If you think of your brokerage account security like a front door, you probably feel safe because you have a strong password and you use two-factor authentication. You assume the house is locked. But there is a massive backdoor in the financial world called ACATS, and most people leave it wide open.

The Problem: The “Outside-In” Attack

ACATS (Automated Customer Account Transfer Service) is the system banks use to move your stocks and ETFs from one brokerage to another. It is designed to be fast and convenient.

The catch is that an ACATS transfer starts at the receiving bank, not yours.

If a scammer steals your identity, they do not need your password to drain your account. They just open a new account in your name at a different firm and “pull” your assets toward them. Because the request looks like it is coming from a legitimate financial institution, your current broker often lets it happen without ever asking for your 2FA code.

The Clark Howard Warning

I first heard about this security flaw from Clark Howard. If you know Clark, you know he does not do “panic.” But when he says a security loophole is “insidious,” I listen.

As Clark recently pointed out in his YouTube post, the real danger is your entire portfolio being “pulled” out from under you. He recommends a Transfer Lockdown. After looking into it, I agree it is a total no-brainer. It is the path of least resistance to making sure your life savings do not disappear overnight because of a paperwork loophole.

The Fix: The ACATS Lock

Enabling an ACATS lock (sometimes called a “Security Lock” or “Transfer Lockdown”) tells your broker: “Do not let anything leave this account via the automated system unless I manually unlock it first.”

It is a “set it and forget it” move for your long-term nest egg. It takes five minutes to set up and provides a level of protection that a 20-character password simply cannot touch.

Where to Lock (and Where to Wait)

Not every brokerage makes this easy. Here is how the big players handle it right now:

Fidelity: Easy. Go to the Security Center and toggle “Money Transfer Lockdown” to ON.

Vanguard: Call them. Ask the “Onboarding and Transfer” team for a block on outgoing ACATS.

E*TRADE: Call them. Ask for a “Security Freeze” on outbound asset transfers.

Charles Schwab: Alerts only. They do not have a toggle yet. You must watch your email and text alerts closely.

J.P. Morgan (Chase): Reactive only. They have no proactive lock. If you see a transfer, you must quickly submit a “Rescind Authorization” form.

If an ACATS lock is not available call and ask that they implement this security to setup a ACATS

The Bottom Line

This is a total no-brainer. Protect your money and close and lock all the doors to your financial house. Go to your security settings today. If there is a "Lockdown" toggle, flip it or call your brokerage and ask to implement a lock.