Print Friendly Version Print Friendly Version

Cybersecurity and DOL Document Requests

An advisor asked: “I understand the Department of Labor (DOL) is already checking the cybersecurity procedures of plans that are currently under audit. Do you have any insight into what the DOL’s auditors are requesting from plan sponsors with respect to cybersecurity policies?”

Highlights of the Discussion

Yes, we have a little insight. The DOL’s “Cybersecurity Document Requests” that we have seen, which have been given to at least some plans under audit, reveal the DOL has been asking for quite an extensive list of documentation, as represented below. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.

1. All policies, procedures, or guidelines relating to

• Data governance, classification and disposal.
• The implementation of access controls and identity management, including any use of multi-factor authentication.
• The processes for business continuity, disaster recovery, and incident response.
• The assessment of security risks.
• Data privacy.
• Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
• Cybersecurity awareness training.
• Encryption to protect all sensitive information transmitted, stored, or in transit.

2. All documents and communications relating to any past cybersecurity incidents.
3. All security risk assessment reports.
4. All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses.
5. All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers.
6. All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis.
7. All documents describing security technical controls, including firewalls, antivirus software, and data backup.
8. All documents and communications from service providers relating to their cybersecurity capabilities and procedures.
9. All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data.
10. All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.

Most recently, the DOL on April 14, 2021, issued three cybersecurity directives nationwide for retirement plans:

Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: This piece assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks by following these 12 steps.
Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

For more details, please see RLC’s previous Case of the Week: Cybersecurity and Retirement Plans-What’s the Latest?

Conclusion
The industry is still waiting for definitive cybersecurity rules for retirement plan administration. In the meantime, the best that concerned parties can do is make a good faith effort to adopt cybersecurity policies, following the series of guidelines, suggestions and best practices issued by the DOL, and document, document, document.

 

© Copyright 2021 Retirement Learning Center, all rights reserved
Print Friendly Version Print Friendly Version

Failed Rollovers

An advisor asked:

“One of my clients took a distribution from his 401(k) plan and timely rolled it over to an IRA. All good—except that the IRA rollover contained an amount which should have been my client’s required minimum distribution (RMD) for the year. What happens to the RMD in the IRA?”

ERISA consultants at the Retirement Learning Center (RLC) Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings and income plans, including nonqualified plans, stock options, and Social Security and Medicare.  We bring Case of the Week to you to highlight the most relevant topics affecting your business.

A recent call with a financial advisor from Massachusetts is representative of a common inquiry related to an invalid qualified-plan-to-IRA rollover.

Highlights of the Discussion

A rollover to an IRA could be a failed or invalid rollover under several circumstances, including if the rollover

  • Includes an RMD;
  • Is made after the 60-day time limit without a valid waiver or extension;
  • Violates the one-per-12-month IRA-to-IRA rollover rule (NA in this case since coming from a plan);
  • Does not meet the definition of an eligible rollover distribution.

Generally, the IRA owner has a few of options to correct the error pursuant to IRC Sec. 219(f)(6). Your client should seek the guidance of a professional tax advisor for his specific situation. Generally, under current rules,

  1. The IRA owner could leave the ineligible rollover amount in the IRA because the IRS deems such invalid rollovers to be regular IRA contributions for the year. (Of course, the individual, otherwise, would have to be eligible to make a regular IRA contribution for the year and the IRA administrator would need to correct the IRS reporting to reflect a regular IRA contribution).
  2. IRS Notice 87-16 allows an IRA owner to remove any current-year IRA contribution that is an eligible contribution without penalty by following the rules for removing excess contributions with net income attributable (NIA). These contributions must be removed by the tax return due date (including any extensions).
  3. If all or a portion of the invalid rollover amount exceeds the IRA owner’s regular contribution limit, the remaining rollover amount is treated as an excess contribution and will be subject to the six percent penalty tax if not timely removed (i.e., generally, October 15 of the year following the year the excess was created).
  4. Any remaining excess that is carried over in the IRA in subsequent years continues to be treated as a regular IRA contribution until the excess amount is eventually used up or removed.

