401k fraud

Recently, we have seen a number of instances of cybercriminals committing 401k fraud by deceiving providers into authorizing fraudulent distributions. Many of these thefts have resulted in litigation intended to determine who will reimburse the plan for the fraudulent payouts.

Outlined below are two examples of 401k fraud litigation, followed by steps plan sponsors and employees can take to protect against 401k fraud.


Probably the best-known case of 401k fraud is the theft of $245,000 from a former Abbott Laboratories employee’s account.

It appears that a cybercriminal obtained personal information about the former employee during a phone conversation with Alight Solutions (the plan’s recordkeeper), used it to change the password on the account, and then initiated a transfer of the balance to an account set up by the cybercriminal. In other words, the account was taken over through the recordkeeper’s call center rather than by breaking into its systems.

At issue is who has the fiduciary responsibility to protect employee balances from 401k fraud: the plan sponsor or the recordkeeper that made the error. And, of course, who will reimburse the plan for the fraudulent payout.


Fiduciary responsibility is also at issue in the Leventhal case, where a cybercriminal obtained a copy of the plan’s distribution form and used it to steal more than $400,000.

As of this writing, litigation is ongoing to determine who will end up being assigned fiduciary responsibility for the fraudulent withdrawals: the employer, the custodian or the third-party administration firm.

What employers should do to protect employees from 401k fraud

The Wagner Law Group recommends that plan sponsors do the following to protect against 401k fraud:

  • Review all of their plan service provider agreements to identify cybersecurity fiduciary liability and any indemnification or limits of liability provisions.

  • Review the cybersecurity processes and procedures plan service providers use, including how plan and participant data are exchanged with the sponsor and with other providers.

  • Confirm that plan service providers have appropriate professional liability and cyber liability insurance coverage.

  • Review the plan service provider’s Service Organization Control (SOC) reports. A SOC report provides information on the provider’s internal controls relative to the services provided to the plan, so the sponsor can assess and address the risks of an outsourced service. Ask for the most recent report, read the auditor’s exceptions, and note the “complementary user entity controls” it lists: those are controls the report assumes the sponsor itself performs.

Employers can find help and guidance on cybersecurity from the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency within the Department of Homeland Security. Much of what CISA provides is free.

Employers should also review the insurance coverage they have in place to learn whether it protects against 401k fraud. Talk to your insurance agent about the fidelity bond required for your 401k plan and your corporate professional liability insurance. Be aware that an ERISA fidelity bond covers losses caused by fraud or dishonesty on the part of people who handle plan funds; it may not respond to theft by an outside party, so ask specifically whether that scenario is covered.

What employees should do to protect their 401k balances

Fidelity, one of the largest recordkeepers in the world, recommends that participants do the following to protect their accounts against 401k fraud:

  • Register their accounts. You would be surprised how many participants have never established online access to their 401k accounts. In other words, they have never created a username and password to access account information online. An account that has never been registered can be claimed by whoever first presents enough of the participant’s personal information, so registering it yourself closes that door.

  • Enable two-factor authentication. Many recordkeepers require two-factor login authentication, and it appears Fidelity will before the end of the year. Two-factor authentication has been cited as the primary security measure against 401k fraud. Keep in mind that it protects the website and app login; the Abbott case above shows that the phone channel is also a target, so ask the recordkeeper how it verifies callers before changing credentials or approving a distribution.

  • Provide contact information. Make sure the recordkeeper working with the plan has their mobile phone number and/or email address on file, so that alerts about password changes, contact-information changes and distribution requests reach them promptly.

  • Regularly review their accounts. Employees should set up a routine to review their accounts regularly, ideally weekly. Unfortunately, employees are often the first to detect 401k fraud in their own accounts.

Most recordkeepers are happy to assist employers in producing and distributing communications, either written or electronic, to help plan participants protect themselves against 401k fraud. Reach out to your recordkeeper to learn what options you have available.

It appears that attempts by cybercriminals to commit 401k fraud are here to stay. Of all the threats to working Americans’ retirement, this one may become more difficult to combat as more employees work remotely and companies have less ability to secure their online activity.


About the Author

Robert C. Lawton, AIF, CRPS is the founder and President of Lawton Retirement Plan Consultants, LLC. Mr. Lawton is an award-winning 401(k) investment adviser with over 30 years of experience. He has consulted with many Fortune 500 companies, including: Aon Hewitt, Apple, AT&T, First Interstate Bank, Florida Power & Light, General Dynamics, Houghton Mifflin Harcourt, IBM, John Deere, Mazda Motor Corporation, Northwestern Mutual, Northern Trust Company, Trek Bikes, Tribune Company, Underwriters Labs and many others. Mr. Lawton may be contacted at (414) 828-4015 or bob@lawtonrpc.com.

About Lawton Retirement Plan Consultants, LLC

Lawton Retirement Plan Consultants, LLC (LRPC) is a Milwaukee, Wisconsin-based independent, objective Registered Investment Adviser (RIA) providing investment advisory, fiduciary compliance, employee education, provider management and plan design services to employer retirement plan sponsors. The firm specializes in Socially Responsible Investment (SRI) strategies for retirement plans and is a pioneer in the field. LRPC currently has contracts in place to provide consulting services on nearly a half billion dollars in plan assets. For more information, please contact Robert C. Lawton at (414) 828-4015 or bob@lawtonrpc.com or visit the firm’s website at https://www.lawtonrpc.com. Lawton Retirement Plan Consultants, LLC is a Wisconsin Registered Investment Adviser.

Important Disclosures

This information was developed as a general guide to educate plan sponsors and is not intended as authoritative guidance, tax, legal or investment advice. Each plan has unique requirements and you should consult your attorney or tax adviser for guidance on your specific situation. In no way does Lawton Retirement Plan Consultants, LLC assure that, by using the information provided, a plan sponsor will be in compliance with ERISA regulations. Investors should carefully consider investment objectives, risks, charges and expenses. The statements in this publication are the opinions and beliefs of the commentator expressed when the commentary was made and are not intended to represent that person’s opinions and beliefs at any other time. The commentary does not necessarily reflect the opinion of Lawton Retirement Plan Consultants, LLC and should not be construed as recommendations or investment advice. Lawton Retirement Plan Consultants, LLC offers no tax, legal or accounting advice, and any advice contained herein is not specific to any individual, entity or retirement plan, but rather general in nature and, therefore, should not be relied upon for specific investment situations. Lawton Retirement Plan Consultants, LLC is a Wisconsin Registered Investment Adviser and accepts clients outside of Wisconsin based upon applicable state registration regulations and the “de minimis” exception.