Fidelity Investments, the largest administrator of 401(k) plans in the United States, is taking action against customers who share their login credentials with third-party financial technology firms. The company has begun temporarily locking accounts, citing security risks, which has created a significant conflict with fintech companies like Pontera that offer tools for external financial advisers to actively manage workplace retirement plans.
Key Takeaways
- Fidelity Investments is restricting online access for 401(k) plan participants who share login details with third-party financial management platforms.
- Fintech firms, such as Pontera, provide tools that allow independent financial advisers to execute trades and rebalance client 401(k) accounts.
- The core of the dispute centers on security, with Fidelity warning against the risks of credential sharing, while fintech firms argue their methods are secure and authorized by the client.
- The conflict affects a massive market, as Americans hold over $9 trillion in 401(k) plans, with Fidelity alone managing accounts for more than 24 million people.
A New Front in Retirement Plan Management
For decades, managing a workplace retirement account like a 401(k) was a largely self-directed activity. Employees would select investments from a list provided by their employer's chosen administrator and handle any adjustments themselves. However, a new generation of financial technology companies is changing this dynamic.
Firms like Pontera are building platforms that connect independent financial advisers directly to these employer-sponsored accounts. This technology moves beyond simple "read-only" access, empowering advisers to perform actions such as rebalancing portfolios on behalf of their clients. This allows for a more integrated approach to financial planning, where a 401(k) can be managed in coordination with a client's other investments.
This development has created a point of friction with major plan administrators. Fidelity Investments has expressed serious concerns about the practice, leading to a standoff that is catching both investors and their advisers in the middle.
The Scale of the Market
The stakes are high because of the sheer size of the U.S. retirement market. According to data from the Investment Company Institute, Americans held approximately $13 trillion in employer-based retirement plans as of mid-2025. Of that total, $9.3 trillion was held specifically in 401(k) plans, making them a cornerstone of personal savings for millions.
Fidelity's Security Stance and Customer Impact
Fidelity's primary argument against these third-party tools is the risk that comes with sharing login credentials. The company maintains that when a customer hands their username and password to an outside service, the account's security is compromised and certain consumer protections may no longer apply.
In a statement from September 2024, Fidelity warned, "Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the account."
The company recently began enforcing this position by locking users out of their online accounts. Kelly Havins, a 63-year-old consultant from Phoenix, experienced this firsthand. He had hired a financial adviser who uses Pontera to help manage his 401(k).
"I don’t have the time or the understanding to manage investments," Mr. Havins explained. After receiving a letter from Fidelity in late August, he was asked to verify his identity by emailing a copy of his driver's license, which he declined to do. "They said, ‘Consider yourself locked out,’" he recalled. He was subsequently unable to access his account online until his adviser helped him reset his credentials.
Fidelity has stated that many affected customers who were contacted to reset their information were not even aware they had shared their credentials. This highlights a potential communication gap between advisers, their clients, and the technology platforms they use.
The Fintech Perspective on Access and Authorization
Pontera and its competitors argue that their services are both secure and legally sound. They position themselves as an authorized agent acting on the consumer's behalf. Yoav Zurel, Pontera's chief executive, stated, "This is what customers want, and it’s their money."
According to Pontera, the client explicitly grants permission for the platform to access their account. The adviser using the service does not see or store the client's login credentials; this information is held within Pontera's system, which it describes as a secure digital "vault" with multiple layers of encryption.
How the Technology Works
Unlike older tools that only allowed advisers to view account data, Pontera's platform logs into the 401(k) portal as the client, using the stored credentials, to carry out an adviser's instructions. Pontera says this access is authorized by the client and that its system cannot perform certain actions, such as withdrawing funds or changing beneficiaries, which would amount to taking "custody" of the account. Two consequences follow from the mechanism itself: the stored password has to be decrypted and presented to the portal at each login, which makes the vault a high-value target, and the limits on withdrawals and beneficiary changes are enforced by Pontera's own software rather than by the plan administrator, whose portal sees a session it cannot distinguish from the client's own.
The company also claims its model aligns with guidance from the Securities and Exchange Commission (S.E.C.) regarding how advisers can access workplace accounts. "Consumers have rights to ask that an agent perform an action for them," said Zachary Pardes, a Pontera spokesman. "This is not a gray area."
Diverging Industry and Regulatory Views
Not all 401(k) administrators share Fidelity's hardline stance. Manulife John Hancock Retirement, for instance, recently announced a collaboration with Pontera. Wayne Park, the firm's chief executive, stated, "We’ve done our due diligence, and their security is up to our standards."
This suggests a split in the industry on how to handle these new technologies. Some firms see value in secure digital connections, viewing them as an improvement over outdated methods like clients bringing paper statements to their advisers.
The regulatory landscape remains complex. Some state regulators have raised concerns about these tools, while others find them acceptable provided advisers maintain their fiduciary duties and are transparent with clients. Pontera acknowledges it does not have a formal data-sharing agreement with Fidelity but maintains one is not required because the plan participant grants access.
Some competitors operate differently. Absolute Capital, another firm in this space, establishes formal agreements with plan custodians. "We come in through the front door," said CEO Brenden Gebben, explaining that his firm is recognized as an authorized agent by the plan administrator.
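The difference between the credential-sharing model described under "How the Technology Works" and the "front door" authorized-agent model Absolute Capital describes can be made concrete. The Python below is an added illustration and is not code from Pontera, Fidelity, Absolute Capital or any plan administrator; the portal, the action names, the rule that high-risk actions cannot be delegated, and the sample account "alice" are all hypothetical. It shows why a portal that only sees a password login cannot tell the owner from an agent, cannot limit what the agent does, and cannot record who acted, whereas a scoped delegation issued by the portal can do all three and can be revoked without resetting the saver's password or locking the account.

```python
"""Added illustration (not Pontera's, Fidelity's or any administrator's code):
credential sharing versus a portal-issued, scoped delegation.
All names, actions and policy here are hypothetical."""
from dataclasses import dataclass, field
import secrets

ACTIONS = frozenset({"view", "rebalance", "withdraw", "change_beneficiary"})
HIGH_RISK = frozenset({"withdraw", "change_beneficiary"})  # never delegable in this model


@dataclass
class Session:
    principal: str            # account the portal is acting on
    actor: str                # party the portal believes is driving the session
    scopes: frozenset         # actions the portal will permit
    via: str                  # "password" or "delegation"


@dataclass
class Portal:
    passwords: dict
    grants: dict = field(default_factory=dict)   # token -> (owner, agent, scopes)
    audit: list = field(default_factory=list)    # (principal, actor, action, decision)

    def login(self, user: str, password: str) -> Session:
        """Password login. Whoever holds the password is, to the portal, the owner:
        full privileges, and the audit trail names the owner, not the real operator."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return Session(principal=user, actor=user, scopes=ACTIONS, via="password")

    def delegate(self, owner: str, password: str, agent: str, scopes: set) -> str:
        """Owner authenticates once and names an agent plus a scope subset.
        The agent never learns the password; the portal issues a separate token."""
        if self.passwords.get(owner) != password:
            raise PermissionError("bad credentials")
        wanted = frozenset(scopes)
        if not wanted <= ACTIONS:
            raise ValueError("unknown action in scope")
        if wanted & HIGH_RISK:
            raise ValueError("high-risk actions cannot be delegated")
        token = secrets.token_urlsafe(24)
        self.grants[token] = (owner, agent, wanted)
        return token

    def agent_session(self, token: str) -> Session:
        owner, agent, scopes = self.grants[token]   # KeyError once revoked
        return Session(principal=owner, actor=agent, scopes=scopes, via="delegation")

    def revoke(self, token: str) -> None:
        """Cut off one agent without touching the owner's password or locking the account."""
        self.grants.pop(token, None)

    def perform(self, session: Session, action: str) -> str:
        allowed = action in session.scopes
        self.audit.append((session.principal, session.actor, action, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{session.actor} may not {action}")
        return f"{action} ok"


def demo() -> dict:
    portal = Portal(passwords={"alice": "correct horse battery"})   # constructed sample account
    out = {}

    # Path 1: the saver hands her password to the adviser's platform.
    shared = portal.login("alice", "correct horse battery")
    out["shared_withdraw"] = portal.perform(shared, "withdraw")     # the portal cannot refuse
    out["shared_actor"] = portal.audit[-1][1]                        # and logs it as "alice"

    # Path 2: the saver grants a scoped delegation through the portal itself.
    token = portal.delegate("alice", "correct horse battery", "adviser-platform", {"view", "rebalance"})
    agent = portal.agent_session(token)
    out["delegated_rebalance"] = portal.perform(agent, "rebalance")
    try:
        portal.perform(agent, "withdraw")
        out["delegated_withdraw"] = "allow"
    except PermissionError:
        out["delegated_withdraw"] = "deny"
    out["delegated_actor"] = portal.audit[-1][1]                     # recorded as the agent
    try:
        portal.delegate("alice", "correct horse battery", "adviser-platform", {"view", "withdraw"})
        out["high_risk_delegation"] = "allow"
    except ValueError:
        out["high_risk_delegation"] = "deny"

    portal.revoke(token)
    try:
        portal.agent_session(token)
        out["revoked"] = False
    except KeyError:
        out["revoked"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the password path the only thing standing between the agent and a withdrawal is the agent's own restraint, which is the point Fidelity's statement and Frayer's "no formal API connection" remark are making; in the delegation path the administrator enforces the limit, names the agent in its own audit log, and can revoke one agent's access without locking the saver out.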
What Savers Should Consider
For individuals with 401(k)s, the appeal of professional management is clear. As plan options become more complex, including brokerage windows and alternative investments, some savers feel they need expert help to stay on track.
Financial advisers argue that managing a 401(k) as part of a holistic financial plan is critical. Kyle Louvar, CEO of Guided Capital Wealth Management, noted that clients often fail to implement recommended changes on their own. "We’d agree on a plan, but they would oftentimes forget," he said.
However, this convenience comes with a cost. Pontera charges advisers a fee of 20 to 30 basis points (0.2% to 0.3%) on the assets it helps manage. These costs are typically passed on to the client.
Corey Frayer, director of investor protection at the Consumer Federation of America, noted that cybersecurity concerns are "legitimate" when there is no formal API connection. He also highlighted the financial aspect for consumers. "I see the fees passed on as a core issue," Frayer said, advising clients to consider whether the potential for market outperformance justifies the additional cost.
For now, the tug of war between legacy investment giants and disruptive fintech firms continues, with the control and security of trillions of dollars in American retirement savings at the center of the debate.