Crapification, Vanguard Style: Customer Service Rep Bullies Your Humble Blogger into Taking Security Risk
Today we have another small case study in crapification, and this time, from Vanguard, a company that has no excuse.
Asset management is a particularly secure business if management doesn’t screw it up. Admittedly, it does have significant scale economies, which means a dominant player like Vanguard already has huge economic advantages. Retail asset managers also have exceptionally sticky customers. Fund managers like Vanguard that focus on passive strategies aren’t subject to investment pickers having a bad run and customers fleeing as performance flags; they compete based on replicating the index at the lowest cost and providing decent service.
And with the Fed highly attentive to the perceived importance of propping up asset prices, fund complexes like Vanguard suffered only a dip in revenues when asset values fell in March, but even in April, it had net investor inflows. And yes, every company that runs call centers has had to figure out how to minimize Covid-19 risk, which has often meant having employees work from home. But Vanguard certainly sorted out its Covid-19 adaptations months ago.
Yours truly has been a Vanguard customer for a very long time, both directly and for the last nearly 15 years also as a limited agent on my mother’s account. I would just about never need any service from Vanguard, and it was usually of the “Where do I find this form on your site?” sort.
Moreover, since those queries were related to my IRAs, I knew the drill. Call during hours when IRA specialists were available. Allow for two normally not-long wait times, since even if you call on the theoretical IRA number, customers get validated first, then passed on to an IRA specialist.
Heretofore, I never had anything to complain about. The waits were never noteworthy. Vanguard phone reps all seemed intelligent and well versed in their various areas of expertise, and would provide regulatory information when germane.
Yesterday, the Vanguard experience made dealing with airlines during a major snowstorm look good. It took four calls that per my phone records took over an hour and a half to have Vanguard identify which form I needed to complete to execute a non-standard instruction (the rep I eventually got admittedly did pre-complete the form for my review and submission). Note what time of year this is: the dead of summer, on a Thursday, not near any IRS filing deadlines.
And the only reason I got through on the fourth attempt was I called on the Flagship (elite customer) line, using my mother’s ID to get through to a human being.1 If my account was not linked to a Flagship account, I doubt I ever would have gotten to anyone.
And when I finally got to an IRA agent, he was arrogant and incompetent about IT security issues that were clearly Vanguard IT issues of a seriousness that I have never seen on any other financial services website. When I said he needed to report them, he told me he wouldn’t.
Specifically, on the first three failed calls, I had first to deal with Vanguard’s horribly designed automated prompt system, which you can’t get past even though they have only five limited, dopey options that were not even close to my situation. Oh, and they wanted my voiceprint, which I had to reject too.2
That guarantees you won’t get to the right rep. Only one time, on the first call, when I chose the least bad fit, I did get a person, who sent me over supposedly to get another person, but that line rang for over twenty minutes before I gave up.
The second two times I tried the automated prompt system, using the same response that had at least gotten me to a human before I went into forward hell, I got put through to dead air and hung up after a few minutes. I’m now about 45 minutes into this ordeal. I then call the Flagship line.
Even with Flagship, I had to wait more than five minutes to get to a first line rep. I complained to him. He said he would stay on the line with me even though it would go silent (he said he would check in periodically), that it looked like it would take another eight minutes. This wait was a tad shorter than that.
When I finally got to the IRA rep, I explained my problem. He said I needed to send in a completed instruction form which it would take Vanguard seven days to execute. The form was a bit complicated so he said he would fill it out, load it in my personal account Messages section, and I could review it and submit it. He said he would stay online while I looked at it, presumably in case it needed to be redone.
This is where the fun started. Safari is my main browser and I keep Firefox open too.
I have Vanguard as a “favorite” in Safari so I clicked on that to go to Vanguard. Instead of going to the address in my browser, “www.vanguard.com,” I was redirected to “https://investor.vanguard.com/corporate-portal/” AND got a security warning, that the certificate expired, and that this site might be imitating “https://investor.vanguard.com/corporate-portal/” to steal my data.
I told the rep what has happened and that I couldn’t proceed and risk exposing my login and password to a possible phishing site. He starts treating me like a dingbat, that this was clearly my problem and had nothing to do with Vanguard.
