Thanks John, I have read all that. Some specific questions:

• Is there a plan to roll out proper 2FA?
• Why can I email support and have transactions executed without identity validation?
• Can you confirm whether the unauthorized transaction insurance is applicable if (a) a user once used a “third party account aggregator” but no longer does and has since changed their password; (b) a user has logged in to Questrade on “public wifi” but this was not causal in a compromise; (c) a user’s credentials are compromised for any reason not attributable to “carelessness”?

I would deeply recommend clarifying the vague terms present in the “privacy and security online security guarantee” page. Currently, it sure sounds like it is designed to get Questrade out of actually providing any insurance.