
Buyer Beware: All Fiduciary Services Are Not Equal

Many financial organizations tout the benefits of their 401(k) fiduciary services and, frankly, many of these messages can sound irresistibly compelling. But buyer beware: not all fiduciary services are created equal. In today’s increasingly litigious environment, it is imperative for plan sponsors to be educated consumers of ERISA fiduciary services. What does it take to be a wise consumer of fiduciary services?

Running a qualified retirement plan for employees is like running a business for clients. Just as with a business, the administrative responsibilities and liabilities of operating a plan are significant. The Department of Labor (DOL) views all business owners who sponsor retirement plans for employees as “3(16)” fiduciaries under federal law [ERISA Sec. 3(16)]. A 3(16) fiduciary is responsible for ensuring the plan is operated in compliance with the strict rules of ERISA day in and day out. One can say, the ERISA “buck stops here” on the 3(16)’s desk.

As fiduciaries, plan sponsors are held to the highest standard of care and must operate their plans in the best interest of participants. That means their actions with respect to their plans will be judged against the “Prudent Person” rule, which says that all decisions and acts must be carried out “… with the care, skill, prudence, and diligence…” of a knowledgeable person. The DOL assumes plan sponsors know what they are doing when it comes to running a plan; if they do not, they should seek out competent support or risk a fiduciary breach. From an ERISA standpoint, a plan’s “Jack of all trades” must be master of all, not none.

The DOL can hold plan sponsors personally liable for failing to fulfill their fiduciary obligations to their plan participants. Plan fiduciaries who fail in their duties can face costly civil and criminal penalties, too. Perhaps even jail time! All of this makes a strong argument for seeking expert help in running a qualified retirement plan. Thank goodness ERISA allows plan sponsors to outsource some of their 3(16) fiduciary responsibilities by formally appointing another entity to assume some of their plans’ administrative functions.

By engaging a 3(16)-plan administrator, the plan sponsor shifts fiduciary responsibility to the provider for the services specifically contracted (e.g., plan reporting, participant disclosures, distribution authorization, plan testing, etc.). It is important to note that a plan sponsor may never fully eliminate its fiduciary oversight responsibilities for the plan, and remains “on the hook” for the prudent selection and monitoring of the 3(16) plan administrator.

There are lots of organizations out there that peddle their outsourced fiduciary services (e.g., TPAs, trust companies, RIAs, etc.). The process of selecting a 3(16) outsourced solution must be carried out in a prudent manner and solely in the interest of the plan participants. The DOL requires the plan sponsor to engage in an objective process designed to elicit information necessary to evaluate candidates considering, but not limited to, the following:

  • Qualifications of the service provider,
  • Whether it has a consistent track record of service,
  • Its professional “bench-strength” and tenure of staff,
  • The quality of services provided and
  • Reasonableness of the provider’s fees in light of the services provided.

In addition, such process should be designed to avoid self-dealing, conflicts of interest or other improper influence. In the delicate area of plan administration, it’s prudent to go with the pros.

Conclusion

A plan sponsor can “outsource” some of its plan administration obligations under ERISA to an outside entity that is willing to assume the responsibilities of an ERISA 3(16) fiduciary of the plan. It is not a decision to be made lightly, as the DOL mandates that the plan sponsor follow a prudent selection process that looks out for the best interest of plan participants.

© Copyright 2024 Retirement Learning Center, all rights reserved

Cybersecurity and DOL Document Requests

An advisor asked: “I understand the Department of Labor (DOL) is already checking the cybersecurity procedures of plans that are currently under audit. Do you have any insight into what the DOL’s auditors are requesting from plan sponsors with respect to cybersecurity policies?”

Highlights of the Discussion

Yes, we have a little insight. The DOL’s “Cybersecurity Document Requests” that we have seen, which have been given to at least some plans under audit, reveal that the DOL has been asking for quite an extensive list of documentation, as represented below. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan but also with the plan’s service providers to obtain all the documents requested. If they are unable to produce the requested documents, the plan administrator must specify the reasons why the documents are unavailable.

1. All policies, procedures, or guidelines relating to:

• Data governance, classification and disposal.
• The implementation of access controls and identity management, including any use of multi-factor authentication.
• The processes for business continuity, disaster recovery, and incident response.
• The assessment of security risks.
• Data privacy.
• Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
• Cybersecurity awareness training.
• Encryption to protect all sensitive information transmitted, stored, or in transit.

2. All documents and communications relating to any past cybersecurity incidents.
3. All security risk assessment reports.
4. All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses.
5. All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers.
6. All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis.
7. All documents describing security technical controls, including firewalls, antivirus software, and data backup.
8. All documents and communications from service providers relating to their cybersecurity capabilities and procedures.
9. All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data.
10. All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.

Most recently, on April 14, 2021, the DOL issued three cybersecurity directives nationwide for retirement plans:

• Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
• Cybersecurity Program Best Practices: This piece assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks by following its 12 steps.
• Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

For more details, please see RLC’s previous Case of the Week: Cybersecurity and Retirement Plans-What’s the Latest?

Conclusion

The industry is still waiting for definitive cybersecurity rules for retirement plan administration. In the meantime, the best that concerned parties can do is make a good faith effort to adopt cybersecurity policies, follow the series of guidelines, suggestions and best practices issued by the DOL, and document, document, document.