I then went to Firefox, put “vanguard.com” as the URL and again get redirected, as my Firefox history shows:
I quickly opened Chrome, tried again and got the same result. I told the Vanguard agent the redirect was happening in three different browsers and anyone who cared about security would be alarmed, particularly given that this was happening in concert with popup alerts from my browsers that these looked like impersonator sites. I also read the URL out to him. He was not interested and made it clear he thought I was an idiot (not so much with his choice of words as with his annoyed and patronizing tone), and added (and this is close to a direct quote) “I don’t have this problem, this is your browser.”3
I told him I could take screenshots and show him how I was getting redirects and security warnings. He again said that he couldn’t receive any e-mails and in any event it didn’t matter, this was my issue, he’d never had any problem like this and he could pull up the Vanguard site just fine.
I try explaining that Vanguard likely has distributed servers to manage the load and what he gets therefore can have nothing to do with what I get. He cut me off and continued to convey that I must be a moron:
Vanguard: “Open Google and search for Vanguard.”
Me: “That won’t change anything.”
Vanguard: “Just do what I say.”
I searched and of course was proven correct:
I clicked through on the second link, after telling him the first link, the ad, showed “investor.vanguard.com” but not the “corporate portal” bit I kept seeing on my redirects. That continued not to interest him.
The Google “vanguard.com” link took me straight back to “https://investor.vanguard.com/corporate-portal/.” I told him and he was clearly angry. “I just used Bing and I’m not having any issue.” I told him he needed to report this problem and he said he wouldn’t.
He then insisted I find a way to click through to a login page. I informed him again I’d gotten warnings this might be a site trying to steal my credentials. He insisted I go ahead. I never would have done this except my accountant had told me I needed this done this week, which was news to me, and I didn’t have any assurance things would be any better with Vanguard on Friday, let alone that I’d be able to get a live IRA person again.
I went back to Safari. I had to override the security warning to click to the next page. I had to override the security warning a second time to log in. And I had to override it a third time, after I had logged in, on the splash page they stuck in my face about signing up for paperless services.
I have been accessing financial services sites for over 20 years, including executing trades at Vanguard, and regularly from non-big-city locations (Alabama and rural Maine). I have never gotten a security warning before, let alone repeated ones in combination with a persistent redirect. Now this all turned out to be OK, even though there’s no good explanation for the redirect. The certificate was likely a stale certificate on a distributed server, but Vanguard should not be stinting on IT to have this happen.
And remember I had come through on an account linked to a Flagship account. Anyone who had gotten my user ID and password could have drained my funds and likely figured out how to go after my mother’s money. And even if this wasn’t a non-trivial amount of money, an institution like Vanguard should be operating on the assumption that the funds it holds are a large percentage and maybe all of that customer’s net worth, and should be treated as significant regardless of the dollar amount. That is what being a fiduciary means.
Instead, I was confronted with a bullying rep who dismissed signs in combination that raised genuine red flags of a bona fide, serious security risk. He did not come to his conclusion based on any knowledge of the IT issue (he also cut me off when I told him I had had top Chief Information Officers as clients and was not unknowledgeable) but simply based on his personal experience, which was irrelevant to what I was seeing. He refused to believe what I said and pressed me to take unreasonable risks based on the fact set. It should not have been hard for him to put me on hold and confer with an IT or security expert. Instead, he pushed me to risk my account safety, and by doing so, my and my mother’s money, out of his ego and ignorance.
If you are considering Vanguard, don’t. Find another broker and fund family. I would leave except it would take time I don’t have.
1 Before you draw the wrong conclusion, virtually all her funds are in an IRA, so it’s pretax. And she is paying for hot and cold running health care aides.
2 What is wrong with these people? There is now technology that can replicate a voice with a clip under ten seconds. Anyone with a voicemail recording is exposed even before you get to people who’ve been on radio, TV, or in a clip on YouTube.
3 I later checked this out with my webhost. He of course confirmed what I knew, that there was no way this was my computer or three browsers all misbehaving in exactly the same way, which is what Vanguard dude kept insisting. My host did say there was a tiny possibility that my ISP was caching pages from Vanguard and the one they had had an expired certificate. I said my ISP was AT&T. My host said, “No way then. AT&T has tons of bandwidth. This isn’t what they do. It’s the sort of thing that could happen with Comcast.”