Safeguarding DC plan data is about more than cybersecurity

Andy Adams and Jay Schmitt, ASA Thought Leadership

Because defined contribution (DC) retirement plans combine personally identifiable information with asset data, they make attractive targets for identity thieves and other fraudsters.

Much of the fraud threat comes from outside sources. Large-scale data breaches have become alarmingly commonplace, fueled by a thriving black market for consumer information. DC plan recordkeepers tell us they experience dozens, if not hundreds, of cyberattacks every week. We also see more targeted crimes in which individuals attempt to secure loans or intercept funds by impersonating plan participants, not to mention “inside jobs” that originate with a plan sponsor’s recordkeeper or another third-party vendor.

The onus of safeguarding plan participants from fraud, no matter its source, does not fall solely on the recordkeeper. Both DC plan sponsors and recordkeepers need to agree on fraud-resistant processes that are clearly documented, rigorously implemented and consistently followed. Here are a few tips.

Be Risk Averse, Not Speed Oriented

Over the last 20 years, speed has become one of the determining factors in recordkeeper selection. The theory is that faster turn times—including quicker processing of distributions and loan disbursements—will improve participant satisfaction and ease the plan sponsor’s administrative burden.

In practice, too much emphasis on speed has compromised processes meant to safeguard participant assets and contributed to the rise in DC plan fraud. Both plan sponsors and recordkeepers should consider that the most fraud-resistant protocols aren’t always the fastest.

For example, many DC plan sponsors now allow participants to apply for loans paperlessly. Further, plan sponsors often combine the loan check and promissory note into a single document, eliminating the requirement for participants to return a signed promissory note before the loan check is issued. These measures may expedite loan disbursements, but they remove a step at which an impersonator would otherwise have to produce a signature, and so expose both participants and plan sponsors to unnecessary fraud risk. Recordkeepers report a sharp increase in criminals attempting to use these expedited processes to take over participant accounts.

Balance the Books

Another troubling practice that often leads to fraud is the use by some DC recordkeepers of “clearing accounts” and “distribution accounts” to manage the inflow and outflow of money to and from plan participants. In such a setup, participant contributions are deposited en masse into a clearing account each payroll period. The deposit is then broken up and disbursed to the various investment fund accounts based on participant elections. In addition, monies paid out from the plan—such as participant distributions, loan disbursements or payments for plan expenses—typically flow through the clearing account before moving on to the distribution account and then the final destination. Money that sits in these pooled accounts belongs to identifiable participants, yet it is no longer tied to a participant’s account balance, which is what makes it easy to lose track of and easy to divert.

In performing transactional and process audits for our clients, we’ve encountered more than our fair share of messy clearing and distribution accounts. Uncashed checks are often a large part of the problem. Sometimes these checks represent lump-sum or installment distributions made out to a recipient who has moved or died. There may be uncollected force-out distributions issued to terminated employees whose DC plan balances were below the force-out threshold. We have even seen instances in which participants who applied for DC plan hardship withdrawals never cashed their checks.

It’s incumbent on plan sponsors to make sure recordkeepers reconcile clearing and distribution accounts frequently (preferably daily) and accurately, with every transaction clearly identified. When checks go uncashed, there should be clear protocols for locating the intended recipients and a definitive timeline for returning uncollected funds to the plan.

In extreme cases, we have seen several years’ worth of stale checks add up to millions of dollars in uncollected funds. Such a situation opens up plan sponsors to allegations of administrative mismanagement. It also creates an attractive target for unscrupulous employees to exploit—which brings us to our next point.

Put Checks and Balances in Place

Another DC fraud risk factor has to do with separation of duties—or a lack thereof. All too often, we see recordkeepers allowing the same person to make multiple changes to participant accounts without any approval or reporting process. This should raise a major red flag for plan sponsors.

In our opinion, no single employee should have the power both to change a participant’s mailing address and to reissue a check; that combination is exactly what an insider needs to redirect a participant’s money to an address he or she controls. Separating duties like these is a simple way to protect participants and reduce plan sponsor liability. However, should a recordkeeper make a compelling case for combining these tasks into a single role, the plan sponsor would be wise to enforce an approval process by a second person and require an audit trail that documents every transaction in the recordkeeper’s system—even manual adjustments—and that the staff performing those transactions cannot edit or delete.
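The check described above can be made concrete, both as an approval gate and as a detective review of the audit trail. The following is an added example, not code from the article or from any recordkeeper’s system; it assumes a hypothetical pipe-delimited audit-log format, a hypothetical list of conflicting action pairs (address change followed by check reissue, bank-information change followed by a distribution) and a 30-day look-back window. The sample log lines are constructed for the example.

```python
"""Separation-of-duties check over a recordkeeper audit trail.

Added example, not from the article. Assumptions: a pipe-delimited log
(ts|actor|action|participant|approver), a hypothetical CONFLICTING_PAIRS
table and a 30-day window. Sample log lines below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str                 # recordkeeper staff ID who performed the action
    action: str                # e.g. ADDRESS_CHANGE, CHECK_REISSUE
    participant: str           # participant account ID the action touched
    approver: str | None = None  # second person who approved, if any


# (first, second): one person should not do both on the same account.
CONFLICTING_PAIRS = {
    ("ADDRESS_CHANGE", "CHECK_REISSUE"),
    ("BANK_INFO_CHANGE", "DISTRIBUTION"),
}
WINDOW = timedelta(days=30)


def parse_log(lines):
    """Parse the assumed pipe-delimited format; '#' lines are comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, action, participant, approver = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), actor, action,
                                 participant, approver or None))
    return events


def find_sod_violations(events, window=WINDOW):
    """Detective control: return (first, second) pairs where the same actor
    performed a conflicting pair on the same participant within `window`
    and the second action had no independent approver (none, or self)."""
    by_participant: dict[str, list[AuditEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_participant.setdefault(e.participant, []).append(e)

    violations = []
    for history in by_participant.values():
        for i, second in enumerate(history):
            for first in history[:i]:
                if (first.action, second.action) not in CONFLICTING_PAIRS:
                    continue
                if first.actor != second.actor:
                    continue                      # different people: fine
                if second.ts - first.ts > window:
                    continue                      # too far apart to pair
                if second.approver and second.approver != second.actor:
                    continue                      # independently approved
                violations.append((first, second))
    return violations


def authorize(proposed, history, window=WINDOW):
    """Preventive control: allow `proposed` only if adding it to `history`
    would create no new violation. Call this before executing the action."""
    before = len(find_sod_violations(history, window))
    after = len(find_sod_violations(list(history) + [proposed], window))
    return after == before


# Constructed sample log (not real data). Expected: two violations,
# P-1001 (no approver) and P-4004 (self-approved); the others are clean.
SAMPLE_LOG = """
# ts|actor|action|participant|approver
2024-03-01T09:00:00|op17|ADDRESS_CHANGE|P-1001|
2024-03-03T14:20:00|op17|CHECK_REISSUE|P-1001|
2024-03-05T10:00:00|op22|ADDRESS_CHANGE|P-2002|
2024-03-06T11:00:00|op31|CHECK_REISSUE|P-2002|sup04
2024-01-02T08:00:00|op17|ADDRESS_CHANGE|P-3003|
2024-03-20T08:00:00|op17|CHECK_REISSUE|P-3003|
2024-03-10T09:00:00|op44|BANK_INFO_CHANGE|P-4004|
2024-03-11T09:00:00|op44|DISTRIBUTION|P-4004|sup04
2024-03-12T09:00:00|op44|ADDRESS_CHANGE|P-4004|
2024-03-12T09:30:00|op44|CHECK_REISSUE|P-4004|op44
"""


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG.splitlines())
    for first, second in find_sod_violations(log):
        print(f"SoD violation: {first.actor} did {first.action} then "
              f"{second.action} on {second.participant} ({second.ts:%Y-%m-%d})")
```

The self-approval case (P-4004) is the one most often missed in practice: an “approval” field is only a control if the approver is a different identity from the actor. Running the detective check daily over the full log also covers manual adjustments that bypass the preventive gate.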

Screen Personnel Regularly

Finally, plan sponsors should require thorough background checks for anyone with access to DC plan accounts or participant data. Background checks should be conducted not just at hire but on an ongoing basis. Our experience in the vendor search and vendor management businesses indicates that plan sponsors are usually diligent about requiring employee background checks at the time they hire a new vendor; however, ongoing background checks tend to slip through the cracks.

No plan is impervious to fraud, but by practicing fraud-resistant processes, enforcing separation of duties, and conducting ongoing background checks, plan sponsors and recordkeepers can play a much more proactive role in safeguarding participant data and substantially reduce their risk exposure.

This article originally appeared in PLANSPONSOR.