Published: November 11, 2025
Key points
- Charles Schwab has asked a subset of clients to reset their usernames/passwords after detecting third‑party credential sharing tied to data vendors. The firm frames the move as a client‑security step. [1]
- The change lands amid a broader industry fight over “credential sharing” and screen‑scraping access to 401(k)s and other “held‑away” accounts. Fidelity moved first to restrict such access in 2024 and stepped up enforcement this fall. [2]
- Fintech Pontera, which enables outside advisors to manage employer plans, says Fidelity “stands alone” in locking out clients and has escalated its public pressure campaign. Fidelity disputes Pontera’s claims and points to data‑security risks. [3]
What happened
On Monday, Nov. 10, Charles Schwab began requiring some clients to reset their login credentials. According to coverage from ThinkAdvisor and Citywire, the reset notices went to customers who had shared their Schwab usernames and passwords with third‑party data vendors; Schwab says the change is part of its security processes. [4]
InvestmentNews reports the step follows Fidelity’s earlier enforcement moves limiting third‑party access to customer accounts, particularly for employer retirement plans, and places Schwab alongside its rival in cracking down on credential sharing. [5]
Schwab’s own terms warn clients not to share credentials with anyone, including third‑party providers, adding that the company’s Security Guarantee won’t apply if clients do so. That policy context helps explain why customers who had shared logins were prompted to update them. [6]
Why this matters: the 401(k) “held‑away assets” fight
The core tension is how RIAs and fintechs connect to accounts held at large providers. Many tools still rely on clients’ raw credentials (and sometimes screen scraping), a practice custodians argue exposes excessive data and security risk. In 2024 Fidelity announced it would “prevent platforms reliant on credential sharing from accessing and taking action in customer accounts,” framing the change as a client‑protection move to reduce data exposure. [7]
Coverage this fall in 401(k) Specialist and other outlets highlighted how Fidelity’s enforcement affected advisors managing held‑away assets and intensified calls to shift to API‑based connections with plan‑sponsor oversight. [8]
Pontera escalates: ‘Fidelity stands alone’ vs. ‘security first’
Pontera has led the pushback. In an open letter last month, CEO Yoav Zurel accused Fidelity of locking out “tens of thousands” of customers who work with outside fiduciary advisors. InvestmentNews reports that after Schwab’s reset notices surfaced, Pontera reiterated that “Fidelity stands alone” in outright lockouts. Fidelity rejects the characterization and has emphasized that its approach is about cybersecurity and reducing data exposure. [9]
Consumer‑facing explainers have also documented friction for some Fidelity participants as the firm tightened policies; Fidelity told NerdWallet the measures aim to address credential sharing while offering guidance for affected customers. [10]
What Schwab is telling clients — and what advisors are saying
Schwab indicated that some clients granted third‑party data vendors access in ways that could conflict with the firm’s security policies, prompting required credential updates. That aligns with longstanding Schwab notices that sharing logins can negate certain protections under its Security Guarantee. [11]
Industry voices quoted by InvestmentNews argue that screen‑scraping tools often hoover up more information than necessary and break frequently, strengthening the case for direct APIs. Others note that custodians must enforce plan‑sponsor rules and data‑protection obligations, even when it frustrates advisor workflows. [12]
Separate analysis last month also underscored the compliance and auditability risks advisors may run when managing held‑away assets through credential‑sharing intermediaries rather than approved channels. [13]
What clients can do now
- Review and disconnect third‑party access you don’t need. Schwab provides a security‑settings page where clients can see which services are linked and remove them. [14]
- Update your password and login ID. If you received a reset notice—or simply haven’t changed credentials in a while—Schwab’s guidance details strong‑password rules and how to update. [15]
- Turn on two‑factor authentication. Enabling verification codes (and using a hardware or mobile token where available) reduces takeover risk. [16]
- Understand the Security Guarantee. Schwab explicitly warns that sharing your login with any third party can void the guarantee; if a tool needs access, ask whether there’s an approved, read‑only, API‑based alternative. [17]
What RIAs should do next
- Audit fintech connections. Identify systems that rely on raw credentials or scraping and map them to approved, API‑based integrations where possible. Expect more custodians to follow Fidelity and Schwab in curbing credential sharing. [18]
- Document client consent and plan‑sponsor oversight. Several advisors warn that the compliance burden is rising for held‑away accounts; be ready to evidence controls and data‑minimization. [19]
- Proactively communicate. Reset prompts can unsettle clients. Explain the security rationale, how access may change, and alternatives for ongoing advice on 401(k)s. [20]
Timeline: how we got here
- Sept. 13, 2024 — Fidelity announces it will prevent credential‑sharing platforms from accessing and taking action in customer accounts to enhance security. [21]
- Oct. 10, 2025 — Pontera publishes an open letter alleging Fidelity is locking out many customers who work with outside advisors. [22]
- Oct. 15, 2025 — Industry coverage details the escalating Fidelity‑Pontera dispute and the underlying security debate. [23]
- Nov. 10, 2025 — Schwab asks certain clients who shared credentials with third‑party vendors to reset logins; the firm cites data security. [24]
- Nov. 10, 2025 — InvestmentNews reports Pontera’s fresh criticism that “Fidelity stands alone,” while experts urge a shift from scraping to APIs. [25]
Bottom line
Schwab’s targeted reset requirement doesn’t mirror Fidelity’s policy step‑for‑step, but it signals the same direction of travel: credential sharing and screen scraping are on borrowed time. Expect more enforcement, more client prompts, and continued pressure on advisors and fintechs to use sanctioned, least‑privilege API connections—with plan‑sponsor oversight where required. For investors, the practical takeaway is straightforward: review who can see your accounts, stop sharing passwords, and turn on strong authentication. [26]
Sources: InvestmentNews, ThinkAdvisor, Citywire Pro Buyer, Fidelity newsroom, Pontera, and Schwab client‑security documentation. [27]
Disclosure: This article is for information only and does not constitute investment, legal, or cybersecurity advice.
References
1. www.thinkadvisor.com, 2. newsroom.fidelity.com, 3. www.investmentnews.com, 4. www.thinkadvisor.com, 5. www.investmentnews.com, 6. www.schwab.com, 7. newsroom.fidelity.com, 8. 401kspecialistmag.com, 9. pontera.com, 10. www.nerdwallet.com, 11. www.investmentnews.com, 12. www.investmentnews.com, 13. www.investmentnews.com, 14. www.schwab.com, 15. www.schwab.com, 16. www.schwab.com, 17. www.schwab.com, 18. www.investmentnews.com, 19. www.investmentnews.com, 20. www.investmentnews.com, 21. newsroom.fidelity.com, 22. pontera.com, 23. 401kspecialistmag.com, 24. www.thinkadvisor.com, 25. www.investmentnews.com, 26. www.investmentnews.com, 27. www.investmentnews.com
