By Kenneth Corbin
For months it was a story about Fidelity Investments. Last year, the financial services company issued a public statement saying it planned to block credential-sharing applications that enable external investment advisors to gain access to their clients' retirement accounts held at administrators such as Fidelity.
Now another heavyweight has entered the fray, albeit with less fanfare. Charles Schwab says it, like Fidelity, is notifying clients that it prohibits the use of credential-sharing tools and is asking customers whose advisors have used those fintech applications to reset their login credentials, citing security concerns.
"Schwab is honored by the trust our clients place in us to help them achieve their financial goals and protect their personal information and assets, and we take that responsibility very seriously," the firm says.
"As part of our security processes, we determined that some clients provided login access to third-party data vendors which may void policies we have in place to protect clients through our Schwab Security Guarantee," it adds. "As part of our data security policy, we required these clients to update their account information."
Schwab declined to comment further on its communications with clients, but the stance opposing credential sharing seems to mirror that of Fidelity, another large administrator and record-keeper for retirement plans.
At issue is an emerging crop of service providers that offer technology enabling advisors to manage clients' employer-sponsored retirement accounts using the clients' login credentials. The basic premise is a simple one -- that an individual's personal wealth manager should be able to manage that individual's retirement plan, which for many people is their largest pool of assets, to make sure it aligns with the rest of their investment and retirement-planning strategy.
Fidelity and Schwab argue that credential sharing compromises client security. One notice Fidelity sent to clients that was reviewed by Barron's Advisor reads in part:
"This puts the individual at risk, particularly when it enables third parties to take actions, such as executing trades within customer accounts. Digital credentials are a key part of the security features that Fidelity uses to secure individuals' accounts."
A Fidelity spokeswoman elaborates that credential sharing means that all of a client's accounts with the firm, a 401(k) and any others, are no longer protected by its security protocols, which "significantly increases the risk associated with their accounts."
Pontera's lament. Pontera, the fintech that has been the most vocal about the issue, accuses Fidelity of taking extreme measures to prevent clients from engaging with its credential-sharing service and keeping their accounts locked inside a walled garden. Last month, Pontera CEO Yoav Zurel posted an open letter accusing Fidelity of "locking out tens of thousands of its own customers from their accounts for choosing to work with financial advisors outside of Fidelity's ecosystem."
Fidelity says it did no such thing. It has been sending out messages explaining that it doesn't permit the use of third-party credential-sharing tools and asking clients who engaged with one of those services to reset their login information. Fidelity says that a very small percentage of its clients -- less than 0.1% -- had digital access to their account blocked after ignoring multiple password-reset requests.
"We understand that resetting credentials to secure accounts may cause disruption to our customers; however, Fidelity believes these ongoing safeguarding efforts are necessary to protect customer data and personal information," a spokeswoman says. "Any blocks placed on accounts will be lifted as soon as customers secure their accounts by calling Fidelity and putting new credentials in place."
She also notes that the blocks only relate to digital account access. "Customers can always access information and transact in their accounts by calling a Fidelity phone representative," she says.
Zurel framed the issue in terms of "freedom vs. captivity" in his open letter, arguing that employees should be able to "choose how they shape their financial futures by securely connecting their own trusted financial advisors to their workplace retirement accounts."
He further defends his company's security protocols and suggests that Fidelity is acting in its own financial self-interest to keep outside advisors away from the assets on its platform.
Zachary Pardes, head of brand at Pontera, says that even though Schwab has been notifying clients that they need to reset their login information, Fidelity's actions stand apart.
"A credentials reset is fundamentally different from blocking consumers' digital access to their accounts en masse or threatening to permanently revoke that access," he says. "This is not the same thing. Fidelity stands alone in its actions. And we should all be concerned by those actions."
Fidelity counters that it is only restricting access to digital accounts for a tiny portion of its clients and that those blocks will only last until the clients reset their credentials.
