What's Behind Fidelity's Move to Restrict 401(k) Login Sharing

Analysis September 17, 2024 at 04:43 PM

What You Need To Know

  • The move affects the access of fintech firms that serve clients with trillions of dollars custodied at Fidelity.
  • The firm characterized the move as part of an effort to safeguard customer data and privacy.
  • It will take some time for the marketplace to put Fidelity's decision into context.

Today's increasingly tech-enabled advisors face nuanced decisions about balancing cybersecurity concerns with clients' account-accessibility expectations and their own long-term competitive considerations.

It's a tension that sources say is clearly reflected in the recent decision by Fidelity to prevent platforms reliant on credential sharing from accessing and taking action in customer accounts held on its platform.

"Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the accounts," Fidelity's announcement reads.

"This change is with customers' best interests in mind to enhance security and reduce customer data exposure. We anticipate these changes will be minimally disruptive to participants," it stated.

The move, first reported Friday by Financial Advisor IQ, came as an apparent surprise to the growing set of financial technology firms that have built client-service capabilities that "reach into" third-party platforms (like Fidelity's) in order to access information and, in some cases, make changes to accounts.

Among these firms is Pontera. Asked for comment about Fidelity's announcement, Pontera replied by saying "safety and security are core to our company."

"We are committed to helping Americans make the most of their retirement savings," the statement continued. "We maintain strong relationships with recordkeepers and aim to partner to deliver the best outcomes for shared customers."

What's Going On?

The initial coverage suggested that Fidelity's decision surprised Pontera and its peers, who were reported to be urging their advisors who are in touch with Fidelity to argue that the firm reconsider. As noted in the story, advisors who use Pontera serve clients with trillions of dollars in custody on the Fidelity platform.

For its part, Fidelity's statement painted the move as the latest step in an ongoing effort to safeguard customer data and privacy. In late 2023, the announcement points out, Fidelity took another big step to address unsafe data sharing practices by working toward eliminating screen scraping on its platform.

Ultimately, as sources familiar with the matter emphasized to ThinkAdvisor, it will take some time for the marketplace to fully understand how Fidelity's decision may affect advisors, tech providers and clients — not to mention the recordkeeping firm itself.

It also remains to be seen how other big firms might react. What is clear is that the tension among meeting clients' and advisors' expectations about account access, maintaining account security and protecting established firms' market share from leakage won't be resolved overnight.

Growing Industry Tension

Asked to help interpret what Fidelity's decision could mean for advisors and the recordkeeping marketplace in general, Sima Gandhi, who ran policy and banking relationships at Plaid and is currently a senior advisor at FS Vector, compared the developments to issues that have arisen in the banking industry stemming from Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Section 1033 gives consumers the right to access and share their financial data by requiring that financial services providers make available to consumers — and representatives acting on their behalf — certain information in those providers' control. This can include information like a consumer's transactions or the balance in a financial account.

In October, the Consumer Financial Protection Bureau proposed a rule to accelerate the shift to "open banking" and establish stronger financial data rights in this domain.

The proposed rule, which would be the first to implement Section 1033, would require banks and other data providers to help consumers access and share their financial data through safe, secure and reliable developer interfaces.

Notably, Gandhi pointed out, the Dodd-Frank Act did not explicitly include brokerages, retirement plan recordkeepers or wealth management advisory firms. As a result, the private industry has been left to respond organically to client and advisor expectations, leading to the growth of firms like Pontera.

Another important factor to keep in mind, Gandhi said, is that Fidelity and some 10 of the other largest U.S. financial services organizations have created their own data-sharing and account-connection consortium, dubbed the Akoya Data Access Network.

The organization was ostensibly created out of the need to establish 1033 compliance, but it could also have implications in the world of retirement plans.

Overall, Gandhi said, Fidelity has clear and legitimate cybersecurity goals and responsibilities at stake. But it's not clear, in her view, that security concerns justify cutting off access to wealth advisors.

The 1033 rule shows it's possible to allow data access securely, she argues, and it's also important to acknowledge that these firms have their own competitive interests to weigh when allowing outside advisors or fintech organizations to access their data and accounts.

"Without clear regulations on this issue for brokerages, the marketplace will take the lead," Gandhi said. "This is also a reflection of the fact that, back in the day, you got all of your financial services from one organization. Your credit card, your mortgage and your assets were all with one brick-and-mortar bank."

Today's landscape looks completely different.

"It's really a bigger, interesting story about third-party technology providers and advisors using new technology that enables them to operate on clients' behalf across many different organizations," Gandhi said. "What does security look like in this world? What does it mean for where they keep their assets and how firms service and compete for their shared clients?"


© 2024 ALM Global, LLC, All Rights Reserved.