Conclusion

When an invalid rollover contribution is made to an IRA during the year, the invalid rollover amount is deemed to be a regular IRA contribution for that taxable year. What happens next depends on whether the amount is an eligible contribution or an excess contribution.

See IRS Publication 590-A, Contributions to Individual Retirement Arrangements (IRAs) for more guidance.

© Copyright 2021 Retirement Learning Center, all rights reserved
Print Friendly Version Print Friendly Version

LLC Plan Establishment Deadline

An advisor asked,

“I’m working with a limited liability company (LLC) that is interested in setting up a retirement plan.  What is the LLC’s deadline for establishing a plan?”

ERISA consultants at the Retirement Learning Center (RLC) Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings and income plans, including nonqualified plans, stock options, and Social Security and Medicare.  We bring Case of the Week to you to highlight the most relevant topics affecting your business.

A recent call with a financial advisor from Texas is representative of a common inquiry related to setting up qualified retirement plans.

Highlights of the Discussion

Because this question deals with specific tax information, business owners should always seek the guidance of a tax professional for advice on their specific situations.  What follows is general information.

The short answer is it depends on whether the LLC is taxed as a corporation, a partnership or a sole proprietorship. For federal tax purposes, the IRS, typically, treats an LLC as a partnership that must file IRS Form 1065, U.S. Return of Partnership Income for the business.[1] There are exceptions to this rule, so a client should be encouraged to determine the exact nature of the business’s tax structure with a tax advisor. For example, a domestic LLC with at least two members is classified as a partnership for federal income tax purposes unless it files Form 8832, Entity Classification Election and elects to be treated as a corporation. A single-member LLC may choose to be taxed as either a corporation or as a sole proprietorship.

Once the LLC’s tax-filing status is determined, then we turn to the Setting Every Community Up for Retirement Enhancement (SECURE) Act, which gave businesses more time to set up plans for a particular tax year. Prior to the SECURE Act, a business that wanted a qualified retirement plan (e.g., 401(k), profit sharing, money purchase pension, defined benefit pension plan, etc.) for a particular tax year had to establish it by the last day of the business’s tax year. For example, a calendar year business had to sign documents to set up the plan by December 31 of the tax year in order to be able to contribute to and take a deduction for contributions.

Under the SECURE Act, for 2020 and later tax years, a business has until its tax filing deadline, plus extensions for a particular tax year to set up a plan. The plan establishment deadline is tied to the type of business entity and its associated tax filing deadline as illustrated below.

Tax Status Standard Filing Deadline Extended Filing Deadline
S-Corporation (or LLC taxed as S-Corp) March 15 September 15
Partnership (or LLC taxed as a partnership) March 15 September 15
C-Corporation (or LLC taxed as C-Corp) April 15 October 15
Sole Proprietorship (or LLC taxed as sole prop) April 15 October 15

[Note: Simplified employee pension (SEP) plans have historically followed the above schedule; and special set-up rules apply for safe harbor 401(k) plans.]

EXAMPLE:  The Limited is an LLC taxed as a partnership. Its standard tax filing deadline is March 15th of the year following the tax year in question. For the 2020 tax year, The Limited timely filed IRS Form 7004, Application for Automatic Extension of Time To File Certain Business Income Tax, Information, and Other Returns.  Consequently, it has an extended tax filing deadline of September 15, 2021, for its 2020 tax year. The owners of The Limited decide in August of 2021 they would like to set up a 401(k)/profit sharing plan for the business for 2020 and later years. The Limited has until September 15, 2021, to execute plan documents to set up the plan, effective for 2020. While The Limited would be able to make a profit sharing contribution on behalf of participants for 2020, participants can only make pre-tax employee salary deferrals and designated Roth contributions prospectively—meaning after they execute valid salary deferral elections for compensation yet to be received in 2021.

Conclusion

For many reasons, including determining the deadline to establish a qualified retirement plan, it is important to ascertain the federal tax-filing status of an LLC business. Under the SECURE Act, for 2020 and later tax years, a business has until its tax filing deadline, plus extensions to set up a plan.

 

[1] LLC Filing as a Corporation or Partnership

 

© Copyright 2021 Retirement Learning Center, all rights reserved