Is my money really safe with AJ Bell Youinvest?

BananaRepublic

Albermarle said:

Thanks, I didn't know that. I would have thought that if the platform is covered by the £85K limit, then as far as the investor is concerned the buck stops with them. I went to the YouInvest web site and couldn't find any confirmation or otherwise.

This is from the HL website Cash | Hargreaves Lansdown (hl.co.uk)

Interesting. So even though HL opened the account, and you have no direct access to or knowledge of it, it is treated as if it is in your name for the purpose of compensation. It isn’t clear who would have to instigate the claim for compensation if the bank went bust. I suggest HL as they hold the account details, and the funds are inside a SIPP or ISA and they would need to be kept in the wrapper. 

fryderykchopin

Audaxer said:

fryderykchopin said:

BananaRepublic said:

Deleted_User said:

My understanding..
Cash in accounts on the platform £85k per bank protection
Shares and ETFs - no protection (irrespective of platform)
Funds UK domiciled - £85k protection per fund house
Funds IE domiciled - Euro 20k protection (example - Lindsell Train)

If the platform goes bust, you may lose cash subject to an £85K per platform protection, but the platform does not own your shares and funds, they merely act as the adviser/broker. You will not lose your shares and funds, but you will of course have to transfer them to a new platform.

Of course that does not allow for fraud, whereby someone employed by the platform sells your shares/funds and trousers the money. AJ Bell will have systems in place to limit access to trusted individuals, and to catch unexpected activity. I would have thought that this was very very unlikely.

It also does not allow for the case where criminals hack into the web site and sell your funds. The level of security for a web site such as AJ Bell will be very high. For example, when I log on, I have to enter several passwords. I am a little surprised that they have not implemented security checking by means of a code sent to your phone, or the use of an encryption device as used by the Nationwide Building Society for example. However, it is very unlikely that a criminal could hack in unless you gave them your passwords, which sadly does happen when criminals phone people pretending to be employees of the fund manager. The back end systems will be very secure. How secure? That is something for a cyber security expert to comment on.

I just opened my account and they have the option to send a code to your phone when you log in, but it is disabled by default, you need to enable it in the settings of your account. You will also need to install their app, that's how you will get the code (not via sms).

If you have to download the AJ Bell App to get a code to log-in, is the App purely for supplying the code, or can you view your account via the App?

You can do both. The app is fully functional, you can see your account and trade from the app, etc. When you log in using a desktop computer/web browser, then the app will also give you the code.

masonic

BananaRepublic said:

Albermarle said:

Thanks, I didn't know that. I would have thought that if the platform is covered by the £85K limit, then as far as the investor is concerned the buck stops with them. I went to the YouInvest web site and couldn't find any confirmation or otherwise.

This is from the HL website Cash | Hargreaves Lansdown (hl.co.uk)

Interesting. So even though HL opened the account, and you have no direct access to or knowledge of it, it is treated as if it is in your name for the purpose of compensation. It isn’t clear who would have to instigate the claim for compensation if the bank went bust. I suggest HL as they hold the account details, and the funds are inside a SIPP or ISA and they would need to be kept in the wrapper. 

HL would need to provide the FSCS with a list of investors and the amounts of cash they held for each in the respective collective nominee account. If a major bank goes bust, but the nominee using said bank to hold client money survives, it is unlikely individual customers will need to get involved with a formal claims process.

masonic

Deleted_User said:

My understanding..
Cash in accounts on the platform £85k per bank protection
Shares and ETFs - no protection (irrespective of platform)
Funds UK domiciled - £85k protection per fund house
Funds IE domiciled - Euro 20k protection (example - Lindsell Train)

It is certainly the case that if your cash held in a bank gets lost by the bank the protection comes from the bank, if your shares lose value there is no protection, if your ETFs suffer fraud there is no protection, if your open ended funds suffer fraud you have the protection of the regime in which they are domiciled. However, if you hold any of these assets through an FCA authorised investment firm, and said firm loses some or all of those investments and cannot repay you, you have up to £85k protection for whatever combination of cash, shares, ETFs and open ended funds they were holding for you and lost.

fryderykchopin

BananaRepublic said:

Albermarle said:

BananaRepublic said:

Albermarle said:

If the platform goes bust, you may lose cash subject to an £85K per bank protection

Alternatively if the bank went bust and you already had separately £85K with that bank , then the cash in the platform that was held by that bank will not be covered AFAIU.

