As Schwab forces clients to reset credentials to curb third-party access, the 401(k) fintech Pontera maintains “Fidelity stands alone in its decision to lock out thousands of consumers from their own accounts.”
Schwab has asked clients to reset their login credentials, a request coming shortly after Fidelity took similar action to limit third-party vendor access to 401(k) and other customer accounts.
Like Fidelity, Schwab has cited the protection of client data in its attempt to limit the sharing of a client’s username and password. Third-party fintech firms such as Pontera use credential-sharing technology to give selected outside advisors access to held-away assets, such as 401(k) accounts at retirement plan providers.
“As part of our security processes, we determined that some clients provided login access to third-party data vendors which may void policies we have in place to protect clients through our Schwab security guarantee,” a Charles Schwab spokesperson said Thursday, according to Citywire. “As part of our data security policy, we required these clients to update their account information.”
Anticompetitive assertions
Pontera previously described Fidelity’s actions as “anticompetitive” in a campaign last month that included coverage in the New York Times. In a statement to InvestmentNews on Friday following Citywire’s reporting on Schwab, a spokesperson for Pontera maintained that “Fidelity stands alone” in its approach to clamping down on credential sharing.
“Fidelity stands alone in its decision to lock out thousands of consumers from their own accounts. We should all care about protecting consumers – this is why Pontera took a public stance against Fidelity locking consumers out of their accounts, which actually created risk for consumers by eliminating their digital access to their own money,” a Pontera spokesperson told InvestmentNews on Friday.
Platforms like Pontera “use ‘screen scraping’ technology that gives them access to a lot more client information than what’s needed for the tool to perform its function,” Ben Henry-Moreland, a certified financial planner with Kitces.com, explained to InvestmentNews.
Henry-Moreland warned that third-party vendors can potentially collect and monetize client data by selling it to other parties without the client’s permission. He added that it is problematic for Schwab and Fidelity’s approach not to distinguish between “tools that have a legitimate purpose and strong data protection policies with the potential bad actors.”
“Shaky account connections and frequent re-logins have long been part of screen-scraping tools, which has accelerated the push towards API connections in recent years,” Moreland said. “Hence it’s frustrating that Fidelity, if reporting is true, hasn’t worked with Pontera to establish an API connection.”
Last month, Pontera’s CEO Yoav Zurel told InvestmentNews that his company has an API-based integration with 401GO, which markets itself as a “tech-forward 401(k) retirement plan provider.”
“We have a partnership with 401GO, which is a much smaller competitor to Fidelity. That entire partnership is all API-based,” Zurel said. “If Fidelity wants to do that, we’re open to it … It’s really up to them. [But] they’re not answering our phone calls [or suggestions for] different solutions that we’ve provided them.”
A spokesperson for Fidelity said last month that Pontera’s claim of anticompetitive behavior lacks merit. The spokesperson added that Fidelity works “closely to support many RIAs who securely advise on employer-sponsored retirement accounts with plan sponsor oversight.” A person close to the matter said Fidelity has met with Pontera multiple times. “We can confirm that the fintechs created their business models and service offerings without consulting with Fidelity,” the spokesperson said.
Andrew Herzog, an advisor with Texas-based RIA The Watchman Group, said Schwab and Fidelity are right to prioritize protecting their customers’ data over third-party convenience. His RIA has not been affected by Schwab and Fidelity’s recent moves to restrict third-party access.
Safeguarding client data
“Third-party services are convenient – I use them myself. However, when those connections break my financial life is not upended. I care more about safeguarding my data/credentials than ease-of-use,” Herzog said. “This has not affected our firm, since we jump on video calls with clients to rebalance/evaluate their employer-sponsored retirement accounts.”
Absolute Capital Management works similarly to Pontera, as both provide outside advisors with access to their clients’ 401(k) and other retirement assets. However, Absolute Capital is an SEC-registered RIA, so it is regulated differently from fintechs like Pontera.
“I thought how Fidelity handled it was appropriate and balanced. They were doing the job they were hired to do by the plan sponsor,” Absolute Capital CEO Brenden Gebben told InvestmentNews at this week’s Schwab IMPACT conference in Denver. “There’s this notion going around the industry that say Fidelity or these custodians are doing it for their own greedy purposes, somehow they’re making more money out of the deal. And that’s just a false narrative because what these custodians are doing is enforcing the rules of the plan.”
About 350 advisor firms use Absolute Capital, Gebben said. He added that Absolute Capital can connect with about 55% of all 401(k) participants nationwide; the remaining 45% are in retirement plans whose documents prohibit third-party access.
Lori Weston, head of compliance at STP Investment Services, stressed that advisors must prioritize “ongoing cyber risk assessments” of third-party vendors that access client information.
“Conducting ongoing due diligence on third-party vendors is essential to protecting sensitive client information,” Weston said. “While advisers often focus on their OMS and CRM systems, intermediary credential-sharing platforms that use actual client login credentials can pose even greater risks — enabling potential impersonation of account holders themselves and all permissions that go with account holder access.”
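The security difference Henry-Moreland and Weston are pointing at, between a vendor that logs in with the client’s own username and password and one that connects through an API the custodian controls, comes down to how access is scoped, attributed and revoked. The toy model below is an added illustration written for this page, not code from Schwab, Fidelity, Pontera, 401GO or any other party named above. The account, password, action names and scope names are all constructed; the “API token” is a stand-in for whatever delegated-access mechanism a custodian might actually offer.

```python
"""Toy model of two ways an outside tool can reach a client's account:
logging in with the client's own username/password (credential sharing,
the basis of screen scraping) versus presenting a scoped API token the
custodian issued to the tool.  Constructed illustration; every name and
value is made up."""
from dataclasses import dataclass, field
import secrets

# Every operation the account owner may perform. Hypothetical names.
ALL_ACTIONS = frozenset({"view_holdings", "rebalance", "withdraw", "change_contact"})


class AccessDenied(Exception):
    pass


@dataclass
class Account:
    owner: str
    password: str                                # plaintext only to keep the toy short
    tokens: dict = field(default_factory=dict)   # token -> (client_id, scopes)
    audit: list = field(default_factory=list)    # (principal, channel, action, result)


def login_with_password(acct, username, password):
    """Session for whoever presents the owner's credentials.  The custodian
    cannot tell the owner from a vendor holding the same username/password,
    so the session is attributed to the owner and carries all permissions."""
    if username != acct.owner or not secrets.compare_digest(password, acct.password):
        raise AccessDenied("bad credentials")
    return {"principal": acct.owner, "channel": "password", "scopes": ALL_ACTIONS}


def issue_token(acct, client_id, scopes):
    """Custodian-issued token naming the third party and the actions it may perform."""
    scopes = frozenset(scopes)
    if not scopes <= ALL_ACTIONS:
        raise ValueError(f"unknown scopes: {sorted(scopes - ALL_ACTIONS)}")
    token = secrets.token_urlsafe(32)
    acct.tokens[token] = (client_id, scopes)
    return token


def session_from_token(acct, token):
    if token not in acct.tokens:
        raise AccessDenied("unknown or revoked token")
    client_id, scopes = acct.tokens[token]
    return {"principal": client_id, "channel": "api_token", "scopes": scopes}


def perform(acct, session, action):
    """Enforce the session's scopes and record who did what through which channel."""
    allowed = action in session["scopes"]
    acct.audit.append((session["principal"], session["channel"], action,
                       "ok" if allowed else "denied"))
    if not allowed:
        raise AccessDenied(f"{session['principal']} lacks scope {action}")
    return True


def revoke_token(acct, token):
    """Cut off one third party; the owner's own login is untouched."""
    acct.tokens.pop(token, None)


def reset_password(acct, new_password):
    """The only lever against shared credentials: everyone holding the old
    password, the owner included, is locked out until they re-enroll."""
    acct.password = new_password


def demo():
    acct = Account(owner="client@example.com", password="correct horse")  # constructed

    # Path 1: the vendor logs in as the client.  Indistinguishable from the owner.
    vendor_as_client = login_with_password(acct, "client@example.com", "correct horse")
    perform(acct, vendor_as_client, "view_holdings")
    perform(acct, vendor_as_client, "withdraw")      # allowed: full account-holder permissions

    # Path 2: a token scoped to what a rebalancing tool actually needs.
    tok = issue_token(acct, "advisor-tool", ["view_holdings", "rebalance"])
    tool = session_from_token(acct, tok)
    perform(acct, tool, "view_holdings")
    try:
        perform(acct, tool, "withdraw")
        withdraw_blocked = False
    except AccessDenied:
        withdraw_blocked = True

    # Revoke only the tool; the owner can still log in afterwards.
    revoke_token(acct, tok)
    try:
        session_from_token(acct, tok)
        token_dead = False
    except AccessDenied:
        token_dead = True
    owner_ok = login_with_password(acct, "client@example.com", "correct horse")

    # Revoking shared credentials means a password reset, which locks out the owner too.
    reset_password(acct, "new secret")
    try:
        login_with_password(acct, "client@example.com", "correct horse")
        owner_locked_out = False
    except AccessDenied:
        owner_locked_out = True

    return {
        "vendor_actions_attributed_to_owner": sum(
            1 for p, ch, _, _ in acct.audit if ch == "password" and p == acct.owner),
        "tool_withdraw_blocked": withdraw_blocked,
        "token_revoked_without_owner_impact": token_dead and owner_ok["principal"] == acct.owner,
        "password_reset_locks_out_owner": owner_locked_out,
        "audit": acct.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Three things fall out of running it. Every action the vendor took via the shared password is logged as the owner, so the custodian’s audit trail cannot separate the client from the tool; the tool’s own withdrawal attempt is refused and logged under the tool’s identity; and revoking the token leaves the owner’s login working, whereas the only way to shut out a password-sharing vendor is the reset that also locks out the client, which is the situation Pontera describes in its statement above.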