TreasuryDirect Wikipedia article
August 23, 2022 10:17 PM
I find TreasuryDirect.gov fascinating and frustrating. It's an aging web application that dates back to 2002, and for many years it was used by relatively few people, mostly US citizens who wanted to buy or redeem savings bonds — which heavily declined in popularity over the past few decades, since they had relatively low interest rates. TreasuryDirect suddenly got millions of new users over the past year because of high interest rates on inflation-protected Series I bonds, and the system and its customer support team have been struggling. I wrote an in-depth Wikipedia article covering the history of this service since it started in 1986, including details about a replacement web application that the Treasury has been working on since 2014.
Article includes juicy details about: TreasuryDirect's bananas account processes that can involve something called a medallion signature guarantee, incredibly long wait times for customer support, a vintage password entry interface, and an example of a new system taking forever to get released possibly due to its waterfall-style software development process.
I work on unrelated government systems, so I have sympathy for the complexities of this kind of project, while also knowing that this system could and should be better.
Role: writer, researcher
Yeah, a virtual keyboard was an understandable guess about risk mitigation in 2002, but not in 2022. The current government standard, NIST SP 800-63B, is pretty good and includes "Support copy and paste functionality in fields for entering memorized secrets, including passphrases" (page 53).
posted by dreamyshade at 9:32 AM on August 24, 2022
Fascinating. I actually looked into treasurydirect.gov earlier this year myself.
I wasn't quite sure what to make of the site. It wasn't the vintage that concerned me, but the fact that it doesn't seem to look like any other .gov website. I could have dug into the book rather than judging it by its cover, but time is short these days.
The Wikipedia entry is nice.
posted by schmudde at 10:18 AM on August 24, 2022
Last year I realized that while CD rates were better than savings, neither have matched inflation in like a decade. And while that's the case, might as well just buy into I series bonds. But man that website is terrible and your complaints are spot on. One thing you didn't mention is that TD's session management is so bad that if you click the browser's back button it logs you out, and warns you about it when you log in.
posted by pwnguin at 9:45 PM on August 28, 2022
Ahaha yeah that browser button thing. I added a brief note about that to the article, but I haven't been able to find a suitable source explaining why TreasuryDirect's justification of "security reasons" makes no sense, so I can't include that aspect in the Wikipedia article.
posted by dreamyshade at 11:40 AM on August 29, 2022
Ahhh, that medallion thing got me to join a credit union earlier this year just to get the form stamped. My regular bank was online-only, so I had no way to get the signature I needed from them. What was driving me bonkers was that to confirm my bank when I set up the TD account initially, I just needed to do that normal deposit verification thing, where they make three really small deposits into your account and you tell them how much each deposit was. My partner recently created a new account, and was able to do the deposit verification. Why do I need to get the extra special stamp to change accounts instead of just doing deposit verification? Why? Why? Why?
posted by amarynth at 4:03 PM on August 29, 2022
Yeah, to establish my account, I had to set up a new local bank account, wait three months, spend half a day finding a branch with somebody who could do the stamp, then mail the form and wait for processing. My motivation for this whole overly-detailed research project is to try to figure out why TreasuryDirect is so bananas.
I can try to do a five whys exercise:
Why did you have to do that at all? Treasury has a custom online verification service that is not robust, instead of using login.gov. When that doesn't work, their regulations (last updated in 2009) require the form to be signed by a person "authorized to bind his or her institution by his or her acts, to guarantee signatures to assignments of securities, or to certify assignments of securities". This medallion signature guarantee requirement has not changed since TreasuryDirect launched in 2002.
Why does it require that special authority related to securities, instead of simply requiring an offline form of identity verification, such as a notary? I don't know. The rule that established this requirement doesn't seem to explain why they made that choice. The form itself does not explain why. Some other Treasury forms allow notarizing for identity verification, so it's not like they only had one process and had to use it for everything. Treasury has said that they are working to allow notarizing this document.
Why don't they use login.gov? Login.gov launched in 2017. The TreasuryDirect system dates to 2002, and I can't imagine it could be retrofitted sufficiently to migrate to using login.gov. I don't know whether Treasury is planning to use login.gov in their replacement system.
Why is the current system so old? Treasury has been planning a replacement system since 2014, and they appear to have spent six years planning it, since they started development in FY 2020. They have not released anything yet. In the meantime, they appear to not have made any significant user-facing updates to the current system.
Why haven't they released the replacement? There appears to be an entrenched culture of enterprise waterfall-style software development. Many other agencies have shifted to more agile-style development, influenced by USDS and 18F (nicely summarized in this 2020 guide to de-risking software projects in the federal government). In 2021, Treasury's outgoing CIO said that he had been working to modernize Treasury systems and practices, but I don't know how far that got, and I haven't found much about the current CIO.
posted by dreamyshade at 6:08 PM on August 29, 2022 [1 favorite]
Oh I see, you're asking about the form for changing bank accounts, not the form for initial identity verification. I have no idea on the first few "whys" for that question.
posted by dreamyshade at 6:16 PM on August 29, 2022
I somehow locked myself out of my account and sat there in dumb disbelief that (I think) I would have to go through the whole medallion thing or something similarly onerous just to get my password reset. But, then, out of nowhere, a few weeks later, I got an email from Treasury Direct saying my account had been unlocked. I'm thinking they're simply overwhelmed and doing what they can to reduce the number of people who are sending them various paper documents to do silly things like resetting a password. Anyway, I've been too afraid to try and log in for fear of being locked out again.
posted by flamk at 6:30 PM on September 9, 2022
Progress!
As of May 2023, the TreasuryDirect login screen allows normal entry of a password. Previously, the login screen required the user to enter their password using a virtual keyboard, which prevented copying-and-pasting a password or automatically entering a password using some password managers.[12] This virtual keyboard made using a strong password more difficult, and people made unofficial bookmarklets and browser extensions to enable pasting a password.[17]
As of December 2022, the TreasuryDirect website allows people to connect their account to a new bank account online.[18] Previously, if a person needed to correct their bank account or add a different one, they needed to complete the paper signature guarantee process.[19][20]
posted by pwnguin at 9:12 AM on May 8, 2023
posted by jedicus at 7:43 AM on August 24, 2022