diff --git a/contracts/Vault.sol b/contracts/Vault.sol
index aed1db7..17f3f5e 100644
--- a/contracts/Vault.sol
+++ b/contracts/Vault.sol
@@ -224,6 +224,7 @@ contract Vault is VaultBase, Pausable, Ownable {
 AccountId account
 ) public {
 (address holder, ) = Accounts.decodeId(account);
+ require(msg.sender == holder, VaultOnlyAccountHolder());
 _withdraw(controller, fund, account);
 }
 
@@ -234,4 +235,6 @@ contract Vault is VaultBase, Pausable, Ownable {
 function unpause() public onlyOwner {
 _unpause();
 }
+
+ error VaultOnlyAccountHolder();
 }
diff --git a/test/Vault.tests.js b/test/Vault.tests.js
index 711dc4c..5f80e7d 100644
--- a/test/Vault.tests.js
+++ b/test/Vault.tests.js
@@ -772,7 +772,7 @@ describe("Vault", function () {
 expect(after - before).to.equal(amount)
 })
 
- it("allows recipient to withdraw for itself", async function () {
+ it("allows account holder to withdraw for itself", async function () {
 await expire()
 const before = await token.balanceOf(holder.address)
 await vault
@@ -782,6 +782,15 @@ describe("Vault", function () {
 expect(after - before).to.equal(amount)
 })
 
+ it("does not allow anyone else to withdraw for the account holder", async function () {
+ await expire()
+ await expect(
+ vault
+ .connect(holder2)
+ .withdrawByRecipient(controller.address, fund, account1)
+ ).to.be.revertedWith("OnlyAccountHolder")
+ })
+
 it("empties the balance when withdrawing", async function () {
 await expire()
 await vault.withdraw(fund, account1)
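Review bot: In contracts/Vault.sol (first hunk), the new `require(msg.sender == holder, VaultOnlyAccountHolder());` limits this entry point to the account holder, but the tests in this commit exercise it as `withdrawByRecipient`, so the name and the enforced rule presumably now disagree, and nothing visible documents who may call it. The function header lies outside the hunk; I would add a NatSpec line above it such as `/// @dev Reverts with VaultOnlyAccountHolder unless msg.sender is the holder encoded in account.` and consider a follow-up rename. Passing a custom error to `require` needs Solidity 0.8.26 or later (0.8.27 for the legacy pipeline), so confirm the pragma and compiler settings match; otherwise write `if (msg.sender != holder) revert VaultOnlyAccountHolder();`.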
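Review bot: In test/Vault.tests.js (second hunk), the new negative test asserts `revertedWith("OnlyAccountHolder")`, which is only a fragment of the declared error name `VaultOnlyAccountHolder`. It passes only if the matcher in use does substring matching, and it would then also accept any other revert whose message contains that fragment. Assert the exact error instead, e.g. `.to.be.revertedWith("VaultOnlyAccountHolder")`, or `.to.be.revertedWithCustomError(vault, "VaultOnlyAccountHolder")` if the suite uses hardhat-chai-matchers. The test covers only `holder2`; because this is an authorization check, a further case where the controller signer calls on behalf of `account1` would pin the rule more tightly.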