On the evening of July 27, StashAway users began writing panicked Facebook posts in groups about how their bank accounts had been practically drained by the robo-advisor wealth management platform in a series of back-to-back transactions.
These came with no indication of why it was happening, leading some to think that their accounts had been hacked.
The issue seemed to only affect StashAway users based in Malaysia, as Singaporean users had indicated that they were facing no such problem.
Based on the posts and following comments, it was also only users who enabled Direct Debit (setting up monthly automated deposits) who experienced this.
Coincidentally, this happened the same day news broke of StashAway’s latest funding round being completed.
In the Series C fundraising round, it raised RM68.8 million, bringing its paid-up capital to RM153.8 million.
Editor’s Update: Parts of this section have been edited to include more information.
The First Official Response From StashAway Malaysia
According to affected users (and as later clarified in an email from StashAway Malaysia too), 26-27 transactions of a user’s set Direct Debit amount were made to the company.
For example, if they had set up the monthly automated deposit to transfer RM150 to StashAway Malaysia’s partner bank, they may have experienced 26-27 collections of RM150 each by the company.
That same evening, StashAway Malaysia’s Country Manager, Wong Wai Ken sent out an email to affected users detailing that they were aware of the technical issue and what steps they planned to take to rectify it.
In the email, he stated that StashAway Malaysia was working with their Direct Debit service provider, Curlec, and partner bank to fix the issue.
Editor’s Update: Information in the above paragraph has been edited to omit specific details irrelevant to the topic being discussed.
“Rest assured that we have received your funds and that the funds will not be invested. We will credit the full amount back to your bank account by tomorrow 11PM latest,” he wrote.
Affected users should be receiving an update email by tonight (July 28) once they’ve gotten their money back.
Editor’s Update: From the comments in the StashAway Forum group as well as from people we know who use StashAway, it’s been confirmed that all the funds transacted in the error have since been refunded prior to 11PM on July 28.
He also said that they had already taken the necessary steps to ensure that this wouldn’t happen again on their end, but didn’t provide more details yet.
To make up for the massive inconvenience they caused to many users, they’ll be applying a voucher entitling affected users to 6 months of free investing to their account.
“This will be automatically applied over the next few days and you should be able to see the voucher in your app under More > Promotions,” the email read.
Preventing This From Happening Again
At about 12PM on July 28, StashAway Malaysia made a Facebook post on its page stating, “Our priority today is to credit the full amount that was deducted back to your bank account. We’ll be starting the refunds this afternoon.”
Understandably, many users are still upset that this even occurred in the first place, and have made their opinions known.
As they wait for their refunds, we noticed some suggestions from Facebook and Lowyat users on what affected users could opt to do in the meantime, if they’re still concerned about the security of their money.
One option would be to immediately unlink your bank account from StashAway Malaysia or to remove the Direct Debit function from your StashAway account.
In the future, users could also opt to do manual deposits instead, as other users pointed out that we should all have better responsibility and control over our own money.
The affected users all had their StashAway accounts linked to different banks like Maybank, HSBC, Hong Leong Bank, and CIMB, hence it wasn’t only a single bank that had allowed these mass transactions to happen.
After this occurrence, perhaps banks should look into implementing a better system to immediately catch multiple identical transactions made in one go.
On Stashaway’s end, it is extremely important that they will need to be transparent about providing the exact details of:
- What had happened,
- What factors caused it to happen,
- Who the parties responsible for it were,
- What initiatives StashAway and its Direct Debit service provider, Curlec will be taking to prevent something like this from happening again in the future.
If this were to happen again in the future, a simple 6-month voucher for free investing would not make up for it at all, and users would lose confidence in StashAway.
Editor’s Note (updated 29/07/20 at 6:43PM): We’ve reached out to the StashAway Malaysia team and have posted a follow-up article with their updated responses to the whole situation here.
Editor’s Note (updated 31/07/20 at 7:37PM): StashAway Malaysia released a detailed post-mortem analysis of the situation on July 30, 2020 at around 4PM. You can read it here.
- You can read more on what we’ve written about StashAway here.
Featured Image Credit: Vulcan Post / A user on StashAway Forum Facebook