HSA Cybersecurity: A Threat That is Growing

Health savings account (HSA) holders are encouraged to save the money in their accounts for long-term health care expenses, but the less they use their accounts, the greater the risk for fraud and identity theft.

The number of health savings accounts (HSAs) grew to 25 million in 2018, with an estimated $53.8 billion in assets, according to Devenir, a provider of investment solutions for HSAs.  But since 2018, HSA card usage is down.


These consumers are not leaving the marketplace; instead, they are using their account funds for bigger expenses, the way the accounts were intended to be used, according to information presented by the cybersecurity group at the 2019 Alegeus Client Conference in early May.

Increasingly, consumers understand that they can, and should, save their money. Rather than using their HSA funds for everyday expenses, they are saving these funds for long-term needs, such as a hospitalization or health care in retirement. The 2018 Alegeus HSA Participant Profile Report indicates that HSA participants are more fluent, engaged and savvier consumers compared with those in traditional plans. High-deductible health plan (HDHP)/HSA participants are 80% more likely to be saving for long-term health care costs.

However, this means there are more funds in HSAs that are subject to theft by unauthorized users who get into these accounts.

A consequence of participants not often swiping their cards is that they may not be monitoring their accounts enough. Too often, participants assume that because money from their paycheck is going into the account each month, it is protected and secure for future use. While these contributed funds are great from the perspective of account growth, they also mean there is more money for fraudsters to take.

Consumers may think such risk applies only to typical credit cards, but it now extends to the consumer-driven healthcare (CDH) space, including HSAs and flexible spending accounts (FSAs), because of card usage and technology.

Successful credit card fraud attempts have increased 49% since 2016, according to the LexisNexis Risk Solutions 2018 True Cost of Fraud Study.

Fraud Trends

When HSAs first became widely available, providers furnished carbon swipe cards, and participants were excited to have them. Participants used their cards to pay eligible expenses from their account.

Today, with more advanced technology, the trend has moved toward purchases where no card is present at all. Participants are purchasing HSA-eligible products digitally using sites such as Amazon, Walmart and Target. According to the U.S. Department of Commerce, e-Commerce sales in 2018 increased by approximately 15% from 2017.

While e-Commerce describes electronic activity on a computer, m-Commerce describes paying bills on mobile devices, which has become riskier lately. Merchants want to follow this innovative market landscape, maintain customer retention and grow revenue. m-Commerce has doubled since 2016 for mid-size and large merchants, according to the LexisNexis study.

But cardholders and account holders who interact with e-Commerce or m-Commerce merchants face a higher risk of identity theft than their counterparts, from bot attacks, for instance.

A bot (short for robot) is a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control of an affected computer. A bot attack forces a real user out of a merchant’s space in order to steal real information for malicious purposes.

An Account Takeover (AT) is when a fraudster takes control of an HSA. Identity theft (the fraudulent use of a real individual’s identification) and breaches are worrying not only because of the risk associated with them; the latest type of breach involves a fraudster gaining access to your account and creating a new one.

When a fraudster combines real and fake identification obtained from a bot attack to create a completely new identity, it’s called a synthetic identity. Fraudsters use your “Fullz,” a slang term used by credit card hackers and data resellers meaning “full packages of individuals’ identifying information.” Fullz usually contain an individual’s name, Social Security number, birth date, account numbers and other data. Fullz are sold to identity thieves who use them in credit fraud schemes. Accounts opened this way are also referred to as New Account Fraud (NAF).

According to the 2019 Javelin Identity Fraud Study, NAF losses increased from $3 billion in 2017 to $3.4 billion in 2018.

Cardholders and account holders who interact with e-Commerce and m-Commerce merchants have a higher risk of identity theft than their counterparts. These merchants attribute nearly half of the identity theft they report to synthetic identities, according to the LexisNexis study.

While the total number of medical/health care industry breaches fell from 2017 to 2018, the number of personally identifiable information (PII) records exposed increased by more than 85%. There may be fewer hits and attempts, but fraudsters are getting better at it.

Retail HSA accounts are targeted at a higher rate than employer-based accounts, but employer-based accounts are not immune. Multiple synthetic fraud identities can make up a complete employer group, according to a Javelin report.

Industry experts say that, for the long term, improved consumer authentication will be essential in the fight against increasingly sophisticated fraud schemes. If accounts can be reliably linked with genuine, legitimate account holders, it becomes much harder for fraudsters to operate.

Considering Balance Sheet Issues for Pension Risk Transfers

A pension risk transfer (PRT) to terminate a defined benefit (DB) plan weighs heavily on a plan sponsor’s balance sheet, which may stop the decision to terminate in its tracks.