Advisor appeal. The allure of a service like Pontera's for wealth managers who want to advise on all of a client's assets is strong. The fintech has partnerships with Pershing X, Manulife John Hancock, Captrust, Morningstar, Commonwealth Financial Network, and others. Last week, Arete Wealth announced that it had signed a deal with Pontera.
Advisors who use Pontera's platform have been taking note of the messages Fidelity has been sending out warning against credential-sharing services. Malcolm Etheridge, managing partner at Capital Area Planning Group in Washington, D.C., describes the notices as "vaguely worded" warnings about unspecified security concerns.
"We've been working with Pontera for several years and have noticed the more aggressive stance toward blocking our clients from using the service within the last year or so," Etheridge says. "That said, the clients seem to love the idea that their advisory firm that manages their other retirement savings would also have access to review and incorporate their current workplace account using real-time data and without having to constantly bug the client for updated statements and available funds lineup."
Kevin Clark is the CEO and co-founder of Plan Confidence, a forerunner to Pontera that offers software to help advisors assist clients with held-away assets in retirement accounts. It launched providing services such as research and trading advice, but left the actual trading up to the account holder. "Pontera came along and changed this dramatically for advisors," he says.
Plan Confidence has since integrated with Pontera to enable advisors to trade in held-away accounts. Clark acknowledges that he is "very biased" in favor of Pontera but says he doesn't buy one of Fidelity's stated reasons for prohibiting credential sharing. "I believe it is disingenuous for Fidelity to claim they are blocking Pontera due to 'cybersecurity' reasons," he says.
Some state regulators share the concern, however. Officials in New Jersey, Colorado, Ohio and other states have issued warnings cautioning advisors against using credential-sharing tools such as Pontera, citing cybersecurity fears as well as a potential breach of the advisors' fiduciary duty.
That is not a uniformly held view. At least two states -- Texas and Rhode Island -- have issued guidance affirming advisors' right to use credential-sharing services provided they take steps to address issues such as due diligence and cybersecurity.
At the federal level, the Securities and Exchange Commission declined to comment on whether it is looking at this issue.
Another way. Credential sharing might be the easiest way for advisors to manage clients' held-away accounts, but it isn't the only one. Brenden Gebben is the CEO of Absolute Capital Management, a registered investment advisory firm that works with plan administrators, which are often referred to as custodians, and sponsors to allow outside advisors to manage held-away accounts.
"We're not using a client credential -- never had them, never will, so we don't sneak through that back door," he says.
He estimates that about 55% of U.S. retirement account holders are in a plan that permits outside advisors to access their accounts, a rate that has roughly doubled over the past decade. He predicts that that model, rather than credential sharing, will gain more adoption, especially if more administrators follow Fidelity's lead, as Schwab has. "Fidelity was kind of the tip of the spear," he says.
It is unclear whether other administrators and record-keepers will follow suit and crack down on credential-sharing services. Vanguard, Paychex, TIAA, Empower, and Ascensus either didn't respond to requests for comment on their policies regarding credential-sharing apps or fielded questions but didn't provide comments by press time.
In a statement, Principal Financial Group says: "Principal is committed to supporting participants with the tools they need to understand their full financial picture and make decisions that are right for them -- all while protecting their personal and financial information. We remain committed to continually evaluating and enhancing our security measures to ensure we are doing what is best for our clients and their data."
A spokeswoman wouldn't clarify whether that translates to a ban on credential-sharing services.
To Gebben, the credential-sharing services are a technological solution that doesn't play by the rules of a highly regulated and complex environment with strict rules around privacy, security, and trading authority. He is skeptical about the chances of plan sponsors and administrators warming to services that allow advisors to log in using their clients' credentials.
"You have to be respectful of the plan doc, you have to be respectful of the custodian," he says. "No plan document is going to say you can use fake client credentials."
Dow Jones Newswires
November 17, 2025 09:41 ET (14:41 GMT)
Copyright (c) 2025 Dow Jones & Company, Inc.