Fidelity-Pontera Dispute Reveals Tension Between Choice, Obligation
The fintech company asserts legal backing in its public dispute with the nation’s largest recordkeeper.
The public dispute between Fidelity Investments and technology firm Pontera Solutions Inc. has become a flashpoint for plan sponsors, caught between participants’ calls for choice and fiduciary obligations to safeguard plan assets and data.
In recent weeks, some Fidelity 401(k) participants and their advisers reported losing online access to accounts that had been linked to third-party platforms such as Pontera. According to Fidelity, the restrictions it has imposed are intended to protect accounts from credential-sharing risks. Charles Schwab, meanwhile, required some participants to reset credentials shared with outside tools but stopped short of account lockouts.
Pontera, whose software enables fiduciary advisers to securely view and implement client-authorized trades in held-away 401(k) accounts, argues that recordkeepers are overreaching.
“It’s funny that we’re even calling them third-party advisers,” says Dave Goldman, Pontera’s chief business officer. “These are the client’s own advisers. Participants shouldn’t be captive to a prescribed solution simply because of who administers the plan.”
Ben White, Pontera’s senior director of public policy, says the Employee Retirement Income Security Act provides for participant control over investment decisions, and Interpretive Bulletin 96-1 outlines the boundaries of plan-sponsored education and external advice.
“Control means choice,” White says. “Anything less limits participants’ rights.”
Plan sponsor groups say cybersecurity and fiduciary oversight cannot be separated from the conversation about account access. Some states, including Texas, have weighed in on the issue by clarifying how advisers and their clients in the state can permissibly use data aggregation services.
An American Benefits Council spokesperson told PLANSPONSOR the group “is aware of industry concerns regarding the data security of our plan sponsors and their participants from credential-sharing practices. We believe that it is critical that safeguards exist to protect plan participants’ retirement savings.”
The ABC statement went on to cite the importance of prioritizing the protection of its members’ and participants’ data security, and a belief that the industry has prudently met its obligations to protect plan sponsors and plan participants.
Industry advocates emphasize that employers and recordkeepers have long-standing contractual and fiduciary relationships designed to protect participants and that permitting advisers using outside platforms to access plan systems could dilute that oversight. Plan sponsors, they note, already face growing exposure to litigation related to cybersecurity and must ensure that all vendors with access to participant information are covered under existing security and indemnification frameworks.
For example, DOL cybersecurity regulations from 2021 expanded fiduciary duties for retirement plan sponsors, requiring them to implement robust cybersecurity measures to protect plan assets and participant data from digital threats.
Employer groups’ cybersecurity concerns shape their view of credential sharing, which, even when the credentials are encrypted, can remove controls from the entities legally responsible for plan administration. Many also worry about additional layers of cost and uncertainty for participants who may not fully understand how third-party tools operate or how fees are assessed.
Still, the policy environment is shifting. The Consumer Financial Protection Bureau’s “open banking” rule under Section 1033 of the Dodd-Frank Act aims to formalize consumer-permissioned access to financial data, which Pontera says should extend to retirement accounts. On July 29, the CFPB filed a motion to stay the rule, noting it decided “to initiate a new rulemaking to reconsider the rule with a view to substantially revising it and providing a robust justification.”
Also, more recently, President Donald Trump’s administration has shrunk the budget and size of the CFPB significantly as part of his cost-cutting agenda, making it unclear how effective the agency’s regulation will be in the future.
For now, Pontera has added Arete Wealth to its list of partnerships with firms that do permit advisers to access held-away accounts. That list already included Manulife John Hancock, 401Go, Morningstar, BNY’s PershingX, Commonwealth Financial Network and Captrust, according to the company.
Participant accounts recordkept by Fidelity are not accessible via the Pontera platform.
“When digital credentials are shared, it provides access to a user’s full account experience – all accounts, not just 401(k) – and the credentials are then stored by the third-party platform and are no longer protected by Fidelity’s security measures. This significantly increases the risk associated with their accounts,” a Fidelity spokesperson said.
The Fidelity spokesperson added that if a customer chooses to work with an adviser to manage their 401(k) account, they can do so, but selecting advisers who “securely” advise on employer-sponsored retirement accounts with plan sponsor oversight is important since the firms that rely on participant credential sharing are doing this outside of plan sponsor oversight.
“Ultimately, the plan sponsor expects Fidelity to provide administrative services to the plan and the rules that govern it. Today, those rules do not include allowing participants’ advisers to trade on behalf of participants through shared credentials,” the Fidelity spokesperson said.
A spokesperson for Charles Schwab, which also recently reset participant credentials shared for use with outside tools, said: “Schwab is honored by the trust our clients place in us to help them achieve their financial goals and protect their personal information and assets, and we take that responsibility very seriously. As part of our security processes, we determined that some clients provided login access to third-party data vendors which may void policies we have in place to protect clients through our Schwab Security Guarantee. As part of our data security policy, we required these clients to update their account information.”