Apologies, I meant per platform protection. The money is held by the platform, not a bank. 

If you are holding cash inside an investment platform, the platform deposits it with a bank . This will not be obvious from looking at your account but if you read the platform info you will find this is the case .
It seems that if the bank goes bust you have to claim the up to £85K compensation and not the platform.
If you happen to have money separately in the same bank then the overall compensation limit is £85K including the cash held by the bank via the platform, as far as I understand it.
It's all a bit of grey area and others may understand the situation differently . Plus each platform seems to use a different form of words. 

Thanks, I didn't know that. I would have thought that if the platform is covered by the £85K limit, then as far as the investor is concerned the buck stops with them. I went to the YouInvest web site and couldn't find any confirmation or otherwise.

fryderykchopin said:

BananaRepublic said:

Deleted_User said:

My understanding..
Cash in accounts on the platform £85k per bank protection
Shares and ETFs - no protection (irrespective of platform)
Funds UK domiciled - £85k protection per fund house
Funds IE domiciled - Euro 20k protection (example - Lindsell Train)

If the platform goes bust, you may lose cash subject to an £85K per platform protection, but the platform does not own your shares and funds, they merely act as the adviser/broker. You will not lose your shares and funds, but you will of course have to transfer them to a new platform.

Of course that does not allow for fraud, whereby someone employed by the platform sells your shares/funds and trousers the money. AJ Bell will have systems in place to limit access to trusted individuals, and to catch unexpected activity. I would have thought that this was very very unlikely.

It also does not allow for the case where criminals hack into the web site and sell your funds. The level of security for a web site such as AJ Bell will be very high. For example, when I log on, I have to enter several passwords. I am a little surprised that they have not implemented security checking by means of a code sent to your phone, or the use of an encryption device as used by the Nationwide Building Society for example. However, it is very unlikely that a criminal could hack in unless you gave them your passwords, which sadly does happen when criminals phone people pretending to be employees of the fund manager. The back end systems will be very secure. How secure? That is something for a cyber security expert to comment on.

I just opened my account and they have the option to send a code to your phone when you log in, but it is disabled by default, you need to enable it in the settings of your account. You will also need to install their app, that's how you will get the code (not via sms).

Thanks, I have enabled it. I was surprised to see that it is only used when logging in from the web site, and not when using the AJ Bell app on an iPhone or iPad so they must consider the security on those to be sufficient. It doesn't account for someone having stolen your account details, and logging on from their iPhone. I would like it to use a code sent to your iPhone as an SMS message, which my bank sometimes does.

Having a code sent to your own phone when you are trying to access from it is a bit pointless, and I would say the bank does that just to give you a feeling of higher security.

The reason why a code is sent to your phone is not because accessing through a desktop PC is less secure. The whole idea of the two-factor authentication (2FA) is that if someone manages to steal your login details online and tries to access your account remotely from anywhere, they won't be able as they won't have physically your phone to see the code they need to access. Only the legitimate owner will have the phone number associated to the account and will be the only one who gets the code to access. This is the only reason why it is more secure (nothing to do with the technology used in computers or phones, which actually is pretty much the same).

If you are already logging in from your phone, it is because it's actually you who is trying to access. They can identify your phone through the phone number that you provided at the time of application and other unique identifiers of your device (IMEI). If someone tries to access your account from another phone using the app, it will detect that the phone is not the same and won't work. And if they try to access from another phone using a web browser, then a code will be sent to your phone (just like when accessing from a computeR), not to the thief's phone.

The only way the system could be hacked is if the thief can steal your login details (something that in most cases can only happen online) and also your phone (something that can only happen physically).

BananaRepublic

fryderykchopin said:

BananaRepublic said:

Albermarle said:

BananaRepublic said:

Albermarle said:

If the platform goes bust, you may lose cash subject to an £85K per bank protection

Alternatively if the bank went bust and you already had separately £85K with that bank , then the cash in the platform that was held by that bank will not be covered AFAIU.

Apologies, I meant per platform protection. The money is held by the platform, not a bank. 

