Executive Summary
Historically, advisors haven't had many avenues to manage clients' 401(k) plan accounts, since unlike traditional custodial investment accounts, advisors generally lack discretionary trading authority in employer-sponsored retirement plans. Which wasn't necessarily a big issue back when most clients hired advisors after they had already retired and were able to roll over their employer plans into an IRA managed by the advisor; but as advisors have increasingly taken on working-age clients (and the 401(k) plan itself has taken on greater importance in retirement planning), the friction between 401(k) and non-401(k) plan assets has grown into a bigger issue from an operational and compliance standpoint.
For advisors who want to advise on clients' 401(k) plan assets but who can't manage them directly, there have generally been 2 options. First, the advisor can periodically review the investment statements issued by the 401(k) plan against the client's goals and risk tolerance and make recommendations that the client must then carry out on their own – which can prove frustrating for both the advisor and the client as it involves making multiple requests for information and then executing the trade, and if the client is busy or forgetful, there's the risk that the recommended trades will never actually be carried out. Alternatively, some advisors have instead opted to collect clients' login information so they can execute the trades in their clients' accounts themselves – presenting numerous data security and compliance issues for the advisor (and can lead to the advisor being considered to have custody over client assets).
In this environment, several data aggregation tools, with Pontera being the most prominent, have emerged to enable advisors to more efficiently and securely manage their clients' 401(k) plan accounts by giving the advisor the ability to view and trade in the 401(k) account. Which would seem to be a preferable solution to the old method of logging in with the client's credentials, since the advisor doesn't need to collect the client's login information (as it is entered by the client themselves and stored securely without giving the advisors access to the credentials), and can allow advisors to more efficiently serve clients with 401(k) plan assets (including those who might not have enough non-401(k) plan assets to meet the advisor's minimums).
However, regulators in several states, including Washington and Missouri, have recently begun to scrutinize advisors' use of Pontera and similar technology, citing concerns that recommending clients to share their login credentials with third-party technology may constitute "dishonest and unethical" conduct by potentially violating clients' user agreements with their 401(k) platforms. On the surface, this doesn't necessarily make sense, because many 401(k) plan platforms don't in fact ban such third-party credential sharing. But at the same time, regulators may have some valid concerns, since the amount of client data that can be seen and collected by the technology often exceeds what is actually needed to view and trade in clients' 401(k) accounts, while their ability to manage clients' investments outside of the traditional (and well regulated) custodial framework might also have spurred regulators to find a way to 'pump the brakes' until they can more carefully determine what is or is not an appropriate use of data aggregation technology.
And yet the fact remains that technology like Pontera may still be preferable to the alternatives that exist for advisors to advise on and manage clients' 401(k) assets (e.g., making recommendations for the clients to execute on their own or collecting client login credentials), while it also doesn't make sense from a fiduciary standpoint to simply leave 401(k) assets out of the financial planning conversation entirely. And so, despite the current regulatory friction around held-away asset management, the most sensible path forward does involve some role for technology to manage clients' 401(k) accounts – albeit with more communication between technology providers, financial institutions, regulators, and advisors to build a system that addresses the concerns of each.
In the short term, however, it's uncertain whether states like Washington and Missouri will remain the outliers in scrutinizing Pontera and similar technology or whether other states (or the SEC) will share those issues. Which makes it important for advisors considering whether to use the technology to understand where their own state regulators stand and for those who use it already to explain to their regulators how it allows them to better holistically manage their clients' assets without resorting to collecting client login credentials. Since ultimately, the advisors who use it every day are best positioned to show how held-away asset management technology can truly be used in the client's best interests!
The Challenge Of Advising On Clients' Employer Retirement Account Assets
For financial advisors who manage their clients' investments, employer-sponsored retirement accounts like 401(k) and 403(b) plans have long presented a conundrum.
Most types of investment accounts (taxable, trust accounts, IRAs, and the like) can be held at virtually any financial institution and easily moved from one institution to the other, allowing an advisor to consolidate all of a client's accounts under one custodian to streamline the process of trading, tracking, and reporting on the accounts. But assets in a 401(k) plan can only be held at the institution that serves as that particular plan's custodian, meaning that as long as the client is still employed and actively participating in the plan, their 401(k) plan assets are effectively sequestered within an institution separate from their other assets, and over which the advisor has no direct discretionary trading authority.
From the 1970s (when the first 401(k) plans were introduced) up until the 1990s, the separation of 401(k) assets from a client's other investments wasn't necessarily a major issue for advisors. For one thing, the relative newness of 401(k) plans meant that 401(k) assets didn't yet make up a large chunk of most clients' net worth, with more people participating in traditional defined benefit pension plans than in defined contribution plans like 401(k) plans up until the mid-1980s.
Plus, the retirement-centric focus of most financial advisors in those years meant that more often than not, clients were hiring financial advisors at the point when they were already retired and no longer actively participating in their employers' retirement plans, meaning they could simply roll over their 401(k) plan assets into an IRA that could be directly managed by the advisor.
But as the 20th century rolled into the 21st, shifts in the retirement savings landscape as well as the financial advice industry created increasing friction between the way advisors handled 401(k) versus non-401(k) plan investments. Greater adoption of defined contribution plans by employers, and of plan features like employer matching contributions, auto-enrollment, and target date funds – which coincided with a decline in the use of traditional defined benefit plans – led to more widespread employee participation in 401(k) plans, and to a greater share of individuals' investments being held in 401(k) plan accounts.
At the same time, financial advisors were increasingly seeking out ways to serve a broader range of clients beyond their core clientele of recent retirees (who themselves were often not so 'recently' retired anymore, and in many cases were starting to pass on and leave their wealth to younger generations), including still-working families for whom 401(k) plan assets now made up a substantial portion of their savings. All of which made it more desirable for advisors to find ways to incorporate these assets into their financial planning and investment management services for clients, despite not being able to roll the assets over to their custodian of choice to manage in-house.
Operationally, however, it was still challenging for advisors to handle the management of assets in their clients' 401(k) plans since there was little or no way to exercise discretionary trading over a client's 401(k) plan account (other than in the fairly rare cases where a client's 401(k) plan had a self-managed brokerage window option that also allowed for a third-party advisor to trade on the client's behalf). In practice, most advisors had to choose between 2 options, both of which presented numerous pitfalls for the advisor and the client.
The first option was for the advisor to periodically review statements issued by the client's 401(k) plan provider and recommend rebalancing trades, which the client would then execute on their own. Although simple enough in theory, this method introduces a lot of friction into the investment management process, since each rebalancing cycle involves sending, at minimum, 2 separate requests to clients (one asking the client to send their 401(k) plan statement for the advisor to review, and the other instructing the client to make any rebalancing trades the advisor recommends). And in practice, there are usually additional follow-ups required to ensure those tasks are actually completed – and it's all too common for clients' busy lives to get in the way of following through on even 1 of those requests, let alone both.
And so the other option that began to gain widespread use was for the advisor to actually collect and store the client's login credentials for their 401(k) plan provider, allowing the advisor to log in and access the client's account themselves. Which, while avoiding the hassle of asking the client to send statements and make rebalancing trades, also represents an ethical and compliance nightmare for the advisor, and a serious data security risk for the client. Because without a way to securely store client login credentials, an advisor whose systems were compromised in a data breach would risk having those credentials stolen as well (for which the advisor might ultimately be found legally liable). Furthermore, in the eyes of many regulators, including the SEC, possessing a client's user name and password for their 401(k) plan account constitutes custody over the client's assets, which triggers numerous regulatory obligations (such as annual audits of client assets by an independent accounting firm) that many advisors would prefer to avoid unless having custody is truly necessary to their service model.
The Rise Of Data Aggregation Tools To Streamline Held-Away Asset Management
In the 2010s, technology began to come along that made it more feasible for advisors to advise on (and even directly manage) clients' "held-away" assets, including not only 401(k) plan accounts but also other investments like private equity funds, investment partnership or LLC interests, and non-traded REITs.
First came a generation of data aggregation tools, starting with consumer-facing software like Mint (which is now absorbed into Credit Karma), but later expanding to advisor-specific solutions like Morningstar's ByAllAccounts and eMoney's client portal. Clients could connect all of their various accounts to these platforms by entering their login credentials (which were stored securely by the software but not viewable by an advisor or any other third-party) and allow advisors view-only access to see the client's account balances, holdings, and transactions without having the ability to trade, move money, or alter account settings in a way that could trigger custody for the advisor. Which meant that even if the advisor couldn't physically make the trades in the client's 401(k) plan account (which the client would still have to do themselves, either on their own or during the course of a meeting with the advisor), they were still spared the pain of tracking down account statements and manually inputting statement data into their own investment management software.
In 2012, a new solution called FeeX launched that took the data aggregation concept one step further. Its original product used data aggregation to allow advisors and clients to view and compare the underlying fees the client was paying on their 401(k) plan investments (thus making it easier for advisors to compare the plan's fees with their own advisory and underlying fund fees and show how it could be in the client's best interests to roll over the funds into an IRA to be managed by the advisor).
But in 2018, FeeX (which later rebranded itself as Pontera) pivoted its focus to allowing advisors to directly trade in clients' 401(k) plan accounts. Which, at least in theory, finally made it possible for advisors to manage investments in their clients' 401(k) plans similarly to how they managed their 'normal' custodial assets (i.e., by inputting the trades themselves) without the security and custody issues presented by logging into clients' accounts.
Pontera has proven popular among advisors and clients, and has spawned competitors such as Absolute Capital and Future Capital as alternatives for managing clients' held-away assets. But it wasn't just the added operational efficiency of being able to monitor and manage a client's 401(k) plan in real time that made the technology worth it to many advisors; it was also the opportunity to drive business growth, either by adding assets in clients' 401(k) plans to their billable Assets Under Advisement (AUA), or by serving a whole new class of clients whose investable assets may have consisted primarily of funds in their 401(k) plan accounts and who wouldn't have met the advisor's investment minimums using only IRA and/or taxable accounts.
Which, for many advisors, made it worth paying Pontera's substantial 30 bps fee on managed 401(k) plan assets, since they could either bill clients directly on the assets to offset the cost, or else make up the difference via business growth by differentiating themselves on offering full-service investment management of their clients' 401(k) plans.
Why State Regulators Are Pushing Back On Held-Away Asset Management
At first, regulators seemed to welcome advisors' use of data aggregation technology to view client accounts since it was a clear improvement over the alternative of clients sharing their login information with their advisors. However, as more advisors have begun using Pontera and other tools to not just view but also manage clients' held-away assets, at least a few state regulators have begun to reevaluate what does or doesn't constitute an appropriate use of data aggregation.
In late 2023, Washington state's Department of Financial Institutions began to scrutinize advisors' use of Pontera, informing advisors on the platform that because Pontera requires clients to enter their personal login information to connect their financial institution to the platform, it violates the section of the state's administrative code concerning unethical business practices.
A few months later, in May 2024, Missouri's state securities regulator began sending out its own notice to advisors registered in that state, which, while not citing Pontera by name, warned that the use of third-party providers that rely on client login credentials (potentially encompassing not only Pontera but also a wide swath of other data aggregation tools) is "considered dishonest and unethical" if it is done without the knowledge or approval of the financial institution where the account is held.
In both cases, the regulators' stated concerns were that clients giving account login credentials to a third party (e.g., by entering them into a data aggregation platform) could violate the client's user agreement with the financial institution where their accounts are held, which, in turn, could theoretically void any fraud protection the client would have been entitled to in the event that their login credentials were compromised and money was stolen from their account. By extension, as the regulators' reasoning goes, it would be unethical for advisors to recommend or require clients to use any such service, since it would (again, theoretically) invalidate a key protection of the client's assets against cybertheft.
The problem with this logic, as Pontera pointed out in its own response, is that in most cases, financial institutions' user agreements don't actually include blanket provisions that prohibit sharing of login credentials with third parties. They may still state that clients would assume the risk in sharing their login information – which makes it important at least to understand whether the data aggregator will guarantee any financial losses that may result from a cybersecurity breach on their platform – but as long as those risks are disclosed to and understood by the client, there would seem to be nothing inherently dishonest or unethical about using a data aggregation platform that is otherwise safe and secure in how it handles sensitive client information.
So, if advisors and clients both like it, and financial institutions don't disallow it, then why are state regulators pushing back on advisors' use of Pontera and other data aggregators?
NASAA's Account Access Model Rule
The confusion seems to go back to 2019, when the North American Securities Administrators Association (NASAA) amended its Model Rule on Unethical Business Practices of Investment Advisers And Investment Adviser Representatives to address the growing problem of advisors using clients' login credentials to access their accounts.
The text of the amendment itself is straightforward. To the list of unethical business practices for financial advisors, it adds:
Accessing a client's account by using the client's own unique identifying information (such as username and password).
The plain text of the rule makes it pretty clear that its intent is simply to prevent advisors themselves from collecting and using clients' credentials to access their financial accounts. And since Pontera and similar tools are designed specifically to avoid giving advisors access to their clients' login credentials, advisors who use them wouldn’t seem to be in violation of the rule – one would actually think that these tools would allow for better compliance with the rule, since they remove any reason that an advisor might have for wanting to keep their clients' login credentials.
But the state regulators pushing back on advisors' use of Pontera seem to have broadened their interpretation of the account-access model rule to include not just advisors using their clients' login credentials, but also using any third-party platform that requires clients to enter in their credentials, even if those credentials are never seen by the advisor. With the reasoning that asking clients to share their login credentials with a technology platform sitting in between the advisor and the institution presents the same opportunity for fraud and cybertheft as the advisor using the clients' credentials themselves.
Looking at things from a regulatory perspective, there are a couple of reasons why it could make sense to be concerned about tools like Pontera being used by advisors.
First, even though clients sharing their credentials with a third-party platform might not always amount to a violation of their user agreement with their 401(k) plan's platform, there are legitimate reasons why it can be problematic to use technology that accesses a client's account without having a data-sharing agreement in place with the financial institution where the account is held (which seems to be the case with Pontera). Rather than only being allowed to access the specific account information that's needed to perform the technology's function (e.g., viewing and rebalancing clients' 401(k) plan accounts), the technology can effectively access all client information on the site – including address, marital status, birthdate, beneficiary names, employer, and contribution information – which it could, at least in theory, surreptitiously collect and sell, or misuse in some other way. (To be clear, there's no reason to believe Pontera might misuse client data in this way; however, simply the possibility of doing so might be enough for regulators to be wary of technology with that level of access to client information.)
Additionally, every time there's a change to the user interface of the 401(k) plan's website or a change of password or multifactor authentication information, the connection with Pontera (and the advisor's ability to view or trade in the client's account) is broken until the client can log in and fix the issue. And depending on how frequently those interruptions occur (and how many clients they affect), they can prove seriously disruptive to the advisor's ability to deliver the management of 401(k) plan assets that their clients are paying for.
These issues are why there has been an industrywide push from regulators and financial institutions for over a decade to curb the use of 'screen-scraping' data aggregators that log on virtually as the client to collect information from an institution's customer-facing website, in favor of other methods like Application Programming Interface (API) feeds that allow the institution more control over what data to share and whom to share it with. Pontera's method of logging into the client's 401(k) plan account on their behalf and automatically pushing the buttons to execute rebalancing trades is reminiscent of the screen-scraping technology that the industry has been trying to move away from for years, which makes it logical that Pontera's technology would raise some red flags with regulators who view it in a similar light as screen-scraping aggregators.
The other possible concern for regulators is that, unlike 'pure' data aggregators that simply collect client account data, Pontera and similar tools actually allow the advisor to make discretionary trades on the client's behalf. Traditionally, discretionary trading has only been done either directly on the custodial or broker-dealer platform where the client's assets are held, or via third-party trading software like Orion or Advyzon that has direct integrations with custodians. Thus, a common framework has built up around that model to ensure that regulators can audit records of trading and account activity done by advisors.
But now that technology like Pontera has arisen that allows advisors to manage clients' investments outside of that framework, it's natural that regulators would give it more scrutiny than existing data aggregators that solely provide view-only access to client accounts. And even though Pontera does create an audit trail that logs rebalancing activity within the account, there's no certainty that every other current or future held-away asset management tool will also include that feature – so rather than scrutinize individual tools one by one as they come on the market, some regulators may be more inclined simply to ban their use altogether.
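To make the contrast between the two access models concrete, here is an added illustration (not Pontera's code, not any recordkeeper's, and not part of the original article) of what the earlier paragraphs describe: a credential-based login that reaches every field on a participant's page versus an institution-defined API feed whose scopes unlock only the fields a named third party is permitted to see or change, with the institution keeping an audit trail of who did what. The participant record, the scope names, the firm name, and the field mapping are all constructed for the example.

```python
"""Scoped API access versus credential-based access, with an audit trail.

Added illustration (not Pontera's, any recordkeeper's, or the article's own code).
All names, scopes, and sample data below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample of what a recordkeeper's participant site holds. A login with the
# participant's own credentials can reach every one of these fields.
PARTICIPANT_RECORD: Dict[str, object] = {
    "holdings": {"TDF2050": 62000.0, "BOND_IDX": 18000.0},
    "contribution_rate": 0.06,
    "address": "123 Example St, Anytown",
    "birthdate": "1980-01-01",
    "marital_status": "married",
    "beneficiaries": ["Pat Example"],
    "employer": "Example Corp",
}

# Hypothetical scope-to-field mapping that an institution would define for an API feed.
# A scope unlocks only the fields listed for it; nothing else is reachable.
SCOPE_FIELDS: Dict[str, Set[str]] = {
    "holdings:read": {"holdings"},
    "contributions:read": {"contribution_rate"},
    "trades:rebalance": {"holdings"},
}


@dataclass
class AccessToken:
    """Token issued by the institution to a named third party with explicit scopes."""
    subject: str
    scopes: Set[str]


@dataclass
class AuditLog:
    """Institution-side record of who touched which fields and what they did."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, fields: Set[str]) -> None:
        self.entries.append({"actor": actor, "action": action, "fields": sorted(fields)})


def credential_login_view(record: Dict[str, object], audit: AuditLog) -> Dict[str, object]:
    """Screen-scraping model: the tool logs in as the participant and sees everything.

    The audit entry cannot tell the tool apart from the participant, because the
    institution only ever saw the participant's own credentials."""
    audit.record(actor="participant", action="view", fields=set(record))
    return dict(record)


def allowed_fields(token: AccessToken) -> Set[str]:
    """Union of the fields every scope on the token unlocks; unknown scopes grant nothing."""
    fields: Set[str] = set()
    for scope in token.scopes:
        fields |= SCOPE_FIELDS.get(scope, set())
    return fields


def scoped_view(record: Dict[str, object], token: AccessToken, audit: AuditLog) -> Dict[str, object]:
    """API-feed model: only the fields the token's scopes unlock are returned,
    and the audit entry names the third party rather than the participant."""
    allowed = allowed_fields(token)
    visible = {k: v for k, v in record.items() if k in allowed}
    audit.record(actor=token.subject, action="view", fields=set(visible))
    return visible


def scoped_rebalance(record: Dict[str, object], token: AccessToken,
                     target_weights: Dict[str, float], audit: AuditLog) -> Dict[str, float]:
    """Rebalance holdings to target weights, but only when the token carries the trading scope."""
    if "trades:rebalance" not in token.scopes:
        raise PermissionError(f"{token.subject} lacks the trades:rebalance scope")
    if abs(sum(target_weights.values()) - 1.0) > 1e-9:
        raise ValueError("target weights must sum to 1")
    total = sum(record["holdings"].values())
    new_holdings = {fund: round(total * weight, 2) for fund, weight in target_weights.items()}
    record["holdings"] = new_holdings
    audit.record(actor=token.subject, action="rebalance", fields={"holdings"})
    return new_holdings


if __name__ == "__main__":
    log = AuditLog()
    everything = credential_login_view(dict(PARTICIPANT_RECORD), log)
    view_only = AccessToken("advisor-firm-example", {"holdings:read"})
    limited = scoped_view(dict(PARTICIPANT_RECORD), view_only, log)
    print(sorted(everything))  # all seven fields, PII included
    print(sorted(limited))     # ['holdings']
    for entry in log.entries:
        print(entry)
```

The point the example makes is the one regulators appear to be circling: with a credential login the institution's own audit trail records only "the participant" and the data exposed is everything on the page, whereas a scoped feed lets the institution decide field by field what a named third party may read or change and records that party's actions under its own identity.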
Why Using Technology To Manage Held-Away Assets Is Still Better Than Sharing Client Credentials
Even though there are valid reasons for regulators to be skeptical towards software like Pontera that can allow advisors to manage clients' held-away assets, there's still a good argument that, from a fiduciary standpoint, it's better than the other options that advisors have towards managing those assets.
From the perspective of a client who wants their advisor to manage their investments, it would make the most sense for the advisor to be able to manage all of their investments – even if a significant chunk of those assets happens to be in a 401(k) plan. For the advisor, the ability to view the client's accounts all together in real time, integrate them into portfolio management and financial planning software, and make trades without requiring any action from the client to do so makes the portfolio management process more efficient. And if Pontera or similar technology can reduce the time it takes for advisors to manage clients' 401(k) plan assets, it then allows the advisor to spend more time on holistic advice and/or reduces the cost of providing that advice, either of which would be a net positive for the client.
Additionally, to the extent that clients do want advisors to manage all of their accounts, it's arguably far better to entrust the collection and storage of client credentials to a third-party company that has the security protocols in place to handle them safely, rather than to the advisor to safeguard the information themselves.
Stated differently, if the alternative options are 1) to not manage or advise on clients' 401(k) plan assets at all, ignoring a potentially major component of their overall financial picture; 2) to advise on them, but to do so in a clunky and inefficient way that requires the client to send account statements and execute trading instructions themselves; or 3) to collect clients' login credentials for the advisor to log in themselves, exposing them to cybersecurity and custody risks; then a solution like Pontera might seem more palatable despite the issues that regulators have brought up, since it allows the advisor to manage the client's 401(k) plan assets in an integrated way along with the rest of their investments, and in a way that doesn't require the advisor having access to the client's login information.
Building A Better Way To Access And Manage Held-Away Accounts
Amid the debate about whether it is or isn't appropriate to use Pontera or other held-away account management tools as a fiduciary, it's worth remembering that this debate only exists because of the need to bridge the chasm between 401(k) and non-401(k) plan assets, which in turn exists because of the structural and regulatory differences that have respectively grown up around employer retirement plans and 'regular' custodied investment accounts. If someone were building the system for saving and investing from scratch today, perhaps the 2 systems would be integrated closely enough to be able to view and manage them holistically rather than as fully separate entities.
However, in reality, there doesn't seem to be much hope of resolving the differences between employer retirement plans and other types of assets. And so, for advisors who want to provide advice that includes both types of assets, there will be a need for a workaround to integrate employer retirement accounts with clients' other investments for as long as the current system is in place.
To that end, having a functional avenue for advisors to safely and securely manage their clients' employer retirement accounts benefits everyone involved – the clients who are saving for retirement, the advisors who provide financial advice and asset management, the regulators who serve to protect the interests of investors, the financial institutions that hold the assets, and the technology providers who create solutions to patch everything together.
But the only way for this to happen is through coordination and cooperation between the parties involved; because as we've seen, attempting to bridge the gap through technology alone without input from everyone with a stake in the game has led to friction with regulators and financial institutions, with advisors who have adopted Pontera now being forced to decide whether continuing to use the technology is worth the regulatory risk. From a technology standpoint, that means having data sharing agreements and/or direct API feeds in place between providers of held-away asset management technology and 401(k) plan platforms and recordkeepers. (Absolute Capital, another provider in the held-away asset management space, does work with employer retirement plans and custodians directly, providing a potential model for how such a system could work.)
The current challenge here is that not all 401(k) plan platforms are willing to share client account data, particularly smaller providers for whom the cost of building and maintaining a direct data feed would present a higher hurdle. But as larger institutions increasingly transition to direct feeds, there will be more pressure on all providers to follow suit. Additionally, those institutions might soon feel pressure from their own regulators to offer direct feeds for access to client data. For instance, the Consumer Financial Protection Bureau (CFPB) released proposed regulations in late 2023 that would require all financial institutions to make client data available via secure data feeds within 4 years of its finalization (and sooner for larger institutions).
So whether by internal pressure from industry competitors or external pressure from regulators like the CFPB, institutions of all sizes may feel compelled to offer direct data feeds, which would make it easier for platforms like Pontera to access client data without relying on unauthorized logging in to client accounts.
There's also arguably more that securities regulators can do to clearly lay out their concerns with Pontera and other held-away asset management technology. As discussed earlier, their stated critique of clients sharing their 401(k) plan login credentials with Pontera amounting to a violation of the 401(k) plan platforms' user agreements doesn't really square with the fact that the majority of those agreements don't actually forbid sharing credentials with third-party platforms.
If there are other issues, like the method by which Pontera accesses client data or the fact that it allows for trading and rebalancing in client accounts instead of being a purely view-only tool, it would be helpful if regulators more clearly explained those concerns and worked with technology providers on how to address them.
At a broader level, the Pontera issue shows how regulators could be clearer about the expectations for advisors when they adopt new technology. Because while it's one thing to expect advisors to take reasonable measures to safeguard their clients' data, it's another thing to expect advisors to understand the intricacies of data sharing and API access well enough to ensure that all of their data aggregation vendors are accessing their clients' account data with the permission of the financial institution where the assets are held. And it's yet another thing to do so when states haven't made it explicitly known that advisors are expected to drill down to a level of due diligence that entails knowing if and which of their clients' outside financial institutions permit third-party data aggregators to access client information.
If an advisor doesn't find out until after they've already started using the software and integrated it into their business model that their state regulator won't sanction its use, the advisor will be faced with a disruptive choice between dropping the software or finding a way to register in another jurisdiction, perhaps by joining an SEC-registered corporate RIA. Having a clearer set of guidelines for the kinds of factors to look for when doing due diligence of technology providers can help advisors avoid having their practice upended by a letter from regulators telling them that their technology isn't compliant with state securities laws.
For advisors, it's uncertain, at least in the short term, whether Washington and Missouri will remain outliers among state regulators in scrutinizing advisors' use of Pontera and similar technology, or if other states (or even the SEC) will begin to follow suit. State-registered advisors considering whether to adopt technology like Pontera to manage clients' held-away assets may want to first reach out to their state regulator(s) to find out whether their states have any issues with advisors' use of the technology. And advisors who use Pontera or similar tools in a jurisdiction that currently allows their use will need to weigh the technology's benefits against the possibility that their own regulator will reverse course and forbid it at some point.
Advisors who do manage held-away assets, and whose regulators have questions about the technology, can work with regulators to explain how it can allow the advisor to holistically manage their clients' assets without resorting to collecting the clients' login credentials, and how that's ultimately in the client's best interests. For those advisors, it's key to ensure that their regulatory disclosures accurately reflect how they use the technology to manage clients' held-away assets.
In the long run, given the continued evolution of the financial advice industry towards more holistic advice and serving clients of working age, it seems inevitable that we'll eventually come to a solution that allows advisors to manage clients' held-away assets in a way that's agreeable to the regulators and financial institutions involved. But in order to get to that point, it's going to be necessary for advisors, regulators, financial institutions, and technology providers to get on the same page about how to provide access to the account data that allows clients to get holistic financial advice while also safeguarding that data and preserving any fraud protection the client is entitled to.
In the end, while technology can help come up with novel solutions to problems like the structural divide between 401(k) and non-401(k) plan assets, it takes everyone's involvement to come up with a solution that's aligned to work in the client's best interests.