Privacy Statement

Last Updated: June 2017


There is nothing more important to us than protecting the privacy of our advisor clients and their customers and safeguarding the personal and financial information submitted to us on their behalf. This Privacy Statement explains our practices with respect to the collection and protection of that information via the ByAllAccounts Service and addresses the concerns regarding the disclosure of personal and other information to third parties.

For the sake of this document, "personal information" is defined as any and all of the information specific to a natural person, whether an advisor, an advisor's customer, or an individual investor that is submitted to Morningstar via the ByAllAccounts Service. This information includes the individual's name, street address, phone number, email address, as well as any financial service login IDs, passwords, account numbers, and any other information tied to an identified or identifiable individual that is supplied to Morningstar as part of the ByAllAccounts Service. Clients of the Custodial Integrator (as decribed in the Frequently Asked Question section below) use the ByAllAccounts service only for the user and account registration process, and in this respect are affected by this Privacy Statement.

What type of personal information will be collected during the registration process?

During the user registration process, the following information may be gathered:

  • Name
  • Email Address
  • Street Address (if provided)
  • Phone Number (if provided)

Occasionally, we may find it necessary to contact the user regarding account status and other matters relevant to the Service and/or the information collected. We will use the Name and Email Address associated with the account for this purpose; this name and address may be that of the advisor or that of the advisor’s customer/investor.

What personal information is collected for on-line account access?

Personal information required to allow on-line access usually includes a login ID (which may be a user name, customer number, account number, social security number, etc.), a password/PIN, an account number or other unique account identifier, and -- depending on the system requirements of the financial institution (a.k.a., the Account Provider) maintaining the account(s) in question -- a social security or tax identification number. Some Account Providers may require additional login and/or account identification information in order for their customers to access the individual accounts maintained on their behalf. To the extent necessary, this information will also be collected. Morningstar will use all reasonable efforts to only collect that personal information necessary to enable it to provide the ByAllAccounts Service.

Use of personal information

EXCEPT WHERE OTHERWISE AUTHORIZED BY YOU OR WHERE REQUIRED TO COMPLY WITH LAW OR ANY COURT/GOVERNMENT ORDER, Morningstar will not sell, exchange, or release any of your personal information to a third party (including the vendor whose website was used to access the ByAllAccounts Service).

Accuracy of personal information

You are responsible for ensuring that any personal information entered or reviewed by you, including all on-line account access information in the ByAllAccounts Service, is accurate and up-to-date.

Your consent

By using the ByAllAccounts Service, you consent to the collection and use of your personal information, as described in this Privacy Statement and the Morningstar® ByAllAccounts® User Agreement. The ByAllAccounts systems are not currently configured to handle “Do Not Track” requests.

Are Cookies Used?

No, Morningstar does not use cookies as part of the ByAllAccounts Service.

How Does a User Discontinue Service?

Use of the ByAllAccounts Service can be discontinued at any time via the Service setup application. When the ByAllAccounts Service is discontinued, all account information (current and historical) is deleted from our database on the timeframe set forth herein.

Changes to the Privacy Statement

Morningstar reserves the right to change this Privacy Statement at any time by distributing and/or posting a new Privacy Statement without notice. We encourage you to review our Privacy Statement periodically so that you are aware of any changes to it.

Any questions or issues around this Privacy Statement may be directed via email to: or by calling the support number at 866-856-4951.


Is the ByAllAccounts Service a vendor hosted or on premise client solution?

The ByAllAccounts Service is a hosted solution that runs in Morningstar’s secure data center. There is an optional client site component called Custodial Integrator.

Do you maintain a SSAE16, SOC, or equivalent audit report / certification?

Our primary data center maintains an annual SSAE 16 SOC I Type II report.

How do you ensure the sending or receiving of information is secure?

All sensitive data is encrypted before transmission or storage. Where Morningstar controls the sending of the sensitive data, “strong” encryption (128-bit or stronger) is used exclusively.

How do you ensure that a user from one firm cannot see the data of another firm?

Data is logically partitioned by customer, and further access is determined by role. Access to the data is only available through ByAllAccounts Service applications and APIs, which are responsible for enforcing the partitioning.

Is it possible for one of your employees to use login credentials to get at end-client accounts?

Note that the ByAllAccounts Service is a software program and is automated. Someone who knows the login credentials registers them directly in the ByAllAccounts Service system. They are not given to any Morningstar employee. Morningstar employees also are not using the registered credentials to log into the sites to perform retrieval manually; the software is using them on its own.

During the process of establishing or maintaining the connectivity between a source and the ByAllAccounts Services, it is possible that a Morningstar employee could come into contact with those login credentials?

The potential risk is determined by the nature of the source itself, the nature of the access granted to the credentials used, and any additional security measures in place at the financial institution. If the source provides transactional capabilities, the credentials used have full access to those capabilities, and no further security mechanism (such as an out-of-band one-time security code sent via email or text message, additional PIN, or challenge questions) is in place. Therefore, it is possible that an employee gaining access to the credentials could attempt to trade or move assets. Where available, we attempt to develop interfaces to reporting-only sources and to encourage obtaining login credentials having read-only access.

How long do you keep user personal information?

Data retention policy is determined on a per-customer basis. In providing the ByAllAccounts Service, Morningstar is simply acting as a data middleman, collecting information from the primary source (e.g., the financial institution where the account is held) and delivering it to the user of the ByAllAccount Service. A small amount of recent historical information is retained to facilitate processing of information retrieved subsequently. Typical retention is one calendar quarter.

What is your Service Level Agreement (SLA) for recovery in the event of a disaster?

Our Recovery Time Objective (RTO) from a catastrophic site failure is 72 hours. Note that Morningstar is not a primary source of any data. Upon resumption of service, the system would gather from the primary sources any data that went uncollected due to the outage.

Have you observed major outages or unplanned downtime in the last 12 months?

There have been no major outages within the past 12 months.

What is your development and testing approach?

We follow a formal systems development life cycle (SDLC) process, employing an Agile methodology and continuous integration and testing. We also employ formal test plans (a mix of automated and manual testing) on all releases.

Do you permit custom programming for your application?

We do not permit custom programming of the ByAllAccounts Service. We provide an API, and custom applications or integrations may be built using that API.

What are your system maintenance policies and processes?

Morningstar’s IT systems are subject to formal change management processes and procedures. Change management procedures ensure that changes to IT systems are performed in a predictable and orderly manner. Changes are logged, tested, approved, and communicated to system owners prior to implementation. Systems and supporting applications are normally patched/updated monthly, with patches for any significant security or stability issues applied as soon as possible. All such patching is performed under formal change tracking and approval processes.