Your Company and Your Plan Participants – At Risk for Identity Theft?
News of commercial database hackings involving millions of people’s personal information seems commonplace. While many of these stories focus on bank and credit card accounts, many plan sponsors and participants don’t realize that 401(k) plan assets may be at risk. Now isn’t the time to let your guard down.
This can be a problem not only for participants but for sponsors as well. While no sponsor wants to see their plan participants sustain financial hits, depending on how a cybertheft unfolds, sponsors could be left holding the bag, which is not a position anyone wants to be in.
Importance of monitoring
Sponsors should not only take precautions from their end but regularly educate and warn participants about safety measures they should be taking. Participants’ infrequent monitoring of what’s happening in their 401(k) accounts (at least compared to their bank accounts) makes these accounts vulnerable. Indeed, sometimes they’re even encouraged to not worry about short-term fluctuations and volatility in their retirement accounts and instead focus on the long run. This may be good investment advice (if from a qualified advisor, of course), but could also be dangerous if participants pay no attention to their accounts as a result.
However, regular monitoring of accounts by participants is important. For example, one identity theft case tells the story of a plan participant who divorced his wife and moved out of the house but didn’t update his address with the plan administrator or review his account. In the meantime, his ex-wife cleaned out his more than $42,000 balance.
She managed to hijack the account after opening mail from the plan administrator addressed to her ex-husband and making a fraudulent password change enabled by the confidential information contained in the purloined letter. The dispute was over whether the plan administrator could be held liable for the theft. The court ruled that the participant had to suffer the consequences of his failure to inform the plan of his change of address, as required by the plan and well documented in the summary plan description (SPD).
We’ve seen other cases documented where passwords were stolen, and funds were either loaned or distributed from plans in an unauthorized manner. Had the participants been monitoring their accounts or even reading the statements that were being sent to them, some of these cases could have been mitigated.
Limits of protection guarantees
It’s also critical for sponsors and participants not to be lulled into a false sense of security by plan service providers’ customer protection guarantees. Be sure you and your participants understand the caveats that go with them. For example, one large bundled retirement plan service provider issues a broad warning that the company will “reimburse you for losses from unauthorized activity in covered accounts,” but only when “occurring through no fault of your own.”
What does that mean? For starters, the company, reasonably, assumes no responsibility for transactions on behalf of the participant carried out by the participant’s own financial advisor. Those are deemed to have been authorized by the participant — whether they were or not.
Participants must also “adopt [the service provider’s] recommended security practices,” as outlined on the firm’s website. Those include checking account information “frequently” and reviewing correspondence from the administrator “promptly” but “no later than 30 days after that information is posted to your account or delivered to you.”
In addition, the service provider reserves the right to determine the “applicability” of its customer protection guarantee “based on the facts of your situation.” All of these conditions combine to greatly limit the service provider’s liability. Be sure to communicate this to your participants.
Role of sponsors
Plan sponsors also need to protect themselves from negligence on the part of participants. As noted in the case of the participant whose ex-wife stole his account balance, the plan sponsor wasn’t held liable for the loss, thanks to its clear articulation of participants’ obligations in the SPD. Review your SPD with your benefits specialist and ERISA legal counsel to make sure you’re not left holding the bag in this type of situation.
Finally, sponsors must perform strict due diligence in assessing plan service providers’ cyberfraud protection systems. This includes reviewing your own internal safeguards against plan administrative staff practices that could open the door to a breach.
Rewards of diligence
Without adequate vigilance, anybody can be a few clicks away from a retirement plan wipeout. Being prepared and diligent in reviewing your plan documents and educating your participants about their responsibilities for monitoring their accounts will help avoid losses and litigation for all parties.
Action steps for participants to avoid fraud
Besides monitoring their account regularly, what precautions should plan sponsors encourage their participants to take to safeguard their retirement savings from loss by hacking?
Participants should take the same steps they use to protect other accounts accessible on the Internet, including:
- Using strong passwords and changing them regularly,
- Not using the same log-in ID and passwords for multiple websites,
- Taking advantage of multi-factor authentication for account access,
- Rejecting the option of having the Internet browser memorize login information, and
- Never sharing login information. With anyone, for any reason!
While participants have probably read these kinds of pointers many times, hearing that they’re vital to protect their retirement plan accounts might come as a surprise to some. Make this a regular part of your participant education.
James E. Merklin
CPA/CFF, CFE, CGMA, MAcc