Nov 20, 2019
The trend of commercial database breaches that disclose personally identifiable information (PII) shows no sign of slowing down. Large-scale PII breaches at other companies can negatively affect your retirement plan and its participants. Cyber criminals are becoming more sophisticated, and with the glut of PII available to them, combined with other techniques such as phishing and malware, retirement accounts are at risk of fraudulent access and distribution of funds.
As a retirement plan sponsor and fiduciary, there are steps you should take to mitigate the risk of fraud from occurring within your plan.
Participant Monitoring and Access
Encourage your participants to log in and monitor their accounts regularly. Participants should:
- Use a strong password and change it every 90 days
- Use a different user ID and password for each account
- Sign in at least every 30 days and review their account for unfamiliar activity
- Confirm all personal information and contact information is up to date
- Activate and utilize two-factor authentication (2FA) and set up personal security questions
It is all too common in the retirement industry for a participant to never log in to their account through a website. Participants who have not logged in to their accounts are missing essential layers of protection that two-factor authentication (2FA) and personal security questions provide.
Newport Group recommends communicating the importance of logging in to your plan participants; a one-page flier that highlights this key information is available for you to distribute to your plan participants.
To Help Deter Retirement Account Fraud:
- Encourage participants to log in through the website
- Remove electronic payments
- Use the online portal for distributions
Review Distribution and Loan Requests
Throughout the industry, cyber criminals are regularly attempting to submit fraudulent distribution requests to plan sponsors for participant accounts. If your plan requires your approval for loans and distributions, as a fiduciary of your plan, you should be thoroughly reviewing any requests received to ensure they are legitimate. Once a distribution is signed or approved by you, the plan sponsor may be held responsible for any payments made fraudulently, including payments required to make the affected participant whole.
Common targets for distribution and loan fraud are:
- Participants eligible for in-service distributions
- Participants eligible to take a loan
- Participants who are age 59½ or older
- Participants who are terminated
- Participants who sign Forms 5500
- Participants who are listed on a company’s external website
Newport Group suggests that plan sponsors add additional steps to their process to ensure requests are legitimate prior to approval. Simply sending an email to the participant using the email address in the employer’s records, alerting them that you have received their request and are reviewing it, could assist in confirming the authenticity of the request and deterring fraud.
Plan sponsors who approve paper loans and distributions should also ensure that:
- The address, phone number and email address on the request match the employer’s records
- The spouse’s name is correct, when spousal signature is required
- The participant’s and/or spouse’s signature, if required, matches forms previously submitted
And, when in doubt, a plan sponsor should reach out directly to the participant, through contact information in your records, to verify a loan or distribution. Once funds are distributed, it is often too late to reverse the fraud and recover any distributed funds.
Reduce Risk by Removing Electronic Payments
While electronic payments (ACH and wire) are convenient, they allow cyber criminals to access cash quickly, often with no recourse to reverse the transaction should it prove fraudulent.
Newport Group recommends only allowing for the mailing of distribution checks to the participant’s address on record. When requested, checks can be sent for overnight delivery which, in some cases, will allow faster access to funds than electronic payments. In our current high tech environment, this may feel like a step backwards, but adopting this method is another way to further protect the valuable assets of your participants.
Eliminate Paper Requests and Forms
Newport Group recommends moving loans, distributions and any other processes to our online portal. Online loans and distributions will assist in deterring fraud by:
- Requiring the participant to log in and pass 2FA in order to request a loan or distribution
- Sending the participant a confirmation email once the loan or distribution has been requested, as long as notices have been activated by the plan sponsor and email addresses are on file
- Eliminating paper forms being submitted through unsecured or unverifiable methods and potentially exposing PII
Newport Group also recommends activating plan sponsor approval, as an additional layer of security, for online loans and distributions.
Please contact your Newport Group representative to discuss these best practices or to implement any changes to your plan to further safeguard your participant assets (such as making use of a flier we have created for plan participants
This material has been prepared for informational purposes only. Newport Group, Inc. and its affiliates provide record keeping, plan administration, trust and custody, consulting, fiduciary consulting, insurance and brokerage services. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide timely and accurate information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.