ERISA Lawsuit Brought Against Mutual of America

The plaintiffs have alleged Mutual of America plan fiduciaries using a closed-architecture recordkeeping platform caused plan participants to pay excessive fees for recordkeeping and administrative services.  

Retirement plan participants have brought a class action lawsuit against Mutual of America Life Insurance Company for alleged breach of fiduciary duty under the Employee Retirement Income Security Act.

Plaintiffs have alleged that Mutual of America 401(k) plan fiduciaries breached their fiduciary duties of loyalty and prudence to participants by selecting a proprietary, closed-architecture recordkeeping platform and by failing to monitor or control the plan’s administrative expenses, the complaint states.


Through the class period “Mutual of America used its own proprietary closed-architecture recordkeeping platform, causing participants to pay annual administrative fees roughly [10] times higher than what participants would have paid for administrative services had Mutual of America diligently investigated the marketplace and hired a third-party recordkeeper to provide either the same set of services or services of superior quality,” according to the court document.  

The plaintiffs brought one count, for breach of fiduciary duties of loyalty and prudence, against Mutual of America.

“Among other things, Mutual of America caused the plan to pay excessive administrative fees and failed to properly monitor and control administrative expenses, retaining a proprietary recordkeeping platform because doing so was in Mutual of America’s financial interest,” the complaint states.

Additionally, plaintiffs have alleged that Mutual of America failed to use a prudent and loyal process for selecting, monitoring and removing from the investment lineup expensive, proprietary Mutual of America funds that underperformed their benchmarks “and gave an improper and unjustified preference to these funds over superior, less expensive alternative available options.”

Plaintiffs claimed that plan fiduciary mismanagement—failure to act in the best interests of participants, as required by ERISA—was “imprudent and disloyal conduct” and harmed participants by costing millions of dollars over the class period.

“Mutual of America has not acted in participants’ best interest,” the complaint states. “To the contrary, Mutual of America used the plan to promote Mutual of America’s proprietary services and investments and earn profits for Mutual of America.”

The complaint explains that, while plan fiduciaries’ decision to use a proprietary recordkeeping platform is not “per se imprudent,” Mutual of America’s selection “severely limited the plan’s investment menu and caused plan participants to pay excessive administrative expenses, for proprietary investment funds in the plan.”

In 2016, plaintiffs claim, the plan charged participants $350 per person in average annual administrative and recordkeeping fees. And in 2020, plan participants paid an average of approximately $500 per person, the complaint states.  

“Based on plaintiffs’ investigation, a prudent and loyal fiduciary of a similarly sized plan could have obtained comparable administrative services for approximately $50-80 per participant—or less—at that time,” plaintiffs’ attorneys argued in the complaint. “It was not prudent or in the best interest of participants to allow the plan to be charged up to [10] times more than this amount.”

It is alleged that, at the end of 2020, the Mutual of America plan included 29 proprietary investments—one proprietary fixed-interest account and 28 proprietary mutual funds—in a menu that consisted of 50 total investments.

“As of the end of 2016, the plan’s investment menu consisted of 40 investments, 26 of which were proprietary Mutual of America funds—including a suite of proprietary target-date funds and index funds,” the complaint states. “From 2016 until 2020, Mutual of America did not remove a single one of these 26 proprietary investments from the plan’s menu. In fact, it added [three] additional proprietary investments, as well as some non-proprietary investments.”

The Mutual of America 401(k) plan’s investments are held in a group annuity contract administered by the company, according to the complaint. Nearly all the investments are mutual funds held within a group annuity subaccount vehicle, a separate account, except for Mutual of America’s proprietary fixed-interest account, documents show.

From 2016 through the end of 2020—the last year for which data is publicly available—the plan had between 1,800 and 2,000 participants and approximately $274 million to $436 million in assets, according to court documents.

Mutual of America is an insurance company headquartered and incorporated in New York. Mutual of America also provides retirement plan services to the small retirement plan market. 

