Fidelity security policy locks some clients out of their own 401(k)s after using third-party advisors - Trance Living

Fidelity Investments has begun enforcing a security policy that temporarily strips online access from retirement savers who allow outside advisors to manage their 401(k) accounts through credential-sharing technology, leaving some customers unable to view or alter their balances until they contact the firm by phone.

The measure, applied in recent weeks, affects participants who grant third-party fintech platforms such as Pontera permission to log in on their behalf. Fidelity maintains that the restriction is a safeguard against unauthorized trades and other potentially risky transactions that could be executed if login information were compromised. Critics, however, say the procedure is disruptive and amounts to a unilateral power play in an increasingly competitive market for retirement advice.

Policy roots in 2024 cybersecurity statement

In September 2024 Fidelity warned it would block digital access originating from services that rely on shared credentials. The Boston-based company argued at the time that credential sharing exposes retirement accounts to elevated cyber threats, including illicit trades, distributions or transfers. The firm’s position was that client data and assets must be shielded even when account holders willingly share usernames and passwords with advisors or aggregators.

While the warning drew industry attention last year, widespread enforcement began only recently. Customers who had integrated Pontera or similar tools into their retirement planning report receiving notifications that their online portals had been disabled. The lockout applies solely to the web and mobile interfaces; account holders can regain entry, Fidelity says, after verifying their identity by telephone with a representative.

How fintech platforms operate

Pontera and comparable services give registered investment advisors the ability to monitor and rebalance workplace retirement plans that are typically held at custodians such as Fidelity, Vanguard or Empower. Instead of transferring assets out of an employer-sponsored plan, the advisor uses the platform’s dashboard to implement allocation changes within the 401(k). Proponents contend the arrangement allows holistic wealth management without forcing a rollover.

Security protocols on these platforms vary, but most depend on the advisor entering the client’s login credentials into an encrypted vault. From Fidelity’s perspective, that practice violates its user agreement and erodes the ability to track who is making changes inside the account. The company emphasizes that clients remain responsible for activity conducted under their credentials, a risk it says justifies the access freeze.

One saver’s experience in Arizona

Phoenix resident Kelly Havins, 63, encountered the restriction after authorizing his Pontera-connected advisor to handle his 401(k) because he felt he lacked the time and expertise to manage it himself. When Fidelity alerted him to the impending lockout, he initially suspected phishing. After confirming the message was genuine, Havins discovered his online profile was disabled. He ultimately worked with his advisor and Fidelity by phone to restore visibility into his balance.

Financial planner John Rathnam, who practices in Arizona, says the sudden loss of digital access surprised both clients and professionals. In his view, most savers expect uninterrupted control over their largest retirement asset and are dismayed when access depends on a call center queue.

Ongoing tug-of-war over client data

The incident highlights broader tension between traditional custodians and fintech intermediaries seeking direct hooks into retirement plans. Advisors argue that integrated digital tools allow them to deliver comprehensive, fiduciary-level guidance. Large recordkeepers counter that unvetted connections raise the probability of fraud, data breaches and operational errors.

Cybersecurity concerns hold growing weight with regulators. The U.S. Department of Labor recommends that plan sponsors scrutinize service providers’ security standards and verify that they “maintain robust access controls” (see DOL guidance). Industry observers note that recordkeepers could face liability should a third-party tool facilitate unauthorized distributions, prompting firms to adopt stricter gatekeeping.

What affected customers can do

Fidelity advises any participant whose portal has been disabled to call the customer service line, complete identity authentication and review recent account activity. Once verification is finished, online access is typically restored, although the company warns it may continue to block automated logins from credential-sharing platforms.

Participants who prefer outside management options still have alternatives. They can grant advisors limited power of attorney to speak with a Fidelity representative, use plan-sponsored advice services, or transfer assets to an individual retirement account that allows third-party control without violating the recordkeeper’s policies. Each route carries cost, tax and timing considerations that savers should evaluate carefully.

For now, the standoff underscores the delicate balance between convenience and security in America’s $7.4 trillion defined-contribution market. As fintech platforms push for open access while custodians tighten defenses, retirement savers may need to navigate new hurdles to share their data safely and keep tabs on their own nest eggs.

Image credit: Getty Images