Preventing Identity Theft in a Retirement Program as an Employer

Identify theft is a major problem faced by retirement plan participants and sponsors. According to a recent study by Javelin, 14.4 million participants fell victim to identity theft in 2018 alone. As a plan sponsor, identify theft poses a serious risk to your participants. If you’re concerned about how to combat this issue, we’ve answered all of the most common questions we receive about it below:

How Does Identity Theft Typically Occur in Retirement Plans?

A request for a distribution or loan is submitted for a current participant.  It may even have a notarized spousal consent. Everything about it will appear legitimate.  The thieves have managed to get the participant’s social security number, date of birth, and basic information.  So, they have the required information to make the request form look legitimate. The thieves also may have hacked into the participant’s account and changed the address.  So, if a check is requested, and not an ACH, the check will be sent to the fake address and the thieves will get their money. If an ACH deposit is requested, the thieves may have already set up an account on their own behalf to receive the payment.

There may be minor oddities about the form, but in today’s work environment today of ‘do more with less,’ a busy Human Resources staff member may not always have the time or attention to detail to notice these or to check the bank information for the ACH deposit request.  The point is: these thieves are exceptionally sophisticated, looking to get a quick payout, and, more often than not, working from an offshore location.

How Can a Plan Sponsor Help Prevent Identity Theft?

There are many opportunities for Plan Sponsors to help protect their participants from potential theft of retirement assets.  Immediate steps that a Plan Sponsor can take include:

  • Check with your service vendor to see what security protocols it has in place, such as multi-factor authentication (MFA)
  • Move away from paper.  Paper statements in the mail are an easy target for someone to steal and get balances, vendor information, etc.  Paper forms are also easier to falsify information.  
  • Consider implementing additional steps for requests over a certain dollar amount, such as sending an email acknowledgment to the participant upon receipt of the request via the business email account or last legitimate confirmed email address for former employees
  • For current employees, if the request is $100k or more, consider picking up the phone and checking to make sure the request came from the real participant
  • If a change of address is made to an account, make sure that you or the service provider flag the account for a certain period of time afterward.  Many thefts start with a fake change of address.

What Questions Should a Plan Sponsor Ask of its Service Providers With Respect to Prevention of Identity Theft and Data Breaches?

It is important to review the service agreement provided by the provider to confirm its obligations and affirmative actions to help prevent theft.  A good service provider should have a confidentiality section of its service agreement, outlining the steps it will take to protect data and what it will do if a breach is discovered.  If no affirmative statement exists in the service agreement, a Plan Sponsor should ask about whether the service provider has cyber insurance that will cover the costs of the steps necessary to be taken in the event of a breach.  Also, there is a difference between the service provider accepting financial responsibility for the costs related to repairing a breach of security and being willing to “make good” on amounts that are stolen. A Plan Sponsor should know what to expect in terms of account reimbursement if funds are stolen from the plan.

Does the Plan’s Fiduciary Bond Cover This Type of Theft?

Probably not.  Most Plan Sponsors get the minimum coverage (the cheapest) policy available.  These basic bonds will cover theft by an employee of the Plan Sponsor, but not a theft by an outside third party.  If you are unsure whether your plan is properly covered in the case of theft by an outside party, talk to your insurance carrier.  If you have such a basic policy, you should consider upgrading to one that covers theft of participant funds, since the participant will most likely go after the Plan Sponsor to make the account whole.