Personalization Push Persists

Increased data availability has led to many more ways to customize the management of retirement portfolios.

This story has been updated for the magazine. That version can be found here: “The Move to Customization.”

Almost two decades after the Pension Protection Act of 2006 paved the way for target-date funds to become near-ubiquitous in today’s 401(k) plans, a growing number of plan sponsors are now thinking about how plans can evolve further to improve participants’ financial well-being both up to and through retirement.


Many plan sponsors believe the answer lies in more personalized offerings, including options on where and how to direct participant and plan sponsor contributions. The paths plan sponsors are taking toward personalization vary, with employers looking to an expansion of managed accounts and lifetime income offerings, including hybrid qualified default investment alternatives; targeted communications and nudges; and new in-plan (thanks to the SECURE 2.0 Act of 2022) and out-of-plan features.

“There’s a consensus in the industry that the more we know about an individual, the more effective we can be in building an asset allocation that reflects their objectives and meets their needs,” says Jessica Sclafani, a senior defined contribution strategist at T. Rowe Price.

The push toward personalization reflects two key shifts: First, a widespread recognition that improved retirement outcomes require more information than the single data point (projected retirement date) used to inform target-date funds. Second, advancements in technology make it easier to collect and use data about individual participants to produce a more customized retirement road map.

But while recordkeepers and employers may be able to share some data—such as an employee’s salary, age and account balance—they still need employees to share additional information—including outside assets, financial goals and risk tolerance—to fully tailor a retirement offering.

“One of the challenges with personalization has been that if you’re going to use personalization as a default, either you need to get information directly from an employer or recordkeeper, or you need an engaged participant,” says Kevin Walsh, an attorney at Groom Law Group. “One of the things the defaults are trying to solve for is a lack of participant engagement.”

Better Outcomes

A recent study by Prudential made the case for both personalized investments and a managed withdrawal strategy, arguing that even a well-invested portfolio cannot overcome a suboptimal withdrawal strategy. A separate study, published in March in The Journal of Portfolio Management, pegged the average benefit of personalization across assumed balances and salaries at 5% to 6%.

Such research is increasing plan sponsor and consultant interest in both managed accounts and hybrid QDIAs, which incorporate personalization and target-date funds or automatically move participants into managed accounts when they reach a certain trigger point, often based on their age or account balance.

In addition to cost, a deciding factor for many plan sponsors as to whether to introduce managed accounts—on their own or as a QDIA—is the relative heterogeneity of their employment population.

“If your participants are all similar and bunched together closely in terms of their compensation or career trajectory, you might conclude that a target-date fund is more suitable,” Walsh says. “But if your participants are very different than one another in terms of whether they’re highly compensated or the length of their career, you might think a managed account is a better solution.”

Older workers tend to have more assets and more complicated financial situations that may require personal guidance, but younger workers also have important financial goals, including paying down debt, building an emergency fund or saving for a down payment on a home. For now, most managed accounts are offered as an opt-in on the investment menu, according to T. Rowe Price research.

Personalized Communication

Regardless of whether their plan includes a managed account or a hybrid QDIA option, many plan sponsors are finding additional methods of personalizing their offerings and the ways they interact with participants. Often that starts with a targeted communications strategy that corresponds with the specific needs or life stage of an employee, via that participant’s preferred media.

“We’re reaching out to employees to give them education and meet them wherever they are in their retirement journey, to really lay out the benefits of the retirement plan and encourage them to take the next best action,” says Hutch Schafer, vice president of product development for Nationwide Financial.

That best action might simply be enrollment for some eligible employees. It could also be, for those already enrolled, putting a plan in place to boost contributions, or encouraging them to enter additional information about their financial situation so that the next action is more accurate for their specific situation.

“If you’re not hitting on their hot button issues about what’s really important to them, the chances of them fully engaging isn’t as great,” Schafer says. “So providing personalized messaging along the way can get them more engaged and help them make better decisions about their retirement.”

Help From Technology

Recordkeepers are increasingly turning to technology, often with the help of their fintech partners, to make those messages even more relevant to their intended audiences, says Deb Boyden, head of U.S. defined contribution at Schroders.

“They’re providing technology that really speaks in different ways to different populations,” Boyden says. “There’s so much that can be done with [artificial intelligence] now, and many of these firms are really taking advantage of AI to customize the messaging even more so.”

