Acting Secretary of Labor Su Clarifies Aim of New Fiduciary Proposal

The proposal seeks to broaden the definition of fiduciary adviser under ERISA, though the precise wording is not yet available.

The Department of Labor continues to focus on its still-unpublished fiduciary rule draft clarifying when advisers providing investment advice for a fee for benefit plans and individual retirement accounts are ERISA fiduciaries, according to information the department provided to a U.S. House of Representatives committee.

The House Committee on Education and the Workforce published written answers on October 11 from DOL Acting Secretary Julie Su to questions from a June hearing hosted by the committee. The written answers included a defense of the unpublished fiduciary rule draft proposal currently being considered by the Office of Management and Budget.

Su wrote that the purpose of the proposal is to amend “the regulatory definition of the term fiduciary set forth at 29 CFR 2510.3-21(c) to more appropriately define when persons who render investment advice for a fee to employee benefit plans and IRAs are fiduciaries within the meaning of section 3(21) of ERISA.”

The DOL had previously stated that the proposal will change its regulation of “the ways advisers are compensated that can subject advisers to harmful conflicts of interest.” The written answers reword this same concern: “Our concern consistently has been and continues to be with financial arrangements that can present conflicts of interest” for advisers in the retirement space.

This purpose—to broaden the scope of 3(21) fiduciary status for plan advisers to potentially include IRA rollovers and related transactions—is attracting some controversy, despite the fact that no full draft of the proposal is available.

Jason Berkowitz, the chief legal and regulatory affairs officer at the Insured Retirement Institute, says there is an extensive history of litigation establishing that advice concerning IRA rollovers is “beyond [the DOL’s] jurisdiction.” He was referring to a 2016 5th Circuit Court of Appeals decision that ruled IRA rollovers are one-time advice, not a “special relationship of trust and confidence,” and therefore do not trigger fiduciary status under ERISA.

Despite this, the DOL is “not ready to give up that fight,” and “they are not ready to just say, ‘We can’t regulate rollovers,’” says Berkowitz.

For Berkowitz, there is “not a need for further rulemaking with all the changes that have been made,” because of Regulation Best Interest, finalized by the Securities and Exchange Commission after the 2016 decision, which requires advisers to give advice in the best interest of their clients and to disclose conflicts.

IRA rollovers can be complicated transactions, which can expose participants to changes in fee structures. The implications of more sophisticated rollovers, such as from a traditional 401(k) to a Roth IRA, may not be apparent to an unsophisticated investor with no adviser. However, Reg BI applies to rollovers because they involve the divesting of plan assets and re-investing them into an IRA, Berkowitz explains, which is already regulated by the SEC.

The OMB typically takes between 60 and 90 days to review a proposal, but it can also extend the process. The proposal was first sent to the OMB on September 8, so industry actors hope a published proposal will be released for comment between November 7 and December 7.

Berkowitz adds that the OMB has begun holding meetings with stakeholders to discuss the proposal, though a draft is not being made available to stakeholders. He says he intends to tell the OMB that the proposal as he understands it is “not a proposal that should be allowed to come out for public comment.”

How to Stay Safe From Evolving Cybersecurity Threats

Experts discussed the SEC’s new cybersecurity rules and the importance of having an action plan at PLANSPONSOR’s Cybersecurity livestream.

To minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission’s new cybersecurity rules, should adopt prevention measures against threats and should be prepared to respond if an attack happens, experts said at the “Best Practices for Cybersecurity Protection” session of PLANSPONSOR’s Cybersecurity livestream on October 12.

Percy Lee, an associate at Ivins, Phillips & Barker, Chartered, discussed the SEC’s new cybersecurity rules, which apply to public companies, registered investment advisers, investment companies and broker/dealers.

“These rules have generated a lot of conversation since they were introduced last year, some backlash, so the rules have been delayed for now [for certain organizations],” said Lee.

There are two sets of new SEC cybersecurity rules. The first set of rules governs publicly traded companies and was finalized on July 26, despite industry pushback. This rule takes effect this year: initial disclosure requirements become effective December 18, with later dates for smaller reporting companies.

The second set of rules governs registered investment companies and investment advisers and would require them to adopt cybersecurity policies and report digital incidents. This rule was proposed in 2022 and remains on the SEC’s rulemaking agenda, but the specific timeline for finalization remains unknown.

“According to the rules, which were brought forward by the SEC in July, registered investment advisers, investment companies and broker/dealers would have to adopt written cybersecurity procedures and report cybersecurity incidents,” Lee said.

Although these investment advisory rules do not apply to retirement plan fiduciaries in general, he recommended that producers ask their investment managers about their compliance.

“As far as the SEC rules go, it’s important to understand … that’s for public companies now, but obviously I think that’s going to make its way to even private firms that aren’t traded,” said Nick Brezinski, director of information security and network at CAPTRUST.

Brezinski urged firms to adopt good cybersecurity practice now to get to a “good spot” before the SEC settles on its requirements, and Roger Grimes, a data-driven defense “evangelist” at KnowBe4 Inc., agreed.

“I think it’s always good for any organization to think about what the rules are that apply to you and how you would respond if you got hit by some cybersecurity incident,” Grimes said. “Just a ton of people have been hit by ransomware over the last couple of years.”

Grimes proposed that firms have a plan in place in case a cybersecurity incident occurs. He recommended to the virtual audience that they know who to reach out to, whether it be a communications team or a group of consultants.

“You don’t want to be making those sorts of decisions in the midst of the crisis,” he said. “It’s nice to have a thoughtful plan ahead of time. If the worst happens, you can approach it in the best way.”

Grimes said institutional investors, plan sponsors and advisers should:

  • Be cautious of social engineering such as fake emails and websites;
  • Patch unpatched software;
  • Regularly update software, firmware and routers; and
  • Use multifactor authentication and different passwords for every site as preventative measures.

“Those four things,” he said. “If you can do them, it will probably mean that you’re very unlikely to get compromised.”