Nonprofit Report - February 2018

Date: February 28, 2018

Your Fiduciary Duty: Find Missing Retirement Plan Participants
By: Mary Claire Chesshire, Esq.

Originally published by ASAE

Does your association have more retirement plan participants than it does full-time staff? If so, you have a fiduciary duty to find former employees who are owed benefits—and the Department of Labor is paying increased attention to who is meeting it.

Each year, associations report information about their retirement plans to the federal government. That reporting includes information about plan assets, income, expenses, and the number of participants.  Many association leaders may be surprised by the total participant count -- and have a lot of questions.

How is it that an association that employs no more than 20 people at any given time has more than 80 participants in its retirement plan? Who and, more important, where are these people?

In this age of job mobility, employers are more frequently left with departing employees’ account balances in their retirement plan. The plan’s fiduciaries should care about this for a variety of reasons -- and the U.S. Department of Labor added a new one last fall.

In October 2017, DOL announced that it was expanding “missing participant” audits from a pilot program in a regional office to a nationwide effort. While the program appears to focus on defined-benefit plans, it could easily be applied to defined-contribution plans such as 403(b) and 401(k) plans. The audits look at the plan sponsor’s procedures for tracking down participants who are due benefit payments. Failure by plan sponsors and fiduciaries to actively look for plan participants could be construed as a breach of fiduciary duty to those individuals.

Even before DOL announced it would ramp up enforcement in this area, there were plenty of reasons why retirement plan fiduciaries should care about keeping track of plan participants. For example: 

Increased administrative fees. Administrative fees charged by retirement plan recordkeepers are frequently structured to include a “per participant” charge. The total administrative costs for operating the retirement plan correspondingly increase with the number of accounts in the plan. Furthermore, plans with 100 or more participants are required to engage an independent accountant to examine and render an opinion on the plan’s financial statements. The “100 or more participants” rule is based on the total number of participants, including former employees. Accordingly, an upward creep of the participant count adds to the costs of running a retirement plan.

Minimum distribution requirements. Administrators of retirement plans are required to begin payment to former employees who reach age 70½. Failure to pay the minimum distributions subjects the participant to a 50 percent excise tax and subjects the plan sponsor to plan qualification issues. In other words: “I couldn’t find the participant to make the payment” is not an acceptable reason for missing minimum distribution payments.

Plan termination distribution deadline. If the plan sponsor decides to terminate the retirement plan, then it must also distribute all of the plan’s assets as soon as administratively possible after the termination. This is, of course, impossible if plan participants are not located.  

Plan Audits

As DOL auditing increases, the agency is emphasizing that plan sponsors cannot simply wait for participants to come forward to claim their benefits. DOL has identified several best practices for finding missing participants:

  • Send a missing participant a certified letter advising of the availability of a benefit using the participant’s last known address in the plan sponsor’s records. Using certified mail with a return receipt provides confirmation of receipt by the participant and the accuracy of the address.
  • Ask current employees if they’re still in touch with the former coworker and whether they have up-to-date contact information. A notice stating that “we’re looking for [these missing former employees]” in an employee newsletter may yield results. 
  • Contact the participant’s designated beneficiary for updated information about the participant.
  • Call the participant, particularly if the records include a mobile phone number that they may keep longer than a landline.
  • Use a commercial locator service.  If you can provide a former employee’s date of birth, Social Security number, and last known address, the service usually can obtain remarkably reliable and current information. 

Keep records of your efforts to locate missing plan participants to defend against possible DOL claims that you did not actively search for them.

Pay Out Small Balances

Finally, keep in mind that the participant count may also be controlled by distributing small account balances without affirmative participant consent and direction. Balances of $1,000 and less may be distributed in cash, with required tax withholding, if the participant fails to provide direction to the plan sponsor as to whether he or she wants the distribution paid in a cash distribution or direct rollover.

If the account balance is between $1,000 and $5,000, the employer may establish an individual retirement account for the benefit of the participant and direct that the account balance be rolled over.  Most institutional retirement plan custodians provide the direct IRA rollover service for their clients.

GDPR Compliance Quick Guide for U.S. Nonprofit Organizations and Associations
By: Razvan Miutescu, Esq. & Dorothy Deng, Esq.

The General Data Protection Regulation (GDPR) is a privacy regulation of the European Union designed to give individuals control over their personal data. The GDPR protects the privacy of individuals regardless of their nationality when their data is collected when they are located in the European Union, Iceland, Liechtenstein or Norway (EEA). For example, the personal data of an organization’s employee, independent contractor, or volunteer located in the EEA may be protected by the GDPR even if that individual is a U.S. citizen and resident. 

The GDPR has a broad territorial scope that may apply to nonprofit organizations and associations in the United States. We have listed some common scenarios for U.S. associations: 

  • Does your organization have members in the EEA?
  • Does your organization host events, conferences, educational or training programs, seminars, meetings, or administer exams in the EEA?
  • Does your organization host the list of events above in the United States that are attended by individuals from the EEA?
  • Does your organization certify individuals in the EEA?
  • Does your association have employees, independent contractors, volunteers, or vendors in the EEA?
  • Does your association have a website with a version in a language spoken in EEA countries (in addition to English)?
  • Does your association have an affiliate or subsidiary or other physical presence in the EEA? 

If the answer is yes to any of these questions, your association may be subject to the requirements of the GDPR.

As the GDPR takes effect on May 25, 2018, it is advisable to start preparing for compliance if the GDPR applies to your organization. Given the extensive nature of GDPR requirements, information and sources suggest that the majority of U.S.-based nonprofit organizations and associations are not in compliance with GDPR, and likely will not be in full compliance in the next few months.  With that, one key advice is NOT to make any representation to the public, in your contracts, or in any privacy policies, that your organization is in compliance with the GDPR at this time, or even suggest or imply GDPR compliance in its communications to potential data subjects. If any reference to the GDPR is made on your organization’s website or in communications to data subjects, that reference must accurately reflect your organization’s GDPR then-current status of practices and compliance efforts. 

As a first step towards GDPR compliance, it may be advisable to take the following actions: 

First, determine whether your organization’s activities bring it within the scope of the GDPR; if yes, the next action is to identify your organization’s staff members who have most knowledge about what personal data is received from individuals in the EEA (HR, membership, recruitment, etc.) and determine how much personal data is being collected, and how it is being used.  

Second, prepare an action plan to identify what internal and external policies need to be adopted, and to identify which agreements (with staff, members, vendors, etc.) need to be amended, for compliance with the GDPR. Depending on the amount of personal data collected and the extent of how it is used, this step may require assistance from legal counsel.  

Finally, identify technological safeguards that may need to be adopted, such as abandoning use of personal emails and personal laptops for work purposes. GDPR compliance will be an ongoing process for years to come and beginning with these steps is a good start, as it could demonstrate good faith efforts toward compliance.

As is the case with privacy laws in the United States, becoming compliant with the GDPR does not eliminate an organization’s liability in the event of data breach.  As such, it is strongly advisable to obtain cybersecurity insurance coverage to mitigate risk exposures.  Our firm’s cybersecurity practice group will be working on identifying reliable privacy practitioners and consultants, including cybersecurity insurance brokers, to assist firm clients with a more comprehensive GDPR compliance plan.