For participants who remain in a plan after they have retired, personalization should focus on turning their accumulated assets into income, Boyden says.

“The industry has put a great emphasis on asset accumulation, but decumulation strategies are equally important and arguably more complex,” Boyden says. “All kinds of new variables come into play at retirement: taxes, health care needs, when to take Social Security.”

Looking ahead, industry experts say it is clear the trend toward personalization will continue.

“Millions of American workers now have this pot of money [in their 401(k) plan],” says Tim Rouse, the executive director of the SPARK [Society of Professional Asset Managers and Recordkeepers] Institute. “But everyone has different needs and different financial hurdles to overcome, so that’s only going to drive personalization.”

Plan Security Relies on Vetting 3rd-Party Providers

As 3rd-party subcontractors continue to experience data breaches, plan sponsors must ensure they are asking the right questions about their providers’ providers.

This story has been updated for the magazine. That version can be found here: “Who Do You Trust?”

Retirement plan recordkeepers’ increasing reliance on third-party vendors for various administrative services and tools poses a challenge for plan sponsors who need to vet these vendors, especially as many have been exposed to cybersecurity breaches in the past year.


To protect participant data and personal information, plan sponsors should know which subcontractors their recordkeepers work with, which of those subcontractors have access to participant data, and how to respond when a breach occurs.

When Infosys McCamish Systems LLC suffered an external system breach last year, major recordkeepers and insurance companies such as T. Rowe Price, Vanguard and Principal Life Insurance Co. were affected. More than 6 million people had their Social Security numbers, email addresses, usernames and passwords, and driver’s license and passport information exposed.

In a more recent incident, multiple clients of CBIZ Inc.’s benefits and insurance services were affected by a June breach that leaked the personal information of retired employees of CBIZ clients.

The Department of Labor issued updated cybersecurity guidance last month for ERISA-covered employee retirement benefit plans and health and welfare plans. Lisa Gomez, assistant secretary of Labor in charge of the Employee Benefits Security Administration, said in a statement that all plans covered by the Employee Retirement Income Security Act need to implement “appropriate best practices” to help protect participants and their beneficiaries from cybercrime and emerging threats.

The updated guidance included tips for plan sponsors and fiduciaries when hiring a service provider. For example, the DOL recommended that plan sponsors compare their service provider’s information security standards, practices and policies, and audit results to industry standards adopted by other financial or health institutions.

Jon Meyer, the chief technology officer at CAPTRUST, says it is important for plan sponsors to fully implement the DOL guidance.

“Ideally, if you’re vetting your recordkeeper, which is probably a large company, they are going to be able to tell you how they are vetting all of their suppliers,” Meyer says. “In turn, you’re going to be able to get a little more confident that they have made efforts to make sure that they are not entrusting key data to suppliers who are not worthy of dealing with that data.”

Asking the Right Questions

Kristine Sciangula, a retirement plan administrator for the 457(b) deferred compensation plan run by Suffolk County, New York, says her plan’s contract with its recordkeeper, T. Rowe Price, explicitly states that T. Rowe Price cannot delegate the “material duties” under the agreement to any other entity without the plan’s consent.

The Suffolk County plan also includes certain requirements for approved subcontractors, such as providing insurance certificates, SOC audit reports and information security policies.

Sciangula says three of the third-party vendors used by the plan’s recordkeeper have experienced breaches—including check mailing company R.R. Donnelley; PBI Research Services, which searches for missing participants; and Infosys McCamish. According to Sciangula, T. Rowe Price made it clear that the Suffolk County plan was not specifically impacted by these breaches, as there is no proof of participant information being obtained.

Sciangula says one issue she has come across is that some recordkeepers do not consider all providers to be “third-party subcontractors.”

“Because of the fact that [recordkeepers] don’t call all these [providers] ‘subcontractors,’ this year when we did our RFP, we changed our questions to specifically ask about vendors and other companies being used,” Sciangula says.

Instead of using the term “subcontractors,” Sciangula says the request for proposal asked broader questions, such as the names of the companies being used, the locations where services would be performed and the qualifications of each company the recordkeeper intended to involve in any way.

Some recordkeepers did not answer those questions, Sciangula found. Many responded that they used third-party providers but did not name the company or detail the services they provide.

