Fidelity protect customers in the USA, do not do so for the UK

InvestInPoker

Fidelity have a very reassuring page on their .com website

https://www.fidelity.com/security/customer-protection-guarantee

Customer Protection Guarantee: We will reimburse your Fidelity account for any losses due to unauthorized activity.

However that is their website for customers in the USA. I could find no such guarantee for UK customers so I wrote to them and asked if they had the same guarantee for customers here. It took a good week to get a reply but I did eventually get one which said.

Thank you for contacting Fidelity regarding your concerns about the security of your account. I am sorry for our delayed reply and appreciate your patience.

The 'Customer Protection Guarantee' is offered by Fidelity Management and Research Company in the USA and not by Fidelity Investments Limited in the UK

I was left very disappointed by this. Fidelity only employ a password and pin system which is, despite what they might say, not secure enough for anyone wishing to invest a reasonable amount of money (in my opinion).

I also enquired about RSA token authentication. Having this would set my mind at rest as it is fully secure imo and again I have read on forums they are trialling this in the USA. I received this response on that one

Additionally, we do not currently provide an 'RSA token' security procedure for our clients.

Again disappointing, I have had RSA token authentication on online poker accounts of mine for over 5 years. I would have hoped somewhere like fidelity, which deals in bigger amounts of money, would take security a bit more seriously.

Are there any fund supermarkets which do offer proper security? And shouldn't fidelity be extending its UK customers the same protection as its customers from the USA?

bowlhead99

Are there any fund supermarkets which do offer proper security?

The ones I use don't if you mean an extra physical authentication factor - just a logon password (sometimes with a separate security word and sometimes with a separate dealing password)

And shouldn't fidelity be extending its UK customers the same protection as its customers from the USA?

I don't see why they should. They are different products from different sub brands in a different competitive markets. Should all US banks offer chip and pin just because all ours do?

Also, the quote you put up from Fidelity US says they will reimburse you for any unauthorized activity. How much detail does it go into about what happens when you flat out deny a transaction was authorized by you, and needs to be compensated as 'unauthorized activity' and they say it must have been authorized by you because someone logged on from your username and password at a time of day you usually log on from the same ISP? Sometimes 'guarantees' can be a bit hollow.

For what its worth the below is T&C from TD direct. The last sub-clause may be just as good as what you get from the Fidelity US one, on the face of it, because they are responsible for the unauthorised activity unless....... One of the unlesses is if they can show that you have been negligent or fraudulent "or you or anyone else using your username and password has has allowed an unauthorised person to give or enter into an order or communication"

13
Account numbers and security
13.1
When you open an Account with us, you will be issued with an Account number and a Password which provides access to your Account(s).You will be required to provide us with a piece or pieces of identifying information when setting up your Account with us,
which we will use to identify you as our client when you contact us by telephone.
13.2
You acknowledge that in relation to each Account:
13.2.1
you (or if applicable the other joint holder(s)) are the sole and exclusive owner of the Account and Password;
13.2.2
you will be responsible for the confidentiality and use of the Account and your Password; and
13.2.3
(subject to clause 13.3 below) we may rely on all orders and other communications given or entered by you or anyone else using your Account number and Passwords, and you will be bound by any agreement entered into or expense incurred in reliance on such orders and communications.
13.3
We will be responsible for losses you suffer as a result of any agreement entered into or expense incurred referred to in 13.2.3 where you tell us that you have not authorised such order and/or communication unless we can show that you have acted negligently, fraudulently or in wilful default or you or anyone else using your Account and Password has allowed an unauthorised person to give or enter into an order or communication.

jimjames

Do you get equivalent to fscs protection in the USA?

Two questions really, one is security and the other is protection.

If someone does get access to your account what can they do?

Trade and sell/buy?
Move money into your bank account?

I thought all changes were sent in writing to your address and by email so you'd know about it too?

InvestInPoker

jimjames wrote: »

Do you get equivalent to fscs protection in the USA?

Completely different things, FSCS protection is protection from the company going broke and being unable to honour deposited amounts. This Fidelity protection for USA customers is from themselves, against "unauthorised activity" (hackers)

If someone does get access to your account what can they do?

A lot, and you would be naive to assume otherwise

bowlhead99 wrote: »

The ones I use don't if you mean an extra physical authentication factor - just a logon password (sometimes with a separate security word and sometimes with a separate dealing password)

Yep ok this was my understanding as well, it is very poor. Offshore gambling sites (the better, more customer focused ones) are taking customer account protection a lot more seriously than this. These financial institutions are cutting costs at client expense here.

I don't see why they should. They are different products from different sub brands in a different competitive markets. Should all US banks offer chip and pin just because all ours do?

