The increased use of technology has led to improved administration of retirement benefits through advancements in electronic data storage and online participant portals. But recently, employer plan sponsors have questioned how to properly verify participant information provided on these portals and how to protect their plans’ data from cybersecurity breaches.
Most retirement plans offer an online portal where plan participants can access their accounts, change investment selections or adjust deferral percentages. Some plans have now added the functionality of allowing participants to request a hardship distribution online. To qualify for one, participants must meet one of the following “immediate and heavy financial need” criteria under Treas. Reg. § 1.401(k)-1(d)(3)(iii)(B):
- Expenses for medical care deductible under Section 213(d)
- Costs related to the purchase of a principal residence of an employee
- Payment of tuition and room and board expenses of the employee, or the employee’s spouse, children or dependents
- Payments necessary to prevent eviction of the employee from a principal residence
- Payments for burial or funeral expenses for the employee’s deceased parent, spouse, children or dependents
- Expenses for the repair of damage to the employee’s principal residence that would qualify for the casualty deduction under Section 165
Under this situation, plan sponsors have asked whether they have an obligation to verify the existence of an employee’s hardship. With no verification, the plan sponsor is at risk of an employee’s not being truthful about the stated reason for a hardship distribution, and issuing a distribution impermissibly. This could lead to a violation of either the plan’s written terms or the in-service distribution restrictions of Section 401(k)(2)(B), leading to a disqualification of the plan.
In a memo titled “Substantiation Guidelines for Safe-Harbor Distributions from Section 401(k) Plans,” dated Feb. 23, 2017, the IRS established the following guidelines for plan sponsors to follow to verify the existence of an employee’s hardship:
- Determine whether either source documents or a summary of the information contained in source documents has been obtained prior to making a distribution.
- If summary information is used, provide the employee with notifications required on Attachment I: Hardship Substantiation Information and Notifications for Summary of Source Documents (attached to the IRS memo) prior to making a distribution.
If source documents are obtained, review the documents to determine whether they support the hardship distribution.
If you obtain a summary of information, determine whether it contains information listed on the attachment.
Request source documents if the summary information is incomplete or inconsistent.
Request source documents if the employee has received more than one hardship distribution in the year.
Third-party administrators should provide a report of summary information to the employer.
A more recent problem for plan sponsors, but one that has quickly become a primary concern, is protecting a retirement plan from cybersecurity threats. The ERISA Advisory Council, which advises the secretary of the U.S. Department of Labor on functions under the Employee Retirement Income Security Act, on Jan. 24, 2017, published the final report of its working group on cybersecurity protections for benefit plans. The goal of the report is to “provide useful information to plan sponsors, fiduciaries and service providers in evaluating and developing a cybersecurity risk management program for benefit plans.”
Plan sponsors and administrators of retirement plans constantly use, share and store sensitive data about plan participants, including Social Security numbers, account balances and salary figures. The first step in protecting this data is to collect and keep it only if there is a documentable legal requirement for the data or a demonstrable business process in which the data is actually used.
After the data that will be stored and shared has been identified, a process must be established to manage cybersecurity risk. Each sponsor should tailor a customized cybersecurity strategy to fit its plan. The ERISA Advisory Council identified the following considerations when establishing processes as part of a cybersecurity strategy:
Implementation and monitoring – Review frequently and update cybersecurity strategies to reflect changes in the cybersecurity risk environment.
- Testing and updating – Evaluate the effectiveness of the cybersecurity controls that have been put in place.
Reporting – Consider the level and frequency of reporting to be shared with benefits committees, investment committees or other named fiduciaries.
Training – Train staff with direct or indirect access to retirement plan data.
Controlling access – One of the best ways to reduce cybersecurity risk is to limit data access to individuals who absolutely need it.
Data retention and destruction – Reduce the amount of data stored to reduce the impact of potential cybersecurity breaches.
Third-party risk management – Determine how third parties are using the plan’s data and request information on their security procedures.
Overall, the ERISA Advisory Council’s report has raised awareness on cybersecurity issues and provided guidance on strategies to mitigate cybersecurity risk. More guidance is needed on legal questions relating to a plan sponsor’s responsibility to implement cybersecurity risk mitigation strategies. For more information, the complete report can be found here
Senior Associate, Chicago Office
Human Capital Services
T +1 312 602 9013
Tax professional standards statement
This content supports Grant Thornton LLP’s marketing of professional services and is not written tax advice directed at the particular facts and circumstances of any person. If you are interested in the topics presented herein, we encourage you to contact us or an independent tax professional to discuss their potential application to your particular situation. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this content may be considered to contain written tax advice, any written advice contained in, forwarded with or attached to this content is not intended by Grant Thornton LLP to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.
The information contained herein is general in nature and is based on authorities that are subject to change. It is not, and should not be construed as, accounting, legal or tax advice provided by Grant Thornton LLP to the reader. This material may not be applicable to, or suitable for, the reader’s specific circumstances or needs and may require consideration of tax and nontax factors not described herein. Contact Grant Thornton LLP or other tax professionals prior to taking any action based upon this information. Changes in tax laws or other factors could affect, on a prospective or retroactive basis, the information contained herein; Grant Thornton LLP assumes no obligation to inform the reader of any such changes. All references to “Section,” “Sec.,” or “§” refer to the Internal Revenue Code of 1986, as amended.