The complaint is before the U.S. District Court for the Southern District of New York. Minneapolis-based firm Nichols Kaster is counsel for the plaintiffs.

Plaintiffs asked the court to certify the class period as any time on or after September 14, 2016.

In response, Mutual of America told PLANSPONSOR, “Mutual of America Financial Group has a long history and extensive experience in providing a competitive array of retirement savings plan products and services to its clients. As a retirement company, we take pride in helping our own employees save for retirement and prepare for a financially secure future. The company believes these claims lack merit and will defend against these allegations.”

How Plan Sponsors Can Combat Cybercrime

A panel hosted by the National Institute on Retirement Security explained that all pension plans are at increased risk, especially plans for public employees, and discussed ways that plan sponsors can mitigate their risk.

Pension plans for public employees are at a much higher risk for cybersecurity breaches than private plans, although private plans face plenty of risk themselves, according to an expert panel hosted by the National Institute on Retirement Security yesterday.

The panel featured Peter Dewar, president of Linea Secure; John Rosenburg, an information security officer at the New York State Teachers’ Retirement System; Michael Kreps, an attorney and co-chair at Groom Law’s Retirement Services & Fiduciary Group; and Jefferey Saiger, the chief technology officer at Illinois State Universities Retirement System.


The panel agreed that public pensions are more susceptible to attack and breach by cyber fraudsters. Kreps argued that public employees’ plans have a “unique vulnerability” because so much of their personal data is publicly available through internet searches by virtue of their government employment. This data can then be used to narrow down the remaining information required to take over their retirement account by stealing their identity.

Saiger added that even public records requests, or FOIA requests, are a risk to the security of public systems since they can be used to acquire needed payroll information about public employees and have been used successfully by fraudsters in the past. “We are a ripe target unfortunately,” Saiger said.

The panelists also agreed that though public plans have unique risks, this is a general—and rising—challenge in the industry.

Saiger says the “bad guys are doing their research,” and even if you are paper-based they will submit the paperwork and change of address requests. “They are very well informed, they are viewing this as a business opportunity.” They put in the work and don’t take shortcuts, because the opportunities can be so lucrative.

Rosenburg warned that account takeover attempts are becoming more frequent, and that knowledge-based verification, such as asking a client to state their address or phone number, is not as solid as it once was, since fraudsters have access to personal information. He explained that retirement cybersecurity professionals need secondary controls, such as requiring a personal PIN or account number that would not be publicly available.

Kreps explained that his clients are spending a lot of resources on cybersecurity insurance, and that for some the costs of premiums are so high that they have abandoned insurance altogether.

He also cautioned that insurance coverage is very limited, so plan sponsors need to be careful and closely read their plan to understand what is covered and what is not. For example, some insurance policies may only cover you if you require participants to change their passwords every 30 days, and can deny claims on the basis that a plan did not require it. Kreps recommends that providers have access to legal counsel who can explain their insurance plan to them if they are unsure if it is a good value or not.

The panelists offered some recommendations for added cybersecurity.

Rosenburg emphasized that coordination between departments such as IT, risk, legal and cybersecurity is essential to prevent information from being siloed off between them. Regular interdepartmental meetings should be encouraged. He also recommended annual security assessments, and hiring an external service to bring “another set of eyes” to your assessments.

When it comes to training staff at call centers, Rosenburg says that fraudsters will often try to manipulate staff into offering pieces of information that the fraudster lacks, such as by suggesting an answer or appearing sympathetic or forgetful in order to solicit missing pieces of identifying information. It is essential that employees working in customer service be trained to recognize these manipulation tactics, but also be sympathetic to the fact that some clients may be losing their memory or other mental faculties as they age.

On the subject of legal liability, Dewar explained that the Department of Labor requires employers to take certain steps to remain compliant with the Employee Retirement Income Security Act. Kreps, the only attorney on the panel, confirmed this and said that although “Congress has not figured out how to tackle the issue,” DOL audits ask cybersecurity questions and ask what protections plan sponsors have in place and what they require of their service providers.