Well ok this is just opinion from both myself and you. It is just Fidelity policy in the USA, nothing else needed, so it is not like chip and pin. I feel if they are offering such a sweeping statement which is very reassuring to their .com customers they should be doing the same here really. If you think that they shouldn't then fair enough.

For what its worth the below is T&C from TD direct. The last sub-clause may be just as good as what you get from the Fidelity US one, on the face of it, because they are responsible for the unauthorised activity unless....... One of the unlesses is if they can show that you have been negligent or fraudulent "or you or anyone else using your username and password has has allowed an unauthorised person to give or enter into an order or communication"

That is good and just the sort of thing Fidelity US are offering. Shame they do not treat UK customers the same.

bowlhead99

InvestInPoker wrote: »

Yep ok this was my understanding as well, it is very poor. Offshore gambling sites (the better, more customer focused ones) are taking customer account protection a lot more seriously than this. These financial institutions are cutting costs at client expense here

Well arguably they are cutting costs at client negative expense, for the clients that don't feel they need the protection. Also, as you mention, the top gambling sites use extra authentication but the mass market ones don't because it's a barrier to casual gamers. And it's not like the gaming sites have been using security tokens forever, even though they could have been doing this for 15-20 years. So perhaps unfair to compare the average of one industry with the most security focussed of another.

I bank with Lloyds, among others, and haven't ever needed a physical security token for my accounts whether onshore or off, and was an early adopter of online banking having been doing it 15+ years. When banks introduce security tokens or keyfob/cardreader devices, they always get moaned about on here.

That is good and just the sort of thing Fidelity US are offering. Shame they do not treat UK customers the same.

My point was that it sounds like a bit of a hollow promise because if "anyone else using my user name and password" "allows an unauthorised person to give an order or communication", or they prove I was "negligent" (not defined, but perhaps e.g. letting someone overhear my password, or writing it down somewhere) then they are carving it out of the protection with their "unless-es"

A cursory "we'll offer you protection except in certain circumstances ", may not be worth the (electronic) paper it's printed on, when you come to test it.

If you are looking at the common platforms and don't like the security options you could always look at having an offline account. TD Direct who are quite mainstream but decently-featured as brokers go, use voiceprint recognition if you call them. Although if you fail it they will still deal with you after doing some other security questions that a hacking"social engineer" would or could probably know about you and your account.

Of course, dealing is more expensive if you do on phone with them rather than DIYing online. Likewise there will be plenty of expensive brokers and intermediaries that haven't even set up a cheap online service and so you wouldn't even be offered an insecure web interface, and thereby might judge the risk to be lower.

InvestInPoker

bowlhead99 wrote: »

Well arguably they are cutting costs at client negative expense, for the clients that don't feel they need the protection. Also, as you mention, the top gambling sites use extra authentication but the mass market ones don't because it's a barrier to casual gamers. And it's not like the gaming sites have been using security tokens forever, even though they could have been doing this for 15-20 years.

Absolutely not true. you say the "mass market ones" don't. The biggest sites do and the ones that are specifically "mass market" (do not want to mention names on a non gambling board). It is also not a barrier at all. You choose to have it on your account or not, and the better the customer you are the less you pay for it. If you want it and hardly play at all that's fine but you cover the cost. If you want it and play loads you get it for free - and all gradients in between. Also, it is personal choice if you have it or not.

So perhaps unfair to compare the average of one industry with the most security focussed of another.

I asked if any internet investment sites for UK customers provided RSA token authentication. It appears not. When you are in the business of holding peoples money, I believe your security should be scrutinised.

When banks introduce security tokens or keyfob/cardreader devices, they always get moaned about on here.

It should be a choice, if you want it on your account you have it otherwise not. I would also be willing to cover the cost.

I have had the card reader versions of the security for some banks. They are very user unfriendly. The token authentication you can have on your keys is by far and away the best way.

DesG

InvestInPoker wrote: »

The token authentication you can have on your keys is by far and away the best way.

Unless every service requires one, then you would need a padawan to carry them all behind you


Personally, I am on the fence. It really gets on my tits to have to use a card reader plus card, or doodah without card just to login to all my accounts and check a balance, check if a transaction has gone in/come out.

Places like FD and NW have the right formula, where I can login without my card/reader/doodah and can perform normal transactions, but can't add a new payee/apply for a new product, change any of my contact details, without using the additional security.


M&S which require me to use their doodah just to login and see my balance, can have their account back the day after my 0% purchases period expires.

masonic

Token based 2-factor is not without its risks and quite inconvenient.

Best option I've seen is automated phonecalls to authorise high risk transactions as used by Lloyds group, which still offers some protection even in the event of a security breach.