RCK Posted April 15, 2010

This is a complicated situation, so I'll see if I can hit enough of the highlights to get the questions across. Facts are not in dispute:

We (I'm with the sponsor) have a large plan with lots of participants (more than 125,000). All transactions are paperless except for hardship withdrawals, and those few people whose accounts still have money requiring spousal consent.

Participant gets a virus on his home computer that "scrapes" his social security number and password and sends it to the bad guys (BG). BG uses that information to log in to the account, and changes the banking information. Participant receives notice of change in banking information, but disregards it. BG waits through the required 7 day wait on banking changes, requests a $9,500 loan with direct payment to the newly defined bank.

Another week later, Participant receives paystub that shows a hefty loan payment being deducted from his check. He calls the call center, which triggers research. Needless to say, the money is no longer in the receiving bank. It went to a bank in Russia, and may or may not still be there.

We see two sets of issues:

1. The money has left the account, and we're seeing the participant as the responsible party. But at a high level, do we treat this as a loan and continue loan payments, treat this as a loan but allow him to stop payments, or treat this as some kind of investment loss?
2. What is the tax treatment of the event? 1099 R Early distribution no known exception; 1099 R Early distribution exception applies; No reporting required. Fortunately, it was a 2010 event so we do have time to figure this part out.

Anyone with actual experience in a similar situation?

rocknrolls2 Posted April 20, 2010

I have been advising a client with a large 401(k) plan (a few billion in assets) where other situations have arisen, not quite factually related to yours. The very first thing I would do would be to impose a suspension on the participant's account until an investigation can be conducted and findings can be made as a result of such investigation. You would need to hire an investigator who would be good at following the money trail through the international banking system. Sometimes, the participant is a party to the fraud, in which case, you might want to terminate his/her employment. Sometimes, the transactions are requested by a former spouse or significant other with knowledge of all the correct numbers and information so that s/he can access the account. Once your investigation has been completed, you would need to involve the law enforcement authorities to arrest any wrongdoers and order them to pay restitution as a condition of whatever sentence the court orders.

Until the investigation has been completed and the conclusions of the investigation are presented, it would be premature to recharacterize any transactions, including any allegedly resulting from fraud. If it is indeed found that the account was fraudulently accessed, the loan should be reversed from the beginning and the participant's account should be recredited with the amount allegedly "borrowed."

In addition, you might want to consider amending your plan to authorize account suspensions where reports are made that the account has been fraudulently accessed and in other circumstances where it is apparent that the transactions were made under suspicious circumstances.

david rigby Posted April 20, 2010

> If it is indeed found that the account was fraudulently accessed, the loan should be reversed from the beginning and the participant's account should be recredited with the amount allegedly "borrowed."

Pardon my ignorance: how do you accomplish this? Treat it as an investment loss, so that everyone shares the pain? (If the BG is in another country, that money is 100% gone.)

I'm a retirement actuary. Nothing about my comments is intended or should be construed as investment, tax, legal or accounting advice. Occasionally, but not all the time, it might be reasonable to interpret my comments as actuarial or consulting advice.

Peter Gulia Posted April 21, 2010

rocknrolls2 presents some sensible suggestions about not being too quick to assume facts that might not be fully known.

However, suppose that the employer doesn't volunteer to pay the plan's expenses. In meeting fiduciary duties to take on no more than reasonable plan-administration expenses, what factors should a plan fiduciary consider in deciding how much of the plan's money to spend on trying to uncover the facts of a particular theft loss?

Further, might a plan fiduciary decide that - although there might be some value in investigating to the extent that it would find information that the plan fiduciaries could consider in designing the plan's controls to guard against future thefts - tracing where the money went after it left the plan seems unlikely to meaningfully benefit the plan?

Peter Gulia PC Fiduciary Guidance Counsel Philadelphia, Pennsylvania 215-732-1552 Peter@FiduciaryGuidanceCounsel.com

jpod Posted April 21, 2010

Let's assume after some reasonable investigation the Plan concludes that the participant wasn't involved in the scheme. Obviously, there is no "loan" or reportable "distribution." While there may not be evidence of a fiduciary breach on the part of any Plan fiduciary, the Plan fiduciary(ies) have a fiduciary responsibility to try to get the money back for the plan. If the employer decides that it would cost as much if not more to go down that road than it would to restore $9,500 to the employee's account, and then call it a day after the restoration, I see nothing wrong with that approach, although there probably is a need to consider whether some change to administrative systems should be made to reduce the risks of this happening to other participants.

There is authority for taking the position that the employer's restoration of the $9,500 is neither a contribution subject to 401(a)(4) etc. nor an annual addition (and deductible as an ordinary and necessary business expense and not as a Section 404 pension contribution).

Peter Gulia Posted April 22, 2010

A plan fiduciary must make an effort that's reasonable in the circumstances to get a restoration of the plan's loss. But in considering how much effort to use (even to the point of almost none), a fiduciary may balance expense against the amount sought, discounted by the probabilities of successful action and collection.

