Fidelity Investments is alerting advisors that it is tightening its security protocols to prevent the use of third-party technology for accessing and managing investors’ retirement accounts. The decision targets the growing use of fintech applications that let an advisor log in with an investor’s own credentials to reach that investor’s retirement account, primarily for more active management of those funds.
Fidelity, one of the largest 401(k) providers in the U.S., managing 24 million defined-contribution accounts as of June 30, 2024, is concerned about the security and privacy risks associated with this practice. As a result, the firm has announced it will start restricting platforms that rely on credential sharing from accessing or managing client accounts held at Fidelity.
For wealth advisors and RIAs, particularly those who manage retirement assets through third-party fintech tools, this policy change has direct implications. Fidelity’s move is framed as a proactive measure aimed at safeguarding clients’ financial data and minimizing the risk of breaches. A recent company statement emphasized that the decision is rooted in customer security: “This change is with customers’ best interests in mind to enhance security and reduce customer data exposure.”
Notably, this shift won’t affect Fidelity’s own employee advisors. In-house Fidelity advisors are already subject to strict internal protocols that prevent them from accessing accounts they don’t directly advise on, even if the accounts are held with Fidelity. The real impact will be felt by independent advisors and RIAs who use third-party fintech platforms, such as Pontera, to manage client accounts at Fidelity.
Fintech platforms like Pontera have grown in popularity, providing advisors with tools to manage clients' retirement assets held outside of their custodial relationship. For advisors, these tools can streamline the process of managing assets across multiple platforms, giving them broader oversight of their clients' full financial picture. However, Fidelity’s decision to block access for platforms using shared credentials disrupts this approach, and advisors who rely on these tools will need to reassess how they manage assets held at Fidelity.
Pontera, for its part, declined to directly comment on Fidelity's policy shift. A company spokesman emphasized Pontera’s commitment to security, stating, “Safety and security are core to our company. We’re committed to helping Americans make the most of their retirement savings. We maintain strong relationships with record-keepers and aim to partner with them and deliver the best possible outcomes for our shared clients.”
This development raises important considerations for RIAs and wealth advisors who have been using third-party technology to access and manage client accounts. Advisors may need to communicate with clients who hold retirement assets at Fidelity to ensure transactions continue smoothly after the new security protocols are enforced. As Fidelity’s restrictions begin to take effect in early October, the company suggests that while plan participants’ login experience will remain the same, they may need to engage more directly with their outside advisors to ensure account management aligns with their financial goals.
From a broader industry perspective, Fidelity’s decision to crack down on credential sharing is part of a wider trend in financial services. Cybersecurity experts have long flagged the risks of third-party access through shared login credentials: when a platform signs in with the participant’s own username and password, the record-keeper cannot tell the third party apart from the account holder, the credentials must be stored and handled outside the account holder’s control, and per-user controls such as multifactor authentication are either shared along with the password or bypassed. According to John Horn, director of the cybersecurity practice at Datos Insights, “Fidelity is not alone in taking this position. Across financial services, these kinds of security improvements have been discussed the past few years. Firms are in various stages of upgrading from shared credentials to user-specific multifactor authentication.”
This highlights a key trend that wealth advisors and RIAs must keep in mind: cybersecurity is now a central factor in client account management. As firms across the financial services sector move to stronger controls, such as user-specific multifactor authentication, advisors will need to ensure their own technology stack meets these heightened standards. Firms relying on third-party tools may need to invest in solutions that obtain access through channels the custodian sanctions rather than through shared credentials, and that adhere to the stricter protocols being introduced by custodians like Fidelity.
Regulators are also paying close attention to these developments. Earlier this year, state officials in Missouri sent warnings to dozens of advisors, cautioning them about the risks of using third-party tools to access client accounts held away from their advisory firm. This regulatory scrutiny underscores the potential legal and compliance risks for advisors who don’t adapt to new security requirements.
For RIAs, this means that the evolving cybersecurity landscape is not just a back-office concern—it’s a front-line issue that could affect client relationships and the ability to manage assets efficiently. In response to Fidelity’s policy changes, advisors must proactively communicate with clients who have retirement accounts at Fidelity, explaining how these new restrictions may impact the management of their accounts and discussing alternative approaches to ensure seamless asset oversight.
In its communication with advisors, Fidelity has made it clear that the decision to block third-party access via credential sharing is non-negotiable. A Fidelity spokeswoman stated that the company is actively working to engage with all stakeholders affected by the change, including fintech firms, plan sponsors, participants, and financial advisors. However, she also distanced Fidelity from any claims that fintech companies have collaborated with Fidelity in developing tools to enable outside advisor access to retirement accounts. “As the industry’s largest record-keeper, we can confirm that the fintechs in question never engaged with us, and we have not been working with them, as their business models do not align with our core principles and beliefs when it comes to data security,” the spokeswoman said. “The financial advisors that have chosen to work with these third-party fintechs have done so independent of their relationship with Fidelity.”
For wealth advisors who rely on platforms like Pontera, this statement leaves little room for negotiation. Advisors will need to consider alternative methods of managing client retirement assets held at Fidelity. The impact will be felt most by independent advisors and RIAs whose clients hold retirement accounts at Fidelity but who are not themselves affiliated with the firm.
This shift also emphasizes the need for advisors to critically evaluate the fintech tools they use in their practice. As the financial services industry continues to tighten security protocols, advisors must ensure that the technology they rely on complies with emerging regulations and custodial policies. Working closely with trusted fintech partners that prioritize security and maintain collaborative relationships with major custodians will be key in navigating this transition.
Ultimately, the fallout from Fidelity’s new restrictions on third-party access underscores a broader trend toward tightening cybersecurity measures across the financial services landscape. RIAs and wealth advisors must stay ahead of these changes by adopting best practices in cybersecurity, maintaining open lines of communication with clients, and seeking out technology solutions that provide both the flexibility to manage assets effectively and the security to protect sensitive client data.
As October approaches and Fidelity’s new restrictions take effect, wealth advisors should prioritize proactive client outreach and begin exploring alternative solutions for managing assets held at Fidelity. While the changes may be disruptive in the short term, advisors who adapt quickly and stay informed about the evolving regulatory and cybersecurity landscape will be best positioned to continue delivering value to their clients.
September 19, 2024