Sunday, June 17, 2007

Firstrade Privacy Shenanigans

I've been with Firstrade for some time now, allowing me to invest what little extra money I occasionally find. When initially establishing the account, I faxed my life away to them (voided check, form filled with personal information, etc). I've expressed my frustration with the number of paper documents they use, littered with personal information, so I was happy when they offered an online version of the information. My shredder finally got a reprieve.

Recently, however, I changed the institution with which I bank and attempted to notify Firstrade of the same. As directed on their website, I sent the updated forms via fax to them. A day later I received a notice via email stating that I needed to take the forms, a voided check, and two forms of ID and mail the information to them. Having lost a passport in the mail recently, I was not happy with the idea of putting every piece of personal and financial information into one envelope handled by the USPS.

So I inquired as to the rationale behind this demand. After all, my experience with a passport would support an argument that fax is more secure than postal mail. If their concern was regarding the reputability of facsimile documents, I believe that there is ample legal precedent to prove that such requirements are unnecessary. This was the response:

Thank you for emailing Firstrade. Please note that currently Firstrade requires that amended ACH setup requires you to send in the actual form with the voided check. This is a risk management issue that we are working out with ADP Clearing. We apologize for any inconvenience.

"Risk management". Why did that sound familiar? I deal quite a bit with management throwing the term around, so I know how it can be abused. Does the term actual have any valuable meaning in the above statement? It did not to me. It appeared as if they wanted to throw in a obtuse term which will intimidate the average customer to simply accept the assertion. I'm a bit more stubborn than that, unfortunately.

The only conclusion I could draw was that, due to some dispute between them and ADP, they are placing the burden of the "risk" upon the customer. I wasn't too happy with that:

I don't believe I fully understand:

To cover your "risk-management" concerns, you're putting my personal information at risk by forcing me to send it through the mail? I'm going to put ID cards, a check, and account information into one envelope handled by the USPS? Your risk management is, then, to shift all of the risk onto your customers?

Not going to happen.

Not that I expected to get a concession in response to the email, but I was hoping for at least a more coherent explanation of the "risk" they were trying to manage. Instead, I got an equally cavalier and patronizing email in response:


We are writing in response to your inquiry regarding the ACH profile amendment for your account ***. Kindly note that we are unable to process the amendment at this time, due to the fact that the required documents are not yet received. We understand your concerns about your privacy; however, risk management measures are necessary.

Damn. And I thought that the only place I had to worry about wanton abuse of security terms was while at work.

No comments: