Fidelity to Limit Third-Party Credential-Sharing for 401(k) Access

Fidelity will soon block financial advisers from using third-party fintech services to access clients’ workplace plans.

Reported by Alex Ortolani

Fidelity Investments will soon stop financial advisers from managing participants’ defined contribution assets via third-party technology providers without plan sponsor oversight, according to a security update.

In the update posted Friday, Fidelity wrote that it is seeking to protect customer information by soon blocking third-party financial technology firms that let DC plan participants give their financial advisers account credentials. The firm noted that it does support financial advisers who advise clients on their employer-sponsored retirement accounts with plan sponsor oversight. 

“Fidelity is announcing that the company will begin taking steps to prevent platforms reliant on credential sharing from accessing and taking action in customer accounts held at Fidelity,” it wrote. “This change is with customers’ best interests in mind to enhance security and reduce customer data exposure.”

Fidelity did not name any firms in the post, but referred to third-party financial firms who allow advisers to trade within an employer-sponsored account with participant approval. Financial Advisor IQ originally reported the news.

Fidelity’s move follows a growing trend of financial advisers offering clients the ability to manage their 401(k) or other recordkept assets alongside other investments. Pontera has been the most prominent firm in this space, partnering with registered investment advisories to offer DC plan advisement to clients. The firm has held fundraising rounds totaling at least $160 million, and penned deals with firms including Ameritas, OneDigital, SageView Advisory Group and many more.

“Safety and security are core to our company,” a Pontera spokesperson says in response to Fidelity’s statement. “We are committed to helping Americans make the most of their retirement savings. We maintain strong relationships with recordkeepers and aim to partner with them to deliver the best outcomes for our shared customers.”

Future Capital is another player in the space, though their model until recently has been to manage the RIA advisement for financial adviser partners; as of June it also started offering a direct line to plan management. The firm declined to comment on Fidelity’s announcement.

Largest Recordkeeper

Fidelity is the country’s largest DC recordkeeper by both participants (31.7 million) and assets ($3.5 trillion), according to the PLANSPONSOR 2024 Recordkeeping Survey; PLANSPONSOR is a sister publication of PLANADVISER.

The next-largest recordkeepers by assets, Empower, Alight Solutions and Vanguard, did not immediately respond to a request for comment about advisers’ use of third-party DC management systems.

Fidelity said the changes will be “minimally disruptive to participants,” but noted that participants may need to tell their financial adviser about the change, as “accounts may no longer be accessible by advisers via certain third-party platforms.”

The recordkeeper said it is seeking to protect participants from security risks from sharing credentials, particularly when it comes to executing trades for their accounts.

“The financial advisers that have chosen to work with these third-party fintechs have done so independent of their relationship with Fidelity,” a Fidelity spokesperson said via email. “The fintechs in question use credential sharing to access and take action on employer-sponsored retirement accounts without plan sponsor oversight. This type of credential sharing is misaligned with Fidelity’s core principles and beliefs. Fidelity works in partnership to support many advisers who securely advise on employer-sponsored retirement accounts with plan sponsor oversight.”

The move also follows a change Fidelity made in 2023 to try to stop “screen scraping” by third-party financial service providers. In that case, the firm noted it was seeking to protect customer data by having those providers use Fidelity’s standardized application programming interface, or API, to access customer accounts.

Security Concerns

Sean Kelly, a financial adviser and vice president with Heffernan Financial Services, says when he saw the letter Fidelity was sending to plan sponsors concerning the change, he saw it as a positive in protecting participant data.

“I saw this as in the best interest of the participant in terms of protecting them from the potential risks that come through sharing credentials,” Kelly says.

The adviser notes that, when considering the various potential hacks and cybersecurity concerns for plan fiduciaries, it makes sense that Fidelity would be concerned with third parties accessing plan participant accounts; he notes having considered similar third-party management programs and declining to use them in part due to security concerns.

Steve Boms, president of Allon Advocacy LLC and executive director of the Financial Data and Technology Association [of which Pontera is a member], takes an opposing view, calling the move by Fidelity similar to security concerns expressed by the banking industry years ago.

He says that around 2016, banks sought to block access to consumer data by third-party financial firms over security issues. Fast-forward to today, and many banks have set up an API for those third-party providers to ensure a secure connection to consumer information.

“There are ways to facilitate this access safely and securely if, at the end of the day, the goal is for stakeholders to have an adviser manage their 401(k) portfolios,” he says. “In the traditional banking world, all of this tension has for the most part been worked out through industry cooperation and coordination. And all of that was done in a heavily regulated environment due in large part to consumer demand for the services.”

Boms notes that the Consumer Financial Protection Bureau is scheduled to soon issue rulemaking regarding Personal Financial Data Rights that requires banks to make third-party services available to consumers regarding their own accounts. Those same rules also note security concerns around sharing credentials and screen scraping.
