## This was originally posted as
##
##   https://old.reddit.com/r/fidelityinvestments/comments/xnp5eo/serious_website_issues_pay_attention/
##
## but Fidelity's social-media censorship department deleted it, along with
## the few comments it had accumulated.  They couldn't face the bare truth
## that they could do anything wrong.

So I'm just getting set up for online access to a trust account; I'm a legal co-trustee, but had to set that status up with Fidelity and submit all the necessary paperwork. I've gotten through most of it, but in exploring the website I ran into a few serious gotchas, UX screwups, and flat-out security problems.

Several functions are deliberately hidden or greyed out depending on account age. Since the trust had to transition to a new account for subtle reasons, things like flagging a phone number as mobile can't be done right away. But then later, once I was able to do that and add an email address and try to go paperless, it turned out that the fact that I'd done that was NOT showing up in other areas of the website. Despite several reloads, re-checks, etc. Thinking this was a website-end problem, I called support. It turns out that this is known behavior, that a freshly added email address takes a day or so to "propagate" to other backend areas. But there is NO WARNING about that, so the user's expectation is that once you add email, it's valid everywhere else. But their stupid chatbot nonetheless kept griping at me to add an email address, over and over, as I moved around the site.

Then I went to look at linking to an external bank account, expecting the usual "micropayment" authorization mechanism to be launched. That page came up totally blank, until I poked around in the debugger and proxy log and realized that they were trying to blindly load script content from "jquery.com" and run it. WHAT. THE. FUQ. Red flag... *No* financial institution should ever be doing that. jQuery, not to mention several of the other third-party tracker sites they also try to load, is not a trusted resource, I don't care what they try to say about "partnerships". They need to pull all such components IN-HOUSE, vet them, and serve them out from their own controlled resources. I don't permit connections to most of those standard trackers anyways, like demdex, omtrdc, ensighten, doubleclick, etc. All complete fluff, don't need it.

So once I finally gave a little and let the external-ACH link page and its sketchy fetched code come up, it offered something called "Plaid" which I was expected to give my other bank credentials to [uh, *wrong again*] or set it up manually with routing/account like I would usually do anyway. So I selected that. The only presented option afterward was to download a PDF form and mail it in with medallion signature guarantees. Huh? No option for micropayments and waiting a few days like usual. The rep, still on the phone while I was trying to work through this and tell him the obstacles I was running into, said that there's a *THIRTY DAY* hold-down on authorizing EFT online. Again, with NO warning or indication that it's policy, just missing/hidden expected functionality. What I still don't know is, does that also affect being able to authorize ACH-based payments? The account *does* have checkwriting enabled, how about even using that in the usual "send the biller a voided check and a signed form" method?

This is NOT how you design a user-friendly UX, even if you're going to stop a user from doing certain things -- you need to clearly state the issue and the REASONS they are unable to select a function. I was reassured that none of this was blocked simply because it was a trust account instead of a personal one, but for all I know the rep could have been wrong about that.

I asked the rep to submit a LOUD support ticket about all this, I hope he did, but it's worth backing that up with a few more critical eyeballs on the problem(s). C'mon, Fidelity, your web designers can do better than this.

_H*
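
An added example, not part of the original post and not Fidelity's code: a small audit for the script-loading problem described above. It lists every externally hosted script tag on a page and whether it carries a Subresource Integrity pin; the page URL, hostnames, markup and first-party allowlist are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: placeholder hosts and markup, not the real site's page.
PAGE_URL = "https://bank.example/link-external-account"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script src="//cdn.vendor.example/lib.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
<script async src="https://tracker.example/t.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""


class ScriptAudit(HTMLParser):
    """Collect <script src=...> tags served from outside the first-party domains."""

    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = {d.lower() for d in first_party}
        self.findings = []  # (host, resolved URL, has SRI pin)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or not attrs.get("src"):
            return  # inline scripts have no remote origin to check
        url = urljoin(self.page_url, attrs["src"])  # resolves relative and // URLs
        host = (urlsplit(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in self.first_party):
            return  # served from infrastructure the site controls
        self.findings.append((host, url, bool(attrs.get("integrity"))))


def audit_scripts(html, page_url, first_party):
    """Return the third-party script findings for one HTML document."""
    parser = ScriptAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return parser.findings


def unpinned_hosts(findings):
    """Hosts whose code runs in the page with no integrity check at all."""
    return sorted({host for host, _url, pinned in findings if not pinned})


if __name__ == "__main__":
    for host, url, pinned in audit_scripts(SAMPLE_HTML, PAGE_URL, {"bank.example"}):
        print(("pinned  " if pinned else "UNPINNED"), host, url)
```

An integrity pin only stops the browser from running a file whose contents have changed; the script is still fetched from the outside host, so serving it in-house as the post asks remains the stronger fix.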