Fidelity to limit 401(k) access by third parties

Fidelity is clamping down on third-party access to 401(k)s, a move that could restrict outside advisors from managing clients’ assets in those accounts.

On Friday, the massive financial services company announced that it would “begin taking steps to prevent platforms reliant on credential sharing from accessing and taking action in customer accounts held at Fidelity.”

That step, the firm stated, “is with customers’ best interests in mind to enhance security and reduce customer data exposure.”

It’s also a major roadblock for fintechs like Pontera that specialize in giving advisors a way to access clients’ accounts without having 401(k) participants give advisors their login credentials directly. That company, which quickly responded to Fidelity’s announcement on Friday, has raised at least $160 million across numerous funding rounds and has clients including SageView Advisory Group, Dynasty Financial, SignatureFD, and Savant.

In May, Stifel announced that it signed on with Pontera to give more than 2,400 advisors access to as many as 200,000 client accounts.

“Safety and security are core to our company. We are committed to helping Americans make the most of their retirement savings,” Pontera said in a statement provided by a company spokesperson. “We maintain strong relationships with record keepers and aim to partner to deliver the best outcomes for our shared customers.”

That firm sent a letter to clients last week, according to a report on Friday by Financial Advisor IQ. It provided suggested language for comments to Fidelity that would urge the company "to explore collaboration," the spokesperson said.

"We can confirm that Fidelity is proactively seeking to engage with those impacted by these changes," a Fidelity spokesperson said in an email. "We have requested more information on how they are working with other record keepers, which we have not yet received. In the meantime, we feel we need to work toward prohibiting access through credential sharing to protect our clients and their assets."

For its part, the company said that the forthcoming restrictions are necessary to help ensure account security.

“Some third-party fintech firms use credential sharing (e.g., username and password) to access, manage, and trade within their clients’ employer-sponsored retirement accounts, including those held at Fidelity, without plan sponsor oversight,” the firm stated in its announcement. “Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the accounts.”

The firm also said that it expected the change to be “minimally disruptive to clients” but that “they may need to communicate with any outside advisor with whom they work to ensure account transactions are managed as intended given accounts may no longer be accessible by advisors via certain third-party platforms.”

"The financial advisors that have chosen to work with these third-party fintechs have done so independent of their relationship with Fidelity," the company spokesperson said. "This type of credential sharing is misaligned with Fidelity’s core principles and beliefs. Fidelity works in partnership to support many advisors who securely advise on employer-sponsored retirement accounts with plan sponsor oversight."

The halt to third-party credential log ins follows a change Fidelity made last year to eliminate “screen scraping” from its systems, resulting in nearly all consumer data sharing happening through its own application programming interfaces, or APIs, the firm noted. The middleware firm Akoya is a spinoff of Fidelity, the business it uses for APIs, among others.

“Security considerations need to be balanced with consumer access and experiences. Open banking, which enables consumers to securely permission their data to third parties, is built on this premise,” Sima Gandhi, senior advisor at FS Vector, said in an email. “Importantly, when entities take steps that materially impact consumers, those should be done in consultation with industry stakeholders to minimize disruption.”

How important it is for advisors to make transactions in clients’ 401(k) accounts, rather than just viewing them and making recommendations to customers, may vary.

“It is important to understand what the advisor is looking to accomplish with access to the 401(k) platform,” said Chuck Failla, CEO of Sovereign Financial Group, in an email. “Specifically, does the advisor simply want to establish a stable link between the 401(k) platform and their account aggregation system with a goal of having a single point to view all the client holdings? Or does the advisor want to actually have the ability to get into a client’s 401(k) to place trades?”

The former is critical to most, while the latter is nice to have, he said.

Pontera’s service provides the convenience of not having to have clients make their own allocation changes within 401(k)s, though using the service adds costs, he noted.

“For that reason, not all advisors will pursue that solution, which is why I believe it’s less of an issue if ‘trading access’ gets closed down,” he said. “However, it is very important to note that the ideal would be to maintain both types of access, which would give the advisors and their clients choice – that’s always paramount in my book.”

Editor's note: This story was updated to include comments from Fidelity.