Fidelity to limit 401(k) access by third parties: How advisors, fintech will be affected

Citing data security concerns, Fidelity has informed advisors that it intends to block their access to customers’ employer-sponsored 401(k) accounts via credential sharing.

Following a change Fidelity made last year to eliminate “screen scraping” (collecting data to use elsewhere) by third-party financial service providers, Fidelity, one of the largest retirement asset management companies, announced last week that it will begin taking steps to prevent third-party platforms reliant on credential sharing from accessing and taking action in customer accounts held at Fidelity.

“Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the accounts,” read Fidelity’s announcement. Fidelity also sent letters to advisors that it intends to block their ability to access and manage clients’ 401(k) accounts via credential sharing.

“We anticipate these changes will be minimally disruptive to participants,” continues the announcement. “Their login experience will remain unchanged. However, they may need to communicate with any outside advisor with whom they work to ensure account transactions are managed as intended given accounts may no longer be accessible by advisors via certain third-party platforms as Fidelity begins this transition.”

It is uncertain how important it is for advisors to make transactions in participants’ accounts, rather than viewing them and making recommendations to clients. However, “Fidelity recognizes the added measures some advisors may need to take due to these changes and values their shared commitment to customers’ privacy and data security,” said the announcement.

“Fidelity works in partnership to support many advisors who securely advise on employer-sponsored retirement accounts with plan sponsor oversight,” said the announcement.

However, some third-party fintech firms use “credential sharing (e.g., username and password) to access, manage, and trade within their clients’ employer-sponsored retirement accounts, including those held at Fidelity, without plan sponsor oversight,” said the announcement. “Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the accounts,” said the announcement.

Fidelity is not singling out any individual company and did not identify any third-party platforms by name in its announcement, nor does it have plans to prohibit platforms reliant on credential sharing from accessing and taking action in customer accounts at Fidelity, said the company.

However, many 401(k) management software providers help the 14.8 million Americans with workplace retirement plans who change jobs to professionally manage their 401(k)s.

Pontera is one such fintech firm that helps retirement savers by enabling their trusted financial advisors to securely and compliantly manage their 401(k)s. “We aspire to work in close partnership with all the retirement plan recordkeepers,” said Jerry Bonnabeau, Head of DC Partnerships at Pontera, in response to Fidelity’s announcement. “Our focus, as always, is on building the best possible experiences for financial advisers and their clients. We have strong relationships with recordkeepers and aim to partner with them to deliver the best-possible outcomes for our shared customers.”

“Fidelity recognizes the added measures financial advisors may need to take due to these changes, and we value their shared commitment to customers’ privacy and data security,” according to a Fidelity spokesperson. “Fidelity also recognizes how quickly we will begin to make these changes, but Fidelity has long made clear our stance on digital credentials and data security. We are committed to taking action as we become aware of any unsafe practices taking place on our platforms, even if that means not having an immediate solution.”

Fidelity’s new secure data sharing effort is expected to begin Oct. 2.

In making the screen scraping announcement last year, Fidelity shared the following data sharing principles:

  1. Put customers in control of sharing their financial data. “Customers should be able to grant, manage, or revoke access to their financial data as they see fit.”
  2. Use customer-authorized third-party websites and apps. “We support the use of authorized third-party tools and believe in the power of data sharing, if directed by our customers.”
  3. Help customers share their financial data safely and securely. “This includes moving away from unsafe practices, like screen scraping, and adopting more secure practices.”