Meyer says if a provider cannot answer certain questions or is unable to complete an assessment, it should raise a red flag.

“If I went to a supplier, say a high-volume printing supplier, and they don’t have an information security team, or they really don’t know how to answer the questions on a shared assessment, I would be a little suspect,” Meyer says. “I would be concerned that they don’t have professionals engaged, in the same way that [you would] if you brought your car to the mechanic and he didn’t have any wrenches.”

Sciangula says her plan’s RFP also asked recordkeepers if they agreed not to sell or make available any participant information without the plan’s consent, as well as if any of the recordkeepers’ subcontractors or vendors had experienced a data breach in the last five years. If they had experienced a breach, the RFP asked for an explanation and detailed outcome. Again, she says some recordkeepers did not answer the last question.

Contract Terms

Sciangula says her plan’s contract with its recordkeeper details which companies would have access to participant information, and the recordkeeper should agree it is responsible for the security of information in its systems, as well as of any information provided or managed by a contractor. She says the plan creates a new contract every five years, but sometimes during that contract period, a recordkeeper may get a new vendor.

“We’ve requested meetings before to discuss what information would be given to the [vendor] and how would that information be transmitted and secured,” Sciangula says. “We’ve brought in our IT people and their IT people to explain how the data is transmitted and how often it is purged or deleted.”

Once, Sciangula says, the plan was able to opt out of using a particular vendor because it allowed a third party to unnecessarily have access to participant data.

“Having another company to worry about having our information just wasn’t worth it,” she says.

The ability to opt out of using a service provider is unusual, but Sciangula says her plan is extremely focused on knowing which companies are involved and understanding the information to which those companies have access.

Red Flags

Meyer adds that it is imperative for plan sponsors to understand who is liable if a data breach occurs, as well as who will notify participants and deal with calls from those impacted.

Prior to contracting with a supplier, Meyer says a plan sponsor should understand the process for managing communications if a breach occurs and who is contractually responsible for costs associated with it.

Veronica Bray, a 401(k) and 403(b) service provider search consultant who owns Retirement Plan Advisor Search in High Point, North Carolina, says she has found that some advisers are not forthcoming about their cybersecurity practices.

“Sometimes [advisers] will say that they don’t have any participant data or plan data, or they don’t receive any personally identifiable information, and they’ll just kind of paint over it,” Bray says. “That’s something that would be a red flag to me—if they’re not willing to go into detail about what their cybersecurity policies and protocols are.”

She says she likes to see that advisers and recordkeepers are testing their controls to make sure employees are not clicking on suspicious emails, as well as training their employees about safe cybersecurity practices.

In addition, Bray specifically asks in an RFP if a recordkeeper works with third-party service providers for rollover services, student loan repayment services, financial wellness services or any other types of services outside the plan. She then requires the recordkeeper to provide the names of these organizations, along with their digital policies and procedures.

Meyer says that in many recent breaches, criminals have attacked a piece of software “hidden in the bowels” of IT organizations that may be unknown to most people there, yet transports significant amounts of critical data.

“I think [when] the software itself has some kind of hidden vulnerability that nobody knows about until after a lot of data has been stolen … it’s super hard to guard against,” Meyer says. Breaches are “inevitable, because everybody’s running some piece of software that they didn’t write, that they’re relying on somebody else to have fully vetted and tested. At the end of the day, it’s really hard to do that with perfection constantly.”

Nevertheless, fiduciaries still need to do their due diligence, and Meyer recommends two approaches for vetting providers. One is requesting a SOC 2 Type II report: a third-party audit that assesses a company’s internal controls and systems over a period of time against the American Institute of Certified Public Accountants’ trust services criteria (security, availability, processing integrity, confidentiality and privacy). Such reports apply to any business handling sensitive customer information. When reviewing one, check the audit period, which services and systems are in scope, and whether the provider’s own subservice organizations are included in the report or carved out of it; a carved-out subcontractor is exactly the kind of provider the plan still needs to vet separately.

An alternative to the SOC 2 Type II report is to conduct a shared assessment, which uses a roughly 1,000-item questionnaire about the supplier’s processes. Meyer says working with a specialist or an ERISA attorney is helpful when conducting vendor reviews.
