Everything posted by JonC

  1. Hi Peter. In our experience, the guarantee is set by the provider and doesn't vary for mega or small plans. It's either wide or narrow, and plan size/desire to retain the client doesn't play much of a role. Perhaps a truly mega plan could negotiate laxer guarantee standards, but I haven't seen that happen--and our largest plan clients are measured in the billions. Details about lockout protocols are not publicized, to protect against "bad actors" gaming the protocols, but my experience is that the lockout typically lasts approximately ten business days, which allows the RK the opportunity to confirm the change (address change or other) with the participant. We recently had an experience with a client that was looking to complete a plan termination, and one of the few remaining (former) participants had moved, so had processed a change of address, which locked them out from a distribution. The participant was able to confirm her identity with the call center, have the lockout lifted, and receive her distribution. So there's flexibility in the lockout; the approach should perhaps be described as "enhanced security procedures" rather than truly as a lockout. Hope that helps with your questions!
  2. Our firm posed questions regarding cybersecurity compliance practices to many of our recordkeeper partners, and cohosted webinars with the recordkeepers to communicate each organization's approach. We compiled responses from twenty-five recordkeepers, and hosted twelve webinars. Big picture, I'd suggest that while there are similarities in approach, there are some material differences between different providers, and generally, the larger the provider, the deeper the cybersecurity compliance approach. Here are some areas of difference that I noted:
     • Customer guarantee. Most offer reimbursement if security is breached; distinctions arise regarding conditions to qualify for reimbursement. The best simply require attestation that login credentials weren't shared and agreement to support efforts to prosecute if the thief is apprehended. The worst guarantees require documentation that all security recommendations were followed (e.g., regularly changing password, maintaining antivirus, updating systems, etc.). The worst guarantees are, IMO, unlikely to pay out following a breach.
     • Number of employees dedicated to cybersecurity. The largest entities have almost 1,000 people in this role. And they take it seriously, running "red team" / "white team" exercises regularly.
     • Proactive vs. reactive. Some providers will actively search the dark web and will notify participants if they find evidence that their credentials have been breached BEFORE there's an attempt at a hack. Kind of creepy, perhaps, but could be necessary to avoid losses.
     • Use of advanced techniques. Two-factor authentication is almost universal. Newer techniques like voice authentication are less common. Lockouts on certain transactions for some time period following "high risk" events (e.g., address changes) are increasingly common.
     • Different levels of ISO certification. Most feature ISO 27001 certification (https://www.iso.org/isoiec-27001-information-security.html). Some go all the way to ISO 27002.
We think of ourselves as primarily investment consultants to retirement plan sponsors. But increasingly, the scope of our consulting advice is expanding to administration, compliance, plan design, and now, to cybersecurity. Just part of the world, so we do our best to stay informed on topics that historically haven't come under our purview.
  3. There's DOL guidance on similar situations at https://www.dol.gov/agencies/ebsa/employers-and-advisers/guidance/field-assistance-bulletins/2006-01. While I'd encourage you to read the entire guidance, the DOL seems willing to provide considerable flexibility with respect to how settlement proceeds are allocated as ongoing fund assets, summarized as follows: "While plan fiduciaries generally have flexibility in designing a methodology for allocating settlement fund proceeds among the plan's participants and beneficiaries, plan fiduciaries must ensure that the selected methodology does not otherwise violate the prudence and "solely in the interest" requirements of section 404(a)." My guess is that the individual named in the "FBO" was a prior trustee or signatory for the plan--based both on the scale of the settlement amount and on the fact that only one check came in for the plan. But that's just a guess. Getting more information would help considerably!
  4. That's correct. You (very) occasionally see participants eligible for both 457 and 403(b) or 401(k) (governmental 401(k) plans are rare but do exist) and participants contribute up to $19,500 in each plan.
  5. "Back Door Roth"

     This design is very common for large Silicon Valley employers. ACP testing isn't an issue because people are paid so well that many well-paid employees aren't HCEs, due to the top paid group/20% rule. It's typical for people earning $200K+ to be NHCEs. Aggregate match rates tend to be lower for HCEs than for NHCEs because of how the formulas work. A common match design in the Silicon Valley is a simple 50% match. So assume two employees each defer the (2019) $19,000 maximum, both get a $9,500 match, but the employee making $100,000 has a match rate of 9.5%, while the employee making $200,000 has a match rate of 4.75%. For this reason, we regularly see ACP tests where the ACP for NHCEs is HIGHER than the ACP for HCEs. In this environment, where a mix of both higher paid NHCEs and plain old HCEs want to make after-tax contributions and convert their after-tax contributions to Roth, with an ACP test with lots of room, the only effective constraint on the after-tax contribution is the Section 415 limit ($56,000 in 2019). It's simple math to back out 401(k) and match to get to the after-tax contribution amount (in this example, $56,000 - $19,000 - $9,500 = $27,500). Hundreds of employees will contribute to this limit. With regard to the IRS potentially challenging the two-step "back door" conversion, I've seen that concern raised, but some of the largest companies in the Valley offer this benefit. Most companies have decided that the IRS won't challenge these mega companies--the worst may be to announce that the technique will be prospectively disallowed. So more companies are offering this. The major recordkeepers now support immediate standing conversions of after-tax to Roth, so it's not even a two-step process. The effect is an end-around on the 402(g) limit for Roth contributions. But it happens all the time.