New DOL Guidance Addresses Responsibilities of Retirement Plan Sponsors
Be aware of this recent DOL guidance, both to make sure you’re in sync with your fiduciary duty and to protect the interests of plan participants.
Fiduciary duties for retirement plan sponsors are sometimes confusing, and often tedious, but always crucial to pay attention to. A slip-up can result in consequences such as audits or, worse, lawsuits.
Staying on top of this includes monitoring Department of Labor (DOL) guidance. So far, DOL concerns in 2021 have ranged across a variety of areas, with varying degrees of guidance. Two important areas involve plan sponsor responsibility to:
- locate missing plan participants and
- help to ensure the cybersecurity of retirement plan data.
During the 2021 Fiduciary Summit virtual event, sponsored by Qualified Plan Advisors, Matthew Eickman and Fred Reish, along with several industry experts, provided a detailed picture of what plan sponsors should be aware of. Their key concerns were:
1. Locating missing plan participants. There are two situations in which a plan sponsor might be faced with a practical need to find a missing participant, said Eickman, National Retirement Practice Leader with Qualified Plan Advisors: first, uncashed check situations, in which the plan sends a distribution and the recipient doesn’t cash the check; and second, when a participant reaches the age to begin required minimum distributions (RMDs) but hasn’t worked for the company in years.
Sponsors need to anticipate these occurrences and have proactive procedures in place to find participants, he said.
2. Helping to ensure cybersecurity of retirement plan data. If your eyes glazed over at the mention of security, ERISA attorney Fred Reish, a partner with Faegre Drinker, says there’s one primary reason, beyond just toeing the line with the DOL, why cybersecurity should be a concern: litigation.
Two cases he presented make clear why cybersecurity should be on every plan sponsor’s radar:
- In Barnett v. Abbott Laboratories, a cyber thief was able to impersonate a plan participant and request and obtain a sum from that person’s account. The participant had signed up for phone and email notifications of such requests, but the recordkeeper instead sent a notification via postal mail. By the time the participant received it, the money had been transferred to overseas banks where it couldn’t be retrieved. The participant sued the plan sponsor and the recordkeeper.
- In Leventhal v. MandMarblestone, a cyber thief obtained a copy of the participant’s application for a previous withdrawal, modified it, and sent it to the plan provider as if it had come from the plan sponsor. The money was transferred to a bank, then transferred overseas before it could be stopped. The plan sponsor sued the provider, but in an interesting—and significant—twist, the plan provider counter-sued the plan sponsor, arguing that the plan sponsor’s “carelessness” with respect to its employees and computer policies enabled less stringent security policies, which made the theft possible.
One of a plan sponsor’s responsibilities is looking at cybersecurity procedures of the plan’s providers, Reish said. Although the DOL would likely start enforcement actions with the largest companies, he said, every business should incorporate the recent DOL cyber guidance for fiduciaries, providers, and participants now. Among other actions, plan sponsors should:
- Take the participant guidance and distribute it to plan participants. Then redistribute it annually.
- Make sure all retirement plan committee members have copies of the guidance and go over it, making sure the meeting minutes include that conversation.
- Consider using the guidance to modify requests for proposals (RFPs) for recordkeepers.
From: BenefitsPro