If you want to make the most of Empower and all their financial tools, you really must link ALL of your financial accounts to the platform. This inherently feels risky.
With the increasing number of online security breaches, people are rightfully concerned about the safety of their personal and financial information.
As a longtime user, I was curious too. In this article, we will explore whether Empower is truly safe to use.
What is Empower (formerly Personal Capital)?
In case there is any confusion, Empower acquired Personal Capital in 2020 and formally changed the name of the tool to Empower in February 2023.
Empower is an all-in-one personal finance tool for budgeting, investing, retirement planning and more. At its heart, it is a free tool designed to help you take control over your finances and your future.
Is Empower safe to use?
The bottom line is that yes, Empower is perfectly safe for you to use for financial tracking, budgeting, investing & retirement planning.
Empower has over 5 million registered users, with over $50 billion in assets under management as of 2023. They’re an established and trusted company with a strong reputation and track record.
Security measures of Empower
Let’s take a deep dive into the security measures Empower takes to keep your account information private and secure.
Encryption of sensitive information
All the information exchanged between your device and Empower’s servers is encrypted using AES-256 encryption.
This includes all financial information, such as account balances, transaction details, and investment information.
Even if an attacker were to intercept the data, they would not be able to access it because they would not have the encryption key.
AES-256 encryption is an advanced encryption standard that is widely used by banks, government agencies, and other organizations that require the highest level of security for their data. The US government uses this level of encryption.
AES-256 uses a 256-bit key, which means that there are 2^256 possible keys. This makes it virtually impossible for an attacker to crack the encryption by trying every key.
AES-256 encryption is considered one of the most secure encryption methods available today. It is significantly more secure than earlier encryption standards, such as AES-128, which (as you might guess) uses a shorter key length.
AES-256 has been tested extensively and has been validated by the National Institute of Standards and Technology (NIST), which is a US government agency that sets encryption standards for federal agencies.
Suffice it to say, your data is extremely difficult to crack.
Multi-factor authentication (MFA)
Empower employs multi-factor authentication, which requires users to provide a password and a unique code sent to their mobile phone before gaining access to their accounts.
They’ll also send you proactive security alerts if certain changes are made to your account.
Empower allows you to choose how often you are required to enter the MFA code, from every time you log in to once a month. This gives you more flexibility in choosing your preferred level of security.
If you find entering a code every time annoying, you might be happy receiving one just once a month. Though I’d keep it to every time, personally.
Secure account aggregation
Yodlee, Inc. is an Envestnet company and is subject to bank-level data security and examination by the U.S. Federal Banking Agencies, per the Bank Service Company Act.
Yodlee provides an added layer of security between stored data and any attempt to access it.
Securing the cloud & data centers
You might be concerned about data being stored in ‘the cloud’, which is where Empower stores data.
Really, the cloud is just a computer server.
Empower uses Elastic to secure its business-critical systems in an infrastructure as a service (IaaS) cloud environment hosted on AWS.
The CISO of Empower, Maxime Rousseau, explains why Elastic Security is important:
“One of the greatest strengths of Elastic Security is its flexibility. It includes all the agents that we need to ingest data from a wide variety of cloud environments, applications, and databases. We now have a unified approach to our security data and can detect issues quickly as well as meet the data conservation requirements of financial regulators.” – Maxime Rousseau, Chief Information Security Officer, Personal Capital
But what about the physical servers? Are they protected?
Empower stores all user data on servers which are located in secure data centers that are monitored 24/7 by security personnel. It provides several benefits, such as scalability, redundancy, and accessibility.
The data centers are equipped with state-of-the-art security measures, such as biometric access controls, video surveillance, and intrusion detection systems.
The data centers are also designed to withstand natural disasters, such as floods, earthquakes, and hurricanes.
To ensure the integrity of user data, Empower uses backup and recovery systems that make regular backups of all user data.
These backups are stored in separate locations to prevent data loss in the event of a disaster, such as a fire or flood. Empower’s backup and recovery systems are tested regularly to ensure they are functioning correctly and can be relied upon in an emergency.
So, to summarize, the physical data center and the IaaS cloud environments are both fully protected.
Empower’s fraud protection & prevention
It’s reassuring to know that Empower takes fraud detection and prevention very seriously and has implemented several systems to monitor accounts and detect any unusual activity.
The company uses a combination of artificial intelligence and human expertise to detect and prevent fraud.
One of the fraud detection systems used by Empower is called the “Fraud Guarantee.” This system monitors users’ accounts for any suspicious activity, such as a large withdrawal or transfer, a change of address, or a new device login. If the system detects any unusual behavior, it immediately sends an alert to the user via email or text message.
In addition to the Fraud Guarantee system, Empower employs a team of security experts who monitor accounts 24/7 for any suspicious activity. If any suspicious activity is detected, the team investigates further and takes appropriate action to prevent any fraud.
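To make the three signals named above concrete (a large withdrawal or transfer, a change of address, a new device login), here is an added sketch of how such account monitoring can work. It is not Empower’s code; the event format, the 5x threshold and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed threshold (not from Empower): flag a withdrawal or transfer that is
# more than 5x the largest one previously seen for the account.
LARGE_MULTIPLIER = 5

# Constructed sample events for one hypothetical account, oldest first.
SAMPLE_EVENTS = [
    {"user": "u1", "type": "login", "device": "laptop-a"},
    {"user": "u1", "type": "withdrawal", "amount": 200.0},
    {"user": "u1", "type": "withdrawal", "amount": 350.0},
    {"user": "u1", "type": "login", "device": "laptop-a"},
    {"user": "u1", "type": "login", "device": "phone-x"},
    {"user": "u1", "type": "address_change", "new": "PO Box 1"},
    {"user": "u1", "type": "withdrawal", "amount": 9000.0},
]


@dataclass
class Profile:
    """Per-user baseline built up from earlier events."""
    devices: set = field(default_factory=set)
    max_outflow: float = 0.0


def detect(events):
    """Return (event_index, reason) alerts for the three signals."""
    profiles, alerts = {}, []
    for i, ev in enumerate(events):
        p = profiles.setdefault(ev["user"], Profile())
        if ev["type"] == "login":
            # The first device only seeds the baseline; later unknown ones alert.
            if p.devices and ev["device"] not in p.devices:
                alerts.append((i, "new_device_login"))
            p.devices.add(ev["device"])
        elif ev["type"] in ("withdrawal", "transfer"):
            # Compare against the account's own history, not a global limit.
            if p.max_outflow and ev["amount"] > LARGE_MULTIPLIER * p.max_outflow:
                alerts.append((i, "large_outflow"))
            p.max_outflow = max(p.max_outflow, ev["amount"])
        elif ev["type"] == "address_change":
            # Contact-detail changes are rare, so every one is reported.
            alerts.append((i, "address_change"))
    return alerts


if __name__ == "__main__":
    for index, reason in detect(SAMPLE_EVENTS):
        print(index, reason, SAMPLE_EVENTS[index])
```

Each alert here would be the trigger for the email or text notification the article describes; the baseline-per-account design is why a routine login from a known device stays silent.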
Empower also provides users with tools to monitor their accounts themselves.
The company’s mobile app and website allow users to view all their accounts in one place, making it easier to spot any unauthorized transactions.
Users can also set up custom alerts to notify them of any changes to their accounts, such as a new account login or a change in account balance.
I’m satisfied that Empower takes every precaution you would expect, on par with any major national bank.
Third-party cybersecurity partnerships
Empower uses several external services to provide independent security evaluations and test their defense-in-depth protections frequently.
These include third-party external auditors performing attestations to produce an annual SOC 1 Type 2 financial report, an annual SOC 2 Type II report, an annual Verizon Business Enterprise Risk Program Certification, annual penetration tests, ongoing cybersecurity and privacy trainings for associates, dark web monitoring, and ongoing business resiliency tabletop and failover exercises.
Yearly results of these evaluations have been excellent.
Commitment to not selling data
Empower are keen to make it known that they do not in any way sell your data. This is a fairly standard practice (you would hope most similar services have the same commitment) but it’s important to mention, nonetheless.
Empower offer a ‘security guarantee’ which states that they will restore losses to your account that occur as a result of unauthorized transactions through no fault of your own.
Every Empower account is automatically eligible for this protection, provided that you follow the security best practices described on the above link.
There are some caveats in there, such as failing to notify Empower within a certain amount of time of suspicious activity, so I’d give it a good read.
Note that this is specifically relating to financial accounts maintained by Empower and does not extend to accounts held or managed by third parties, such as outside self-directed brokerage accounts.
Safer than your bank account?
Empower themselves make the argument that viewing your banking and brokerage accounts via Empower is actually safer than viewing them directly on your banking/brokerage site from your desktop.
Why? Fritz Robbins, CIO of Wealth Management of Empower gives three reasons:
- Empower ensures the security of your credentials by storing them in a secure data center, rather than transmitting them through your browser, which is generally less secure.
- Additionally, your banking/brokerage passwords are never returned to your browser from our servers. The connection is read-only, meaning that no money can be transferred out of your account via Empower.
- Their service also provides notifications of all banking/brokerage transactions, which can be received through email or mobile push notifications, making it easy for you to monitor your accounts for fraud all in one place.
Should you entrust Empower with all your financial information?
After thorough research, I can conclude that Empower is a safe and secure tool for managing finances.
I think it’s worth reiterating the above point, that all information viewed in Empower is read-only. No one at Empower can actually touch your money. Because of the third-party storage of login information with Yodlee, they don’t even have access to your credentials.
Furthermore, the use of multi-factor authentication, advanced encryption, and fraud detection systems ensures that our important user data is protected.
Empower’s regulatory compliance, oversight by regulatory bodies, and (crucially) history of no security breaches also add to my confidence in the tool’s safety.
Empower’s user reviews are also overwhelmingly positive, indicating that users feel secure using the tool. Just take a look anywhere you find your reviews, or on Reddit. Though this is not in any way scientific, it is reassuring.
Personally, I have zero worries about using Empower for organizing my financial life & future. If there is any risk at all, it is dwarfed by the enormous benefit I receive from the tool.