Is Personal Capital Safe? Personal Capital Security Explained

I use Personal Capital on a monthly basis to collect my net worth information. I’ve been at it for over a decade.

When I tell people I use a tool to do it, they all ask me the same question – is Personal Capital safe?

Security is one of the biggest concerns people have with any financial aggregator or tool. Whether it’s Mint, Personal Capital, or some other service – putting your data into the “cloud” can be unnerving. This is especially true given how many hacks we’ve seen recently. Equifax, one of the biggest credit reporting agencies, was hacked and 143 million consumers had their data stolen. It was enormous.

How do you know that your data is going to be safe at another company?

It comes down to two things: how they safeguard your information once they have it (data at rest) and how they safeguard it while it travels between you and them (data in transit).

Table of Contents
  1. Two Key Security Areas
  2. How Safe Is My Data in the Cloud?
  3. How Safe Is My Data at Personal Capital?
  4. Quick Primer on Encryption
  5. How Safe is the Connection with Personal Capital?
  6. How Personal Capital Protects Against Fraud
  7. Is Personal Capital Safe?
  8. Nothing Is 100% Safe

Two Key Security Areas

When it comes to financial apps and security, there are two key pieces to look at:

  1. How Safe is My Data – When you give the tool your data, how is it stored and protected? What is stored and where is it stored? How are the employees monitored to prevent any kind of theft?
  2. How Safe is the Connection – When you communicate with the tool, how secure is that connection? When you log in, when you view your data, when you update anything, when you give them your credentials… the transmission of that data is subject to risk.

The information you put into the system has to be safe in its place of storage. The way you communicate that information must also be secure.

How Safe Is My Data in the Cloud?

One of the biggest concerns people have with tools like Personal Capital is having their data in the “cloud.”

I reached out to David M. Parker, Asst. Prof., Div. of Accounting & Finance and Director, Center for the Study of Fraud and Corruption at Saint Xavier University, for his thoughts on services like Mint and Personal Capital. He shared some valuable thoughts on how to weigh the potential risks and rewards of using cloud-based tools:

David M. Parker, Asst. Prof., Div. of Accounting & Finance and Director, Center for the Study of Fraud and Corruption

With regard to general thoughts about storing data in the cloud by giving your data to Amazon, Microsoft, Dropbox, Equifax, your bank, Google, Facebook, or whoever… is it safe? Recent news items reveal the many, many companies that have suffered data breaches at the hands of cybercriminals.

Can your data be stolen if you hand it over to the cloud? Yes.

So, you decide to keep your data safe at home. Can it be stolen? Also yes. Cybercriminals can break into your home computer, your home wi-fi, your Internet-enabled thermostat or doorbell, etc.

Points in favor of the cloud include that a big company like Amazon or Microsoft might have more resources and be better at defensive security than you are at home. And, certainly, it is in the best interest of their business to do their best to remain secure. They also offer redundant storage to an extent you would not have just storing your data at home where your hard drive could blow up or your house burn down with your data in it. So, it is often an acceptable risk.

I have no direct personal experience with Mint or Personal Capital. My understanding of these third party financial data aggregator services is that they work by gathering all your financial data into one place and offering their clients the resulting convenience of the nice graphs and charts. This means they need to work with your bank, broker, etc. to get access to your transactions. The extent and type of access they will be able to get may depend on whether the financial institution views them as a partner or a competitor.

An issue that comes to my mind is the size of the attack surface. If your bank and your aggregator both have a copy of your information it gives the criminal two possible targets from which to steal it. Also, if all of your information is collected at one spot, rather than having to break into multiple accounts the criminal now has one-stop shopping.

There will always be risks. No system will ever be perfectly secure. There will always be vulnerabilities and bad people willing to exploit them. But, it always comes down to an individual judgment about whether the risk is reasonable or minimal compared with the benefit of the service.

Your data isn’t 100% safe at home and it isn’t 100% safe in the cloud.

But the companies that you trust with your data will have safeguards in place (“defensive security”) to protect you.

Let’s take a closer look at Personal Capital and what they do to secure your data.

How Safe Is My Data at Personal Capital?

Are you worried about your data being stored on Personal Capital servers?

The guy you want to talk to when it comes to security at Personal Capital is Fritz Robbins. He is their Chief Technology Officer and Chief Information Officer. He has over 20 years of experience in the field, including a three-year stint as a System Architect at RSA Security and eight years running his own full-lifecycle software engineering company. He holds an M.S. in Computer Science from Stanford University to boot.

(also, for what it’s worth, Personal Capital’s Founder Bill Harris co-founded PassMark Security, a company that built online authentication systems used by most major banks, and Fritz Robbins was with that company as well)

I asked Fritz about security and he mentioned a few of the points I’ll dive deeper on below:

Fritz Robbins, CTO/CIO of Personal Capital

Our point of view is that viewing your banking and brokerage accounts via Personal Capital is *safer* than going directly to the banking/brokerage site from your browser. You touched on many of the reasons why:

  1. Your credentials are stored in a secure data center versus always being transmitted via the user’s (generally less-secure) browser
  2. The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.
  3. Our service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that make it easy for you to monitor your banking/brokerage accounts for fraud, all in one place!

Not for nothing but knowing the security chops of the team behind Personal Capital gives me confidence they’re on top of their game.

There are two ways that Personal Capital keeps your data safe:

  • They use very powerful encryption and,
  • They have strict internal access controls.

Quick Primer on Encryption


AES-256 is seriously serious encryption.

When you enter your bank credentials into Personal Capital, they are encrypted with AES-256 under what the company describes as multi-layer key management, including rotating user-specific keys and salts. AES is the Advanced Encryption Standard, the symmetric cipher that NIST (the United States National Institute of Standards and Technology) selected in 2001 and published as FIPS 197; it is the default choice for encrypting stored data today. The 256 is the key length in bits, the largest of the three key sizes AES defines (128, 192 and 256). The US Government uses AES to protect its own classified information, with AES-256 approved up to TOP SECRET.

Personal Capital itself never stores your financial login credentials. That data is encrypted and held by Envestnet Yodlee, the aggregation platform behind a laundry list of financial services and wealth management tools. Yodlee is periodically examined by the Office of the Comptroller of the Currency, and it publishes a description of its security processes on its own site.

As for internal access controls, no one at Personal Capital has access to your credentials. Zero.
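What "multi-layer key management with rotating keys" usually means in practice is envelope encryption: each user's credential is sealed under its own data key, and that data key is itself sealed under a master key that lives in an HSM or key management service and can be rotated without touching the stored credentials. The Go program below is an added illustration of that pattern using AES-256-GCM from the standard library; it is not Personal Capital's or Yodlee's code, and the record layout, the in-memory master keys and the sample user id and password are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedCredential is one stored record: the credential sealed under a per-user data key
// (DEK), and that DEK sealed under a versioned master key (KEK) held elsewhere. This is an
// illustration of envelope encryption, not Personal Capital's or Yodlee's actual format.
type EncryptedCredential struct {
	KEKVersion int    // which master key wrapped the DEK, so KEKs can rotate
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, credential)
}

type keks map[int][]byte // key version -> 32-byte master key (in production: an HSM or KMS)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure entropy means nothing below is safe
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; any other size errors out
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh 12-byte nonce (prepended), binding aad (the
// user id) so a record cannot be re-pointed at another user.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM's authentication tag rejects tampering or a wrong aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Store seals the credential under a fresh per-user DEK, then wraps that DEK under the
// current KEK; the plaintext DEK is never persisted.
func Store(ks keks, kekVersion int, userID, credential string) (EncryptedCredential, error) {
	dek := random(32)
	ct, _ := seal(dek, []byte(credential), []byte(userID)) // cannot fail: dek is always 32 bytes
	wrapped, err := seal(ks[kekVersion], dek, []byte(userID)) // unknown version -> nil key -> error
	if err != nil {
		return EncryptedCredential{}, err
	}
	return EncryptedCredential{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Load unwraps the DEK with the KEK version recorded on the record, then decrypts.
func Load(ks keks, userID string, ec EncryptedCredential) (string, error) {
	dek, err := open(ks[ec.KEKVersion], ec.WrappedDEK, []byte(userID))
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ec.Ciphertext, []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RotateKEK re-wraps the DEK under a new master key; the credential ciphertext is untouched,
// so rotating the master key costs one small re-encryption per record.
func RotateKEK(ks keks, newVersion int, userID string, ec EncryptedCredential) (EncryptedCredential, error) {
	dek, err := open(ks[ec.KEKVersion], ec.WrappedDEK, []byte(userID))
	if err != nil {
		return EncryptedCredential{}, err
	}
	wrapped, err := seal(ks[newVersion], dek, []byte(userID))
	if err != nil {
		return EncryptedCredential{}, err
	}
	return EncryptedCredential{KEKVersion: newVersion, WrappedDEK: wrapped, Ciphertext: ec.Ciphertext}, nil
}

func main() {
	ks := keks{1: random(32), 2: random(32)}
	rec, _ := Store(ks, 1, "user-42", "constructed-bank-password") // constructed sample input
	rec, _ = RotateKEK(ks, 2, "user-42", rec)
	fmt.Println(Load(ks, "user-42", rec)) // still readable after the master key rotated
}
```

Binding the user id as GCM additional data means a ciphertext copied from one user's record into another user's fails to decrypt, and GCM's authentication tag means a flipped byte is rejected rather than decrypted into garbage. Rotating the master key re-wraps only the small data keys, which is what makes regular rotation cheap enough to actually do; retiring an old master key version then makes every record still wrapped under it unreadable, so rotation and re-wrapping have to be driven together.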

How Safe is the Connection with Personal Capital?

Your data is safe and encrypted on their servers, but it needs to get there first without someone peeking.

That’s where encryption plays yet another role.

All of your online interaction with Personal Capital is encrypted in transit with TLS, so no one sitting between your browser and their servers can read or tamper with what you send. At the time of writing they prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0, and they do not allow the older, less secure protocols such as SSL 3.0. (TLS 1.0 and 1.1 have since been formally deprecated by RFC 8996, so a current check of the site should show only TLS 1.2 and 1.3.) Session keys are agreed with ECDHE, ephemeral elliptic-curve Diffie-Hellman, which gives Perfect Forward Secrecy: every session uses a fresh throw-away key pair, so someone who records your traffic today and later steals the server's long-term private key still cannot decrypt what they captured.
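The check a practitioner would want here is a way to test those claims against a live site rather than take them on faith. The Go program below is an added example, not Personal Capital's tooling: it pins one TLS version per handshake to see which versions a server still accepts, records the negotiated cipher suite, and flags the two things the paragraph cares about, deprecated protocol versions and a key exchange without forward secrecy. The host name `example.com` is a placeholder; the probe needs network access, while the assessment logic runs on the collected results alone.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// deprecated holds the versions RFC 8996 (2021) retired. Accepting them is not an exploit in
// itself, but it is behind current guidance and worth raising as a finding.
var deprecated = map[uint16]bool{tls.VersionTLS10: true, tls.VersionTLS11: true}

// Result records whether the server completed a handshake pinned to exactly one version,
// and which cipher suite it chose when it did.
type Result struct {
	Version  uint16
	Accepted bool
	Suite    string
	Err      string
}

// probe pins MinVersion == MaxVersion == v, so the server either agrees to exactly that
// version or refuses the handshake. It needs network access to host:port.
func probe(host string, port int, v uint16, timeout time.Duration) Result {
	d := &net.Dialer{Timeout: timeout}
	cfg := &tls.Config{MinVersion: v, MaxVersion: v, ServerName: host}
	conn, err := tls.DialWithDialer(d, "tcp", fmt.Sprintf("%s:%d", host, port), cfg)
	if err != nil {
		return Result{Version: v, Err: err.Error()}
	}
	defer conn.Close()
	return Result{Version: v, Accepted: true, Suite: tls.CipherSuiteName(conn.ConnectionState().CipherSuite)}
}

// hasForwardSecrecy reports whether the negotiated suite used an ephemeral key exchange.
// Every TLS 1.3 suite does; in TLS 1.2 it is visible in the suite name (ECDHE or DHE).
func hasForwardSecrecy(version uint16, suite string) bool {
	if version == tls.VersionTLS13 {
		return true
	}
	return strings.HasPrefix(suite, "TLS_ECDHE_") || strings.HasPrefix(suite, "TLS_DHE_")
}

// Assess turns probe results into findings: deprecated versions still accepted, and any
// accepted version whose suite lacks forward secrecy. Sorted so output is stable.
func Assess(results []Result) []string {
	var findings []string
	for _, r := range results {
		if !r.Accepted {
			continue
		}
		name := versionNames[r.Version]
		if deprecated[r.Version] {
			findings = append(findings, name+" accepted (deprecated by RFC 8996)")
		}
		if !hasForwardSecrecy(r.Version, r.Suite) {
			findings = append(findings, name+" negotiated "+r.Suite+" without forward secrecy")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	host := "example.com" // placeholder; put the site under review here
	var results []Result
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		r := probe(host, 443, v, 5*time.Second)
		results = append(results, r)
		fmt.Printf("%-8s accepted=%-5t suite=%s %s\n", versionNames[v], r.Accepted, r.Suite, r.Err)
	}
	for _, f := range Assess(results) {
		fmt.Println("finding:", f)
	}
}
```

Run it against the site under review and expect a modern configuration to refuse TLS 1.0 and 1.1 outright and to negotiate an ECDHE suite (or any TLS 1.3 suite) on the versions it does accept. The `Err` text on refused versions is the reason the handshake failed; a server that accepts a pinned TLS 1.0 handshake even with an ECDHE suite still gets the deprecation finding, because the problem there is the protocol version, not the key exchange.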

They also require two-factor authentication. If you log in from an unknown or new device, they confirm it's you with a code sent to your phone or email (you pick which when you set it up). I feel it's a must for any financial institution, and there are still banks that don't offer it! One caveat: a code delivered by email or text is only as strong as that mailbox or phone number, and the prompt fires for new devices rather than for every login, so keep the email account you register here locked down with its own strong password and second factor.

Finally, their mobile apps are tested by NowSecure and go through the AppSecure certification process.

How Personal Capital Protects Against Fraud

To this point, we’ve talked only about how Personal Capital protects you and your data. What if the data is bad?

What if your credit card gets used in a fraudulent way? Personal Capital monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.

I personally set transaction notifications for any amount above $0 or $1 (depends on the card, some won’t let you do $0), but this is a good alternative if you feel that level of notifications is overkill (it probably is).

Is Personal Capital Safe?

Yes. Personal Capital could actually be safer than logging into your bank's site directly.

(Whether it is safer than the bank is the question that worries people the most.)

How could Personal Capital be safer than your bank?

They do everything your bank does, plus more in some cases:

  1. It’s read-only. Personal Capital (through Yodlee) uses your credentials only to read balances and transactions; there is no way to transfer funds from inside the tool. The caveat is that the stored credential is still your full bank login, so the read-only property comes from what the aggregator does with it, not from the credential itself. Where a bank offers read-only or OAuth-scoped access for aggregators, use that instead.
  2. It’s a less appealing target for stealing money. There is nothing to move, and your credentials are stored elsewhere (Yodlee). It is still a concentrated view of your finances, as David Parker notes above, which is why the internal access controls matter.
  3. It has two-factor authentication. Not all banks have it (stunning but true) but Personal Capital does. It’s an extra and necessary layer of security.
  4. Stored credentials are encrypted with 256-bit AES. Brute-forcing a 256-bit key means trying on the order of 2^256 possibilities, which no foreseeable computing power comes close to, so real attackers go after key management, endpoints and people rather than the cipher. That is why the items above matter more than the key length.
  5. One point of access for multiple banks means you don’t have to log into each bank individually. When you log into Personal Capital, you never type your bank credentials, so they are never transmitted from your machine. If your computer is compromised by malware or a keylogger, what it can capture is your Personal Capital login, not the passwords to the underlying accounts; combined with the read-only connection, that limits what an attacker can do with it to viewing your data.

Nothing Is 100% Safe

As they say, the only thing that’s 100% safe is abstinence.

Nothing else is 100% safe. Personal Capital is not 100% safe. The best alternatives to Personal Capital are not 100% safe either.

If you add another layer to the system, it’s another layer that can be attacked.

That said, you have to weigh the benefits you get from using them (you can read my Personal Capital review to see everything I like and dislike about them) versus the small chance they could be attacked.

I am personally comfortable with using them but that’s ultimately for you to decide. They have put all the proper protections in place, often higher standards than is required, and that’s good enough for me.



About Jim Wang

Jim Wang is a thirty-something father of three who is a frequent contributor to Forbes and Vanguard's Blog. He has also been fortunate to have appeared in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

Jim has a B.S. in Computer Science and Economics from Carnegie Mellon University, an M.S. in Information Technology - Software Engineering from Carnegie Mellon University, as well as a Masters in Business Administration from Johns Hopkins University. His approach to personal finance is that of an engineer, breaking down complex subjects into bite-sized easily understood concepts that you can use in your daily life.

One of his favorite tools (here's my treasure chest of tools, everything I use) is Personal Capital, which enables him to manage his finances in just 15 minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. But not rental homes, because he doesn't want a second job, it's diversified small investments in a few commercial properties and a farm in Illinois via AcreTrader.


Comments


  1. Steve says

    I agree that nothing is 100% safe, but I personally think Personal Capital is a great tool to use, and will continue to refer newbies to it when it comes to tracking their net worth for the first time. It’s a fantastic resource.

  2. Mitch says

    I’ve been reading a lot about Personal Capital lately and it seems to be greatly favored among the Personal Finance commentariat. I am one of those who has reservations about putting personal financial data in the “cloud”.

    Your article and others address many of those concerns but there is one area that no one seems to cover. Who has access to the data and can it be linked back to me?

    Yes, the data is read only and account credentials are encrypted and stored at Yodlee. That’s great. Who can read my data and what can they do with it offline? Software isn’t cheap to develop and maintain and I’m not sure I believe the argument that Advisor fees cover the cost. How would consumers know that their financial data won’t be reviewed and sold just like Google and Facebook do with the data they have?

  3. Doug says

    You say “Personal Capital can’t do anything except read the data. You can’t transfer funds.” — but they take my credentials! It seems to me at that point they can do anything.

    Two factor authentication is nice… do I have the option to use it in every transaction between PC and my bank or brokerage? No.

    If only my bank and brokerage offered read-only credentials (ING used to do that) I’d feel a lot safer.

    • Jim Wang says

      If your bank and brokerage only offered read-only credentials, that would be the ideal scenario because then you’d 100% be safe but unfortunately few do. 🙁

  4. Becky says

    I received a notification that Personal Capital is now offering a high-yield savings account that can be managed from the dashboard. (Personal Capital Cash.) It seems to me that that changes the read-only nature, right? Would you have concerns about opening such an account?

    • Jim Wang says

      I have to dig a little deeper but I suspect if you take advantage of it then it would have to be a different system entirely.

      If you have a high yield savings account already, you are getting a rate that’s just as good or close enough to what they’re offering. Right now, Ally Bank (the bank I use) pays 2.20% APY (6/14/2019) which is close enough for me. I won’t be opening another account and changing my whole financial system just for an extra 0.1%.

      • Becky says

        Thank you! So that would negate or diminish security concerns?

        I do not have a high-yield account at present so for me the highest number is king. I would do Varo, but I can’t run their app. It’s 2.8% if you meet the conditions.

  5. Becky says

    I opened a savings account. It offers you the option to fund the new account from any of your bank accounts in the dashboard.

    I got the squicks and removed all the accounts from my dashboard except my checking account from which I will fund the new savings. I don’t rely on it to the level you do, so this was not a hard decision for me. It’s too bad to lose out on the planning features and convenience of viewing all my accounts in one place but at the moment that is the tradeoff for me.

    • Jim Wang says

      Thanks for digging in Becky, I totally understand your choice. I don’t think I would be as concerned, though I’ve never been burned by something like this so that may play a role!

  6. John says

    Do you have any insights on the privacy aspect of data within Personal Capital. I’m interested to know who (or how many people) have access to my data within PC. Do all their staff (advisors, support, engineers, etc) have access?

    When you go to a bank, you know the tellers can see your account when you make a transaction. Anyone above her probably has access as well. But that data is limited to your accounts with the bank. But with PC, they (people/staff/individuals) have a view to your entire net worth. Wondering how many people gets access within PC as this becomes a security issue if it gets leaked.

    I recently submitted a support ticket regarding an account not getting processed correctly. Support’s response was quick, the issue was acknowledged and kicked up to developers to fix. I was advised to keep the account linked so they can troubleshoot and fix the issue. From a support perspective, it’s excellent.
    But from a privacy/security perspective, it seems like there’s a lot of potential for data leaks. Is my data only available to one particular support person, or is it open to all of their support staff? Where are they based? What about the engineers/developers? I assume there will be a testing group once they have fixed the issue.

    Most people probably won’t care. But what about high net worth people, celebrities, public figures etc? Is it safe for them?

    • Jim Wang says

      Hi John – I posed this question to my contact at Personal Capital and he received this from their security team:

      “While it is true that in order to provide a good experience, there are a few people who need to have access to user data at Personal Capital. Our policies and ethics standards mandate that such access is available on an as-needed basis. Access is also monitored for abuse by our dedicated security team.

      To your example, if a support person were to peruse user accounts for which there is no support issue or legitimate reason, it would likely result in an action by the security team. Advisors also have access to their clients’ data for the purposes of providing holistic advice. Engineers don’t typically have access to production data and that data is not used in our development & testing environments.

      Does that mean we’ve completely eliminated the risk of leaks? Probably not, and that’s why we continue to be vigilant, always looking for ways to further refine our technical controls as well as foster a culture of privacy so we earn and keep our users’ trust.”

      That answer satisfies me and gives me the confidence they have the proper security controls to avoid most issues of this nature.

    • Sam Lee says

      John,
      Last year I got 30+ phone calls from PC badgering me for a free consultation even when I declined them politely. This year they call a few times every other month. For certain they use user account data aggressively to target potential wealth management clients. But exactly how much of the account detail PC employees have access to is not explained in their privacy policy. I’m presuming the wealth mgmt division is under the “need to know” umbrella.

      • Jim Wang says

        The key to stopping the calls is to be very clear you’re not interested – they will keep calling if they get voicemail or don’t reach a person. I’ve told them on the phone that I’m not interested and they’ve stopped calling.

  7. Aravindh says

    I used to use Personal Capital’s advisory services and recently opted out. I then found out from my advisor on Personal Capital that even though I am no longer using their advisory services, the advisory team still has the ability to view everyone’s personal dashboard irrespective of their subscriber status. This in my opinion is another high privacy concern for me, which I am not sure Personal Capital users are aware of.

  8. Kevin Recursive says

    To add a layer of security, I manually added my investments and manually update them monthly. I’m willing to add a bit of inconvenience to have an added layer of protection.
