Former DOL Investigator Starts Firm Targeting 401(k) Fraud

David Donaldson’s Participant I.D. will offer providers and plan sponsors three-factor identity theft protection.

Retirement plan participants are often prime targets for fraud perpetrated by criminals who steal participants’ identities, then their savings.

The MOVEit hack, which exposed more than 3 million retirement plan participants’ data, is a recent example of the risk. Meanwhile, lawsuits have been brought against plan sponsors, including the Bank of New York Mellon Corp. and the Colgate-Palmolive Co., for allegedly not doing enough to protect participant data from fraud.

David Donaldson, president of risk management firm and 3(16) fiduciary ERISA Smart, has launched a separate company offering software he says will mitigate retirement plan fraud through a three-factor authentication system. Donaldson, a former Department of Labor investigator, says a safer login system for participants is essential to combating theft.

“The majority of distributions go through very little scrutiny, and the fraudsters know it,” Donaldson says. “This is becoming a major issue that no one wants to address.”

As a 3(16) fiduciary services provider, ERISA Smart processes a lot of retirement plan distributions, Donaldson says. Through that business, the firm saw the increasingly sophisticated ways thieves were going after participant savings, including creating fake websites posing as a plan’s third-party administrator. At the same time, the firm was also seeing less advanced methods, such as disgruntled family members trying to defraud relatives, Donaldson says.

To combat these tactics, ERISA Smart built its own system to try to prevent fraud and to alert a plan sponsor or provider when a distribution appeared suspicious. After using it internally for about a year, Donaldson saw the potential for a new business.

“This is something we didn’t want to just use internally, so I started a separate company so I can bring it to the industry,” he says.

Participant I.D.’s software uses facial recognition, government identification verification and an artificial intelligence-driven system that assigns a fraud score to a participant login. The whole process of verifying a participant’s identity takes place “in minutes,” according to Donaldson. For the participant, it will look like a normal cell phone sign-in.

Donaldson says online accounts generally use two-factor authentication that relies on a combination of phone messaging and email. These methods, he says, are becoming more susceptible to malware installed by criminals, which can intercept the messages and redirect participant information to the attacker.

Even voice recognition technology, which many recordkeepers use, may not work well because more plan participants are doing all of their business digitally rather than by phone, he says.

Participant I.D. is licensing its software to third-party administrators and pooled employer plan providers. The startup is also working on an enterprise solution for recordkeepers to be available in November. Pricing for the software will depend on distribution volume, Donaldson says.

“The problem [of fraud] is just getting worse and worse and worse, and nobody in the industry has taken the steps to lock this down,” he says.