2019-08-16

Dollar Cost Averaging Is Ill Founded And Overrated

Scope And Purpose Of This Post

[Image: visual metaphor for DCA's inconsistency]

Dollar cost averaging (DCA) is a strategy of deliberately delaying the investment of money.  I will argue that DCA is an ill-founded and logically inconsistent way to manage risk.  The superior way to manage risk is a well-chosen asset allocation.

I'm going to take some time to define my terms, because people use the term DCA in different ways.  I'm not arguing against all of the different flavors of DCA, just a particular flavor.

I'll point to some existing great work on how DCA has been disappointing historically, but the heart of the post is explaining on a conceptual basis why DCA is disappointing and not a coherent approach to investing.  Proper asset allocation is the superior and coherent way to manage risk.


Terminology

S/B notation: for this post, "75s/25b" is shorthand for "75% stocks, 25% bonds".  It can be shortened to "100s" for "100% stocks" and it can be extended to "70s/20b/10c" to indicate 10% cash as well.

Asset Allocation: the proportions of stocks, bonds, real estate, cash, gold, etc, that you own.  For instance, you might have a desired asset allocation of 75s/25b, or a more aggressive 100s/0b.  Your desired asset allocation should reflect the risk-and-return profile that is appropriate for you.

Cash: in investing/savings contexts, this isn't just physical dollar bills, but also very short-term interest-bearing assets, like money in a savings account, money market fund, or even 1-month treasury bills.  These are very "safe" assets in being very unlikely to lose nominal value.

Lump Sum Investing (LSI): if you receive a sum of money, you immediately invest it in accordance with your desired asset allocation.  For instance, you inherit $100K and you immediately invest it in stocks and bonds in accordance with your desired asset allocation of 75s/25b.  The core goal of LSI is to invest earlier rather than later to get more growth out of your money and to keep your asset allocation in line with your desired risk-and-return profile.

When people say "dollar cost averaging" (DCA), they usually mean one of two things:
  • DCA1: If you receive a large sum of money, you don't do Lump Sum Investing (LSI) where you invest it all at once.  Instead, you initially keep the money as cash and invest it gradually over time, perhaps over a period of years.  The core goal of DCA1 is to invest across time to buy in at different price levels (thus the name) and to avoid investing all of your money at an unfortunate time (like a stock market peak). This is "DCA as opposed to LSI".
  • DCA2: Continuously saving and investing (like every time you get a paycheck) over the course of years.  Just keep investing, don't try to time the market and pull out of equities before a predicted stock market crash.  The core goal of DCA2 is to invest your money as you earn it and to stick with your plan even when things look scary.  This is "DCA as opposed to market timing".
As an example of how DCA is used in different ways, here are two articles from Nick Maggiulli's Of Dollars And Data site:
  • How To Invest a Lump Sum, where he argues for LSI and against DCA1: "What if the market crashes right after you invest?  Wouldn’t it be better to average-in over time (i.e. dollar-cost averaging/DCA) to smooth out any unlucky timing on your part? Statistically, the answer is no."
  • Even God Couldn’t Beat Dollar-Cost Averaging, where he argues for DCA2 and against market timing: "You have 2 investment strategies to choose from ... Dollar-cost averaging ... Buy the Dip".
So, same guy, same blog, arguing against DCA1 and for DCA2, using the same term for both.  He's a smart guy who knows what he's talking about, but readers might confuse themselves if they mentally use the same label ("DCA") when thinking about both articles.

DCA1 is what I will argue against.  I approve of DCA2, which is really just the buy-and-hold (BAH) part of the Boglehead passive investing approach.  The next section will spend some more time distinguishing DCA1 vs DCA2 so that we don't think about "dollar cost averaging" in a confused manner.

2019-08-02

Account Recovery: Insecure And Uncertain

Summary

Account recovery procedures (ex: when someone says they lost your password and/or phone) are often the easiest way for attackers to gain access to your account, and unfortunately there is very little advice on how to deal with it, other than "turn your username, email, and security answers into unique, hard-to-guess things", in other words: make everything a password.  But account recovery procedures often make that tactic useless.

Also, I am doubtful that adding extra account recovery options (recovery phone numbers, alternate emails) is a good idea for people who are using a password manager to create and store strong, unique passwords, and have taken steps to make sure they won't lose access to their password database.  Extra account recovery options are extra ways for bad guys to get into your account and are often easier than guessing your password.

Motivation And Background

The computer security field has some things about account security pretty well settled, like: use a password manager to generate and store strong, unique passwords for your accounts.  I think one of the big remaining questions is: how should users manage the risk from account recovery procedures (when someone claims to have lost your phone and/or password)?

To illustrate how bad account recovery procedures from popular account providers can be, Betfair only required a username and date of birth to change someone's password, and here's the tragic story of Mat Honan from 2012:
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn't get into his Me.com e-mail – which, of course was my Me.com e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.... It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.
It also used to be that to take over an Amazon account, all you had to know was a person's name and their shipping address, and to make three calls to customer service.  You could use the name and address to find out the registered email address, then use those three things to add a phony credit card number, then use those four things to change the associated email, and then trigger a password reset using the new email address.

This is extremely scary.  To continue the old Amazon example, for a long time your Amazon password (and probably 2FA if they even offered it at the time) offered no protection against someone who knew your name and physical address.  I don't really know what someone could do to guard against that.
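One way to reason about chains like the old Amazon one, as an added illustration that is not from the original post: model each recovery step as "facts the caller must already hold -> fact the step yields", forward-chain from publicly discoverable information, and ask whether account access is reachable without the password and which single step, if hardened, breaks the chain. The step names and fact labels are constructed here from the post's description of the historical process; they are not a current flow.

```python
# Added illustration (not from the post): model account-recovery steps as
# "facts required -> fact gained" rules and forward-chain from public
# information to see whether account access is reachable without the
# password. Rules and labels are constructed from the post's description
# of the old Amazon process; they are historical, not a current flow.

# (step name, facts the caller must already hold, fact the step yields)
AMAZON_OLD = [
    ("look up registered email", {"name", "address"}, "email"),
    ("add phony card via support", {"name", "address", "email"}, "card_on_file"),
    ("change account email via support",
     {"name", "address", "email", "card_on_file"}, "control_email"),
    ("password reset sent to new email", {"control_email"}, "password_reset"),
]
# The intended path: knowing the password gives access directly;
# a completed reset gives access too.
LOGIN = [("log in", {"password"}, "access"),
         ("log in after reset", {"password_reset"}, "access")]

def reachable(start, rules):
    """Apply any rule whose requirements are satisfied until nothing changes.
    Returns the final set of facts and the ordered list of steps used."""
    known, trace = set(start), []
    progress = True
    while progress:
        progress = False
        for name, needs, gain in rules:
            if gain not in known and needs <= known:
                known.add(gain)
                trace.append(name)
                progress = True
    return known, trace

def access_from(start, rules, goal="access"):
    """True if `goal` is reachable from the starting facts, plus the trace."""
    known, trace = reachable(start, rules)
    return goal in known, trace

def chain_breakers(start, rules, goal="access"):
    """Steps whose removal (i.e. hardening that recovery step) stops `goal`
    being reachable from `start`; these are the controls worth fixing."""
    return [r[0] for i, r in enumerate(rules)
            if not access_from(start, rules[:i] + rules[i + 1:], goal)[0]]

if __name__ == "__main__":
    public = {"name", "address"}          # what anyone could look up
    ok, steps = access_from(public, AMAZON_OLD + LOGIN)
    print("access without password:", ok, steps)
    print("hardening any of these breaks the chain:",
          chain_breakers(public, AMAZON_OLD + LOGIN))
```

The same model extends to any provider: add that provider's recovery steps as rules and see whether the set of facts an outsider can obtain ever reaches "access" without passing through "password".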

A big part of why account recovery is insecure and will probably continue to be so for a long time is the incentives faced by the account providers.  On any given day, legitimate customers who have lost their phones and passwords outnumber bad guys.  Businesses want to please their customers, and the convenience-security trade-offs being made are probably close to what most customers want.  The average Amazon/Apple customer does NOT want to be locked out of their account just because they forgot their password.