On the hypothetical situation that RCK described, if there is no collection from a wrongdoer, it seems doubtful that the employer must restore the loss because the facts suggest that there might not be any fiduciary that breached a duty to the plan (or that has personal possession of the plan's money, property, or rights).

If the theft loss stays an unrestored loss, should it be allocated to the individual account of the one participant?

Peter Gulia PC Fiduciary Guidance Counsel Philadelphia, Pennsylvania 215-732-1552 Peter@FiduciaryGuidanceCounsel.com

RCK (Author) Posted May 6, 2010

Thanks to everyone for their thoughts. Here's the update: we have managed to recover about $6,000 from one of the banks somewhere along the line, and are still working on remaining $3,500. We still have not decided on a final strategy in regard to whatever fund ends up lost, but we do not feel there is a fiduciary issue.

There is an interesting sidenote on this case. The domestic account that the BG set up to receive the funds from the plan had a $10,000 limit. After the first loan was deposited to the account, BG requested a second loan, also for $9,500. And it hit the account before the transfer overseas happened. So the domestic bank rejected that deposit and returned it to the plan.

Mike Preston Posted May 6, 2010

I wonder just how specific the major retirement plan vendors are in their disclosures to participants regarding the need to safeguard their access information? It would seem to me that in the case described by RCK, if the participant was adequately informed, while seemingly cold-hearted, the responsibility lies with the participant. Unless the participant can make a reasonable case that a plan representative or procedure was involved in creating or facilitating the loss, I would think an argument could be made that it is not prudent for the plan to expend funds or resources on this matter. If the Plan Sponsor chooses to do either, though, perhaps on the basis of employee relations, that would be ok.

Has anybody done a comparison of disclosure by major vendors on this issue?

Belgarath Posted May 6, 2010

Let me put on my "participant hat" for a moment. My contention would be that it was a Trustee/Plan Administrator/Fiduciary decision to make all transactions paperless, that this decision was a considered and evaluated risk to the plan, and that no home computer system in the world is immune from things like this, no matter how careful I am about passwords, etc. You can bet I'd argue that it is NOT my responsibility, and that my account had better be reestablished at no cost to me.

Has there been any litigation of such issues? I'd rather expect the DOL to weigh in on the side of the participant if it were brought to their attention, but I don't really know. It seems that this might be an area of increasing scrutiny as the movement is continuing toward paperless.

Mike Preston Posted May 6, 2010

So, while the participant might reasonably claim all that you have mentioned, I would think it a good possibility that a ruling would go against them. Especially if the plan argues that the integrity of the entire system is at risk if a plan is held responsible for acts that take place on property or equipment over which it has no control (the participant's home computer). Couple that with adequate disclosure (whatever that means) and I think the participant's counsel has a steep hill to climb.

Belgarath Posted May 6, 2010

Very possibly. Would it make any difference if the participant had the ability to "opt out" of paperless transactions, and instead chose not to?

I'm just curious about this issue, as there are certain specific protections and liability limits for stolen or unauthorized use of your credit cards, for example, and as qualified plans move into the paperless arena, I wonder what may happen in situations such as the one being discussed here. Doubtless, at some point, some unfortunate sap will get nailed not just for a relatively small loan, but for an entire account, they will bring it to their Congressman, and some piece of legislation will be passed that will be complete overkill and cause unwarranted paperwork and expense for plans in general.

Jim Chad Posted May 6, 2010

If this had been done on paper with a forged participant signature, who would be out the $9,500?

RCK (Author) Posted May 7, 2010

In response to some of the earlier posts, I have raised some of these high level issues with the recordkeeper.

I do know that we put significant value on the fact that we have the participant on a recorded line with the call center, admitting that he received the Change of Banking Information notice, and did not pay any attention to it. I'm not sure how much impact that has in court, but it does make us feel better.

masteff Posted May 7, 2010

One thing I'm not seeing in the discussion is regarding the plan's fidelity bond / criminal insurance. As the plan permitted someone other than the participant to initiate a distribution to a bank account in a foreign country, I might talk to my insurance agent if the last $3500 can't be recovered (of course if the deductible is greater than that then the company might simply repay the loss itself to have it over and done with).

Don't forget the PR that might result if you make the employee suffer the loss and he goes around telling all his coworkers about how the company permitted his retirement money to be sent to Russia.

Kurt Vonnegut: 'To be is to do'-Socrates 'To do is to be'-Jean-Paul Sartre 'Do be do be do'-Frank Sinatra

RCK (Author) Posted May 7, 2010

Clarification for masteff: The distribution from the plan went to a DOMESTIC BANK in the name of our participant. From there it went to a foreign bank. The second transaction had nothing to do with the plan.

masteff Posted May 7, 2010

Missed that it was a double hop. But my point about checking into your fidelity bond / crime insurance still stands if the money can't be recovered.

