Some View EBSA Income Projections as Too ‘Prescriptive’

Recordkeepers and asset managers want more flexibility in terms of how their clients generate newly mandated lifetime income projections on retirement plan statements.

One of the most popular provisions included in the Setting Every Community Up for Retirement Enhancement (SECURE) Act was the directive given to the Department of Labor (DOL) to mandate that retirement plan sponsors send regular “lifetime income disclosures” to their participants.

The text of the law itself, as is often the case with complex regulatory issues, speaks only in general terms about the provision of such disclosures. Strictly speaking, the SECURE Act amends the pension benefit statement rules under the Employee Retirement Income Security Act (ERISA) to require that individual account plans add a “lifetime income disclosure” to at least one benefit statement furnished to participants during a 12-month period. 

For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.

Beyond this, the law requires that this lifetime income disclosure becomes applicable to pension benefit statements furnished “more than 12 months following the later of the DOL’s issuance of (i) interim final rules, (ii) a model lifetime income disclosure or (iii) assumptions used to convert total accrued benefits to lifetime income streams.” Other requirements are also spelled out in the law, but broad discretion is given to the DOL to fill in the working details.

As such, the DOL, through the Employee Benefits Security Administration (EBSA), is now quickly moving forward on this challenging project. In August, the EBSA released its interim final rule, complete with a model lifetime income illustration using prescribed assumptions “designed to give savers a realistic illustration of how much monthly retirement income they could expect to purchase with their account balance.”

In a word, the EBSA’s proposed approach has proven to be controversial. Though the vast majority of comments so far shared with PLANSPONSOR support the EBSA’s goal, there is growing consensus among industry practitioners that the prescribed approach is too simplistic. Comments on the proposed framework are due to the EBSA by 11:59 p.m. EST on November 17.

“The current interim final rule, with its simplistic and prescriptive nature, will deliver well-intentioned but essentially inaccurate information to participants,” says Tim Kohn, head of the retirement distribution group at Dimensional Fund Advisors. “The recordkeeping and asset management industry is in agreement that there is a better lifetime income framing methodology out there. We can look at how Social Security information is presented, in a table format, to see a better approach.”

The EBSA’s current proposal, rather than permitting a range of projections or detailing a methodology by which recordkeepers can create their own assumptions, strictly mandates that a satisfactory lifetime income calculation must assume that a participant is age 67 on the assumed annuity commencement date. Alternatively, the projection must use the participant’s actual age, if older than 67.

The EBSA framework states that plan administrators must use the 10-year constant maturity Treasury rate (10-year CMT) as of the first business day of the last month of the statement period to calculate the monthly payments. The 10-year CMT approximates the rate used by the insurance industry to price immediate annuities. Administrators must use the gender-neutral mortality table in Section 417(e)(3)(B) of the Internal Revenue Code (IRC)—the mortality table generally used to determine lump-sum cash-outs from defined benefit (DB) plans.
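To make the mechanics of the prescribed conversion concrete, here is an added example (not EBSA's model illustration and not Dimensional's code) that turns a balance into a single-life monthly income using the three inputs the rule names: a commencement age of 67 (or the actual age if older), an annual interest rate, and a unisex mortality table. The mortality table and the 1.5% rate are constructed placeholders, not the IRC Section 417(e)(3)(B) table or an actual 10-year CMT reading, and the standard present-value formula for a life annuity paid monthly is assumed; the IFR's exact computation convention is not reproduced here.

```python
"""Illustrative lifetime-income conversion (added example, not EBSA's or a vendor's code).

Inputs mirror the IFR's three assumptions: commencement age (67, or actual age if
older), an annual interest rate, and a unisex mortality table. The table below is
CONSTRUCTED for illustration only; the real rule uses the IRC 417(e)(3)(B) table.
"""
from typing import Dict

ASSUMED_START_AGE = 67  # IFR: assume age 67, or the participant's actual age if older


def constructed_mortality(start: int = 55, max_age: int = 120) -> Dict[int, float]:
    """Placeholder annual death probabilities q_x rising ~9%/year (constructed, not real)."""
    table = {age: min(1.0, 0.012 * 1.09 ** (age - 67)) for age in range(start, max_age)}
    table[max_age] = 1.0  # nobody is assumed to survive past the end of the table
    return table


def annuity_factor(age: int, annual_rate: float, q_table: Dict[int, float],
                   max_age: int = 120) -> float:
    """Present value of $1 per month, paid in arrears for life from `age`.

    Assumptions (ours, not the IFR's stated convention): the annual rate is
    compounded monthly, and annual survival (1 - q_x) is spread evenly over the year.
    """
    v = 1.0 / (1.0 + annual_rate / 12.0)  # monthly discount factor
    factor, survival, discount = 0.0, 1.0, 1.0
    for month in range(1, (max_age - age) * 12 + 1):
        attained_age = age + (month - 1) // 12
        survival *= (1.0 - q_table.get(attained_age, 1.0)) ** (1.0 / 12.0)
        discount *= v
        factor += discount * survival
        if survival == 0.0:
            break
    return factor


def monthly_income(balance: float, actual_age: int, annual_rate: float,
                   q_table: Dict[int, float]) -> float:
    """Monthly single-life income the balance would buy, applying the age-67 floor."""
    start_age = max(actual_age, ASSUMED_START_AGE)
    return balance / annuity_factor(start_age, annual_rate, q_table)


def real_value(nominal: float, years: int, inflation: float) -> float:
    """Purchasing power of a fixed nominal payment after `years` of inflation."""
    return nominal / (1.0 + inflation) ** years


if __name__ == "__main__":
    table = constructed_mortality()
    rate = 0.015  # constructed stand-in for a 10-year CMT reading
    for age in (55, 67, 75):
        income = monthly_income(100_000.0, age, rate, table)
        print(f"age {age}: ${income:,.2f}/month; worth ${real_value(income, 20, 0.02):,.2f} "
              f"in today's dollars after 20 years of 2% inflation")
```

The `real_value` helper is the inflation caveat Kohn and Rizova raise: a fixed nominal annuity loses purchasing power every year, and an illustration that omits that is incomplete.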

“We have been engaged in this issue since before the DOL even started this rulemaking process,” Kohn says, noting that Dimensional is active on this issue because of its work creating target-date funds (TDFs) with “income as the outcome,” as he puts it. “The SECURE Act has really accelerated the income discussion, and that is a great thing, but we have to get this safe harbor framework right. In building our funds, we have a lot of experience doing these projections and working to give people an accurate picture of what their future will look like if they continue to save and invest.”

Kohn says the retirement industry has already built sophisticated and capable income projection frameworks that the DOL and EBSA should rely on in crafting any safe harbors in this area.

“Providers already use digital tools to help model what it will look like if, say, a given individual chooses to save more than their peers or if they choose to work longer before annuitizing—or do any of the other things that people actually do when planning their future,” Kohn says.

Savina Rizova, head of research at Dimensional, also says a table framework would be superior, and that such tables will still be digestible for non-experts.

“We really should be able to use some variations in terms of the assumptions about when the annuity purchase is happening, and there should also be more flexibility about the assumptions made about the method of annuitization,” Rizova says. “Of course, the goal of creating more uniform projections makes sense, but that doesn’t mean they have to be so simplistic. Even just taking an approach that considers different ages, with all the same assumptions being made about the annuity purchase and purchaser, would make for a better approach.”

Rizova and Kohn also say it’s important to pair lifetime income projections with information about inflation and the erosion of purchasing power that can happen with annuitized income. In fact, the EBSA’s framework requires at least a bare statement about the impact of inflation, but Kohn and Rizova say this information should be prioritized.

“Even if you are age 67 and the model income projection fits your circumstances perfectly, it is misleading simply to give people that nominal annuity income statement without factoring in inflation,” Rizova suggests.

Jim Szostek, vice president and deputy for retirement security at the American Council of Life Insurers (ACLI), has more positive feedback about the approach being taken by the EBSA.

“We understand there are many folks who did not like this idea,” Szostek says. “But, it makes perfect sense for workers to understand the value of their savings as lifetime income. It is good public policy. Congress and the Labor Department seek a uniform illustration so that, as workers change jobs, they receive similar information.”

Szostek emphasizes that plans can still offer additional educational tools to augment the illustration.

“The Department included several of the recommendations from the ACLI’s comment letter,” he adds. “Consistent with ACLI’s recommendation, the IFR allows a plan administrator to include additional lifetime income stream illustrations on the benefit statement as long as such additional illustrations are clearly explained, presented in a manner that is designed to avoid confusing or misleading participants, and based on reasonable assumptions.”

PSNC 2020: Retirement Plan Cybersecurity

In light of a lack of guidance from the DOL on how sponsors should protect their plans from cyberattacks, speakers laid out best practices.

At the last session of the 2020 PLANSPONSOR National Conference, speakers noted that the Department of Labor (DOL) has not issued guidance on how retirement plan sponsors, acting as Employee Retirement Income Security Act (ERISA) fiduciaries, can best protect their plans from cyberattacks.

“Being logical and practical might now serve us best,” Brett Shofner, president of Work Plan Retire, said during the virtual discussion. “For ERISA plans, it is all about protecting participants—not only their money but their data. There are hackers out there, just like out of the TV show, ‘24,’ trying to steal money. Think about internal controls over payroll, HR [human resources] and benefits [workers]. A lot of people have access to sensitive plan data, and all are potential bad actors.”


Bart McDonough, CEO and founder, Agio, said, “When we think about the fundamentals of cybersecurity, we think about the ‘CIA’ framework: confidentiality, integrity and availability of data. When it comes to confidentiality, we ask, ‘Do people who should not have my data have access to it?’ Disruption of the integrity of data is when it is manipulated, and an example of the disruption of data is a ransomware attack, whereby access to your computer is frozen. All three of these are affecting the financial services space.”

Unfortunately, McDonough said, “regulations are not clear in ERISA” about plan sponsors’ responsibilities when it comes to cybersecurity. “The DOL has talked about securing data, but there isn’t a rock solid requirement,” he said. However, “depending on the state you are in, there are lots of different regulations that apply.”

When it comes to data privacy guidance, for instance, there are 48 different requirements in the 50 states, McDonough said.

Absent this guidance, McDonough said, “You need to have a very good idea about how you are handling sensitive data, and how you will respond in the event of a cyberattack. You need to have an answer to those two questions.”

Shofner concurred: “You would think there would be some formal policy, but there is not, and that puts plan sponsors in a difficult position. Knowing that there isn’t a formal position, and the DOL hasn’t been specific on how plan sponsors can protect themselves, they should be conservative.”

Shofner noted that a recent paper by ERISA attorney Marcia Wagner, founder of The Wagner Law Group, said plan sponsors should “take a conservative angle and assume that all of this data falls under the ERISA duty of loyalty and prudence. Should there be a bad actor in payroll, administration, the third-party administrator [TPA], recordkeeper or other service providers, sponsors need a policy on how to respond and evidence of that policy.” A good place for sponsors to start is to simply ask their service providers about their cybersecurity defenses and to document these policies in writing, Shofner said.

Complicating matters is the fact that many recordkeepers have overseas offices or call centers, he continued. “The important thing is for plan sponsors to ask these questions,” Shofner said. “This is where the plan sponsor has to be specific and drill down on things, like making the recordkeeper answer if they are using other third parties in outside countries, and do they forbid the sale or distribution of that data? Ask them about the standards that they have. Study the service agreement and understand what they are promising to do and hold them to it.

“We are realizing that a lot of plan sponsors are not asking these questions,” Shofner stressed. “In a court of law, one could argue that this is not a prudent position to be in. Asking about their insurance agreements, their standards and their handling of data is critical.”

McDonough said the “CIA” perspective can guide sponsors’ questioning of their service providers. “The first question I would ask of the company is, ‘Who performs a tabletop exercise, and how often do they do that?’”

McDonough went on to explain that a “tabletop exercise” is a “virtual war game where you role-play scenarios.” He also suggested plan sponsors should ask their vendors who owns the data. And while there currently is no federal cybersecurity regulation specific to retirement plans in the United States, he said he believes the nation will eventually adopt something along the lines of the General Data Protection Regulation (GDPR) that exists in Europe.

Shofner suggested that sponsors familiarize themselves with that regulation. “Lawsuits that are coming down on this are fact-specific,” he said. “If you look at these other standards out there that are reasonable, that is a smart move should something go wrong. It shows you are trying to do the right thing, and that can help mitigate damages.”

McDonough said that using GDPR as guidance, sponsors should be asking important questions of their Tier 1 vendors—those that handle personally identifiable information (PII) on their participants—every six months, and their Tier 2 vendors, annually.

He also said it is important to train employees to avoid being hacked because “there are two types of companies: those that have been hacked, and those that just don’t know about it.”

Currently, he said, companies are spending 90% of their time and money allocated for cybersecurity on defending against hackers, and 10% on responding to them. “We think that should be 60/40—or even more on the response,” Shofner said.

“There are very simple things that companies can do to keep people out,” he said. “Don’t allow workers to reuse passwords.” He noted that he had heard of a high-net-worth individual whose daughter played on a lacrosse team. A hacker found that out and used some of the wording from the team’s website to steal millions of dollars from that person’s accounts, he said. So, another good place to start is to warn people against using familiar places or things for their passwords, Shofner said.
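Both failure modes in that passage, a reused password and a password built from words an attacker can harvest from a public web page, can be caught at password-change time. The following is an added example, not code from the conference speakers or their firms: it keeps a salted PBKDF2 history to detect reuse without storing old passwords in the clear, and it rejects candidates containing terms scraped from a constructed stand-in for the team page, after undoing common character substitutions such as "Lacr0sse". All names and sample data are hypothetical.

```python
"""Password-hygiene checks: reuse detection plus a personal-context denylist.

Added example with constructed data; hypothetical helper names, not any vendor's code.
"""
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Set, Tuple

# Undo common "leetspeak" substitutions ("Lacr0sse", "R@iders") before matching.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s"})

# CONSTRUCTED stand-in for the team web page an attacker might scrape.
TEAM_PAGE = (
    "Riverside Raiders Girls Lacrosse - Varsity Roster and Schedule. "
    "Head Coach: Pat Smith. Home field: Riverside Park. Go Raiders!"
)


def normalize(text: str) -> str:
    """Lowercase, reverse simple substitutions, and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def context_terms(page_text: str, min_len: int = 4) -> Set[str]:
    """Words of at least `min_len` letters found on a public page about the user."""
    return {normalize(w) for w in re.findall(r"[A-Za-z]{%d,}" % min_len, page_text)}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_reused(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password: str, history: Iterable[Tuple[bytes, bytes]],
                   terms: Set[str], min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_reused(password, history):
        problems.append("reused from password history")
    hits = sorted(t for t in terms if t in normalize(password))
    if hits:
        problems.append("contains personal-context term(s): " + ", ".join(hits))
    return problems


HISTORY = [hash_password("Winter2019!!")]  # constructed prior password
TERMS = context_terms(TEAM_PAGE)

if __name__ == "__main__":
    for candidate in ("GoRaiders2020!", "Winter2019!!", "correct horse battery staple 42"):
        print(f"{candidate!r} -> {check_password(candidate, HISTORY, TERMS) or 'ok'}")
```

The denylist check is deliberately substring-based after normalization, so "R@iders2020" and "go-raiders" are both caught; in practice the term list would be fed from whatever public profile information the organization is willing to consider in scope.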

He also said that in light of automatic enrollment, many participants check their accounts infrequently, if at all. Failing to do so on a periodic basis could leave them open to an attack, so it is a good practice for sponsors to remind their participants to check in on their plans.

Also, help participants set up their logins and require at least two-factor authentication, Shofner said. “To keep your data secure and your money safe, you do have to be somewhat engaged,” he said. “If you don’t log in all year or wait three years, your money might not even be there.”

Sponsors could ask their advisers to check to see if their participants are monitoring their accounts, Shofner suggested.

Finally, McDonough said it is critical for companies to train new employees on their cybersecurity policies as soon as they are hired, citing one case in which a hacker, using information from LinkedIn, posed as the chief executive officer to a new payroll coordinator hire at a Fortune 1000 company, asking her to send W-2s for all the employees. Companies also should restrict access to sensitive data to only a few people, McDonough said.
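The W-2 request McDonough describes has a recognizable shape: an executive's display name on an external mailbox, a Reply-To that diverts the conversation, a request for payroll data, urgency, and a recipient too new to know better. The following is an added example, not the speakers' code, of a triage rule that scores a message on those signals. The messages, the executive directory and the tenure data are constructed, and the domains are the reserved example.com/.net/.org; a real deployment would read the directory from HR and the messages from the mail gateway.

```python
"""Executive-impersonation triage rule (added example with constructed messages)."""
import re
from email.utils import parseaddr
from typing import Dict, List

CORP_DOMAIN = "example.com"                         # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed HR directory
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|gift cards?|payroll|direct deposit)\b", re.I)
URGENT = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)


def _norm_name(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def score_message(msg: Dict) -> List[str]:
    """Return the list of suspicious signals found in one message."""
    reasons: List[str] = []
    name, addr = parseaddr(msg["from"])
    addr = addr.lower()
    expected = EXECUTIVES.get(_norm_name(name))
    if expected and addr != expected:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    if addr.rsplit("@", 1)[-1] != CORP_DOMAIN:
        reasons.append("sender outside corporate domain")
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower() != addr:
        reasons.append(f"Reply-To ({reply}) differs from From")
    text = f"{msg['subject']} {msg['body']}"
    if SENSITIVE.search(text):
        reasons.append("requests sensitive payroll/financial data")
    if URGENT.search(text):
        reasons.append("urgency language")
    if msg.get("recipient_tenure_days", 10**6) < 30:
        reasons.append("recipient is a new hire")
    return reasons


def verdict(reasons: List[str]) -> str:
    """'hold' for impersonation plus a data request; 'review' when signals pile up."""
    impersonation = any(r.startswith("display name") for r in reasons)
    sensitive = any(r.startswith("requests sensitive") for r in reasons)
    if impersonation and sensitive:
        return "hold"
    if len(reasons) >= 3:
        return "review"
    return "ok"


def triage(messages: List[Dict]) -> Dict[int, str]:
    return {m["id"]: verdict(score_message(m)) for m in messages}


# CONSTRUCTED sample messages.
MESSAGES = [
    {"id": 1, "from": "Jane Doe <jane.doe@example.net>", "reply_to": "jane.doe.ceo@example.net",
     "subject": "Urgent: W-2s needed",
     "body": "Hi, I need the W-2s for all employees sent to me today. Can you handle this right away?",
     "recipient_tenure_days": 5},
    {"id": 2, "from": "Jane Doe <jane.doe@example.com>", "subject": "Team lunch Friday",
     "body": "Lunch on Friday at noon, hope you can join.", "recipient_tenure_days": 5},
    {"id": 3, "from": "Vendor Billing <billing@example.org>", "subject": "Invoice 1043",
     "body": "Please find the attached invoice.", "recipient_tenure_days": 400},
    {"id": 4, "from": "Accounts <ar@example.org>", "reply_to": "ar-desk@example.org",
     "subject": "Invoice overdue", "body": "Please arrange a wire transfer today.",
     "recipient_tenure_days": 400},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["id"], verdict(score_message(m)), score_message(m))
```

Message 2 shows why tenure alone must not trigger anything: a genuine note from the executive's real mailbox to the same new hire stays "ok". The rule is intentionally a pre-filter for a human reviewer; the process control McDonough recommends, training on day one and restricting who can export payroll data at all, is what stops the request from being fulfilled when a message slips through.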

It is also important to have antivirus software, to do computer backups regularly, to update participants’ machines, to have cybersecurity insurance and to require those working from home during the coronavirus pandemic to have a virtual private network (VPN), McDonough said. “This will dramatically improve your cybersecurity defenses,” he said.

The bottom line, he concluded, is that cyberattacks are going to happen. “You have to know how to prevent them, what your response will be and where your liabilities are,” McDonough said. Using all these best practices and protocols, Shofner added, “screams that you are trying to protect your retirement plan and make a tremendous difference.”