If you are holding cash inside an investment platform, the platform deposits it with a bank . This will not be obvious from looking at your account but if you read the platform info you will find this is the case .
It seems that if the bank goes bust you have to claim the up to £85K compensation and not the platform.
If you happen to have money separately in the same bank then the overall compensation limit is £85K including the cash held by the bank via the platform, as far as I understand it.
It's all a bit of grey area and others may understand the situation differently . Plus each platform seems to use a different form of words. 

Thanks, I didn't know that. I would have thought that if the platform is covered by the £85K limit, then as far as the investor is concerned the buck stops with them. I went to the YouInvest web site and couldn't find any confirmation or otherwise.

fryderykchopin said:

BananaRepublic said:

Deleted_User said:

My understanding..
Cash in accounts on the platform £85k per bank protection
Shares and ETFs - no protection (irrespective of platform)
Funds UK domiciled - £85k protection per fund house
Funds IE domiciled - Euro 20k protection (example - Lindsell Train)

If the platform goes bust, you may lose cash subject to an £85K per platform protection, but the platform does not own your shares and funds, they merely act as the adviser/broker. You will not lose your shares and funds, but you will of course have to transfer them to a new platform.

Of course that does not allow for fraud, whereby someone employed by the platform sells your shares/funds and trousers the money. AJ Bell will have systems in place to limit access to trusted individuals, and to catch unexpected activity. I would have thought that this was very very unlikely.

It also does not allow for the case where criminals hack into the web site and sell your funds. The level of security for a web site such as AJ Bell will be very high. For example, when I log on, I have to enter several passwords. I am a little surprised that they have not implemented security checking by means of a code sent to your phone, or the use of an encryption device as used by the Nationwide Building Society for example. However, it is very unlikely that a criminal could hack in unless you gave them your passwords, which sadly does happen when criminals phone people pretending to be employees of the fund manager. The back end systems will be very secure. How secure? That is something for a cyber security expert to comment on.

I just opened my account and they have the option to send a code to your phone when you log in, but it is disabled by default, you need to enable it in the settings of your account. You will also need to install their app, that's how you will get the code (not via sms).

Thanks, I have enabled it. I was surprised to see that it is only used when logging in from the web site, and not when using the AJ Bell app on an iPhone or iPad so they must consider the security on those to be sufficient. It doesn't account for someone having stolen your account details, and logging on from their iPhone. I would like it to use a code sent to your iPhone as an SMS message, which my bank sometimes does.

Having a code sent to your own phone when you are trying to access from it is a bit pointless, and I would say the bank does that just to give you a feeling of higher security.

The reason why a code is sent to your phone is not because accessing through a desktop PC is less secure. The whole idea of the two-factor authentication (2FA) is that if someone manages to steal your login details online and tries to access your account remotely from anywhere, they won't be able as they won't have physically your phone to see the code they need to access. Only the legitimate owner will have the phone number associated to the account and will be the only one who gets the code to access. This is the only reason why it is more secure (nothing to do with the technology used in computers or phones, which actually is pretty much the same).

If you are already logging in from your phone, it is because it's actually you who is trying to access. They can identify your phone through the phone number that you provided at the time of application and other unique identifiers of your device (IMEI). If someone tries to access your account from another phone using the app, it will detect that the phone is not the same and won't work. And if they try to access from another phone using a web browser, then a code will be sent to your phone (just like when accessing from a computeR), not to the thief's phone.

The only way the system could be hacked is if the thief can steal your login details (something that in most cases can only happen online) and also your phone (something that can only happen physically).

Yes some of that is obvious, and some of it is factually incorrect. 

iOS does not allow an app to obtain the device’s phone number, and my iPad does not even have a SIM card. Similarly iOS does not allow an app to obtain the IMEI, or the IMSI. Both of those are associated with a mobile phone, which my iPad is not. So even if what you said was correct, which it isn’t, it would not work for non SIM card enabled iPads. 

So the question remains, how does the YouInvest app know that it is me and not an imposter who has stolen my login details? 

masonic

I don't have any knowledge of the YouInvest app, but the way most apps tie a user to a particular installation of the app is to mint a digital certificate when the app is first run and bind this to the user's login credentials. Using a phone number or IMEI for this purpose would not be secure because those details can easily be discovered.