Thursday, December 26, 2019

End-of-Year Thoughts on Retirement Planning

Happy Holidays to you and yours. Here are just a few thoughts I want to share at year's end.

First, I would direct you to the post I wrote this time last year, My Year-End Review and Planning Regime, about steps you might want to take for a year-end review. As I warned then, don't bother being overly precise with your adjustments. This isn't an exact science.

I recall one reader whose adviser was suggesting she sell stocks and incur taxes just to correct an asset allocation by a percentage point or two. The process isn't that precise. It's impossible to know with any accuracy what your asset allocation should be unless you have a crystal ball that tells you next year's asset class returns. (If you do have a crystal ball, just allocate 100% of your assets to the asset class that will outperform all the others. But first, call me!)

I suspect that most retirees overthink the year-end adjustment process.

Next, President Trump signed the SECURE Act last week[1]. The age to begin RMDs was increased from 70.5 to age 72 beginning in 2020. However, "Americans who turned 70.5 years old in 2019 will still need to withdraw their required minimum distributions this year, and failure to do so results in a 50% penalty of their RMD", according to Jamie Hopkins, the director of retirement research at wealth management firm Carson Group.

Also, annuities can now be offered in 401(k) plans, though it may be a while before they actually become available. Third, stretch IRAs are no longer available.[2]

Not everyone is convinced that the changes are dramatic. “The SECURE Act is a nice thing — anything we can do on a bipartisan basis in this day and age is something of value — but my sense is the changes in the act are really quite modest,” said Alicia Munnell, director of the Center for Retirement Research at Boston College and a columnist for MarketWatch.

I won't write yet another post on the topic because there are so many out there. I'll place some links in the references below and recommend that you start with Mike Piper's excellent piece at The Oblivious Investor.[3]

Wishing you a happy and prosperous 2020.


[1] SECURE Act, downloads PDF.

[2] Hello SECURE Act, Good bye Stretch IRA | Ed Slott and Company, LLC, Ed Slott.

[3] Retirement and 529 Changes from the SECURE Act — Oblivious Investor, Mike Piper.

[4] The SECURE Act is changing retirement — here are the most important things to know.

[5] SECURE Act And Tax Extenders Creates Retirement Planning Opportunities And Challenges, Nerd's Eye View blog.

Friday, December 13, 2019

Evaluate Annuities as a Component of Your Retirement Income Portfolio

I wish I could convince more of you, retirees and advisers, to give lifetime income annuities strong consideration for your retirement income plan. They solve a lot of problems from eliminating longevity risk to reducing your portfolio's sequence-of-returns risk.

Purchasing a single-premium income annuity (SPIA) is the single most efficient way to maximize retirement income. According to Wade Pfau's Retirement Researcher Dashboard, a 65-year-old couple with $100,000 today could spend about $5,750 annually from a life-only SPIA, $4,900 from a TIPS ladder, or $3,000 using the "4% Rule."[1] Of course, only the SPIA guarantees income for as long as you live, but it also ends with no value. The TIPS ladder and portfolio can either be depleted prematurely or end up quite valuable depending on your longevity and investment results.

Sadly, it appears that the last company to offer CPI-linked annuities, The Principal, has stopped offering the product. A CPI-linked or "real annuity" also protected against inflation. But as Moshe Milevsky recently asked rhetorically, "Who says you have to get your inflation protection from an annuity?"

Nominal (not inflation-adjusted) annuities can still play an important role. Our goal isn't to ensure that inflation does not ravage our annuity income but to ensure that inflation doesn't ravage our retirement income. As Milevsky's comment suggests, the two need not necessarily be the same.

A frequent objection to lifetime income annuities is that they have no residual value after death, but the terminal net worth issue isn't straightforward. If we look at a simple SPIA in isolation from the remainder of a retirement plan, then clearly its terminal value will be zero. However, Pfau has shown that the most efficient way to generate retirement income for those with adequate resources is a combination of annuities and an investment portfolio. Furthermore, he has shown that purchasing an annuity can actually increase your terminal wealth by allowing your portfolio to grow more aggressively and by reducing sequence-of-returns risk.

For those of us with a bequest motive, our goal should be to maximize terminal wealth (net worth) from all assets whether or not an annuity is depleted. If an annuity provides no terminal value but allows a portfolio to grow larger, then the annuity will have done its job.

I wish I could convince more of you to consider annuities but, frankly, I understand why you might not.

First, unless your adviser also sells insurance, she isn't paid to sell annuities. In fact, your adviser may have a disincentive: an annuity takes away investable assets that generate fees for most advisers. An uninspired and uncompensated adviser is unlikely to go out of her way to find you a great SPIA or to encourage you to purchase one.

The trick is to find an adviser who will provide unbiased recommendations regarding both investments and annuities and who also has a deep understanding of annuity contracts. That sounds like a big ask but I know a few that I trust. They're out there.

Even the simplest SPIAs are complicated. The contracts are not standardized so each has to be evaluated on its own merits. Pfau's recent book, Safety-First Retirement Planning[2], explains this in a chapter dedicated to different types of annuities and suggests questions you need to consider before purchase. You can also find these questions in an article by Pfau at Advisor Perspectives.[3]

Second, a SPIA purchase is a one-time, lump sum irreversible transaction. That's a tough sell for any product, financial or otherwise.

An annuity needs to be evaluated as a component of the entire retirement income plan and not as a standalone purchase. This means that an annuity contract is neither good nor bad but that it might or might not improve your overall plan.

It's like adding a new risky stock to a portfolio. Whether the portfolio's results are improved depends on how that stock's performance correlates with the existing portfolio of stocks. A stock can be a poor investment on its own but a welcomed addition to a portfolio.

The entirety of the retirement plan includes all household assets available for retirement funding including retirement accounts, taxable accounts, emergency funds, and even home equity. All of these may play a role in deciding to annuitize. You might, for example, elect to generate maximum income by purchasing a lifetime income annuity and then fund a bequest with your home equity.

Should you decide to purchase an annuity, a big question will be when to do so. An annuity is basically a bond portfolio with an insurance risk pool that provides mortality credits. These credits are provided to annuitants who live a long time by those who don't. Mortality credits increase over time but are minimal for younger annuitants.

The following chart, created by actuary and retirement researcher Joe Tomlinson, shows the expected bond portfolio return for an annuity (blue line) and expected mortality credits by age (orange line) for a 65-year-old female.[8] Keep in mind that the graph will change based on the annuitant's age, gender, marital status, and interest rates, so this chart is only for demonstration purposes.

Moshe Milevsky has studied the issue of when to optimally purchase annuities for nearly two decades and the advice is, well... complicated. He recently noted, however, that annuitizing too much too early seems highly suboptimal. This is because mortality credits are minimal at lower ages, annuity purchases are irreversible, many households have significant annuitized income from Social Security benefits, and annuity payments are exposed to inflation. Most households may be better off holding those assets in TIPS bonds for a while instead of annuitizing at the beginning of retirement. Laurence Kotlikoff's MaxiFi Planner is one of the tools available to help with the timing decision.[4]

Many retirees have strong reservations about the risk of an insurer failing. Tomlinson has also researched the number of annuities that have failed to deliver on their commitments historically. He found that very few have actually failed and those were from weaker insurers.[5] Purchase your annuities from a highly-rated insurer and you are very unlikely to encounter problems down the line.

Some express concerns about a massive failure of the insurance industry like the housing market crash in 2007. Tomlinson points out that insurance contracts are backed primarily by bonds and that there is no macroeconomic scenario in which a massive failure of the bond market wouldn't have an even worse impact on stocks.

While CPI-adjusted annuities may no longer be available, many insurers offer graduated-payment options or "Cost of Living Adjustments." Although these options suggest otherwise, they have no link to actual inflation. Regardless, researchers David Blanchett[6] and Joe Tomlinson[7] find that many annuities with a COLA option are currently priced more attractively than annuities with level payments, in other words, the insurers are accepting a smaller profit margin. The potential savings are worth investigating.

This raises the issue of how to calculate an annuity's expected value and compare it with other annuity options. This is a somewhat complicated process that Tomlinson explains in What Advisors Need to Know About Annuity Mortality Credits.[8] A retirement planner who knows his annuities should be able to perform this calculation for you.

The best annuity purchase you can make will be to defer your Social Security retirement benefits for as long as possible. If that doesn't provide an adequate floor of safe income, then you really should consider filling the gap with annuities. Integrated into your retirement plan, an annuity can solve several retirement funding problems and mitigate those purchase objections.

To be clear, I don't think that everyone needs to purchase an annuity. Some households will have significant annuitized income from Social Security benefits. Wealthy households may not need them, although they may find the tax benefits attractive. But my guess is that a lot more households would benefit from annuities than purchase them.

I also encounter retirees who fear the stock market and have a strong preference for a dependable, budgetable "paycheck" each month. I generally advise them not to wait to annuitize. It isn't worth the angst to delay.

There are several common objections to life annuities but many of these objections can be mitigated if the purchase is properly integrated into the full retirement income plan and properly timed.

On a personal note, I have some challenges over the next few months that will make it difficult for me to post as regularly as I have in the past or to respond as quickly as I would like to your comments. Please bear with me and know that I will publish and respond to your comments at my first opportunity. Thanks.


[1] Retirement Researcher Dashboard, Wade Pfau.

[2] Safety-First Retirement Planning, Wade Pfau.

[3] Safety-First Retirement Planning, Advisor Perspectives, October 18, 2019, Wade Pfau.

[4] MaxiFi Planner software, Laurence Kotlikoff.

[5] How Safe Are Annuities?, Joe Tomlinson, Advisor Perspectives, August 14, 2012.

[6] Inflation-Linked SPIAs Are a Bad Deal, Advisor Perspectives, by David Blanchett, 5/20/19.

[7] Which Annuities Offer the Best Inflation Protection?, Advisor Perspectives, Joe Tomlinson.

[8] What Advisors Need to Know About Annuity Mortality Credits, Advisor Perspectives, by Joe Tomlinson, 7/31/17.

Thursday, October 24, 2019

Two Pitfalls at Age 70½ That You'll Want to Avoid: Missed RMDs and the Tax Torpedo

It seems like hardly a week goes by without someone emailing me to ask, "who is the pinko-Commie wealth-confiscator who created RMDs and why do I have to disturb my nest egg and pay taxes on it?" or something to that effect. With my contemporaries approaching the key age of 70½ (well, more accurately the contemporaries of my imaginary much older sister), maybe it's time for one more post on required minimum distributions (RMDs).

In case you bail on this post after a couple of paragraphs, there are two very important things to know before you go. First, you are required to take required minimum distributions from all employer-sponsored retirement plans, including:
  • profit-sharing plans,
  • 401(k) plans,
  • Roth 401(k) plans,[1]
  • 403(b) plans, and
  • 457(b) plans.
The RMD rules also apply to traditional IRAs and IRA-based plans, including:
  • traditional Individual Retirement Accounts (IRAs),
  • SEPs,
  • SARSEPs.
The RMD rules do not apply to Roth IRAs while the owner is alive but may apply to an inherited Roth. The rules differ for a spouse and other beneficiaries.[10]

If you have one or more of these accounts, heads up!

Second, the penalty for missing an RMD due date or withdrawing less than the correct RMD is 50% of the amount not withdrawn by the due date.[11] You read that correctly — 50%. Your first RMD will be due by April 1st of the year after you reach age 70½. After that, RMDs are due on December 31st every year. Kiplinger has a calculator if you want to double-check your calendar math.[2]

OK, having been suitably warned, you can now feel free to bail at your own risk.

Congress created the IRA in 1974 with a pretty simple deal. Eligible workers under the age of 70½ could contribute to an IRA annually the lesser of $1,500 (a little over $7,000 in today's dollars) or 15% of compensation and not pay income taxes on these contributions or their investment earnings until funds were withdrawn from the IRA when we retired, which, at the time, seemed eons in the future.

Since withdrawals would be taxed at whatever the ordinary income tax rate (the rate we pay for work income) might be on the future date of the withdrawals, we were essentially allowed to defer income taxes on the amount of the contributions for four decades or so, at which time we would finally begin to pay income taxes on the original income and any earnings on that income. (The taxes were deferred, not avoided.)

This sounded like a pretty good deal and a lot of people jumped at it. Contributions totaled $1.4B in the first year. It was a good deal but after 44 years of tax deferral, shock of shocks, a lot of people don't want to pay the taxes now, either!

Go figure.

By 1987, Congress apparently realized that wealthier households might not need to spend the money in their IRAs so they created RMDs to discourage taxes being deferred forever. The goal of RMDs is to help ensure that most retirement account savings are actually spent during retirement, which was the original intent of Congress.

As I mentioned, the penalty can result from missing a deadline but also from miscalculating the RMD and withdrawing too little even if the deadline is met.

RMDs are calculated by dividing the balance of your IRA account on December 31st of the previous year by a factor that is based on your current age from IRS tables.[4] This is definitely the hard way.

You can Google a plethora of RMD calculators on the web that will make the calculations simpler. Your account custodian's[12] website probably has one. You will need to calculate the RMD for all retirement plans (except Roth IRAs) across all custodians and withdraw their sum.

Easier still is to sign up for automatic RMD services with the investment companies that act as custodians for your accounts. Vanguard[8], Fidelity[7] and Charles Schwab[9], for instance, offer these services. They will withdraw the correct RMD by the correct deadline and eliminate that source of stress.

If you do make an error, Kiplinger explains that the error can be fixed and the penalty waived under certain circumstances.[3]

The second potential pitfall that can occur at age 70½ is directly related to RMDs but involves the taxation of your Social Security benefits. Social Security benefits are taxable at one of three levels based on your "combined income", which is essentially half of your Social Security benefit plus your other gross income and any tax-exempt interest.[5]

Based on this combined income, either none, 50% or 85% of your Social Security retirement benefits will be taxable. The 70½ problem is that RMDs might increase your income enough to make more of your Social Security benefits taxable, thereby increasing your total tax bill. This is a possibility, sometimes referred to as the "Tax Torpedo", that you should discuss with your tax planner, preferably well before you reach age 70½.
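The Tax Torpedo worked through in code, as an added example that is not part of the original post. It implements the IRS combined-income rule with the statutory base amounts ($25,000 and $34,000 for single filers, $32,000 and $44,000 for joint filers), which I am supplying from the tax code rather than from the post; the benefit, income and RMD figures are constructed.

```python
"""Added example (not the author's): how an RMD raises combined income and
drags more Social Security benefits into taxable income. Thresholds are the
statutory base amounts, which are not indexed for inflation."""

BASES = {  # (first-tier, second-tier) combined-income thresholds by filing status
    "single": (25_000.0, 34_000.0),
    "joint": (32_000.0, 44_000.0),
}


def combined_income(benefit, other_income, tax_exempt_interest=0.0):
    """Half of the Social Security benefit plus other gross income and any
    tax-exempt interest: the 'combined' (provisional) income the post describes."""
    return 0.5 * benefit + other_income + tax_exempt_interest


def taxable_benefits(benefit, other_income, tax_exempt_interest=0.0, filing="single"):
    """Portion of the benefit included in taxable income: none below the first
    threshold, up to 50% between the thresholds, up to 85% above the second."""
    base1, base2 = BASES[filing]
    ci = combined_income(benefit, other_income, tax_exempt_interest)
    if ci <= base1:
        return 0.0
    if ci <= base2:
        return min(0.5 * benefit, 0.5 * (ci - base1))
    # Above the second threshold: 85% of the excess plus the capped first-tier
    # amount (4,500 single / 6,000 joint), never more than 85% of the benefit.
    tier1 = min(0.5 * benefit, 0.5 * (base2 - base1))
    return min(0.85 * benefit, 0.85 * (ci - base2) + tier1)


def rmd_torpedo(benefit, other_income, rmd, filing="single"):
    """Taxable income created by an RMD: the RMD itself plus the benefits it
    pulls into taxation. Returns (extra taxable benefits, total added taxable
    income, taxable dollars per dollar of RMD)."""
    before = taxable_benefits(benefit, other_income, filing=filing)
    after = taxable_benefits(benefit, other_income + rmd, filing=filing)
    extra = after - before
    total = rmd + extra
    return extra, total, total / rmd


if __name__ == "__main__":
    # Constructed case: single filer, $20,000 benefit, $30,000 other income,
    # then a $10,000 RMD arrives at age 70 1/2.
    extra, total, per_dollar = rmd_torpedo(20_000.0, 30_000.0, 10_000.0)
    print(f"RMD of $10,000 adds ${extra:,.0f} of taxable benefits;")
    print(f"taxable income rises by ${total:,.0f}, i.e. ${per_dollar:.2f} per RMD dollar")
```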

I receive a wide range of questions regarding RMDs and many are not what I would have expected. Here are a few of the more common queries:

I don't need to spend the RMDs I will withdraw. What am I supposed to do with the money?

This is one of those unexpected questions that I receive a lot and I have settled on the following response. When RMDs are withdrawn, the IRS essentially turns part of your retirement account balance into income that is taxed at ordinary income rates like income from a job. I suggest you consider the withdrawal a paycheck — it's going to be taxed as if it were. You can even have taxes withheld.

What would you do with this "paycheck?" Anything you want, the same as any other paycheck, except for putting it back into a tax-deferred retirement account.

The IRS doesn't care what you do with the withdrawn funds so long as you pay taxes on the withdrawal and stop deferring taxes on this amount by withdrawing it from the tax-deferred retirement account. You can spend the money, transfer it to a checking or savings account, or reinvest this part of your nest egg in a taxable account. Some of the custodians of your accounts, Schwab for example, will allow you to automate any of these actions.

Bottom line, if you don't want to spend this part of your nest egg, reinvest the remainder after taxes in a taxable account.

If I reinvest these withdrawn funds in a taxable investment account, will I not be taxed twice on my retirement savings?

No, you are finally being taxed for the first time on your tax-deferred contributions, possibly made decades ago, and their earnings. If you reinvest the withdrawn funds in a taxable investment account, you will be taxed on any future earnings on that account but you won't be taxed again on your retirement account contributions or earnings.

Can RMDs be avoided or reduced?

Maybe, if you start tax planning early enough to do Roth conversions, for example. Roth conversions are taxable, too, but you may be able to convert at lower tax rates, possibly even zero. This is another issue you will need to discuss with your tax planner but the closer you get to age 70½, the less likely you will be able to reduce RMDs.

As we approach age 70½, it is important to be aware of pending required minimum distributions and to avoid penalties for late or miscalculated withdrawals. The stress-free way to achieve this is to automate the RMD process with your retirement account custodian. They can ensure that your RMDs are accurately calculated for the accounts they hold, that the withdrawals are made on time, and that the funds you withdraw are used as you prefer.

We also need to be aware of the Social Security taxation implications. This is a fairly complicated issue that most retirees should discuss with a qualified income tax professional rather than trying to navigate it on their own.

Here's a brief to-do list:

1. If your account custodian is not one of the three I mentioned, contact yours and find out if they can automate your RMDs.

2. The automated RMD services typically require that you be at least 70½ years of age to make the request. Calculate the dates that you and your spouse will reach age 70½ here and stick reminders in your smartphone calendar to set up automated RMDs with your custodian(s) on those dates. If you have passed this age already, you can start the service immediately.

3. Start discussions with your tax advisor well before age 70½ if you hope to reduce RMDs or plan for the Tax Torpedo.

You can find much more detail on all of these topics at the references listed below.


[1] Technically Roth 401(k)s, if they remain with your company after your departure or retirement, are subject to RMDs after age 70½. However, they can be rolled into a Roth IRA, which is not subject to RMDs during the owner's lifetime.

[2] When Do I Have to Take My First RMD?, Kiplinger.

[3] Avoiding the 50% Penalty on Overlooked RMDs, Kiplinger.

[4] Required Minimum Distribution Worksheets | Internal Revenue Service.

[5] How Worried Should I Be About the 'Tax Torpedo'?, Kiplinger.

[6] Benefits Planner | Income Taxes And Your Social Security Benefit | Social Security Administration.

[7] Fidelity Investments Automatic Withdrawals - RMD.

[8] Vanguard's Required Minimum Distribution Service.

[9] Charles Schwab Automated RMD Service.

[10] IRS Publication 590-B Cat. No. 66303U Distributions from Individual Retirement Arrangements (IRAs), page 35.

[11] A penalty will apply if your calculation is too low and you withdraw too little. Miscalculating and withdrawing an RMD that is too high won't generate a penalty because you can always distribute more than the minimum, though this may not be what you intend.

[12] An IRA custodian is a financial institution that holds your account's investments for safekeeping and sees to it that all IRS and government regulations are adhered to at all times. Retirement Tips: How to Choose the Best IRA Custodian.

Saturday, September 28, 2019

The Prevalent but Problematic Probability of Ruin

About 10 years ago, in the course of a conversation with two retirement researchers whom I greatly respect, someone mentioned the 4% Rule. One of those researchers said, "William Bengen did great work showing us that sequence risk exists but trying to turn it into a retirement plan was a huge mistake."

Bengen's work gave us the 4% Rule, derived from the so-called probability of ruin. Probability of ruin, or p(ruin) for short, is the estimated probability that a retiree spending a fixed real dollar amount from a volatile portfolio will outlive her portfolio. Somehow, despite its many shortcomings, p(ruin) has become the most common metric in retirement planning.

The 4% Rule provides a "sustainable withdrawal rate" (SWR) that a retiree can supposedly spend from a volatile portfolio with a 95% probability of not outliving his savings. How much is the SWR? Bengen estimated a range around 4.4%. Wade Pfau, Michael Finke and David Blanchett[1] found that the SWR is currently closer to 3%, primarily due to a low-interest-rate regime. If they are correct, that would result in annual withdrawals nearly 32% lower than Bengen's estimate. That's quite a range.

Some question the implications of that research, notably Michael Kitces, but interestingly, William Bengen believes that valuations are probably important and that "Pfau may be on to something."

The Shiller CAPE 10 ratio[2], a measure of stock market valuation, was around 10 when Bengen's data series began in 1926 and today suggests a much higher market valuation of around 30. A higher CAPE 10 suggests lower future market returns and vice versa. Had the market return data series studied by Bengen begun when valuations were relatively high, the results may have suggested a lower SWR. (It is not uncommon for economics studies to improperly ignore initial conditions like market valuations.)

I will toss yet another monkey wrench into these analyses and note that both studies make assumptions about future asset returns, so neither can be proven to be correct ex-ante. Still, Pfau et al. provide evidence that Bengen's SWR may be overestimated. This uncertainty is the essence of risk.

What are these shortcomings of p(ruin)? Let's start with p(ruin) being a one-dimensional measure of risk. By that I mean it estimates the probability (risk) of outliving a consumption portfolio, which I will define as a volatile portfolio of investments from which a retiree withdraws cash periodically to pay his bills, without measuring the magnitude of that risk.

Some research I'm currently coauthoring serves as an example. We compare two consumption-portfolio spending strategies. Each estimates a p(ruin) near 5%. On this basis, we would say that the two strategies are equally risky. However, when scenarios fail using the first strategy, the mean number of underfunded years is about 15. When scenarios fail using the second strategy, the mean number of underfunded years is about 21. The second strategy is riskier because when it fails, it leaves the retiree underfunded for 6 more years on average. This magnitude of risk isn't captured by p(ruin).

Another problem with p(ruin) is that it is based on a very limited sample of historical equity returns. Robert Shiller has reconstructed equity returns back to 1871, providing a little less than 150 years of data but this historical data contains very few unique long-term sequences of returns of 30 years or more that we need for retirement studies. We simply don't have enough data to draw statistically significant conclusions about the future probability of ruin. Many argue that only the more recent years of Shiller's historic returns are truly reliable.

Researchers have tried multiple strategies to get around this lack of data. Bengen used overlapping 30-year periods of returns. This strategy is flawed because the first and last years of the equity return time series are each used only once, the second and next-to-last twice, etc., while the returns in the middle of the series are included up to 30 times.

Another strategy is to generate 30-year series of returns by resampling, or randomly choosing returns from the entire historical data set with replacement. This strategy will provide results similar to the experience of the handful of available unique historical 30-year sequences of returns but doesn't generate "out-of-sample" series.

In other words, it assumes that the limited number of 30-year historical periods of data we have contain all of the information we will ever need to know about future market returns. It is more likely that the future will throw something at us that we have never seen before. Said a third way, our limited amount of historical long-term data series has very little predictive power. It can only tell us what might happen in the future if the future is very much like our limited past.
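An added illustration (my code, not the author's or his coauthors') of three points made above: that p(ruin) records whether a scenario fails but not how many years it leaves the retiree underfunded, that Bengen-style overlapping 30-year windows reuse the middle of the history far more than its ends, and that resampling only reshuffles returns already observed. The 60-year return history is constructed, not Shiller's data, and the 4% fixed real withdrawal is taken at the start of each year.

```python
"""Added illustration (not from the original post): p(ruin) and its depth
under overlapping-window and resampled return sequences. The return history
used in the demo is constructed, not market data."""
import random
from dataclasses import dataclass

HORIZON = 30            # retirement length used by the 4% Rule studies
WITHDRAWAL_RATE = 0.04  # fixed real spending as a fraction of the initial balance


@dataclass
class Outcome:
    failed: bool
    underfunded_years: int   # years in which the full withdrawal could not be paid
    terminal_balance: float


def simulate(real_returns, rate=WITHDRAWAL_RATE, start=100.0):
    """Withdraw a fixed real amount at the start of each year, then apply that
    year's real return. Once the balance cannot cover the withdrawal the year
    is counted as underfunded; that count is the magnitude p(ruin) discards."""
    withdrawal = rate * start
    balance = start
    underfunded = 0
    for r in real_returns:
        if balance < withdrawal:
            underfunded += 1
            balance = 0.0
        else:
            balance -= withdrawal
        balance *= 1.0 + r
    return Outcome(underfunded > 0, underfunded, balance)


def overlapping_windows(history, horizon=HORIZON):
    """Bengen-style sample: every contiguous horizon-year slice of the history."""
    return [history[i:i + horizon] for i in range(len(history) - horizon + 1)]


def usage_counts(n_years, horizon=HORIZON):
    """Number of overlapping windows each year of the history lands in: the
    first and last years once, the middle years up to `horizon` times."""
    counts = [0] * n_years
    for start in range(n_years - horizon + 1):
        for year in range(start, start + horizon):
            counts[year] += 1
    return counts


def bootstrap_windows(history, n_samples, horizon=HORIZON, seed=0):
    """Resampling: draw horizon years with replacement. Each draw is
    independent, so whatever serial structure the history had is lost."""
    rng = random.Random(seed)
    return [[rng.choice(history) for _ in range(horizon)] for _ in range(n_samples)]


def p_ruin(windows, rate=WITHDRAWAL_RATE):
    """Return (probability of ruin, mean underfunded years among failures)."""
    outcomes = [simulate(w, rate) for w in windows]
    failures = [o for o in outcomes if o.failed]
    p = len(failures) / len(outcomes)
    depth = sum(o.underfunded_years for o in failures) / len(failures) if failures else 0.0
    return p, depth


if __name__ == "__main__":
    # Constructed 60-year history: a long stretch of mediocre (1% real) returns
    # followed by a good era (6% real). No year is negative, yet windows that
    # sit entirely in the mediocre stretch still fail.
    history = [0.01] * 35 + [0.06] * 25
    p_hist, depth_hist = p_ruin(overlapping_windows(history))
    print(f"overlapping windows: p(ruin)={p_hist:.2f}, mean underfunded years={depth_hist:.1f}")
    counts = usage_counts(len(history))
    print(f"year 1 used {counts[0]}x, year 30 used {counts[29]}x, year 60 used {counts[-1]}x")
    p_boot, depth_boot = p_ruin(bootstrap_windows(history, 2000))
    print(f"bootstrap: p(ruin)={p_boot:.2f}, mean underfunded years={depth_boot:.1f}")
```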

Let's focus now on a term I just introduced, "sequence of returns." The success or failure of a consumption portfolio is primarily a function of the sequence of the portfolio returns and not of the returns themselves. To quote BigErn, "Precisely what I mean by SRR (sequence of returns risk) matters more than average returns: 31% of the fit is explained by the average return, an additional 64% is explained by the sequence of returns!"[4]

While we can generate realistic market returns from historical data using statistical methods like resampling, we cannot capture the most important characteristic of that data relative to portfolio ruin, the sequence of those returns. Resampling and most Monte Carlo models simply create random uniform sequences of returns and these are often quite unlike the few long sequences we observe from historical data.

This leaves two possibilities. One possibility is that the sequence of market returns is truly purely random, as we most commonly model, in which case we have been extremely lucky not to have received a catastrophic sequence of returns over the past 150 years. Another possibility, and the one I favor, is that sequences of returns are not purely random but are limited by market forces that we don't yet understand. In that case, we may never see catastrophic sequences of returns, but our models are wrong.

I can't leave this topic without noting that consumption-portfolio failure doesn't require really bad negative returns. A long sequence of sub-par returns will do the trick. The worst-case series of 30-year returns beginning in 1964 that defines the 4% rule was simply a long period of mostly-positive but mediocre real returns.

Not long after the Great Recession, some SWR advocates were quick to note that the market had rebounded rather quickly, supporting the idea of a 4.5% SWR. While this is true, there are two important caveats. First, consumption portfolios recover much more slowly than a market index because we aren't spending from the market index. Second, the Great Recession was a three-year sequence and, as I note in the previous paragraph, portfolio failure typically results from long periods of mediocre returns and not short periods of negative returns. The Great Recession may not portend future portfolio failure for today's recent retirees.

Lastly, I think it is important that we consider the ability of humans to "internalize" probabilities. Clearly, there are some of us like Nate Silver, who can see a probability and intuitively interpret it. Most of us can't.

Most people tend to round small percentages to zero and large percentages to 100. The 2016 presidential election is a perfect example. On November 9, 2019, Nate Silver published a prediction that Trump had a 28.6% probability of winning the election and Hillary Clinton had a 71.4% probability. Many read this and concluded that Trump had no chance of winning, i.e., they rounded 28.6% to zero and 71.4% to 100%. When Trump won, they were outraged at Silver. I saw a poster at the Women's March saying, "I will never believe Nate Silver again."

The election was a one-time event and clearly not random. Silver's probabilities weren't based on counting who won past elections between Trump and Clinton. They represented Silver's belief that these were the odds and he believed that Trump's chances of winning were significantly greater than zero. It appears that many people didn't understand that.

This raises the issue of one-time events like a presidential election or your retirement. It's simple enough to look at a roomful of one hundred 65-year-olds and say that a 4% Rule strategy means five of them will outlive their savings, but it is impossible to say in advance which five it will be. It is, therefore, difficult to internalize what 5% of retirees outliving their savings translates to for your individual probability of failure.

(This is a poor analogy in one sense but I hope it makes the point. The 4% Rule says that 5% of 30-year periods will result in a failed portfolio, so if everyone in that room were 65 years old, they presumably all would go broke or none would. They will all experience the same future market returns.)

Your retirement differs from the 2016 election, although both are one-time events. We can use historical market data to count how often you might have succeeded in the past, given some withdrawal rate. The problem is that we don't have nearly enough of that data. Even if we did, we could only predict how many retirees would fail and not whether you would be one of them.

The point of our ability or inability to intuitively understand probabilities is that many people will round a 5% chance of ruin to zero and feel perfectly safe, while others (like me) will feel that a 1-in-20 chance of ending up destitute in their dotage is completely unacceptable. In either case, p(ruin) is frequently problematic because of our inability to intuit it.

There are a couple of other shortcomings of p(ruin) that I will briefly mention in conclusion. Many argue that no retiree would ever do what the 4% Rule requires, that is, continue to spend the same amount from a consumption portfolio even when it is obviously failing. First, I would note that if the retiree doesn't do this, then the 4% Rule is not predictive at all because the retiree isn't adhering to the strategy. But I also have anecdotal evidence that there are rational reasons a retiree would continue spending the same amount.

At some point, a retiree with a failing portfolio will reach a level of spending that is necessary to meet non-discretionary expenses, and spending "too much" to pay necessary expenses will be the rational response even if it will undoubtedly lead to portfolio depletion in the near future (see Why a Rational Retiree Might Keep Going Back to that ATM).

If the 4% Rule says I can spend no more than $1,000 or else I will probably go broke in the near future but my necessary expenses total $1,500, I will spend the $1,500. In this scenario of continued fixed spending, portfolio behavior is either chaotic or behaves chaotically and it doesn't matter much which (see Retirement Income and Chaos Theory).

Economist Laurence Kotlikoff believes the 4% Rule estimates both the wrong amount to save and the wrong amount to spend compared to an economics approach. He explains it better than I could in The 4% Retirement-Asset Spend-Down Rule Is Rubbish.[5]

Lastly, probability of ruin is a number that we intentionally try to make as small as practical. It's a measure of "tail risk", or the area of low-probability outcomes of a model. Nassim Taleb, in testimony before Congress no less[6], stated that "the more remote the event, the less we can predict it." Taleb goes on to say, "Financial risks, particularly those known as Black Swan events cannot be measured in any possible quantitative and predictive manner; they can only be dealt with non-predictive ways." But, predicting unlikely events is precisely what p(ruin) purports to do.

The 4% Rule has achieved cult status to the extent that I hear retirees with virtually no other knowledge of retirement finance casually refer to it as if it is a universal law. It is not. It is a questionable but unfortunately prevalent retirement finance metric.

A better approach is recommended by life-cycle economics (see, for example, Risk Less and Prosper by Zvi Bodie), sometimes referred to as "safety-first." The safety-first strategy is to assume that portfolio failure is a (perhaps) small — Taleb would say unquantifiable — probability of an unacceptable outcome. It deals with the risk of portfolio depletion "in non-predictive ways." The retiree is encouraged to plan for an acceptable standard of living in the event of that outcome without having to roll the dice and simply hope the future looks a lot like the past.


[1] The 4 Percent Rule Is Not Safe in a Low-Yield World , Michael Finke, Ph.D., CFP®; Wade D. Pfau, Ph.D., CFA; and David M. Blanchett, CFP®, CFA.

[2] Shiller PE Ratio.

[3] Online Data, Robert Shiller, Yale Economics.

[4] The Ultimate Guide to Safe Withdrawal Rates – Part 15: More Thoughts on Sequence of Return Risk.

[5] The 4% Retirement-Asset Spend-Down Rule Is Rubbish, Laurence Kotlikoff.

[6] The Risks of Financial Modeling: VAR and the Economic Meltdown, House Subcommittee on Investigations and Oversight, GPO.

Thursday, August 15, 2019

Why Can't We Stop Pfishing?

During my employee orientation at America Online in 1997, that day-long tradition of assaulting new hires with mundane and mind-numbing facts that are immediately forgotten, I was warned that AOL employees were constantly under threat of phishing attacks, though they weren't called that, and I admit that I didn't really understand the explanation.

By close of business the following day I had developed a full appreciation of the threat because I had unwisely clicked on a link in an Instant Message and unwittingly handed my employee login credentials to a hacker, something I had been told not to do just hours before. IT's "clean-up" process took two days, though I suspect that was a form of punishment, and during that time I wore the scarlet letter of being cut off from the rest of the company that functioned entirely around AOL Mail and Instant Messaging.

What a dunce. Lesson learned.

AOL finally put a huge dent in the phishing attacks by implementing two-factor authentication (2FA) for all employees, as I described in those previous posts, except that in 1997 we used hardware tokens because there were no smartphones.

Having dedicated my last two posts, You're Responsible for Your Own Online Security and How to Secure Your Online Financial Accounts, to securing online financial accounts, I realize my retirement finance blog has taken on a computer-geek air of late. My rationale is that retirement finance is primarily about dealing with risk and cyber security is a huge component of financial risk. One security vendor describes phishing attacks as follows.
"Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there's more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgment by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence."
The term "phish" comes from fishing. A hacker dangles some bait in front of you in the form of a disguised hyperlink in an email or text message and hopes you will click on it hook, line and sinker.

Phishing attacks can be implemented with text messages, email, or even phone calls. It is actually a "social engineering" attack because rather than relying on technology to steal your vital information, it relies on you giving away that information in a moment of fear, confusion or just complacency.

Some people provide their sensitive information over the phone in spite of knowing that no bank, brokerage or government office like the Social Security Administration is going to call, text or email you and ask for your login credentials. The IRS does not announce an audit in an email.

Others click on a hyperlink in an email or text message because they believe they know the sender or because the link looks familiar or harmless. It isn't difficult for a hacker to change an email's sender address, using an attack known as "spoofing"; the "From" line is just text the sender fills in, much like the return address on an envelope. You cannot trust an email's source simply by looking at the sender's email address, or a phone call's source by checking Caller ID.

A lot of people who should know better get hacked by phishing attacks. It's a highly effective strategy.

The security publication CSO lists three infamous phishing attacks.
  • Perhaps one of the most consequential phishing attacks in history happened in 2016 when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password. 
  • The "fappening" attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.
  • In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.
The Clinton Campaign phishing hack may have helped decide a presidential election.

(Note to political parties: Why are you sending unencrypted sensitive information over email systems like GMail when you can create a free, encrypted account at Proton Mail, a service founded by scientists who met at CERN, or spend a few bucks to encrypt your own mail server? More importantly, why are you saying things in an email that you wouldn't want the world to see? Emails never die. Your stupidity will be on the web forever. This is not the way you want to go viral.)

My goal is to help you protect yourself and your wealth from phishing attacks (if political organizations haven't figured out how by now then I have little hope for them in cyberspace).

Because phishing attacks are social engineering attacks that depend on tricking you, your diligence is the best protective measure. Think twice — no, make that three times — before you click on any link in an email or text message.

Check the context. My friend Lex sends me lots of emails, text messages and messaging app thoughts. I normally click on all of his links, but when I recently received an email from him that contained nothing but a hyperlink, I deleted it. It would be very unusual for Lex to send me a link with no explanation.

Though I needed no further clues, I checked the email's CC list and noticed it was quite long and included no one that I know. Not a confidence-building sign.

If I have any doubt that a link I receive is legitimate, I will contact the sender and ask if the email or message was really from them, but it is critical to contact them through a different channel and not by replying to the message. If the link really is phish, then replying may simply be me asking the hacker if he is legit. He'll probably say yes. If the link arrives in an email, for example, call or text the sender instead.

When I receive an email or text message regarding the status of a credit card account, I visit the card's website by typing its address myself, without clicking on the link.

It's quite easy to make a link look like a legitimate website when it actually points to a hacker's own malicious website. It's also quite easy to make that website look like Chase Bank's website, for example, and encourage you to "login" at the fake website and thereby hand your login credentials to the hacker.

Most email programs and browsers let you view the actual link by hovering your mouse over the hyperlink; the underlying address appears in a tooltip or in the status bar at the bottom of the window. On a phone, a long press on the link usually shows the destination. Read the actual link closely to detect small changes that indicate you might not land where you expected.

You may find, for example, that a link whose visible text shows my website's address actually points to a lookalike address that differs by a single misspelled character, which could belong to anyone. Hover your mouse over such a link and, depending on your browser, the actual destination hyperlink will show up somewhere on your screen.
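As an added example (my code, not the post's), here is a small link inspector that does what the hover check does, but for every link in an email at once: it compares the address a link displays with where its href really goes, and flags the tricks used to hide a fake destination (a trusted name typed before an "@", a raw IP address, a punycode host, a trusted name buried inside an unrelated domain, and a domain one or two characters away from one you trust). The sample email HTML and the list of trusted domains are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the reader actually does business with (constructed for the example).
TRUSTED = {"chase.com", "treasurydirect.gov", "theretirementcafe.com"}

# Visible link text that itself looks like a web address, e.g. "www.chase.com/login".
URL_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


def registrable(host):
    """Last two labels of a host name: 'www.chase.com' -> 'chase.com'.
    (A simplification; real code should consult the Public Suffix List for names like co.uk.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(text, href, trusted=TRUSTED):
    """Return a list of warnings for one link; an empty list means nothing looked wrong."""
    warnings = []
    url = urlsplit(href.strip())
    host = (url.hostname or "").rstrip(".")          # urlsplit lowercases the host for us
    if url.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme {url.scheme!r}")
    if url.username is not None:                     # https://www.chase.com@evil.example/
        warnings.append(f"'{url.username}@' is a login name, the real host is {host}")
    if is_ip(host):
        warnings.append(f"link goes to a raw IP address ({host}), not a named site")
    if "xn--" in host:
        warnings.append("punycode host: letters may be look-alikes from another alphabet")
    match = URL_IN_TEXT.match(text.strip())
    shown = match.group(1).lower() if match else None
    if shown and registrable(shown) != registrable(host):
        warnings.append(f"visible text says {shown} but link goes to {host}")
    reg = registrable(host)
    if reg and reg not in trusted:
        for t in trusted:
            if 0 < edit_distance(reg, t) <= 2:
                warnings.append(f"{reg} is within two characters of trusted {t}")
            elif t.split(".")[0] in host.split("."):  # chase.com.secure-login.net
                warnings.append(f"trusted name '{t.split('.')[0]}' buried inside unrelated domain {reg}")
    return warnings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def inspect_html(html, trusted=TRUSTED):
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, inspect_link(text, href, trusted)) for text, href in parser.links]


# Constructed sample: a fake "account locked" email with two bad links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours at
<a href="http://www.chasse.com/verify">www.chase.com</a> or use
<a href="https://www.chase.com@198.51.100.7/login">Chase Online</a>.
Your statement is at <a href="https://www.chase.com/statements">www.chase.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for text, href, warnings in inspect_html(SAMPLE_EMAIL):
        print(f"[{text}] -> {href}")
        for w in warnings or ["looks consistent"]:
            print("   ", w)
```

The first sample link is the misspelling trick from the paragraph above: the text reads www.chase.com, the destination is chasse.com. The second hides the real host after an "@", a trick that fools a quick glance at the start of the address. Only the third, whose text and destination agree and land on a trusted domain, comes back clean. A check like this is a filter, not a verdict: a link with no warnings still deserves the "what happens if I don't click?" question below.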

Some anti-virus and anti-malware software also incorporates anti-phishing features. Check your software's website to know for sure. Still, it won't replace your own diligence in examining hyperlinks sent to you before clicking on them.

Why are phishing attacks still so successful though we've been exposed to them since the late 1990s? They prey on our fear, complacency, and familiarity. It should be really easy to always say, "I'm not 100% sure this is a legitimate link so I'm just not going to click it" or "no legitimate business would ask me to provide sensitive information through an email or a phone call," yet it remains a successful hacking strategy.

One last question you might ask yourself is what would happen if I don't click this link? If it is important, the sender will surely try other ways to reach you, even if it's a friend just making sure that you saw the link she sent to her latest baby pictures.

Phishing attacks aren't the only cyber threat to your wealth but they are one of the most common and they are very effective. The best way to protect yourself is to treat any link sent to you as a potential threat. Never click on them without stopping to think about possible bad outcomes. Err on the side of avoiding the pfisher. If you're not certain, don't click.

Tuesday, August 6, 2019

How to Secure Your Online Financial Accounts

In my previous post, You're Responsible for Your Own Online Security, I noted that online fraud protections from banks, credit unions, investment companies, and other financial services companies are significantly weaker than consumer protections for credit cards, debit cards, ATMs, and EFTs. The "100% online fraud guarantees" advertised by financial services companies can have a lot of fine print and they are backed by the companies, not by consumer protection laws.

You may be thinking, "That's a lot of trouble. In the unlikely event that my account is hacked, the financial services company will reimburse me." I think that's a mistake for a few reasons. First, even if the company covers your losses, recovering from the fraud is unlikely to be a pleasant experience. Second, if you don't meet the company's security requirements spelled out clearly on their websites, you might not be covered by their online fraud guarantee, at all. Do you want to take that risk with your savings?

My goals for this post don't include boring you to tears, though that is certainly a risk when one explains technology to people who just want things to work. The truth is that passwords by themselves are a poor way to secure Internet accounts. We need a very different solution for securing online access, but unless and until we get that, we have to work with what's available.

One of my goals is to help you avoid losing your hard-earned wealth to online fraud. A second goal is to help you avoid the long, painful process of recovering from online fraud when recovery is possible — you'll find it much easier to stop fraud before it happens than to tidy up afterward. And, my third goal is to keep you from running afoul of requirements that might preclude those "100% online fraud guarantees" offered by financial services companies. I used to refer to them as "online financial services companies" but now almost all of them are.

I warn you up front that some of these measures can be complicated to implement and that they will complicate your financial life a bit. It won't be as easy for you to access your online financial services but it should be a lot more difficult for a thief to do so.

And finally, before diving into security measures, be aware that many online services offer different levels of security that you can implement depending on how much set-up work you are willing to do and how much inconvenience you will tolerate to achieve greater security. You can improve security significantly with stronger passwords, for example. With more work and complexity, you can greatly improve on long-password security by adding two-factor authentication. You will need to decide if the extra security is worth the effort.

You might also think, "This is way too difficult. I'm just going to avoid online access to my accounts altogether."

While this might be achievable in some limited way, it will preclude most investment opportunities. I asked Fidelity Investments if it is possible to open an account with no online access. They thought I had lost my mind. And, should you decide to simply not set up the online access, a thief might well do it for you.

Wade Pfau and his colleagues are seeking volunteers for a research project called the Retirement Income Style Awareness™ (RISA™). Please consider following the link to the survey. Participants will be able to get results from the survey in the fall.

First, if your computer, smartphone, or tablet is compromised, no other security process can be trusted. If someone installs a keylogger on your computer, for example, that person can watch you type in your log-in credentials from half a world away and it won't matter what other security measures you take; they're looking over your shoulder. Run anti-malware software on your computer, keep the operating system and browser updated, and only download smartphone apps from your phone's official app store. This step is essential. There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well.

Next, you probably have a lot of sensitive information on your smartphone. Many services will use your phone to reset your password, for example. A thief doesn't need to learn your password if he can more easily reset it, and he doesn't even need to physically steal your phone: he may be able to illegally "port-out" your phone number and receive all your phone calls and text messages. Your smartphone is a key to your online security whether or not you intended it to be.

You need to keep that key beyond the grasp of hackers. Bite the bullet and change your lock-screen passcode to at least eight digits.[3,11] (Are you still using four digits?) This step is also essential. I'd recommend avoiding lock-screen patterns on Android phones.

For many financial services companies, the use of "third-party aggregators," including account-aggregation features like Fidelity Fullview and Vanguard Portfolio Watch, will violate your guarantee of fraud protection, because you are handing your login credentials to someone other than the company that holds the account. Charles Schwab explicitly states, next to the button that enables these services, that they invalidate your guarantee. Stop using them. This is an essential step. You can go to the aggregator websites and turn off the feature, but you can also change the passwords on all your financial services accounts (which you probably should do, anyway) and simply not update them at the aggregator website. The aggregators will no longer have access to your data and you will no longer be in violation of the terms of your guarantee. If your financial data still shows up at your aggregator site, you know you're not finished.

Creating strong passwords is an essential step. Make the passwords to all your sensitive online accounts at least 12 random characters long. Use upper and lower case letters, numbers and special characters as allowed by the website. Here's an example: Wt4e-7B13^qS. As the saying goes, the best password is the one you can't remember. It has been estimated that, against a brute-force attack, an 8-character password of this kind can be cracked in hours, a nine-character one in months, and a 12-character one in hundreds of years or more; the exact figures depend on the attacker's hardware and on how the website stores (hashes) its passwords. If your password contains recognizable words, a dictionary attack can be far faster.
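To put those estimates on a footing you can check, here is an added example (my code, not the post's) that generates a random password of the kind described, computes the size of the search space a brute-force attacker must cover, and turns it into time at an assumed guessing rate. The rate of 10^11 guesses per second is an assumption standing in for a multi-GPU rig attacking a fast hash; a site that uses a slow, salted hash cuts that rate by orders of magnitude. The word list used for made-up security-question answers is constructed for the example.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation (space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker speed (not a figure from the post): roughly what a multi-GPU rig manages
# against a fast, unsalted hash such as MD5 or SHA-1. A slow hash like bcrypt lowers it
# by a factor of a thousand or more.
GUESSES_PER_SECOND = 1e11

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed word list for unrelated "security question" answers.
WORDS = ["ember", "quartz", "lantern", "bookbinder", "banjo", "harbor", "velvet", "tundra"]


def random_password(length=12, alphabet=ALPHABET):
    """A password drawn uniformly at random with the OS CSPRNG (the random module is not suitable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer(words=3):
    """An unrelated answer for a password-recovery question, e.g. 'ember-quartz-lantern'.
    Store it alongside the password; it is not meant to be remembered."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct strings of this length an attacker must consider."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: try every string of this length. Expected time is half this."""
    return keyspace(length, alphabet_size) / rate


def dictionary_keyspace(word_count=2, vocabulary=100_000, trailing_digits=2):
    """Passwords built from common words are guessed word-by-word, not character-by-character,
    so 'Sunshine2019'-style passwords live in a far smaller space than their length suggests."""
    return vocabulary ** word_count * 10 ** trailing_digits


def humanize(seconds):
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print("example password:", random_password())
    print("example answer:  ", random_answer())
    for n in (8, 9, 12):
        print(f"{n} random characters: {entropy_bits(n):.0f} bits, "
              f"exhaustive search {humanize(seconds_to_exhaust(n))}")
    print("two dictionary words + 2 digits:",
          humanize(dictionary_keyspace() / GUESSES_PER_SECOND))
```

At the assumed rate, eight random characters fall in about 17 hours, nine in about two months, and twelve in roughly 150,000 years, which is where the "hours, months, centuries" rule of thumb comes from. The last line makes the dictionary-attack point: two common words and two digits, twelve characters long, are exhausted in seconds. Note that none of this helps if the password is reused or phished; length defends only against guessing.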

Don't reuse passwords. This is essential because cracking one of your passwords compromises every other account using that password. Every sensitive account should have its own.

Never share your password with anyone other than a spouse on a joint account; sharing it with anyone else will almost certainly invalidate your online fraud protection. If you want an advisor or a spouse to have access to your individual accounts, grant that authority explicitly by filing the appropriate paperwork with your financial services companies instead of going through the "back door" of sharing your passwords. Recognize the risk you're taking by doing this and consider granting "read-only" access rather than authority to transact in your account.

If you write your passwords down, store the list in a secure location and hide a backup in a different physical location. The next step isn't essential, but I find it helpful. I use a password manager to both create random passwords and store them. LastPass, Dashlane, and 1Password are perhaps the best known, and you can access passwords from your computer, smartphone, and tablet. The manager's master password then guards everything in it, so make that one long and unique, and turn on 2FA for the manager itself if it offers it.

The next level of security (and complexity to implement and use) beyond strong passwords is two-factor authentication. 2FA is perhaps not as essential as strong passwords but many experts would disagree. I consider it mandatory for my accounts but I also recognize that it is complicated for a "non-techie" to understand and implement. I can imagine that most will consider it too complex and that's a shame because it is a huge step up in security.

In essence, 2FA provides a second, short-lived passcode that changes every 30 to 60 seconds and can only be read from an app on your smartphone (or a dedicated hardware token[4]). Unless a thief has access to your smartphone, she can't log in to your account even if she knows your password.

2FA is now offered by most, though not all, financial services websites. I even use 2FA at social media websites and on my email accounts. Two Factor Auth[5] provides a list of websites that support 2FA and PC Magazine[6] explains how to set it up at many of them.

I have found that customer service departments of financial services companies will walk you through implementing 2FA over the phone if you ask and it only takes a few minutes. This is far and away the easiest way to implement 2FA on your account.

There are several ways in which 2FA can be implemented. The passcode can be sent to you in an email, sent to your phone in a text message (SMS), delivered by a voice phone call, or generated by an app on your phone. If your financial services company offers a choice, the app approach (or a hardware token) is the safest, because the code is computed on the device and never travels through the phone network or your email, where it could be intercepted.[7]

Some websites, like TreasuryDirect®, will email a one-time password (OTP) as a second layer of authentication after you enter the correct password. A lot of people know my primary email address, and that's the first place a hacker might look for my one-time password. It would be harder for a hacker to intercept my OTP if I have it sent to an address with a random name that doesn't identify me.

If any of your accounts use 2FA by sending an email, consider setting up an email account with a random name solely to receive 2FA passcodes. Set up a notification in that email account to alert you anytime you receive an email.

Many websites have a "password recovery" process that will reset your password if you answer security questions like "What was your high school mascot?" It makes no sense to go to all this trouble to secure a password when someone can "recover" your password by answering these security questions after reading your social media posts or by Googling your name.[10]

(I checked my password recovery questions on an email account I use for junk and found that a hacker would need to either spend hundreds of years guessing my password or simply guess the name of my favorite band to gain access to my account.)

I make up unrelated answers to these questions and store both the questions and the answers with my passwords. For example, I might choose the question "What was your school mascot?" ("Eagles" is a good guess for a hacker.) I might enter "bookbinder" as the answer.

Thieves can sometimes illegally "port-out" your mobile phone number to their own phone, and the only indication you will get that this has happened is that your phone will stop working. They'll receive your text messages and phone calls, so they'll intercept any one-time passwords sent by either of those methods. Furthermore, many online accounts will allow you, or a thief, to recover your password by texting or calling your phone, and the thief is now the recipient of both. You may have the physical phone in your hand, but all of your voice calls and text messages will now go to the thief's phone.

To illegally port-out your phone number, a thief only needs some basic name and address information about you and a PIN that is set up at your wireless carrier's website. Better beef up the security of the password and PIN on your wireless carrier account. Krebs on Security tells you how.

Log on to your wireless carrier's online account and make sure your PIN isn't something obvious like "1234" or the last four digits of your Social Security number. Use a strong password on your wireless carrier's website. I added 2FA to mine. Otherwise, a fraudster can hack into your wireless carrier account and change that PIN. Your smartphone, one way or the other, is the key to much of your online security. If it is lost or stolen, take action immediately.[8,9]

Since this all began with a reader's comment regarding security at TreasuryDirect®, let's look at how we might secure accounts there.

To log on to a TreasuryDirect® account, a thief will need your account number, the password for that account, access to the email address to which TreasuryDirect® sends a one-time passcode each time you attempt to log on, and that one-time passcode.

First, create a random password at TreasuryDirect® that is at least 12 characters long. Then, create unrelated answers to password recovery security questions at TreasuryDirect®, as described above.

Create a new email address with a random name and direct TreasuryDirect® to send one-time passwords there instead of sending it to your public primary email address. Secure the email account with a long, random password.

Now, a hacker will need to learn your TreasuryDirect® account number, crack its long random password, figure out which e-mail account you have told TreasuryDirect® to send your one-time password to, and crack that e-mail account's long random password to learn your OTP. If he tries to get into your TreasuryDirect® account using password recovery, he will need to know that you told TreasuryDirect® that your father was born in the city of "banjo."

I believe any web-based service is hackable but a thief could probably find an easier way to steal money than this.

If you only install anti-malware software on your computer and improve your passwords, you will greatly enhance your online security. If this seems overwhelming, start by improving all of your passwords on financial services company websites and do more later.

You can download a checklist in Word to organize your security enhancement project. I included a sample using a Charles Schwab account. Click the link to see the document, then click download to save a copy.

This is the world we live in. Practically all financial services companies have an online presence with fraud guarantees provided only if the company considers that you have adequately protected your login credentials.

I realize that most readers will find this all quite complicated even with the links I have provided, but this is your retirement savings we're trying to protect here, and if your security doesn't meet the standards of financial services companies, their "100% online fraud guarantee" might not be available to you. Follow these steps and you are far less likely to ever need to recover from online fraud or rely on a fraud protection guarantee.

Some readers are having problems posting comments anonymously. Please feel free to email comments to me and request that I post them anonymously.


[1] Avast for Mac

[2] Windows Defender, Microsoft.

[3] Change Your iOS Passcode, or Change Your Android Passcode.

[4] Some financial services companies will provide, often for free, a hardware "token" to generate the 2FA passcode instead of using your phone. See Protect Your Investment Accounts With A Security Token.

[5] Two Factor Auth list of 2FA supported websites.

[6] Two-Factor Authentication: Who Has It and How to Set It Up, PC magazine.

[7] This is why you shouldn't use texts for two-factor authentication: Major SMS security lapse is a reminder to use authenticator apps instead.

[8] If your iPhone, iPad, or iPod touch is lost or stolen.

[9] Find, lock, or erase a lost Android device, Google Help.

[10] Time to Kill Security Questions—or Answer Them With Lies, Wired.

[11] This is why your six-digit iPhone passcode isn't secure.

Wednesday, July 31, 2019

You're Responsible for Your Own Online Security

Credit cards, debit cards, ATMs, and electronic fund transfers (EFTs) offer excellent fraud protection but your bank, credit union and investment company's online protections aren't as strong.

In response to my post, The Best Inflation Protection You Never Heard Of, a reader commented that he/she avoids I Bonds due to security concerns with TreasuryDirect.® It didn't take long to find several threads on the topic. The primary concern seems to be this statement from the Code of Federal Regulations:
§363.17   Who is liable if someone else accesses my TreasuryDirect® account using my password? You are solely responsible for the confidentiality and use of your account number, password, and any other form(s) of authentication we may require. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost, or expense that you may incur as a result of transactions made using your password.[72 FR 30978, June 5, 2007]
Should you be concerned about security issues at TreasuryDirect,® the only place where you can purchase I Bonds? I think you should be concerned about the security of online access to your holdings at all financial services companies and I think your security is largely up to you.

Having your financial services company hacked is different from having your individual account hacked through its online access. I'm addressing the latter, but the former happens with amazing frequency and you will be protected from those breaches. You probably won't even know it happened to your company until you read about it in the paper.[1]

You will probably find wording similar to that of the TreasuryDirect® statement above at the websites of all of your banks, credit unions, investments companies, and other financial services.

First, let's look at where we are protected.

Electronic Fund Transfers.

According to the Federal Reserve, "Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems such as automated teller machine transfers, telephone bill-payment services, point-of-sale (POS) terminal transfers in stores, and preauthorized transfers from or to a consumer's account (such as direct deposit and social security payments). The term "electronic fund transfer" (EFT) generally refers to a transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs a financial institution either to credit or to debit a consumer's asset account."[2]

Section 205.6 of Regulation E states the liability of [the] consumer for unauthorized transfers, "[Regulation E] limits a consumer's liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited."

At first glance that would appear to cover online access to your account at a bank or credit union — they are both subject to Regulation E and it specifically mentions computers — but that does not appear to be the case. The catch seems to be in how your bank or credit union defines "unauthorized access."

Credit Cards.

According to NOLO[3],
"Under the Fair Credit Billing Act, your liability for unauthorized charges depends on whether the thief personally presented your card to make the purchase, or just stole the number.
    • If the thief personally presents your card to make the purchase, the card issuer can't hold you liable for more than $50 in fraudulent charges. (12 C.F.R. § 1026.12). Many card issuers waive this $50.
    • If the thief stole the number, but not the card, you have no liability.
In either of the above situations, however, it's important to notify the card issuer as soon as you know of the theft—by phone and in writing.
Additional information regarding how to report fraud is also available at the NOLO link.[3]

ATM and Debit Cards.

Also from NOLO,
"With ATM or debit cards, you must act quickly in order to avoid full liability for unauthorized charges when your card is lost or stolen. Under the federal Electronic Fund Transfer Act, your liability is:
    • $0 if you report the loss or theft of the card immediately and the card has not been used
    • up to $50 if you notify the bank within two business days after you realize the card is missing
    • up to $500 if you fail to notify the bank within two business days after you realize the card is missing, but do notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals, or
    • unlimited if you fail to notify the bank within 60 days after your bank statement is mailed to you listing the unauthorized withdrawals. (15 U.S. Code § 1693g).
If you can convince the bank that your notification failure was due to extenuating circumstances, it must extend the notification timeline for a "reasonable period."
If your card wasn't lost or stolen, but the number is used for unauthorized transactions, you aren't liable for those transactions so long as you report them within 60 days of the statement being sent to you.
In response to consumer complaints about the possibility of unlimited liability, some card issuers cap the liability on debit cards at $50. And some banks don't charge anything if unauthorized withdrawals appear on your statement. Also, some states have capped the liability for unauthorized withdrawals on an ATM or debit card at $50."
So, for EFTs, credit cards, debit cards, and ATMs, the fraud protections are pretty strong, but what is the extent of our protection for accounts with other financial services?

Banks and Credit Unions.

As I previously mentioned, banks and credit unions are subject to Regulation E and that regulation seems to protect online access to your account. A review of a few online-fraud policies, however, reveals a loophole that limits their guarantees of "100% fund recovery" if you "share" your login credentials or don't "adequately" protect them.

My credit union states in its "Zero Liability Guarantee for Online Fraud" policy, "You should not share your UserID and/or password with anyone. If you share this information with anyone, any actions they perform on your accounts online are considered to be authorized by you."

I found similar statements at bank websites. Wells Fargo's states, "To qualify for the protections provided by the Online Security Guarantee, you must . . . Never disclose your personal account information to others (including your Personal Identification Number (PIN), online username, password, one time passcodes, RSA SecurID® token, or any other security credential you may use to access your accounts)."[4]

Wells Fargo's statement goes on to warn that, "If your device allows access to anyone other than you via fingerprint, that person will also be able to access your Wells Fargo Mobile downloadable applications on the same device when Touch ID® or fingerprint is enabled, and their transactions will be considered authorized."

So, if your phone's fingerprint access feature fails, allowing someone to gain access to your login credentials, Wells Fargo treats that as your authorization for that person to make transactions in your account. And, those fingerprint readers may not be as secure as you think.[5]

You can find your investment company's online-fraud protection policies, well. . . online.[6,7,8] Most of the investment companies I researched do offer full protection against fraud except for fraud committed when you share your login credentials. The problem is that most have a very broad definition of "sharing." Fidelity Investments states, for example,[6]
"What are examples of where I won't be covered?

If you grant authority to, or share your Fidelity account access credentials or information with, any persons or entities, their activity will be considered authorized by you. Losses of cash or securities transferred to outside accounts that are beneficially owned by you are not covered by this guarantee. Also not covered is any activity by an employer/plan administrator, financial intermediary, or third-party who is authorized by you to access your data (or who received your data as a result of that access), or with whom you've shared your username, password, or account number, or from malware or a breach of security that affects the systems of any of those parties."
Fidelity also lists some types of assets that aren't protected:
"What assets may not be covered?

Assets including certain annuities and insurance products, Fidelity Advisor Fund accounts, and Fidelity Advisor 529 accounts are not covered because they are held away from or maintained by someone other than Fidelity."
In a timely email, Charles Schwab just this week sent me the following information:
"We want you to have the highest level of confidence when you do business with Schwab. That's why we offer you this simple guarantee: Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity. Read more about our Security Guarantee at"[7]
That sounds excellent until you click on that link and see the limitations of the guarantee:
"Does the guarantee apply to my account if I use a financial application ("app") or program that retrieves my account data from Schwab for things like financial planning or to help me manage my finances?

Yes, with some conditions. You must not share your Schwab login credentials with anyone or through a non-Schwab app. A firm that retrieves, aggregates, and presents account information to a customer for financial activities is known as an "aggregator." When you authorize an aggregator and instruct Schwab to allow the aggregator access to your account information, the aggregator as well as its employees, agents and financial apps and companies the aggregator does business with who receive your Schwab account information ("aggregator third parties") are considered your authorized persons. The guarantee only applies to unauthorized activity in your account. What an aggregator or an aggregator third party does in connection with your account and your information is authorized, so the guarantee does not apply to their actions."
Sharing login credentials typically invalidates that "100% guarantee" that your loss will be recovered. How broad can a financial service company's definition of "sharing" be?

  • Providing your login credentials to any other person, such as a financial advisor, is generally considered sharing. One company's website suggested that giving your login credentials to your spouse is sharing and recommended that spouses submit paperwork to give one another access to their accounts, instead.
  • Providing login credentials to a third-party aggregator is typically considered sharing. Popular third-party aggregators include, Vanguard's Portfolio Watch, and Fidelity Investments Fullview.
  • As mentioned above, Wells Fargo assumes that you have shared your login credentials with anyone who can fool your smartphone's fingerprint ID feature.
  • Fidelity Investments assumes that someone who learns your login credentials by a security breach or malware is authorized to access your account.
  • TreasuryDirect®'s statement above appears to state that anyone who has your login credentials is authorized to make transactions in your account regardless of how the credentials were obtained.
The message is quite clear: if you want a guarantee against online fraud, don't share your login credentials with anyone or anything and don't let them be stolen. Some recurring themes run through these policies.

  • You have no fraud protection guarantee at any investment company I have researched if you share your login credentials,
  • The company's definition of "sharing" can be quite broad,
  • Investment companies can have vastly different descriptions of what they consider "adequate" protection of your credentials, and
  • Some companies don't protect all types of accounts.

When I began research for this post, I had hoped to be able to provide some general guidelines for all banks, credit unions and investment companies regarding their online fraud protection. Unfortunately, I found that they vary so much that I needed to read every policy for every financial services company that I use to understand my protections and what I am required to do to be eligible for their "100% online guarantees." I changed my passwords at each one, in part so I no longer run afoul of "third-party-aggregator sharing" rules and to be completely honest, in part because the protections weren't as ironclad as I had assumed. I strongly suggest that you do the same.

So, bottom line, fraud protection at investment companies, banks and credit unions is significantly weaker than for credit cards, debit cards, EFTs, and ATMs.

But what about SIPC, you ask? Isn't it the equivalent of FDIC for banks? No, SIPC offers protection of assets at failed brokerage firms. According to their website[9], "SIPC protects against the loss of cash and securities – such as stocks and bonds – held by a customer at a financially-troubled SIPC-member brokerage firm. The limit of SIPC protection is $500,000, which includes a $250,000 limit for cash. Most customers of failed brokerage firms are protected when assets are missing from customer accounts."

Unless it is failing, your investment company backs your brokerage accounts, not SIPC.

Having read this post, extremely risk-averse investors might be tempted to try to find financial services companies with no Internet access. They may be surprised by how difficult that has become. This is the world we live in: we're forced online but not adequately protected from online security problems. Security is largely in our own hands.

Fortunately, there are steps we can take to secure our accounts. Unfortunately, none is perfect.

Here's my advice. Google "online fraud protection company name" for every bank, credit union, investment company or other financial services company you use online. (Links to a few are provided below in REFERENCES.) Search their websites for the following information:
  1. Is there an online fraud guarantee?
  2. Under what conditions are you not covered?
  3. What types of accounts are covered?
  4. What actions does the company require on your part to ensure that your login credentials are "adequately" secured?
Here's a tech hint that will help when they play the fine-print game. Command+ on a Mac or CTRL+ on Windows will usually increase that tiny font as much as you'd like. (I'm looking at you, Fidelity.)

Because this post is already, as my grandfather would say, longer than a horse's face, I have posted some recommended security measures you should implement with all of your financial accounts, including TreasuryDirect®, at How to Secure Your Online Financial Accounts.


[1] For Big Banks, It’s an Endless Fight With Hackers, New York Times.

[2] Regulation E, Federal Reserve.

[3] Your Liability for Unauthorized Credit and Debit Card Charges, NOLO.

[4] Wells Fargo online fraud policy.

[5] That Fingerprint Sensor on Your Phone Is Not as Safe as You Think, New York Times.

[6] Fidelity Investments online fraud policy.

[7] Charles Schwab fraud policy.

[8] Vanguard Investments online fraud policy.

[9] Securities Investor Protection Corporation (SIPC) website.

Tuesday, July 23, 2019

Navigating the TreasuryDirect® Maze

In a previous post, The Best Inflation Protection You Never Heard Of, I wrote about U.S. Series I Savings Bonds. Like Treasury Inflation-Protected Securities (TIPS), I Bond returns compensate for inflation, as measured by the CPI-U index.

I like Series I Bonds but the TreasuryDirect® website, not so much.

The two types of bonds (I Bonds and TIPS) are otherwise significantly different. I Bonds have some unique features as I previously explained, but they also have significant maximum purchase restrictions that make them cumbersome for wealthy retirees to accumulate.

Those maximum purchase restrictions were one of two issues raised by readers of that post, the other being difficulty in navigating the TreasuryDirect® website to purchase the bonds.

Individuals can purchase up to $10,000 of I Bonds per social security number per (calendar) year, which means a couple can purchase $20,000 annually. A single, retired friend complained that it would take decades to buy enough I Bonds at $10,000 per year to fill his bond portfolio. I suppose I can somewhat sympathize with that "problem" except that I know a lot of people who would love to have it.

I, too, need to own TIPS in addition to the I Bonds I purchase but I don't think of my inability to buy as many I Bonds as I'd like as a reason not to purchase any. Other than the maximum purchase limitation, they have some very attractive features.

TreasuryDirect® e-commerce capabilities could use some work. I just spent two weeks working with a couple of well-educated clients who struggled mightily but were ultimately successful in purchasing I Bonds for both spouses. I will offer some tips that might help you navigate the website (and therein lies the first tip: don't go to or

The first step to purchase I Bonds at TreasuryDirect® will be to open an account for yourself and one for your spouse if you are married. You can submit your application(s) online by clicking here and then click the "Go" button. But, there is some prep work you will need to complete first.

For each account that you will open at TreasuryDirect® you will be required to submit a TreasuryDirect® Account Authorization Form, FS Form 5444, and snail-mail those completed forms to the Treasury Retail Securities Service address on the form. The form requires a bank's signature guarantee or a brokerage's signature guarantee or Medallion Guarantee. Certification by a notary isn't acceptable. Do not fill out the form until you are in the presence of the guarantor.

You will need a source of funds to purchase the bonds, of course, and you have two options. Typically you will want to purchase bonds using an account at a bank that accepts Automated Clearing House debits and credits. (There is a second way using a "Zero-Percent Bond" to make payroll purchases or a recurring bank debit.) You will provide your banking information when you create the TreasuryDirect® account, so have check(s) available to provide the routing and account numbers.

One of the clients I helped was notified that his account application "needed further security checks." About a week later, he was informed that his application had been accepted, though he was unable to find out why additional checks had been necessary.

You may also need to move funds into the bank account before the bond purchase. If you need to sell stocks or funds, for example, to purchase I Bonds, then be aware that it may take a few days for the brokerage sale to clear and another few days to transfer the sale proceeds to the bank account. There are sometimes ways to link bank accounts and brokerage accounts to make this work faster in subsequent years.

As I pointed out in the aforementioned post, you will normally want to purchase I Bonds from a taxable account. If you withdraw retirement account funds, the transaction will be taxable at ordinary income rates and may be subject to penalties. TreasuryDirect® accounts cannot be retirement accounts.

TreasuryDirect® sells several different types of bonds. Once you reach the purchase page, be sure to select "Series I", the second radio button from the bottom of the page.

To summarize the steps:
  1. Collect social security numbers for each of the spouses.
  2. Find a check for each of the bank account(s) from which you will make the purchase of I Bonds.
  3. Go to TreasuryDirect® Open Individual Accounts and open an account for each spouse. Set up strong passwords for the accounts, write them down and store them safely. (A strong password is very important, so please don't ignore this.) Save copies of all confirmations for a paper trail.
  4. If you are asked to submit FS Form 5444, download it and take the blank form(s) to your bank or brokerage for signature guarantee(s). Mail the completed form(s) to the address stated on the form. (Update: I edited this after a reader comment below. Though I was unable to find a definitive statement online, it appears that this form is only required if 1) your submission can't be validated online or 2) you are randomly selected to submit it. Regardless, you will be instructed to submit it as part of the application submission process if it is required.)
  5. If you will use funds from a brokerage account instead of a bank, sell the appropriate amount of assets. Use funds from a taxable account — TreasuryDirect® accounts cannot be registered as retirement accounts.
  6. When the brokerage trade is completed and funds are available, transfer those funds to the bank account(s) that you registered during the TreasuryDirect® account creation process in step 4.
  7. When the bank deposits are available, log onto your TreasuryDirect® account(s), click the red "BuyDirect" tab, select "Series I Bonds" from the options, and enter your purchase. Your registered bank account number from which funds will be drawn will be in a drop-down box.
When you return to purchase more I Bonds next calendar year, you will be able to skip steps 1, 2, and 3. TreasuryDirect® e-commerce software and paperwork requirements are a bit of a maze, but the steps are necessary to protect your account. These instructions should help, and you can console yourself with the thought that next year's purchases should be a lot easier.