Print Friendly Version Print Friendly Version

Cybersecurity and DOL Document Requests

An advisor asked: “I understand the Department of Labor (DOL) is already checking the cybersecurity procedures of plans that are currently under audit. Do you have any insight into what the DOL’s auditors are requesting from plan sponsors with respect to cybersecurity policies?”

Highlights of the Discussion

Yes, we have a little insight. The DOL’s “Cybersecurity Document Requests” that we have seen, which have been given to at least some plans under audit, reveal the DOL has been asking for quite an extensive list of documentation, as represented below. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.

1. All policies, procedures, or guidelines relating to

• Data governance, classification and disposal.
• The implementation of access controls and identity management, including any use of multi-factor authentication.
• The processes for business continuity, disaster recovery, and incident response.
• The assessment of security risks.
• Data privacy.
• Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
• Cybersecurity awareness training.
• Encryption to protect all sensitive information transmitted, stored, or in transit.

2. All documents and communications relating to any past cybersecurity incidents.
3. All security risk assessment reports.
4. All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses.
5. All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers.
6. All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis.
7. All documents describing security technical controls, including firewalls, antivirus software, and data backup.
8. All documents and communications from service providers relating to their cybersecurity capabilities and procedures.
9. All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data.
10. All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.

Most recently, the DOL on April 14, 2021, issued three cybersecurity directives nationwide for retirement plans:

Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: This piece assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks by following these 12 steps.
Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

For more details, please see RLC’s previous Case of the Week: Cybersecurity and Retirement Plans-What’s the Latest?

The industry is still waiting for definitive cybersecurity rules for retirement plan administration. In the meantime, the best that concerned parties can do is make a good faith effort to adopt cybersecurity policies, following the series of guidelines, suggestions and best practices issued by the DOL, and document, document, document.


© Copyright 2021 Retirement Learning Center, all rights reserved
Print Friendly Version Print Friendly Version

Voluntary Fiduciary Correction Program and PTE 2002-51

A financial advisor asked:  “Prohibited Transaction Exemption (PTE) 2002-51 exempts certain transactions that are corrected under the DOL’s VFC Program from the 15 percent IRS penalty pursuant to IRC §4795.  What is the definition of transaction?”

ERISA consultants at the Retirement Learning Center (RLC) Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings and income plans, including nonqualified plans, stock options, and Social Security and Medicare.  We bring Case of the Week to you to highlight the most relevant topics affecting your business.

A recent call with an advisor in California is representative of a common question on the Department of Labor’s (DOL’s) Voluntary Fiduciary Correction (VCP) Program.

Highlights of the Discussion

The DOL’s VFC Program allows plan officials to voluntarily correct 19 specific transactions that are prohibited under the Employee Retirement Income Security Act of 1974 (ERISA). These 19 prohibited transactions are typically subject to an IRS excise tax under IRC §4975 of 15 percent. Prohibited Transaction Exemption (PTE) 2002-51 provides relief from the IRS excise tax for six of the 19 transactions.

The six transactions that can be exempt from the IRS penalty are

  1. The failure to timely transmit participant contributions to a plan and/or loan repayments to a plan within a reasonable time after withholding or receipt by the employer;
  2. The making of a loan by a plan at a fair market interest rate to a party in interest with respect to the plan;
  3. The purchase or sale of an asset (including real property) between a plan and a party in interest at fair market value;
  4. The sale of real property to a plan by the employer and the leaseback of such property to the employer at fair market value and fair market rental value, respectively;
  5. The purchase of an asset (including real property) by a plan where the asset has later been determined to be illiquid as described under the Program in a transaction which was a prohibited transaction, and/or the subsequent sale of such asset to a party in interest; and
  6. Use of plan assets to pay expenses, including commissions or fees, to a service provider for services provided in connection with the establishment, design or termination of the plan (settlor expenses), provided that the payment of the settlor expense was not expressly prohibited by a plan provision relating to the payment of expenses by the plan.

There is an important time constraint associated with utilizing the PTE. A business can only take advantage of the relief for a transaction once every three years. Assume a business has multiple failures to transmit participant contributions. The DOL has informally commented that multiple occurrences of delinquent deposits over more than one pay period can be treated as one transaction if the pay periods are close together in time and the delinquencies are related to the same cause.


The employee responsible for payroll at Better Late Than Never, Inc., resigned, and the company is having a hard time replacing her. As a result, over the next few pay periods Better Late Than Never is late in depositing employee contributions to its 401(k) plan. The DOL would count the multiple delinquencies as one transaction because they all are related to the same cause.

Example 2:

Random, LLC, misses the deferral deposit deadline in December 2020, and in March and June of 2021. Each delinquency is for a different reason (e.g., power outage, switching payroll providers, sick employee). Because there is no common cause, the missed deposit deadlines cannot be treated as one transaction for purposes of the three-year timeframe.


The DOL’s VFC Program allows plan officials to voluntarily correct 19 specific prohibited transactions. (PTE) 2002-51 provides relief from the IRS excise tax for six of the 19 transactions. A business can only take advantage of the IRS excise tax relief for a transaction once every three years.

For more information, please refer to the following

Frequently Asked Questions of the VFC Program

VFC Program Class Exemption




© Copyright 2021 Retirement Learning Center, all rights reserved