Finding the Starting Point

Deciding where to start is a critical and challenging part of serving retirement plans. 

Holly Verdeyen, director of defined contribution investments at Russell Investments, says where plan advisers can help the client most “depends on the plan sponsor’s starting point.”

One lesson retirement plan service providers learn quickly is that each plan is different—with different demographics, levels of employer commitment and amount of groundwork done. But as Verdeyen observes, keeping fees down is pivotal for all plans.


“Plan governance and plan menu design are also big areas to focus on because good governance is key for proper plan oversight,” she adds, “and plan design drives participant behavior.”  

She says advisers should also generally encourage plan sponsor clients to revisit how their participants’ portfolios break down, based on their age, and to do a full plan re-enrollment, moving non-responding participants into the plan’s qualified default investment alternative (QDIA), if necessary.

For plan sponsors still unsure about the value of “institutionalizing” their plans, Michael Swann, director of DC strategy for SEI Investments Co., recommends leveraging industry thought leadership to demonstrate how participants’ behavioral tendencies can sabotage their saving habits and how institutionalization could counteract that, increasing the whole retirement program’s effectiveness.

For example, he says, “there have been several studies done that have shown the fewer choices that you offer participants—and just choices in general if you look at behavioral economics—the better decisions people tend to make, from enrolling in the plan to deferring in the plan to how they allocate their money.”


Swann continues: “With a broader approach and a simplified menu, you might have only two options that are active in U.S. equity—a large cap and maybe a small cap. If you have these two options and they contain both growth and value managers, there’s a lot less temptation to chase performance when you’re only making a strategic decision between two different market caps.”

This simplification—a best practice of institutional plans—encourages participants to think more strategically and longer-term about their allocations, Swann says.

Advisers could also begin with a custom analysis of both replacement income targets and the projected effect on the company’s bottom line if participants need to work past retirement age.

“It really comes down to defining success,” Verdeyen says. Noting that advisers often help their sponsor client define and measure what success means to a plan, she urges them to frame institutionalization as something that can have a measurable improvement on their employees’ ability to successfully retire. 

To this end, they can provide data on how institutionalizing the plan can lead to better participant outcomes, in terms of lower fees, improved participant decision-making, a more equitable distribution of administrative fees and greater transparency.

Some plan sponsors may just be satisfied with the status quo and resist making this change—either in total or just in part. “Some DC plan sponsors may believe their DC plans are basically good enough,” she says, “and they are content to operate in maintenance mode as opposed to improvement mode. Again, it’s a mindset.”

For the rest, Verdeyen warns against “the maintenance mentality,” wherein plan sponsors will focus on just maintaining changes made so far. “Advisers should encourage their clients to not lose sight of the more strategic decisions, like plan menu design, qualified default investment alternative [QDIA] selection and plan mapping decisions, which can really move the dial when it comes to participant retirement readiness,” she says.

Battening Down the Hatches Against a Data Breach

Retirement plan advisers and plan sponsors share some concerns about data security, but advisers are especially worried.

An emerging area of concern for plan advisers might just be the actual data of the retirement plan itself, which could shape up to be a compliance issue for the plan sponsors they support. And of course plan advisers themselves hold a great deal of sensitive data on their own clients.

Both FINRA and the Securities and Exchange Commission (SEC) are worried about the amount of personal data an adviser has, notes Gary Sutherland, chief executive of North American Professional Liability Insurance Agency. “They think advisers will be a handy target for people to steal identity,” Sutherland says, “because they tend to be smaller firms with less resources to protect the data.”


Data security is an obligation of all who hold sensitive information, says Marcy Supovitz, principal at Boulay Donnelly & Supovitz Consulting Group. “Even without specific DOL (Department of Labor) guidance, advisers need to be vigilant in protecting plan and participant data as part of their general fiduciary responsibility to clients,” she tells PLANADVISER, noting that cybersecurity governance is a top business issue for her firm.

After issuing a detailed checklist of what advisory firms should provide in terms of data protection in February, the SEC brought out additional steps for firms to address cybersecurity risk. “We viewed that checklist as an opportunity to assess our procedures and, equally important, to re-educate our employees about cybersecurity, as firms are only as safe as their weakest link,” Supovitz says.

