The American Institute of Certified Public Accountants’ (AICPA)’s Employee Benefit Plan Audit Quality Center has issued a plan advisory, “The importance of retaining and protecting employee benefit plan records.”

The advisory notes that Section 107 of the Employee Retirement Income Security Act (ERISA) requires plan records used to support filings, including the annual Form 5500, to be retained for at least six years from the filing date. Under ERISA section 107, the following documentation should be retained at least six years after the Form 5500 filing date, including, but not limited to: copies of the Form 5500 (including all required schedules and attachments); nondiscrimination and coverage test results; required employee communications; financial reports and supporting documentation; evidence of the plan’s fidelity bond; and corporate income-tax returns (to reconcile deductions).

In addition, according to the advisory, Section 209 of ERISA states that an employer must “maintain benefit records, in accordance with such regulations as required by the DOL, with respect to each of [its] employees sufficient to determine the benefits due or which may become due to such employees.”

Proposed Department of Labor (DOL) regulations issued in 1980 state that participant benefit records must be retained “as long as a possibility exists that they might be relevant to a determination of the benefit entitlements of a participant or beneficiary.” While the regulations were never finalized, the DOL has taken the position those record retention obligations apply beginning when the DOL issued its first set of proposed regulations under Section 209 on February 9, 1979, because employers were put on notice of the obligations. As such, plan sponsors should consider whether benefit plan records need to be maintained indefinitely.

Under ERISA Section 209, the records used to determine the benefits that are or may become due to each employee include, but are not limited to plan documents, and items related to the plan document including, adoption agreements, amendments, summaries of material modifications (SMMs), summary plan descriptions (SPDs), the most recent IRS determination letter, etc.; census data and support for such information including records that are used to determine eligibility, vesting, and calculated benefits (such as rates of pay, hours worked, deferral elections; employer contribution calculations); participant account records and actuarial accrued benefit records; support and documentation relating to plan loans, withdrawals and distributions; board or administrative committee minutes and resolutions; and trust documents

Best practices for plan record retention the Employee Benefit Plan Audit Quality Center suggests includes:

• Establishing a written record retention policy governing how the organization periodically reviews, updates, preserves, and discards documents related to plan administration—It should be approved by ERISA counsel or those charged with governance over the plan to ensure that federal and state retention laws are being considered and adhered to. When service organizations (e.g., recordkeeper, investment custodian) maintain plan records, the plan administrator needs to understand the retention policies of those service organizations for plan records they prepare and/or maintain. The Center reminds plan sponsors that the use of a service organization does not alleviate the plan sponsor’s responsibilities to retain adequate records.
• Monitoring compliance with the written record retention policy—If the plan uses service organizations, the plan administrator should also monitor the service organizations’ compliance with their respective retention policies.
• Categorizing and documenting your plan records—Data should be organized such that it can be easily and readily retrieved. Document the type of record, a brief description of the type of record, and the category to which records of this type belong. Records in the same category often have the same retention periods and might require similar treatment in other ways.
• Maintaining important participant records indefinitely—Because ERISA Section 209 does not provide a specific period of time for retaining participant-level records such as demographic information, compensation and elections sufficient to determine benefits due, these records should be kept for an indefinite period of time in a format that is easily retrieved to ensure they are available upon request by the participant or auditor in case of an audit.
• Maintaining necessary paper records—If electronic records don’t establish a substitute or duplicate record of the paper records from which they are transferred under the terms of the plan or applicable federal or state law, the original records should not be discarded.

For protection of personally identifiable information (PII) and other sensitive information, the Center suggests:

• Follow “minimum necessary” and “business need” principles and only share the minimum amount of data (especially personal data) needed to accomplish a task.
• Reduce use of paper documents, as they cannot be encrypted.
• Retain only that information that is truly necessary for the business purpose. Collect less data and purge unnecessary PII from your records to reduce vulnerability.
• Shred purged paper documents with personal information in a secure disposal unit; do not use recycling or trash bins.
• Use caution in public spaces when handling or viewing personal information; be aware of your environment and use privacy screens on computers.
• Keep work spaces clear of documents containing personal information when not in use.
• Use secure methods to transmit personal information. For example, encrypt documents containing confidential information when emailing. Preferably, use an approved, secure collaboration site to transfer confidential data. Email generally should not be used to send personal information.
• De-identify data where possible. Mask or truncate government identifiers and health identifiers whenever possible.
• Control access to PII. Sensitive information should only be accessible by people who need it to do their jobs. This includes the information you share with your financial statement auditor. Check with your auditor to determine what PII is necessary for the audit.

“The hiring of a service organization to assist in plan administration…is a fiduciary function,” the advisory says. “It is important that the service organizations you use to perform investment processing, recordkeeping and/or benefit payments, claims processing, and other services that require access to your plan’s sensitive data have adequate protections in place to safeguard that information. Plan administrators should perform adequate due diligence during the selection process and prior to hiring a service organization.”