which means a couple can purchase $20,000 annually. A single, retired friend complained that it would take decades to buy enough I Bonds at $10,000 per year to fill his bond portfolio. I suppose I can somewhat sympathize with that "problem" except that I know a lot of people who would love to have it.

I, too, need to own TIPS in addition to the I Bonds I purchase but I don't think of my inability to buy as many I Bonds as I'd like as a reason not to purchase any. Other than the maximum purchase limitation, they have some very attractive features.

TreasuryDirect® e-commerce capabilities could use some work. I just spent two weeks working with a couple of well-educated clients who struggled mightily but were ultimately successful in purchasing I Bonds for both spouses. I will offer some tips that might help you navigate the website (and therein lies the first tip: don't go to or

The first step to purchase I Bonds at TreasuryDirect® will be to open an account for yourself and one for your spouse if you are married. You can submit your application(s) online by clicking here and then click the "Go" button. But, there is some prep work you will need to complete first.

For each account that you will open at TreasuryDirect® you will be required to submit a TreasuryDirect® Account Authorization Form, FS Form 5444, and snail-mail those completed forms to the Treasury Retail Securities Service address on the form. The form requires a bank's signature guarantee or a brokerage's signature guarantee or Medallion Guarantee. Certification by a notary isn't acceptable. Do not fill out the form until you are in the presence of the guarantor.

You will need a source of funds to purchase the bonds, of course, and you have two options. Typically you will want to purchase bonds using an account at a bank that accepts Automated Clearing House debits and credits. (There is a second way using a "Zero-Percent Bond" to make payroll purchases or a recurring bank debit.) You will provide your banking information when you create the TreasuryDirect® account, so have check(s) available to provide the routing and account numbers.

One of the clients I helped was notified that his account application "needed further security checks." About a week later, he was informed that his application had been accepted, though he was unable to find out why additional checks had been necessary.

You may also need to move funds into the bank account before the bond purchase. If you need to sell stocks or funds, for example, to purchase I Bonds, then be aware that it may take a few days for the brokerage sale to clear and another few days to transfer the sale proceeds to the bank account. There are sometimes ways to link bank accounts and brokerage accounts to make this work faster in subsequent years.

As I pointed out in the aforementioned post, you will normally want to purchase I Bonds from a taxable account. If you withdraw retirement account funds, the transaction will be taxable at ordinary income rates and may be subject to penalties. TreasuryDirect® accounts cannot be retirement accounts.

TreasuryDirect® sells several different types of bonds. Once you reach the purchase page, be sure to select "Series I", the second radio button from the bottom of the page.

To summarize the steps:
  1. Collect social security numbers for each of the spouses.
  2. Find a check for each of the bank accounts(s) from which you will make the purchase of I Bonds.
  3. Go to TreasuryDirect® Open Individual Accounts and open an account for each spouse. Set up strong passwords for the accounts, write them down and store them safely. (A strong password is very important, so please don't skip this.) Save copies of all confirmations for a paper trail.
  4. If you are asked to submit FS Form 5444, download it and take the blank form(s) to your bank or brokerage for signature guarantee(s). Mail the completed form(s) to the address stated on the form. (Update: I edited this after a reader comment below. Though I was unable to find a definitive statement online, it appears that this form is only required if 1) your submission can't be validated online or 2) you are randomly selected to submit it. Regardless, you will be instructed to submit it as part of the application submission process if it is required.)
  5. If you will use funds from a brokerage account instead of a bank, sell the appropriate amount of assets. Use funds from a taxable account — TreasuryDirect® accounts cannot be registered as retirement accounts.
  6. When the brokerage trade is completed and funds are available, transfer those funds to the bank account(s) that you registered during the TreasuryDirect® account creation process in step 4.
  7. When the bank deposits are available, log onto your TreasuryDirect® account(s), click the red "BuyDirect" tab, select "Series I Bonds" from the options, and enter your purchase. Your registered bank account number from which funds will be drawn will be in a drop-down box.
When you return to purchase more I Bonds next calendar year, you will be able to skip steps 1, 2, and 3. TreasuryDirect® e-commerce software and paperwork requirements are a bit of a maze but the steps are necessary to protect your account. These instructions should help and you can console yourself with the thought that next year's purchases should be a lot easier.

Wednesday, July 10, 2019

My Preferred Planning Software is MaxiFi

I've been working on a research paper with UNC econometrician Neville Francis for the past year and that has given me the opportunity to look at several free online retirement planners. Overall, I have to say that most were disappointing.

I have also worked for several years with another online retirement planning tool that is not free but is quite affordable, economist Laurence Kotlikoff's MaxiFi.[1] I recently asked Dr. Kotlikoff some questions about his product.

Dr. Kotlikoff, you say that MaxiFi is based on "consumption smoothing", the "proposition that households want to have a stable standard of living through time as well as across good times and bad times." What does that mean to a retiree or to someone saving for retirement?
Consumption smoothing is at the heart of economics-based financial planning. It's firmly anchored in human physiology. None of us wants to splurge today and starve tomorrow. Nor do we seek the opposite. Whether retired or still working, rich or poor, we're after the same thing — a highly stable living standard. Leaving aside issues of investment risk, the core financial planning question is how much to save each year to achieve a smooth consumption ride. MaxiFi calculates this directly based on your lifetime resources net of future taxes and gross of future Social Security benefits. In so doing, MaxiFi eliminates the guesswork in planning your retirement finances. It also helps you find investment strategies that limit your investment risk. In contrast, conventional financial planning asks you to set a goal for annual retirement spending. My goal is $1 billion.
A retirement planner recently commented to me that retirees don't all want "smooth consumption"; some want to spend more early in retirement. But spending more at some ages than others isn't inconsistent with "smooth" consumption, is it?
MaxiFi has a Standard of Living Index that lets you tell the program you'd like to have a higher living standard earlier in life and a lower one later on. The tool will recommend discretionary spending that follows your desired living standard path as closely as possible subject to not putting you in debt. You can also specify special expenditures, like a major trip when you reach 70. MaxiFi will budget for this and have you pay for it by spending less every year before and after the trip.
Most retirement planning tools measure success with "probability of ruin", or the percentage of simulated future scenarios in which a retiree can expect to not outlive their savings. Please explain why you prefer consumption smoothing.
Conventional planning is built on three mistakes. First, it asks people their retirement spending targets. Mine is $1 billion a week. So right away I've made a mistake. But even if I guess a "reasonable" number, I'm going to be miles off the level that MaxiFi will calculate. Second, conventional planning assumes you'll keep saving what you are now saving. That's mistake number 2. What you are now saving is surely wrong. The third mistake is assuming you'll spend your targeted amount year after year in retirement whether your assets go through the roof or fall through the floor.

Conventional planning's "probability of ruin" Monte Carlo simulations calculate the chance you'll run out of money if you make all three mistakes, i.e., if you a) save the wrong amount each year before retirement, b) spend the wrong amount year after year after retirement, and c) never adjust your annual spending once you retire. I can't fathom why anyone would wish to know the probability of financial survival in the context of making three major financial mistakes. Financial planning is supposed to help us make the right financial decisions, not tell us something we don't want to know about something we shouldn't be doing.
I can find lots of free "single-purpose" planning tools on the internet, tax planners, sustainable withdrawal rate calculators, life expectancy calculators, Social Security optimizers, RMD calculators, asset allocators, etc. Is there an advantage to incorporating them into a single program like MaxiFi?
All our financial decisions are interconnected. Take life insurance. You can't decide how much to buy until you know the living standard you need to insure. But your sustainable living standard (if no one dies) depends on the amount of insurance premiums you'll be paying. So, your living standard and life insurance needs must be jointly calculated. MaxiFi does this. It jointly handles all the factors you mention and more. The advantage of MaxiFi's integrated financial planning is that all its suggestions and calculations, including federal and state taxes, are absolutely internally consistent. If you use piecemeal calculators you'll get a set of suggestions that don't add up.
MaxiFi asks for only a few of my expenses as input. Why is that?
MaxiFi asks you to specify your "off the top" expenses on housing and other must-spend items, like alimony payments, out-of-pocket medical expenses, or college tuition. These expenditures are like negative income. Your other resources less a) these off-the-top expenses and b) your lifetime taxes determine your lifetime budget — what you can spend on a discretionary basis over the rest of your life. MaxiFi then smooths this spending. If we were to ask you to specify everything you were going to spend each year, year in and year out, you'd give us amounts that were either a) unaffordable or b) left some of your lifetime budget on the table.
Is MaxiFi a "Monte Carlo" simulator?
MaxiFi does Monte Carlo simulations on your living standard. It calculates 500 living standard trajectories you might experience based on how you are investing. It then compares these 500 trajectories with 500 based on investing more safely and 500 based on investing at greater risk. These trajectories take into account that you'll adjust your spending annually in light of how well your investments fare, always with the goal of having a stable living standard. Best yet, MaxiFi combines all of the 500 trajectories in a single index of your average lifetime happiness — what economists call your Expected Lifetime Utility. This index, which takes into account your tolerance for risk, lets you compare in terms of three numbers (one for each of the three sets of 500 trajectories) how your current investment strategy stacks up against investing at less or more risk. Lifetime expected utility maximization is the gold standard of economics-based portfolio guidance.
Can MaxiFi tell me if I should purchase life insurance or an annuity?
Absolutely. It calculates how much term life insurance you need to hold each year to ensure survivors have the same living standard to the dollar had you not died. It also shows you how much higher or lower your living standard will be if you purchase an annuity.
Can I perform what-if analyses with MaxiFi? What kinds of things can I test?
You can set up as many alternative profiles as you'd like and compare them against your base case in terms of their lifetime discretionary spending. For example, you can easily learn how much more you'll get to spend if you downsize or if you go back to work or if you switch jobs or if you annuitize your retirement accounts or if you wait to take your Social Security benefits.

But MaxiFi also does its own what-ifs for you. Once you run your base plan, MaxiFi asks you to MaxiFi It. When you run this report, MaxiFi looks for safe ways to raise your living standard by maximizing your lifetime Social Security benefits and finding the retirement account withdrawal strategy that will reduce your lifetime taxes.
Where can I learn more about how MaxiFi works?
Go to Check out the videos, the case studies, and other descriptions posted there. And then try it! I promise, you'll get hooked on its ability to safely raise your living standard and finally take the guesswork out of financial planning.
(Note: If you prefer video instruction, I have added two links below to recent MaxiFi Webinars.)[2,3]

Those are some of the reasons Dr. Kotlikoff believes MaxiFi's economics-based approach is best. Now, here's why I like it.

At $99 per year with $70 renewals, it's quite affordable for the do-it-yourselfer.

Dr. Kotlikoff and his team have steadily improved and refined the product, beginning with E$Planner, for over 25 years. That leaves the others with a lot of catching up to do with both the economics and the technology.

As a computer scientist, I know from experience that Dr. Kotlikoff has a top-notch technical staff and their help desk has always been available when I needed it with real people who know their product.

MaxiFi completely avoids the limitations of probability-of-ruin estimation. Instead, it incorporates consumption smoothing and maximizes the utility of achievable spending.

Many retirement planning tools address only the decumulation phase, when we retire and begin spending down our wealth. MaxiFi is a life-cycle planner and is useful at any stage.

Lastly, as Dr. Kotlikoff mentions, MaxiFi integrates many calculations into a single model. Most free online simulators handle only a part of the problem, like maximizing Social Security benefits or modeling investment returns. Retirement planning isn't a problem that can be solved by solving many individual sub-problems independently.

If you're interested in financial planning software, give MaxiFi a try. You can use it to build a retirement plan or to create a "second opinion" of one you already have. It's also a good tool for your annual retirement plan checkup.

I rarely promote products at my blog but I know that many of my readers are do-it-yourselfers and many have expressed interest in software tools. I have a lot of confidence in MaxiFi. A multi-client version called MaxiFi Pro is available for advisors.

There are a number of new entrants into the online retirement planning field and I'll keep looking for free or affordable, unbiased, comprehensive planning tools. If you are especially fond of another tool that shares these attributes, please add a comment below.

To be clear, I don't believe that software can effectively replace a good human retirement planner given the current state of the technology, though the latter will no doubt cost more. I think you'd be way better off using a good human planner who uses good planning software. But for now, at least, I prefer MaxiFi for the do-it-yourselfer.


Economist Zvi Bodie now links to his "trusted sources" at I find the entire website very useful and particularly the videos. provides a wealth of retirement planning software. I encourage you to take a look. Full disclosure, I act as an advisor to NewRetirement.


[1] MaxiFi web-based planner, website.

[2] MaxiFi Webinar, June 26, 2019, VIDEO.

[3] MaxiFi Webinar, June 13, 2019, VIDEO.

Wednesday, July 3, 2019

The Best Inflation Protection You Never Heard Of

In a recent post, I discussed inflation's potential impact on your retirement income (see Remember Inflation?) and I warned against letting three decades of low inflation lull us to sleep.

Inflation rates are low right now, about 1.9% per year according to the U.S. Department of Labor. Even at that rate, a 2019 dollar in 2049 would purchase only $0.56 worth of goods and services in constant dollars of 2019 by the end of a 30-year retirement. Assuming the long-term average inflation rate of 3.15%, that dollar in 2049 would be worth only $0.38 in 2019 dollars.

Of course, there isn't a strong argument that inflation rates won't be significantly worse than average sometime in the next thirty years, as they have been in four of the past eleven decades. The reality is that no one can predict future inflation, mean or worst-case, with any certainty.

It is nearly certain that we will see some level of inflation over several years of retirement and even low levels will erode the purchasing power of nominal annuities and pensions. The only real question is how much.

Economist Zvi Bodie and I recently published a paper[1] recommending that retirees consider purchasing CPI-adjusted annuities and CPI-adjusted bonds (TIPS)[2] instead of their nominal alternatives.

Retirees with pensions rarely enjoy inflation protection and when they do it is limited. I have several friends and family members covered by the Kentucky Teachers' Retirement System, for example. According to their website, their pensions currently offer a 1.5% cost of living adjustment which is much better than nothing but won't adequately compensate for historical average inflation or even today's low rate.

Annuities, whether CPI-adjusted or nominal, aren't the best solution for every household but there are other inflation-protecting alternatives to consider. TIPS are another choice for consideration but for this post I'll suggest U.S. Treasury Series I Savings bonds, or I Bonds.[3]

I Bonds are meant to be used as inflation protection for individual households and can only be purchased online at®.[4] The interest rate they pay consists of a fixed rate, currently 0.5% plus a variable inflation rate, currently 1.4% per year, that is recalculated twice a year. The fixed rate has been as high as 3.4% in 1998. These components constitute a "composite rate" that is currently 1.9% per year. Before you lose interest in a 1.9% return, consider several additional features of I Bonds that distinguish them from CDs or money market funds that don't compensate for inflation.


CDs typically can be purchased with terms up to five years. I Bonds pay interest for 30 years.

The early withdrawal penalty for a CD depends on its term. A 5-year CD, if redeemed before the end of its term, will typically incur a penalty of about nine months of interest and a 1-year CD typically three months. I Bonds can't be redeemed for one year after purchase but there is no penalty for redemption after five years and only a 3-month penalty for redemptions between one and five years.

If I Bond interest rates decline, you have locked in your rate for up to 30 years. If rates increase, you can sell your old bonds and buy new ones, subject to annual purchase limits described below.

According to Dr. Bodie, "...another advantage of I Bonds is that [should interest rates rise,] investors could then cash out their existing I Bonds (and keep principal plus accrued interest) and buy new ones at the higher rate of interest. In other words, whether interest rates go up or down, the investor is protected. (But note that if you buy new I Bonds you would be subject to the $10,000 limit.) If you have the money, you would have to be nuts not to invest in I Bonds up to the limit."

I Bonds can never yield less than zero, so in the worst case your investment will maintain its purchasing power. In the event of deflation, I Bonds would increase in value.

From a tax perspective, according to®.[4], I Bonds are somewhat similar to a non-deductible IRA in that tax on interest can be deferred. You don't have to pay taxes on earnings until the bonds are redeemed, though you can choose to pay annually if that benefits you. I Bonds are subject to federal income taxes but not state or local income taxes. CD and money market fund interest can be subject to all three if held in a taxable account and interest is taxed as it accrues annually.

I Bonds do have some drawbacks. A household can purchase a maximum of $10,000 per Social Security number per year. Still, that's $20,000 per year for a couple. Additional purchases can be made up to $5,000 per Social Security number per year if the purchase is made from a federal tax refund.

Some advisors suggest that the maximum annual purchase limitations mean I Bonds will be less interesting to households with a lot of savings. Perhaps, but I find them too good a deal to pass up even if I'd like to buy more (and I would).

I Bonds can't be purchased in a retirement account. Certain entities in addition to individuals, however, are permitted to open®.[4] accounts including a personal trust, such as a revocable or "living trust."[5]

The real interest rate on I Bonds will be relatively low because they are extremely safe, backed by the U.S. Treasury and protected from inflation.

With the very low early-withdrawal penalties, I Bonds can be an excellent solution for investing an emergency fund or for any other future liability beyond one year and for protecting that investment against inflation. They are accessible by retirees with limited resources in denominations as low as $25. Even households with large retirement savings may want to max out I Bond purchases before buying TIPS.[6]

It's a struggle to find retirement strategies for under-saved households but I Bonds provide one. Households that are able to save some of their early-retirement income from pensions and Social Security benefits could use those savings to purchase I Bonds that would then provide inflation-protected consumption later in retirement.

To find out more about Series I Savings Bonds and how to purchase them, go to®.[4]. Creating an online account at®.[4] is currently the only way you can purchase them. If you prefer video explanations, please see the links below.

TIPS: (the old-fashioned kind)®.[4] is an excellent informational website but it could be a better e-commerce site. Don't enter "" into your browser (it's ""). Likewise, don't enter "", that's a different website. To purchase I bonds, go to the homepage "" and click on the green "Open an Account" link toward the upper right.

For more help creating an account and funding it, see Navigating the®.[4] Maze.


[1] Hedging Against Inflation with Real Annuities, Zvi Bodie and Dirk Cotton.

[2] TIPS in Depth,

[3] Series I Savings Bonds,

[4] America’s Best Kept Financial Secret: I Bonds, Zvi Bodie on PBS.

[5] How To Transfer I Bonds to an Entity Account,

[6] Comparing I Bonds to TIPS,

[7] How to Buy Digital Savings Bonds Online, VIDEO.

[8] How to Buy Digital Savings Bonds as Gifts, VIDEO.

[9] How to Protect Your Nest Egg from Inflation, Zvi Bodie, VIDEO.

[10] Guided Tour for Opening an Individual Treasury Direct account,

Friday, June 28, 2019

The Real Cost of Nominal Annuities

There are a number of ways that a retiree could speculate on the direction of future inflation but I doubt that many would want to. I imagine that most retirees would prefer to "inflation-proof" their retirement plan to the extent possible, instead. It’s possible to speculate on inflation, however, without even being aware that you are.

My last post, Remember Inflation?, was intended as preparation for this one and I recommend you read it first unless you feel you have a good understanding of the topic.

I recently co-authored a paper entitled, “Hedging Against Inflation Risk with Real Annuities” with economist Zvi Bodie. Dr. Bodie has made key contributions to Life-Cycle economics and pension planning. If you’re studying retirement finance and are unfamiliar with his work, then you need to remedy that. I’ll provide links in the references below to get you started but the obvious places would be his website[1] and two of his books, “Risk Less and Prosper”[3] and “Worry-Free Investing.”[2]

Here's the crucial point of the paper in a nutshell. We obtained annuity quotes recently for a nominal (no inflation protection) income annuity, a nominal income annuity with a 3% annual cost-of-living adjustment, and a "real" annuity with no caps that is adjusted annually for inflation based on the Consumer Price Index for All Urban Consumers (CPI-U).[4]

Table 1.

I can purchase a nominal annuity that pays out $6,440 a year but because I can't predict future inflation, I have no idea how much purchasing power it will have in the future. Its future purchasing power might be a lot more or a lot less than $4,550 will purchase today in 2019 (see the first row of Table 1).

The rightmost two columns of Table 1 show the purchasing power in today's dollars twenty years from now if future inflation should mimic the high inflation of the 1970s and 1980s (column 5) and the same if future inflation looks like the low-inflation 1950s and 1960s (column 6). Both real payouts, $1,723 and $4,109, would have been significantly lower after twenty years than the initial $6,440 payment of the nominal annuity.

I can purchase a nominal "graduated-payment" income annuity that pays out $4,670 for the first year with a payout that increases 3% each year thereafter regardless of the rate of future inflation. Like the level-payment nominal annuity in row one, I have no idea how much purchasing power it will have in the future.

I can purchase a CPI-adjusted annuity today that pays out $4,550 a year for as long as I live (row three). If I live for 30 years or more, it will still provide $4,550 of purchasing power in 2019 dollars. This is the only annuity I can purchase from among these three for which I can predict future purchasing power.

Which annuity will provide more lifetime purchasing power, the nominal annuity that pays $6,440 per year or the real annuity that pays $4,550?

That's a trick question. The correct answer is that we can't know until the end of retirement. Nominal and real dollars are apples and oranges so we can't compare them directly. We need to convert the nominal dollars to real dollars — their future purchasing power — to compare the two. That's easier said than done because it requires that we make a guess about unpredictable future inflation rates.

If future inflation is benign, as it was from 1950-1970, then both the nominal level-payment annuity and the nominal annuity with a 3% COLA seen in Chart 4 would end up purchasing more at today's annuity prices than the CPI-adjusted annuity.

On the other hand, if future inflation is historically high, as shown in Chart 3 of the 1970s and 1980s, then the CPI-adjusted annuity would end up purchasing more than either of the two nominal annuities.

Charts 3 and 4 represent historically high and low inflation rates for 20-year periods since 1913 so other periods would have shown results of inflation ranging between those two.

The question this raises is whether that potentially large difference in a nominal annuity or bond's future purchasing power is a risk you want to take. Do you prefer a lifetime of $4,550 of near-certain 2019 purchasing power or would you be happier with a lifetime of 2019 purchasing power that ends up somewhere, unpredictably, between $2,257 and $5,381 after 20 years for the COLA annuity or between $1,723 and $4,109 for the nominal level-payment annuity?

Do you purchase an annuity to provide guaranteed purchasing power for life, or to provide a fixed number of dollar bills whose future purchasing power is unknowable? Is this something you want to speculate on?

The CPI-adjusted annuity has no inflation risk. It is a true inflation hedge. Purchasing a nominal annuity (or a nominal bond) is a bet on future inflation that you probably don't want to make.

Where does the graduated-payment (COLA) annuity fit in? The annual increases are chosen when you purchase the annuity. Adjustments are not linked to inflation but increasing income would offset some inflation, though it would provide a lower initial payment.

Joe Tomlinson did an analysis for the Journal of Retirement Income and concluded that "An inflation-indexed SPIA would be ideal. A COLA-SPIA may be the next best alternative."[6]

In a separate analysis, Tomlinson found that at today's annuity prices, inflation needs to average 3.57% for the real annuity to outperform the level-payment nominal annuity. Inflation averaged 7.3% in the 1970s, 5.8% in the 1980s, 4.9% in the 1940s, and nearly 10% in the 1910s. All are significantly higher than the long-term average rate of inflation of 3.15%.

I have two concerns regarding inflation. First, even today's low inflation rate of around 2% will roughly halve a retiree's purchasing power over a 30-year retirement. Every retirement plan should consider inflation risk but after three decades of low inflation, it may not get the attention it deserves.

My second concern, also expressed by Tomlinson at Advisor Perspectives, is not the risk that inflation runs a little more than average but that it substantially exceeds average inflation for a prolonged period, as it has done in four of the last eleven decades (see Chart 1), and decimates the purchasing power of a nominal pension or a nominal annuity with or without a COLA. This is a potentially catastrophic outcome that isn't adequately addressed by nominal annuities even with a COLA. As I have often said, I believe retirement plans should take unacceptable outcomes off the table.

If you don't want to buy a CPI-adjusted annuity, have already purchased a nominal annuity, or have a pension without inflation protection, it's important to understand your inflation risk exposure and to try to mitigate it in other ways. You can do this by stress-testing your retirement plan to make sure you would retain minimum-acceptable income even in a period like the 1970s and 1980s. If you would not, you then need to look for other ways to mitigate inflation risk.

You can stress test this easily with planning software like MaxiFi Planner[7] or ask your planner to run a high-inflation scenario for you.

The risk of purchasing a nominal annuity or owning a nominal pension has to be considered within the context of the rest of your retirement plan. For example, if a severe loss of the purchasing power of the pension or annuity would not compromise your standard of living because they represent a small portion of your income-producing assets, then they pose less risk to your plan. A nominal annuity or pension that is a major source of your plan's income would obviously be riskier. Purchasing a nominal annuity can be a rational choice in some scenarios and the best way to see that is to run the stress test.
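The nominal-versus-real comparison in Table 1, the 30-year erosion of a dollar from the I Bonds post above, and the stress test just described, as one added Python illustration (not code from the paper, from Dr. Bodie, or from any planner). The three annuity quotes are Table 1's figures; every inflation path, the income mix and the $38,000 floor are constructed assumptions, not historical CPI-U data.

```python
"""Real (2019-dollar) income from the three annuities in Table 1 under an
assumed inflation path, plus the inflation stress test described above.

Added illustration for this post, not code from the paper or from any
planner. The three quotes are Table 1's figures; every inflation path
here is a constructed assumption, not historical CPI-U data.
"""
from typing import List, Optional, Sequence, Tuple

LEVEL_NOMINAL = 6440.0  # level-payment nominal annuity, paid every year
COLA_NOMINAL = 4670.0   # first-year payout of the nominal 3%-COLA annuity
COLA_RATE = 0.03        # fixed annual increase, independent of inflation
CPI_ADJUSTED = 4550.0   # real annuity: constant purchasing power by design


def price_levels(annual_rates: Sequence[float]) -> List[float]:
    """P[0] = 1.0 (today's prices); P[t] = price level after t years."""
    levels = [1.0]
    for rate in annual_rates:
        levels.append(levels[-1] * (1.0 + rate))
    return levels


def dollar_after(annual_rates: Sequence[float]) -> float:
    """Purchasing power, in today's dollars, of $1 held for len(rates) years."""
    return 1.0 / price_levels(annual_rates)[-1]


def real_payouts(annual_rates: Sequence[float]) -> List[Tuple[int, float, float, float]]:
    """(year, level_real, cola_real, cpi_real) for each year of the path.

    Year 0 is paid at today's prices; later nominal payouts are deflated by
    the price level reached at the start of that year.
    """
    levels = price_levels(annual_rates)
    rows = []
    for year in range(len(annual_rates)):
        p = levels[year]
        rows.append((year,
                     LEVEL_NOMINAL / p,
                     COLA_NOMINAL * (1.0 + COLA_RATE) ** year / p,
                     CPI_ADJUSTED))
    return rows


def lifetime_real_totals(annual_rates: Sequence[float]) -> Tuple[float, float, float]:
    """Sum of real payouts (level, COLA, CPI-adjusted): the only like-for-like
    comparison, since nominal and real dollars cannot be compared directly."""
    rows = real_payouts(annual_rates)
    return (sum(r[1] for r in rows), sum(r[2] for r in rows), sum(r[3] for r in rows))


def stress_test(nominal_income: float, real_income: float, floor_real: float,
                annual_rates: Sequence[float]) -> Optional[int]:
    """First year in which real income falls below floor_real, or None.

    nominal_income: fixed-dollar sources (nominal pension or annuity).
    real_income: CPI-adjusted sources (Social Security, real annuity, TIPS).
    """
    for year, p in enumerate(price_levels(annual_rates)[:-1]):
        if nominal_income / p + real_income < floor_real:
            return year
    return None


if __name__ == "__main__":
    # Constructed scenarios: 30 years at today's ~1.9% and at the 3.15% average.
    for rate in (0.019, 0.0315):
        print(f"$1 after 30 years at {rate:.2%}: ${dollar_after([rate] * 30):.2f}")
    # Constructed 20-year path at a constant 7% to show a 1970s-style squeeze.
    high = [0.07] * 20
    print("Year 19 real payouts (level, COLA, CPI):", real_payouts(high)[-1][1:])
    print("Lifetime real totals (level, COLA, CPI):", lifetime_real_totals(high))
    print("First year below the $38,000 floor:", stress_test(30000, 20000, 38000, high))
```

A path that matches the COLA rate year for year (3% inflation against a 3% COLA) leaves the COLA annuity's real payout flat, which is the one case in which a graduated nominal annuity behaves like a real one.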

Social Security benefits have historically been adjusted for inflation but most pensions are not. If you have a nominal pension or annuity then its purchasing power will almost certainly decline significantly over a long retirement.

The key takeaways are these. Express your retirement plan in real dollars or insist that your planner do so. Understand your retirement plan's exposure to inflation risk. Consider the possibility and ramifications of not enjoying three more decades of low inflation. Decide if you're willing to speculate on future inflation rates.

So, which annuity has the largest payout, the nominal or the CPI-adjusted? Unfortunately, only time will tell. The only meaningful comparison is based on purchasing power, not first-year payments. You can only be sure about the real annuity's purchasing power.

Unless you're a gambler, why bet on low future inflation? You can completely hedge inflation risk with a no-cap, CPI-U-adjusted annuity. The same logic applies to TIPS and I Bonds instead of nominal bonds.

I'll describe U.S. Series I Savings Bonds in my next post.


[1], Dr. Bodie's website.

[2] Worry-Free Investing at Amazon, by Zvi Bodie.

[3] Risk Less and Prosper at Amazon, by Zvi Bodie.

[4] We obtained recent quotes for income annuities for an unmarried 65-year-old male. The nominal annuity quotes were provided by New York Life and the CPI-adjusted annuity quote was obtained from The Principal. The Principal is currently the only U.S. provider of CPI-adjusted annuities. (We found one additional provider that only sells to its group members.) The Principal sells a "real" annuity through the purchase of a CPI rider for a single payment income annuity (SPIA). Quotes for these annuities are available through and

[6] Making the Case for a COLA-SPIA, Kerry Prechter, The Retirement Income Journal.

[7] MaxiFi Planner online planning tool.