There are instances when, after looking at the hits to the company’s balance sheet, a plan sponsor finds that a pension risk transfer (PRT) to terminate a defined benefit (DB) plan is not affordable.

Tom Swain, principal at Findley, based in Brentwood, Tennessee, points out that in a DB plan termination, the common forms of distributions are lump-sum window offerings and the purchase of an annuity to transfer assets to an insurance company. The hit to a company’s balance sheet from lump-sum distributions depends on the interest rate used to calculate them and plan provisions, but an annuity purchase will be a bigger hit, he says.


The cost to pay out lump sums and to purchase an annuity is greater than the DB plan liability on a company’s balance sheet, so the economic impact to an organization is real. “Looking at the estimated funding needed to pay off liabilities to terminate a plan is often the stopping point for a plan sponsor,” Swain says. “It may be too much, and the plan sponsor will need to continue to plan for achieving the funding needed for plan termination.”

He adds that it is rare for a DB plan to be overfunded, with additional assets to pay for the annuity purchase cost, because there are excise taxes associated with overfunding, so most plan sponsors try to stay close to full funding. This means there will have to be an additional contribution at plan termination to have sufficient funding for plan liabilities. Swain says this has a cash flow impact and a balance sheet impact, and the issue should be addressed in the planning process for termination.

So, as Brian Donohue, partner at October Three Consulting, based in Chicago, explains in a blog post, purchasing an annuity to settle plan liabilities causes the first two “hits” to a plan sponsor’s financials: Hit #1: Plan liabilities may have to be written up, reducing net worth; and Hit #2: That write-up typically will have to be run through the income statement, generating a (non-recurring) expense and reducing net income.


Donohue points to another hit: Unrecognized losses may also have to be run through the income statement. He explains that in a year when the plan has poor asset returns (for example, in 2018, a typical pension plan lost 5% on investments), the plan sponsor doesn’t record the charge in the current year. Instead, the loss goes into an account called “unrecognized loss,” and a piece of it is recognized on the balance sheet over time.

In addition, the blog post says, “The long-run decline in interest rates (from 1982 to the present) has, for DB plan sponsors, generated interest rate-related losses on plan liabilities… Any remaining ‘deferred losses’ are recognized on the income statement at plan termination.”

Swain says there may also be plan amendments that generated prior service costs that were amortized over time.

For a DB plan that is overfunded, one last hit that will occur with a PRT to terminate the plan is that any “pension income” generated by the plan surplus will disappear, reducing future net income. In his blog post, Donohue provides an example of a company with a DB plan that has (as of year-end 2019) $12.5 billion in liabilities and $15.0 billion in assets. It also has $3.0 billion in unrecognized losses, which Donohue says is the typical situation for pension sponsors and is due to declines in market interest rates and underperformance of plan assets over the past two decades. The plan will take a $5.5 billion hit to its 2019 income statement, and the pension income the overfunded plan was generating will, after the 2019 plan termination, disappear from future income statements.

Swain says he’s seen some plan sponsors that are not motivated to terminate their plans because the plans generate income. “The plan is manageable. The pension income offsets PBGC premiums and administrative expenses.”

Donohue says there are companies that manage to terminate their plan even with big balance sheet hits. He compares it to the handful of DB plan sponsors that have adopted complete mark-to-market accounting. “They took a big charge when they changed to mark-to-market accounting. It’s sort of like restructuring charges; there was a time when companies would reengineer and take the losses and their financial statements going forward were cleaner.”

But some companies can’t handle big balance sheet hits. Donohue says October Three has seen, for example, that banks are more sensitive to losses.

Swain says there is no rule of thumb for an amount or percentage hit a company can afford. “In the typical process, the company prepares its best estimate of what it will take to fully distribute all liabilities for plan termination. There is a conversation with the CFO to see if the company has the cash flow or balance sheet strength [to terminate the plan via pension risk transfer]. If it’s not doable immediately or in the near-term, the plan sponsor can take steps to be in a better position, like de-risking,” he says.

Partial PRT actions

Companies can do, and have done, PRTs covering only part of their plan liability, for example, transferring $3 billion in retired participant liability, Donohue points out. He says plan liabilities may have to be written up, reducing net worth, in a partial PRT.

However, when settling only a portion of plan liabilities, it’s possible a plan sponsor won’t have to recognize anything it’s been delaying, according to Donohue. “If the amount settled is less than the service cost and interest cost, the plan sponsor won’t have to recognize anything. Many plan sponsors do a small-scale PRT so they won’t have to recognize anything they’ve been delaying,” he says.
