Understanding PRT: Fiduciary and Admin Considerations

When transferring pension risk via a full or partial buy-in or buy-out, plan sponsors have a fiduciary obligation to ensure the transaction is implemented in compliance with the Employee Retirement Income Security Act.

The second session of the ISS Media 2022 Understanding PRT virtual conference featured a panel of experts who discussed the critical topic of administrative and fiduciary considerations pertaining to pension risk transfer transactions.

The speakers included Kate Pizzi, partner and senior consultant, Fiducient Advisors; George Sepsakos, principal, Groom Law Group; and Evan Woollacott, Jr., vice president of actuarial services at Hooker & Holcombe. As the panel described, when transferring pension risk via a full or partial buy-in or buy-out, plan sponsors have a fiduciary obligation to ensure the transaction is implemented in compliance with the Employee Retirement Income Security Act. They emphasized that proper due diligence and administration are vital to ensure the transaction does not create additional risk for plan sponsors, or negative outcomes for participants and beneficiaries.


Pizzi began the discussion by detailing the two types of annuity purchases that underpin PRT transactions, these being pension buy-ins and pension buy-outs.

“People tend to be more familiar with the second category, with annuity buy-outs,” she explained. “However, as a pension plan professional, it is important to know about both options, and to understand that, from the fiduciary perspective, there are some key differences.”

As Pizzi detailed, a partial buy-out covering retirees is often called a retiree carve-out. Such an annuity purchase transfers to an insurer the future risk of a block of pension obligations. A plan sponsor can enact a partial buy-out of the total liability, Pizzi said, or do a full plan termination and completely transfer all the risks and obligations of the pension to the insurer. Both approaches are common, and partial buy-outs are often followed by a complete risk transfer.

Pizzi said an annuity buy-in also removes some risk by bringing in an insurance provider that agrees to make payments to beneficiaries, per a negotiated contract. However, such a buy-in does not actually transfer all of the employer’s obligations over the long term. This is to say, the employer retains the ultimate legal responsibility for making sure that beneficiaries receive their due payments.

“On the buy-in side, the fiduciary obligation remains, even as you engage in an insurance contract to meet some or all of the pension’s payment obligations,” Pizzi said.

Two implications stem from this difference, Pizzi explained. First, because the sponsor retains the ultimate obligation for payment when enacting a buy-in, it remains responsible for paying Pension Benefit Guaranty Corporation premiums for those participants and payments. The other big distinction is from an accounting perspective. In basic terms, with a buy-out, the company sponsoring the pension plan must recognize the transaction in its profit and loss statements. With a buy-in, that is not the case.

Offering some legal perspective, Sepsakos said an important distinction to make when considering PRT is the difference between fiduciary and settlor functions.

“The company generally acts as a ‘settlor’ when establishing, amending or setting the terms of a benefit plan such as a pension,” Sepsakos said. “Settlor functions are not governed so strictly, and plan sponsors have freedom in deciding what kind of benefit they want to offer at what time. In contrast, steps taken to actually implement the plan will generally trigger fiduciary status under the Employee Retirement Income Security Act. This distinction is important in this entire discussion and in the PRT marketplace.”

Sepsakos emphasized that, when annuities are purchased for a terminating plan, both the Department of Labor and the federal courts have agreed that this process represents a fiduciary function. ERISA, in this case, requires prudence and loyalty on the part of fiduciaries—and that the fiduciary acts for the sole and exclusive purpose of providing benefits and paying only reasonable expenses.

“Some folks may remember that, back in 1995, the DOL addressed this situation in the aftermath of the implosion of the insurance company Executive Life,” Sepsakos recalled. “There was extensive litigation following that event regarding the selection of Executive Life as an annuity provider by certain pension plans. In some of the cases, it was determined that the employers had not lived up to their fiduciary responsibilities, while in other cases the opposite conclusion was reached. This led to the DOL taking the step of creating and publishing the important Interpretive Bulletin 95-01.”

As Sepsakos summarized, this bulletin speaks to the importance of selecting the safest annuity available, unless there is a compelling reason to act otherwise. It requires fiduciaries to conduct a thorough and analytical search for identifying and selecting annuity providers, as well as an evaluation of the creditworthiness and the claims-paying abilities of those insurers.

“The DOL points to various factors a fiduciary should consider,” Sepsakos said. “Some of these include the quality and diversification of the investment portfolio of the insurer, the insurer’s capital levels and surplus, its lines of business and its overall size relative to the transaction being considered. Other factors to weigh include the role of state guaranty associations. There’s a lot there, frankly, and it suggests that the fiduciary should obtain the advice of an independent expert in cases where the internal expertise is lacking. It instructs fiduciaries to be very wary of conflicts of interest, as well.”

Woollacott pointed to the importance of addressing the missing participant topic as part of the PRT transaction process, noting that the Pension Benefit Guaranty Corporation has promulgated actual regulations—not just informal guidance—regarding a fiduciary’s duties towards missing participants before transferring assets to the insurer.

Sepsakos said these regulations generally require a two-step process. First, a commercial locator service must be used for all missing participants. Second, for those with a benefit above $50 a month, the plan sponsor must actively review its own records and use Internet searches and beneficiary contact information to locate missing participants, to the extent that is affordable and feasible.

Woollacott noted that some insurance companies will take on missing participants and some will not, and this is an important part of the PRT planning and negotiation process. Another factor to consider is that the PBGC itself runs a program wherein it will take over the stewardship of missing participants’ accounts.

“Some will require certain types of information in order to take on missing participants, and some will have nothing to do with them,” he observed. “In my experience, working with the PBGC missing participant program is a positive experience, though it can come along with some added costs.”

Analyzing Retirement Industry Cybersecurity Risks and Best Practices

A certain famous bank robber is said to have explained that he robbed banks because ‘that’s where the money is.’ As of late 2021, U.S. retirement plans hold a significant amount of money, with more than $37 trillion of assets.

Art by Philip Lindeman

News reports in recent years show that criminals are targeting retirement plans, as well as the financial services firms that serve them.

Among those that have been targeted recently, with varying degrees of success, are Alight Solutions, Cetera and Transamerica Retirement Solutions, though they’re far from the only providers to have suffered cyberattacks.


In many cases, cybersecurity lapses can be costly to an organization. Case in point: the U.S. Securities and Exchange Commission charged multiple Cetera entities a combined $300,000 in fines and penalties last summer for failures in their cybersecurity policies and procedures that resulted in what the agency described as “email account takeovers,” which exposed the personal information of thousands of customers and clients at each firm. Earlier in 2021, the SEC censured and fined GWFS Equities, a Colorado-based registered broker/dealer and affiliate of Great-West Life & Annuity Insurance Co., $1.5 million. That case involved alleged violations of the federal securities laws governing the filing of Suspicious Activity Reports, also known as SARs.

According to the Investment Company Institute, U.S. retirement plans held $37.4 trillion of investor assets at the end of 2021’s third quarter. Experts say that ocean of money—combined with the accounts’ valuable personal data and the multiple ways of accessing accounts remotely—makes retirement plans a natural target for thieves.

“As retirement plan advisers, we see phishing schemes, ransomware, social engineering attacks, email compromise and wire fraud,” warns David Graver, vice president of Fort Pitt Capital Group in Pittsburgh. “The last one really sticks out when specifically focusing on retirement accounts. Often, emails will be compromised, or online accounts hacked, and unauthorized loans or withdrawals will be requested from the account.”

Simply put, advisers must be wary of cybersecurity risks and do their utmost to ensure clients, and their own firms, do not become victims of increasingly sophisticated and well-equipped cyberthieves.

The DOL Steps In

In early 2021, the U.S. Department of Labor’s Employee Benefits Security Administration issued new cybersecurity guidance for plan sponsors, fiduciaries, participants and recordkeepers. The first publication in the series offered suggestions for plan sponsors on hiring service providers with strong cybersecurity practices. The second publication was a 12-point list of best practices for plan service providers and the sponsors evaluating those providers. A third publication detailed online security practices for plan participants and beneficiaries.

The DOL’s work was the first of its kind and highlights the agency’s greater focus on retirement plan-related security. While the tips might be new information for some in the industry, in reality, the guidance is not groundbreaking, says Jon Meyer, CAPTRUST’s chief technology officer in Raleigh, North Carolina.

“What [the DOL] is recommending is not really any different from widely understood best practices,” Meyer says, “but that doesn’t mean the DOL’s tips don’t carry significant weight.”

He argues that the “entire ecosystem” in the retirement plan industry understands it is their fiduciary duty to make sure not only that their own house is in order, but that every supplier they work with is capable and worthy of handling sensitive data, especially participant data.

David Levine, principal and co-chair of the plan sponsor practice with Groom Law Group, Chartered, in Washington, D.C., stresses that the DOL’s tips are not binding. Nonetheless, the recommendations figure prominently in his work with clients.

“If I’m involved in a request for proposals, we will often ask about these standards and we will actually try to incorporate them into contracts,” Levine says. “If I’m representing a plan sponsor, I’ll try to put them in place between the sponsor and the adviser. These standards are being adopted in many different areas.”

The DOL is doing more than just publishing security suggestions, though. Levine says the agency is “digging deeper and moving.” He cites his experience from about two years ago, when the DOL began asking cybersecurity questions. Levine recalls that the agency’s staff members initially asked 10 short questions.

“Now they are constantly evolving,” he says. “I saw one [questionnaire] recently for a client that was four-and-a-half pages long.”

Meyer agrees that the DOL is placing greater emphasis on expanded due diligence. “I think you can run a registered investment adviser practice and not have any technology staff, but you have to be really good at supplier management and focus on how you are making sure that they are strong and capable in the cybersecurity dimension,” Meyer cautions. “Traditionally, that has not been done. People have taken at their word that Company X can provide great services. Now, the DOL is really encouraging parties to dig in and understand if somebody is capable of handling the sensitive data.”

Identifying Exposures

Identifying the cybersecurity exposures that a plan adviser or sponsor might encounter is the first step in reducing those threats. Dennis Lamm, senior vice president, customer protection, with Fidelity Investments in Merrimack, New Hampshire, suggests that advisers should start by considering the two broad types of risk to plan sponsors and their employees.

These are the risk to their data, in the form of security breaches, and the risk to their accounts, in the form of fraud.

“The former typically manifests itself through phishing, malware and, increasingly, ransomware,” Lamm says. “The latter is directed more to individual retirement and brokerage accounts and seeks to take over customer accounts by using stolen passwords and compromised email accounts, or mobile phones.”
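The account-takeover pattern Lamm and Graver describe (a stolen password or a compromised email account or phone, followed by a withdrawal or loan request) is what a recordkeeper's money-movement controls have to catch. As an added example that is not from the article or from any of the firms quoted, the Python below applies a cooling-off rule to a constructed account event log: a withdrawal or loan requested shortly after a password reset or an email or phone change, or from a device the account has not used before, is held for out-of-band verification instead of being paid. The log format, the hold windows and the two sample accounts are assumptions made for the example.

```python
"""Cooling-off check for retirement-account money movement (added example).

Event log format (constructed for this example):
    2022-02-25T09:00:00Z acct=B2 kind=password_reset device=d-999
Event kinds used: login, password_reset, email_change, phone_change,
withdrawal, loan, rollover.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hold windows are assumed values; the real numbers are a policy decision.
CONTACT_CHANGE_HOLD = timedelta(days=14)   # email/phone changed recently
CREDENTIAL_RESET_HOLD = timedelta(days=7)  # password reset recently
NEW_DEVICE_HOLD = timedelta(days=7)        # device first seen recently
MONEY_MOVEMENT = {"withdrawal", "loan", "rollover"}


@dataclass
class Event:
    ts: datetime
    acct: str
    kind: str
    device: str = ""


def parse_line(line: str) -> Event:
    """Parse one log line: ISO timestamp followed by key=value pairs."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields["acct"], fields["kind"], fields.get("device", ""))


def assess(history: List[Event], request: Event) -> Dict[str, object]:
    """Decide whether a money-movement request is paid or held.

    Only events on the same account that precede the request are considered.
    Any triggered rule results in a hold; verification must then go through
    the contact details on file *before* the recent change, since an attacker
    who changed the email or phone now controls the new channel.
    """
    assert request.kind in MONEY_MOVEMENT, "assess() is for money movement only"
    prior = [e for e in history if e.acct == request.acct and e.ts < request.ts]
    reasons: List[str] = []

    for e in prior:
        age = request.ts - e.ts
        if e.kind in {"email_change", "phone_change"} and age <= CONTACT_CHANGE_HOLD:
            reasons.append(f"{e.kind} {age.days}d before request")
        if e.kind == "password_reset" and age <= CREDENTIAL_RESET_HOLD:
            reasons.append(f"password_reset {age.days}d before request")

    # When did this device first log in to the account? Never, or too recently,
    # means the request is coming from an unestablished device.
    first_seen = min(
        (e.ts for e in prior if e.kind == "login" and e.device == request.device),
        default=None,
    )
    if first_seen is None or request.ts - first_seen <= NEW_DEVICE_HOLD:
        reasons.append(f"device {request.device or '<none>'} not established on account")

    return {
        "acct": request.acct,
        "kind": request.kind,
        "decision": "hold" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed sample: A1 is a long-standing user on one device; B2 shows the
# takeover sequence (reset, email change, new device, withdrawal within days).
SAMPLE_LOG = """
2022-01-05T08:00:00Z acct=A1 kind=login device=d-111
2022-01-20T12:00:00Z acct=B2 kind=login device=d-222
2022-02-10T08:30:00Z acct=A1 kind=login device=d-111
2022-02-20T09:00:00Z acct=A1 kind=withdrawal device=d-111
2022-02-25T09:00:00Z acct=B2 kind=password_reset device=d-999
2022-02-26T09:05:00Z acct=B2 kind=email_change device=d-999
2022-02-26T09:10:00Z acct=B2 kind=login device=d-999
2022-02-28T10:00:00Z acct=B2 kind=withdrawal device=d-999
"""


def run_sample() -> List[Dict[str, object]]:
    """Assess every money-movement request in SAMPLE_LOG, in log order."""
    events = [parse_line(line) for line in SAMPLE_LOG.strip().splitlines()]
    return [assess(events, e) for e in events if e.kind in MONEY_MOVEMENT]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

A1's withdrawal is allowed because its device has been on the account for weeks and nothing about the account changed. B2's withdrawal is held on three independent grounds (recent password reset, recent email change, device first seen two days earlier), which is the point of stacking rules: an attacker who avoids one signal rarely avoids all of them. The same structure extends to destination changes (new bank account added before a rollover), which the article's "wire fraud" mention points at.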

Levine cites the idea of laying out a “data chain” to see who has access to information and to highlight potentially overlooked exposures. He emphasizes that it’s not sufficient to evaluate only a plan’s 401(k) recordkeeper. For instance, sensitive data can be shared with third-party vendors such as wellness service and managed account providers.

“Every step of the chain has a cybersecurity risk,” Levine warns. “It’s important to look at the entire lineup of your business.”

Meyer stresses the need for an independent third party to conduct a risk assessment regularly. CAPTRUST conducts an annual risk assessment and also does penetration testing twice each year. The goal of penetration testing is to identify where and how attackers might get in and to determine, in a controlled setting and before a real attacker tries, how the firm’s defenses would hold up.

The next level of security analysis is “red team” testing. Meyer explains this involves hiring a firm that will actively exploit, rather than only identify, potential weaknesses in the organization’s defenses. Red team tests also go beyond probing online weaknesses.

“Fraudsters don’t just attack the web,” Meyer says. “They’ll hit the call center, they’ll try faxes and they’ll try mail. They will use every channel to try and make something happen, so it’s not enough to simply just focus on a web application when you are a multichannel contact center and taking requests from participants through a variety of means.”

Building a Best Practices Framework

The sources for this article agreed that cybersecurity is not a one-and-done effort. Cybercrime is global and has no operating hours, Lamm notes, so security efforts must run nonstop. He recommends that advisers look to industry-defined best practices to address exposures internally and with vendors. Along with the DOL’s tips, he also points to the Data Security Reporting and Fraud Controls Best Practices published by the SPARK Institute’s Data Security Oversight Board as a useful resource.

“At a minimum, organizations should comply with established global standards for data security and testing, such as ISO 27001 and SOC 2,” Lamm adds.

Ben Taylor, senior vice president and head of tax-exempt defined contribution research with Callan Associates in Los Angeles, says that creating a cybersecurity defense is best done with what professionals call a “CSF,” or cybersecurity framework.

Taylor, who serves as vice chairman of the SPARK Data Security Oversight Board, points to frameworks such as those developed by NIST (the National Institute of Standards and Technology) and ISO (the International Organization for Standardization), which set guidelines for the essential elements of basic security. To assist advisers and clients with understanding the common themes and most important features of the major CSFs, the board developed a set of standards that identify the critical, common features for the industry.

Working With External Resources

Ultimately, there is a large amount of cybersecurity best-practices guidance available to advisers and sponsors. However, following that guidance can be a challenge if an adviser or plan sponsor lacks the internal expertise to implement the recommendations and evaluate third parties’ efforts.

Conducting due diligence on security measures is challenging, Taylor notes, partly because there is a tangle of legal liability associated with known vulnerabilities and in part because the secrecy of some of the defensive metrics is key to their efficacy.

“As a result, there continues to be a need for clear best practices, and a trusted, third-party standard for audit and review of those security practices,” he says. “There are several options for conducting security audits of key vendors like custodians or recordkeepers, and these include audits like a SOC 2 report, or an agreed-upon procedures audit that follows the SPARK template for the standard best practices.”

Meyer believes smaller organizations can lack the staff, technical aptitude and persistence to follow a strong cybersecurity process. In response, these firms often hire technology service providers and delegate full responsibility to them.

“That’s only a partial solution,” he cautions. “I would challenge all firms to make sure they have independent oversight and audits of their service providers. If you don’t have that, then I think you end up with holes in your armor. The results are never world-class when you just hire a firm and don’t have anybody checking behind it to make sure that what it’s doing is really secure.”
