ThinkAdvisor
Dave Goldman, Chief Business Officer, Pontera


Know the Risks: Using Your Clients’ 401(k) Logins


Thanks to a new partnership with Pontera announced in late January, Commonwealth’s affiliated advisors can now “seamlessly” manage their clients’ workplace retirement plan assets, but perhaps even more importantly, they can do this work in a professionally secured digital environment.

In fact, as Pontera’s chief business officer, David Goldman, recently told ThinkAdvisor, the firm’s ability to help advisors efficiently monitor, trade and rebalance their clients’ 401(k) plan assets from a unified interface is a big deal, but another key part of the value proposition is the unyielding focus on cybersecurity.

“Look, any advisor can borrow their clients’ log-in credentials and make trades in their retirement plan account,” Goldman said. “But that process is cumbersome, and advisors run cybersecurity risks by collecting and maintaining their clients’ passwords and usernames. Most advisors aren’t taking steps to encrypt this data, for example, and they may not be adequately monitoring for potential breaches.”

No advisor wants to see their clients’ hard-earned retirement assets put in jeopardy, and there is also the potential personal and professional liability to consider, especially since the typical tax-advantaged retirement account is going to be subject to the rules and requirements of the Employee Retirement Income Security Act. There are also questions about whether advisors can adequately document and report such activity to their home office or regulatory authorities.

“It is important to note that there is nothing inherently wrong with advisors managing these accounts for their clients by logging in with their credentials, as they have been for years,” Goldman emphasized. “It’s too important an asset to leave underserved, and clients are asking for help. If they do, advisors should be mindful to follow protocols and take all necessary precautions, including claiming custody and submitting to regular surprise audits while doing everything in their power to keep those credentials safe and secure.”

According to Goldman, the new Commonwealth partnership is Pontera’s largest publicly announced agreement with a national registered investment advisor firm, and he said the cybersecurity story his firm can tell was an important part of the equation — in addition to Commonwealth’s strong interest in helping advisors support the management of retirement accounts at scale.

“We are thrilled about this partnership with Commonwealth. They’re a real titan in the wealth management industry,” Goldman said. “We look forward to equipping Commonwealth advisors with the tools to integrate 401(k) and 403(b) assets into custom financial strategies for their clients. This comprehensive approach is vital to creating superior financial outcomes for retirement savers.”

Holistic Advice Is In Demand

Goldman said he agrees strongly with the proposition that the traditionally distinct worlds of private wealth management and workplace retirement accounts are quickly coming together, thanks to a number of interrelated factors that include organic client demand and legislative tailwinds.

“Today’s advisors are being asked to make an even greater impact on their clients’ holistic financial well-being,” Goldman said. This means advisors are being asked to integrate retirement assets efficiently and effectively into the broader financial planning process, thereby elevating their ability to deliver comprehensive services for their clients.

And, as Goldman pointed out, the median American family now holds the majority of their net worth in workplace retirement plan accounts. Long gone are the days when “workplace retirement planning” simply involved sizing up the client’s guaranteed pension check that kicked in at retirement and lasted for life. Today, there is so much more pressure placed on individuals to manage their own retirement assets and income.

“In the defined contribution plan world, the onus is put fully on the retirement saver as an individual, and so it’s no surprise more people would be seeking support from wealth managers in this area,” Goldman said. “Our ongoing investment in the platform reinforces Pontera’s commitment to helping U.S. workers retire better through a national footprint of partnerships with leading financial firms.”

The Importance of Cybersecurity

Goldman observed that some wealth managers have been working in their clients’ retirement accounts for decades, but the traditional approach to this work is “very manual and very prone to cybersecurity risk.”

“For example, you still see a lot of advisors just asking for their client’s retirement account username and password, and they are actually logging in from their own private computer to trade and review the account,” Goldman said. “Again, it’s a great service, but in today’s environment, it poses real cybersecurity risk. So, what we are doing is allowing them to deliver this type of advice but do it in a way that has audit trails and a full set of cybersecurity tools. We’ve literally invested tens of millions of dollars in our security infrastructure.”

Goldman said it is particularly important that the firm lives up to both the SOC 2 Type II and ISO 27001 certifications, which he says are crucial for assuring customers that a company has robust measures in place to secure their data.

Put simply, SOC 2 Type II is a framework for managing and securing sensitive information that is stored and processed in the cloud. The certification ensures that a company’s systems are designed and operated securely, particularly in terms of data privacy, availability, processing integrity, confidentiality and security. SOC 2 Type II involves a rigorous assessment over a specified period to evaluate the effectiveness of these controls. Pontera’s SOC 2 Type II certification is issued through Ernst & Young.

ISO 27001 is an international standard for information security management systems. It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity and availability. As the firm explains, an ISO 27001 certification demonstrates that an organization has implemented — and is actively maintaining — a robust information security management system.

“It’s a globally recognized standard that gives clients confidence that their data is being handled securely,” Goldman said. “Meeting these standards is important for Pontera to maintain its position as a trusted technology platform for financial advisors and their end clients. The world-recognized security certifications demonstrate our strong measures to protect sensitive customer information and maintain business continuity.”

Pictured: David Goldman



© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.