Kurt Vonnegut: 'To be is to do'-Socrates 'To do is to be'-Jean-Paul Sartre 'Do be do be do'-Frank Sinatra

RCK (Author) Posted May 7, 2010

Good point. But our deductible is an awful lot bigger than that. Will keep it in mind for the next one though.

david rigby Posted June 6, 2012

Two years later, any new developments? Inquiring minds want to know.

I'm a retirement actuary. Nothing about my comments is intended or should be construed as investment, tax, legal or accounting advice. Occasionally, but not all the time, it might be reasonable to interpret my comments as actuarial or consulting advice.

MoJo Posted June 7, 2012

> So, while the participant might reasonably claim all that you have mentioned, I would think it a good possibility that a ruling would go against them. Especially if the plan argues that the integrity of the entire system is at risk if a plan is held responsible for acts that take place on property or equipment over which it has no control (the participant's home computer). Couple that with adequate disclosure (whatever that means) and I think the participant's counsel has a steep hill to climb.

I disagree completely. The plan fiduciaries have an absolute obligation to protect plan assets (common law of trusts). The beneficiary of the trust (here, a participant) has no such obligation to similarly protect plan assets from theft. Ignoring the change of bank notice, IMHO, does not impose upon this participant the obligation to do anything - that is exclusively the responsibility of the fiduciary - although one would hope that most participants would at least question the notice - although, not every participant is "financially literate" to understand the interplay between the various financial entities involved, and may have assumed this was "just another stupid plan notice that doesn't affect me" (and even though I'm in the business, I get lots of "stupid plan notices that don't affect me" and typically don't read them completely).

I question why the first bank in line (the one into which the fraudulent loan proceeds were deposited) is not completely liable for a return of the assets. First, they opened an account in the name of someone whose identity they did not know (and for quite some time now, under anti-money laundering statutes that is a big "no no."). Second, they executed a transfer to an offshore bank without proper instructions from the "owner" on the account (nominally, the actual participant).

It was incumbent on that bank to verify the identity of the person opening the account and also the person giving the instructions to move the money. That bank, then could attempt to recover the funds from any bank downstream.

Mike Preston Posted June 14, 2012

I totally agree with your second paragraph, MoJo, but we are going to just have to agree to disagree with respect to your first paragraph. I can't imagine proper disclosures (as stated earlier, "whatever that means") not informing the participant of the need to safeguard passwords and, if necessary, computers, from falling into the wrong hands.

Here's a thought: since we know that a general description of "fiduciary" includes those who have the right, under the terms of the plan, to move monies around, doesn't the participant who authorizes paperless transactions become a fiduciary with respect to his/her own account? Just musing.

Peter Gulia Posted June 15, 2012

How does the plan's administrator know that it was not the participant who changed the banking information? Is there any independent evidence to corroborate the participant's description of what happened?

I imagine that the recordkeeper's computer knows that the participant's identity credentials were used, but doesn't know which human caused those digits to become entered into a computer. Or is there more to the mechanics than I know about?

Peter Gulia PC Fiduciary Guidance Counsel Philadelphia, Pennsylvania 215-732-1552 Peter@FiduciaryGuidanceCounsel.com

Peter Gulia Posted June 19, 2012

By the way, I've been successful in making a bank that received a payment eat the fraud loss if the bank lacked good evidence that the receiving account belonged to the plan's payee, or lacked good evidence that the purported account holder is the same person as the one who opened the account.

Peter Gulia PC Fiduciary Guidance Counsel Philadelphia, Pennsylvania 215-732-1552 Peter@FiduciaryGuidanceCounsel.com

MoJo Posted June 20, 2012

> I totally agree with your second paragraph, MoJo, but we are going to just have to agree to disagree with respect to your first paragraph. I can't imagine proper disclosures (as stated earlier, "whatever that means") not informing the participant of the need to safeguard passwords and, if necessary, computers, from falling into the wrong hands. Here's a thought: since we know that a general description of "fiduciary" includes those who have the right, under the terms of the plan, to move monies around, doesn't the participant who authorizes paperless transactions become a fiduciary with respect to his/her own account? Just musing.

While I can certainly see situations where the negligence of the participant contributed to a loss (and under equity, may have an impact on their ability to recover) I have never seen any statute or court case that absolves a plan fiduciary from responsibility because of the actions of another non-fiduciary - especially a participant, the "Primary" obligation of the fiduciaries being the protection of his or her interest in the plan.

Participants don't select whether to have on-line access or not - that is a plan sponsor and fiduciary decision (including the selection of a service provider who may, or may not have alternatives to on-line access, and whose technology & security should be key drivers of that fiduciary decision). In my mind, the participant owes no duties to the plan, the plan fiduciaries owe essentially everything to the plan and its participants.