Supovitz raises another issue for advisers, sometimes overlooked, that arises when a mutual fund owns shares in a company that has been the victim of a cybersecurity attack. “Prudence may call for removing the fund from the plan’s investment lineup,” she says, “especially if the fund has a large weighting in the victim company.”


Tracking devices on laptops are vital and highly affordable, Sutherland says. “Advisers can remotely wipe out data if it is exposed,” he says, “and three years of coverage is about $100 per laptop.” He recommends installing the software at the time of purchase, so that protection and tracking kick in immediately.

Sutherland recalls an insured client who left his laptop on a train one Friday. He notified the train authorities and was told the next day that the laptop had been located. But when he went to pick it up on Monday, it was gone. Tracking would have helped the client, he says, but the more important piece is that once the computer is used to go online, it sends a signal to tell the owner to eliminate the data. “Laptops may be password-protected,” Sutherland says, “but in the same carrying case as the computer is a sticky note with your log-on and password name.”

When it comes to data protection for a retirement plan, two areas stand out, according to Supovitz. “First, when plan sponsors engage us for a vendor search, we address cybersecurity risks early on in the selection process,” she says. In the request for proposal (RFP) process, Supovitz evaluates the data security procedures of every vendor.

Critical points to compare include how they seal off access to confidential information from intruders and how they monitor cybersecurity procedures on an ongoing basis, notes Supovitz. Plan sponsors can engage the services of an expert to help vet providers, or turn to someone internally on their own IT staff.

“Security should be a pretty significant area of focus for all data that plan sponsors house,” says Adam Pozek, a partner at DWC ERISA Consultants. From Social Security numbers to home addresses and even direct access to payroll, in some cases, the data transcends any one benefit plan, Pozek tells PLANADVISER.


Be aware of the information chain. “If a plan sponsor has security measures in place but the service provider is lax, their data can still be at risk, making data security a critical part of any vetting process, whether for payroll or a benefits plan,” Pozek says.

Sutherland says plan sponsor due diligence on all providers includes asking questions on the provider’s own history of data loss, whether they have insurance to cover a breach and what steps they will take to protect the identity of the plan sponsor as well as the plan sponsor’s employees.

Beyond looking into a provider’s actual data systems, Sutherland recommends that a vendor conduct background checks on new hires and change passwords frequently so they can’t be saved (every 60 days is recommended).

“Plan sponsors will want the TPA and recordkeeper to back up systems at least weekly,” Sutherland advises. Daily backups are preferable, with redundant systems available. “Typically, if a TPA’s system is hacked into, the provider can move into another system in the Cloud so they can be up and running within hours, not days.”

Pozek says he would ask whether the provider has a specific data security policy for the way its own employees handle data, a question that can generate several more lines of inquiry. “If an employee accesses data through a smartphone, mobile device or laptop, are those devices encrypted or password protected?” Pozek asks. “What type of security is in place? What steps does the organization take to make sure its employees understand the importance of protecting sensitive data? For example, do they understand that many states have restrictions against emailing Social Security numbers over the Internet without password protection or encryption?”


A data breach can generate different costs, Sutherland points out, such as the first-party costs incurred by the recordkeeper and TPA to notify people of a breach or compromise. “The recordkeeper or TPA might need to bring in a lawyer to handle the notification process or, in some cases, public relations people and/or IT forensics,” he says. “Third-party costs appear when the data they hold belongs to one of their clients and the client suffers damages as a result of the data breach. If the plan sponsor gets a letter saying all their employee data was breached, costs could also include new credit monitoring as well as any potential damages to the employees (third party)

The typical cost to manage someone whose data has been breached is about $150 per person. “At 800 employees, for example,” Sutherland says, “that $150 for each can add up pretty quickly.”

While ERISA has no specific jurisdiction over plan data, in Pozek’s opinion, all businesses should have a written policy on data security. “It goes into the prudent process selection,” he says. “They have to evaluate on different criteria.” Plan sponsors that don’t feel comfortable reviewing procedures and vendors should seek outside help from their own IT department, an attorney or investment adviser: “Anyone qualified to look at the response and provide guidance.”

The need to pay attention to data security transcends any benefit plan or company size, Pozek says, noting that most breaches are carried out by automated bots programmed to look for holes they can take advantage of. “Anyone who would use the data for nefarious purposes doesn’t care how big or small you are,” he says.
