
Fidelity restricts sharing of credentials with third parties for 401(k) access

According to a security update, Fidelity Investments will soon prevent financial advisors from managing participants' defined contribution (DC) assets through third-party technology platforms that operate without oversight from the plan sponsor.

In the update, posted Friday, Fidelity wrote that it plans to protect customer information by blocking third-party financial technology companies whose platforms have DC plan participants hand over their account login credentials so that their financial advisors can access and trade in those accounts. The company noted that it continues to support financial advisors who advise customers on their employer-sponsored retirement accounts under the plan sponsor's oversight.

“Fidelity announces that the company will take action to prevent platforms that rely on the sharing of credentials from accessing and taking action on Fidelity customer accounts,” the letter said. “This change is in the best interests of customers to increase security and reduce exposure of customer data.”

Fidelity did not name any companies in the post, but pointed to third-party fintech firms that let advisors trade within an employer-sponsored account with the participant's consent. Financial Advisor IQ originally reported the news.


Fidelity is making this move after a trend of financial advisors offering to manage clients' 401(k) plans and other held-away assets alongside the rest of their investments. Pontera is the best-known firm in this space, working with registered investment advisers (RIAs) to offer clients advice on DC plans. The firm has raised funding rounds totaling at least $160 million and has signed deals with companies including Ameritas, OneDigital and SageView Advisory Group, among many others.

“Safety and security are core to our business,” a Pontera spokesperson said in response to Fidelity's statement. “We are committed to helping Americans make the most of their retirement savings. We maintain close relationships with data custodians and seek to partner with them to deliver the best outcomes for our mutual customers.”

Future Capital is another player in the space. Until recently its business model was to manage 401(k) assets on behalf of RIA partners; since June it has also offered participants a direct route to plan management. The company declined to comment on Fidelity's announcement.

Largest Recordkeeper

According to the PLANSPONSOR 2024 Recordkeeping Survey, Fidelity is the largest DC recordkeeper in the country in terms of both participants (31.7 million) and assets ($3.5 trillion). PLANSPONSOR is a sister publication of PLANADVISER.

The next-largest recordkeepers by assets, Empower, Alight Solutions and Vanguard, did not immediately respond to requests for comment on advisors' use of third-party DC management platforms.

Fidelity said the change would cause "minimal disruption to participants," but noted that participants may need to notify their financial advisor of it because "advisor accounts may no longer be accessible through certain third-party platforms."

The recordkeeper explained that it wants to protect participants from the security risks that come with sharing login credentials, particularly when those credentials are used to execute transactions on their accounts.

“The financial advisors who chose to work with these third-party fintechs did so independently of their relationship with Fidelity,” a Fidelity spokesperson said via email. “The fintechs in question use credential sharing to access and take actions on employer-sponsored retirement accounts without oversight by the plan sponsor. This type of credential sharing is contrary to Fidelity's core principles and beliefs. Fidelity works in partnership to support many advisors who securely advise on employer-sponsored retirement accounts under the oversight of the plan sponsor.”

The move also follows a change Fidelity made in 2023 to stop "screen scraping" by third-party financial service providers. In that case, the company said it wanted to protect customer data by requiring those providers to retrieve account information through Fidelity's standardized application programming interface (API) instead.

Security concerns

Sean Kelly, financial advisor and vice president at Heffernan Financial Services, says that when he saw the letter Fidelity sent to plan sponsors about the change, he viewed it as a positive step for protecting participant data.

“I felt this was in the best interest of the participant to protect them from the potential risks posed by sharing credentials,” Kelly says.

Kelly notes that, given the hacking and cybersecurity threats facing plan administrators, it is understandable that Fidelity would be concerned about third parties accessing plan participants' accounts. He adds that his firm has considered similar third-party management programs and declined to use them, in part because of security concerns.

Steve Boms, president of Allon Advocacy LLC and executive director of the Financial Data and Technology Association, of which Pontera is a member, takes a different view, comparing Fidelity's move to the security concerns the banking industry raised years ago.

He says that around 2016, banks tried to block third-party financial companies from accessing consumer data, citing security. Today, many banks offer an API to those third-party providers so that the connection to consumer information is secured.

“There are ways to provide that access in a safe and secure way when the ultimate goal is for stakeholders to have an advisor manage their 401(k) portfolios,” he says. “In the traditional banking world, all of those tensions have largely been resolved through industry cooperation and coordination. And all of that has happened in a highly regulated environment, largely due to consumer demand for these services.”

Boms points out that the Consumer Financial Protection Bureau will soon issue a rule on personal financial data rights that will require banks to let consumers share their own account data with third-party services. The same rulemaking also takes up the security concerns around credential sharing and screen scraping.