Held-Away Assets: Fidelity-Pontera Feud Highlights Different Perspectives on Access vs. Security
The recently escalated dispute between Pontera and Fidelity over financial advisors' access to 401(k) accounts via credential sharing exemplifies a serious clash of perspectives.
Pontera, a fintech platform enabling financial advisors to manage clients' held-away 401(k) accounts, released an open letter on Oct. 10 from CEO Yoav Zurel that accused Fidelity—the biggest employer plan custodian in the U.S.—of “an anticompetitive power grab” with its Sept. 2024 decision to restrict third-party credential sharing—a restriction Fidelity recently started enforcing.
Fidelity announced that the company would begin taking steps to prevent platforms reliant on credential sharing—such as Pontera—from accessing and taking action in customer accounts held at Fidelity. “This change is with customers’ best interests in mind to enhance security and reduce customer data exposure,” the 2024 Fidelity update stated.
Pontera counters that secure integrations are not only possible, but are commonplace, and that participants deserve the option to work directly with their outside advisor on their 401(k).
“What we’re seeing is an anticompetitive power grab—Fidelity compelling customers to use Fidelity advisors for customers’ own 401(k) accounts, or no advisors at all,” Zurel wrote in the open letter.
In Fidelity’s view, this primary claim lacks merit, as even its own advisors can’t take action on 401(k)s, and the dispute is not about the recordkeeper making it difficult for outside advisors to manage 401(k)s but is rather focused entirely on credential-sharing security concerns.
“If a customer chooses to work with an advisor to manage their 401(k), they can do so, as there are solutions and advisors available that leverage safe practices,” a Fidelity spokesperson told 401(k) Specialist.
For example, Fidelity works with firms including Absolute Capital, which collaborate with plan sponsors to leverage safe practices, using self-directed brokerage accounts to manage 401(k) assets. No client credentials or passwords are used.
“Fidelity’s concerns are focused on how some advisors are gaining such access by using customer credentials. We work closely to support many RIAs who securely advise on employer-sponsored retirement accounts with plan sponsor oversight,” Fidelity’s spokesperson said.
Fidelity also notes that credential-sharing arrangements often bypass plan sponsor oversight, potentially raising fiduciary concerns under ERISA.
The use of actual customer credentials to access accounts is a clear sticking point for Fidelity, because those credentials provide access to a user’s full account experience—not just their 401(k). Plan participant credentials held by third parties are not protected by a recordkeeper’s security measures, which can put participant data and personal information at risk.
“Some third-party fintech firms use credential sharing (e.g., username and password) to access, manage, and trade within their clients’ employer-sponsored retirement accounts, including those held at Fidelity, without plan sponsor oversight,” the Sept. 2024 update stated. “Credential sharing presents security risks to our customers, particularly when it enables third parties to take high-risk actions, such as executing trades within the accounts.”
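To make the distinction in the passages above concrete, here is an added illustration (not Fidelity's, Pontera's, or any vendor's code) modelling what a third party holds under credential sharing versus under a scoped, time-limited, revocable grant of the kind an API integration would issue. The scope names, account IDs, participant record and third-party name are constructed for the example and are not real identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical scope names (assumption for this example, not any recordkeeper's API).
READ = "401k:read"
REBALANCE = "401k:rebalance"       # trade within the plan's fund menu
WITHDRAW = "account:withdraw"      # move money out of the account
PROFILE_WRITE = "profile:write"    # change email, phone, mailing address

# Actions that must never be delegated to an advisor platform in this model.
NON_DELEGABLE = frozenset({WITHDRAW, PROFILE_WRITE})


@dataclass(frozen=True)
class PasswordSession:
    """What a third party holds after logging in with the participant's own
    username and password: the participant's full session. Every account the
    participant can see, every action the participant can take, with no scope,
    no expiry of its own, and no revocation short of a password change."""
    participant_id: str
    accounts: frozenset

    def allows(self, account_id, action, now):
        return account_id in self.accounts


@dataclass(frozen=True)
class DelegatedGrant:
    """A scoped, expiring, revocable grant the recordkeeper issues to a named
    third party. Illustrative model of an API-style integration, not a real
    token format."""
    participant_id: str
    third_party: str
    accounts: frozenset
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False

    def allows(self, account_id, action, now):
        if self.revoked or now >= self.expires_at:
            return False
        if action in NON_DELEGABLE:   # defence in depth: refused even if mis-issued
            return False
        return account_id in self.accounts and action in self.scopes


def issue_grant(participant_id, third_party, accounts, scopes, ttl, now):
    """Mint a grant. Fail closed at issuance: reject any scope that must stay
    inside the participant's own session."""
    scopes = frozenset(scopes)
    bad = scopes & NON_DELEGABLE
    if bad:
        raise ValueError(f"scopes not delegable to a third party: {sorted(bad)}")
    return DelegatedGrant(participant_id, third_party, frozenset(accounts),
                          scopes, now + ttl)


def decide(principal, requests, now):
    """Evaluate (account_id, action) requests against a PasswordSession or a
    DelegatedGrant. Returns {(account_id, action): allowed}."""
    return {(acct, act): principal.allows(acct, act, now) for acct, act in requests}


def demo():
    now = datetime(2025, 10, 10, tzinfo=timezone.utc)
    # Constructed sample participant: a 401(k), an IRA and a taxable account,
    # all visible behind one login.
    accounts = frozenset({"401k-0001", "ira-0002", "brokerage-0003"})
    requests = [
        ("401k-0001", READ),
        ("401k-0001", REBALANCE),
        ("ira-0002", READ),            # an account the advisor was never engaged for
        ("401k-0001", WITHDRAW),
        ("401k-0001", PROFILE_WRITE),  # the classic account-takeover step
    ]

    shared_password = PasswordSession("p-123", accounts)
    grant = issue_grant("p-123", "advisor-platform-x", ["401k-0001"],
                        [READ, REBALANCE], timedelta(days=90), now)

    via_password = decide(shared_password, requests, now)
    via_grant = decide(grant, requests, now)
    after_expiry = decide(grant, requests, now + timedelta(days=91))

    try:  # asking for a withdraw scope is refused before any token exists
        issue_grant("p-123", "advisor-platform-x", ["401k-0001"],
                    [READ, WITHDRAW], timedelta(days=90), now)
        issuance_rejected = False
    except ValueError:
        issuance_rejected = True
    return via_password, via_grant, after_expiry, issuance_rejected


if __name__ == "__main__":
    for label, result in zip(("password", "grant", "expired", "refused"), demo()):
        print(label, result)
```

Running `demo()` shows the asymmetry the article turns on: the password session answers yes to every request, including reads of the IRA and a profile change on an account the advisor was never engaged for, while the grant permits only read and rebalance on the one 401(k), refuses withdraw and profile writes both at issuance and at enforcement, and goes dark on its own after 90 days. The two refusal points are deliberate; enforcement-time checking of `NON_DELEGABLE` is what keeps a bug or misconfiguration in issuance from becoming a withdrawal path.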
Other recordkeepers have taken differing approaches—some choosing to integrate with credential-sharing platforms under strict security agreements—illustrating an industry still debating how to balance access with protection.
Pontera also claimed in its open letter that Fidelity rejected an offer to build an API to safely share data, a claim Fidelity characterizes as untrue.
“We can confirm that the fintechs created their business models and service offerings without consulting with Fidelity,” Fidelity’s spokesperson told 401(k) Specialist. “Similarly, financial advisors that have chosen to work with them have done so independent of their relationship with Fidelity.”
Fidelity to date has not partnered with Pontera or other fintechs with similar models that do not align with its security principles. While Fidelity has acknowledged meeting with Pontera, as it meets regularly with new financial technology vendors, the two firms remain at an impasse on the security issue as it relates to Pontera's credential-sharing business model.
“Recordkeepers and thousands of registered financial advisors and financial institutions across the country have reviewed and approved Pontera’s security conventions. Credential-based aggregation, the method Pontera uses to connect accounts, is widely adopted and recognized across the financial industry,” Zurel wrote in the open letter. “Advisors using Pontera do not—and cannot—see the participants’ credentials or access the participants’ accounts. Our technology is certified under SOC 2 Type II and ISO 27001, two of the industry’s key security standards.”
In the open letter, Zurel notes that Americans do not get to choose their 401(k) provider, unlike banking, credit cards, taxable investments, IRAs, and other financial products, where they can choose the provider. To counter that lack of choice, he said personalized advice and management from a participant-chosen advisor allows for holistic planning, tax optimization strategies, and navigation of investment products both simple and complex.
“Many recordkeepers, retirement plan advisors, and portfolio management platforms agree. That’s why Pontera has partnered with Manulife John Hancock, 401GO, Morningstar, BNY’s PershingX, Orion, Commonwealth Financial Network, Captrust, and other industry leaders,” the open letter states.
It goes on to say a powerful recordkeeper has an economic motivation to try to keep retirement savers locked under maximal institutional control for asset retention and the ability to offer in-plan advisory services, products, and proprietary financial tools and research.
“It’s like being forced to only shop at one grocery store—no matter the prices, selection, or quality of products—even if there’s a store that you prefer around the corner that already knows your preferences, meal plans, and dietary restrictions.”
While Pontera said Fidelity has never asked to review its security practices despite Pontera’s repeated invitations to collaborate, the open letter concluded that Pontera remains open to a dialogue with Fidelity on additional solutions that put savers’ interests first.
For advisors, it is becoming clear that the custodial access model is now a frontline issue. The dispute could influence how custodians, fintechs, and plan sponsors navigate the growing demand for holistic advice across held-away assets, setting precedents for data security, plan sponsor oversight, and participant choice in the years ahead.
Whether viewed as a matter of participant freedom and access to holistic advice—or a question of cybersecurity, plan oversight and custodial responsibility—what’s at stake is how 401(k) assets are advised and managed going forward.
• Read Fidelity’s Sept. 2024 Update on Secure Data Sharing Efforts here
• Read Pontera’s October 10, 2025 Open Letter here
Veteran financial services industry journalist Brian Anderson joined 401(k) Specialist as Managing Editor in January 2019. He has led editorial content for a variety of well-known properties including Insurance Forums, Life Insurance Selling, National Underwriter Life & Health, and Senior Market Advisor. He has always maintained a focus on providing readers with timely, useful information intended to help them build their business.
