
Posted

Record keeping platform sends approval notification to the TPA for review and approval.  Does anyone attempt to confirm that it is truly the participant who is initiating the distribution request?  If so, what do you do?  A TPA review/confirmation certainly opens the TPA to some liability.

I'd like to get some specific control ideas from the group.  We've never had a fraud incident in 30 years but just a few days ago, someone tried.

Thank you! 

 

Posted

Great question!  Scammers have discovered that retirement plan accounts have big balances that can be easy targets if the scammer can gain access to a participant's account credentials on the recordkeeping system.  We also have to include family members in the mix, too.

Part of the discussion needs to be around what is in the TPA's service agreement with respect to the approval process. 

  • Is the TPA only checking that a transaction is permissible under the terms of the plan given the participant's demographics, the plan document and accounts?  This makes the process somewhat mechanical.
  • Is the TPA review/confirmation not constrained by the service agreement?  This could easily push the TPA into a role where they could be considered a plan fiduciary with authority to pay or reject a request.

In either case, it helps if there are written procedures or documentation where the TPA should escalate a request to the Plan Administrator.  The TPA would present the request and the reason for the escalation and let the PA decide.

Your E&O insurance provider also may have notification requirements that you must follow if you want coverage.

Operationally, the best control is educating staff to recognize when a request is not quite right.  In many ways, this is similar to knowing how someone is trying to scam anyone.

  • Is the request made with a sense of urgency that something bad will happen if funds are not delivered immediately?  We have had requests for payments to be sent overnight to prevent eviction or repossession of a car.  Sending out a distribution overnight is far from any standard procedure, and we will ask for more information that can be used to validate the request, like birth date, address on file, part of an SSN, or a beneficiary name, and then discuss the approval with the PA.
  • Is the individual asking to stop by to pick up the check?  We had an instance where the individual found our phone number and knew we were part of the approval process, and wanted to come to our offices to get the check.  It turned out that the individual had a criminal record for assault. 
  • Is any required documentation missing or vague?  If so, we will not make an approval until we have what we need to be comfortable the request is valid.
  • Is the individual asking for full payment of a death benefit when records show multiple beneficiaries (or there is no beneficiary on file)?
  • Are there multiple requests in a relatively short period of time?  A scammer may test to see if they can get a small payment, and if they succeed, then they try for a larger amount.  We have two people review any large payment request (for example, requests for more than $100,000).
  • Is the request for an amount that may change due to a correction that is in process?  This takes a little bit more internal information, but we have had to push back on the amount of a payment when we are aware that a refund or other correction will impact the distribution.

It can get awkward sometimes, and we have to make sure our bias towards being helpful and problem-solvers does not supersede good judgment.

Posted

Consider also whether the TPA has or lacks ERISA § 412 fidelity-bond insurance or ERISA fiduciary-liability insurance (or both).

If a TPA has either kind of insurance, consider whether the TPA’s procedures follow, or at least are not contrary to, what the TPA and anyone acting for it said in the application for the insurance. A false or misleading statement can result in lacking insurance coverage.

Likewise, follow anything represented to the TPA’s errors-and-omissions insurer.

If a TPA prefers to be a nonfiduciary, one might write its service agreement to avoid anything that could involve discretion, instead doing only what the plan’s administrator specified and engaged, and doing it with clear on-off rules with no discretion.

If a situation calls for judgment or discretion, a nonfiduciary TPA might put the matter to the plan’s administrator.

This is not advice to anyone.

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com

Posted

Thank you both - definitely some good ideas to consider, such as making sure our service agreement simply says we confirm the distribution request is allowable under the terms of the plan but that we are not responsible for confirming the identity of the distributee.  We are a non-fiduciary per our service agreement and operationally.  Record keepers have controls of their own, of course. Still, anyone connected with the plan can be vulnerable.  And yes, I will check our liability carrier.

For DB plans, we receive funds and quickly push out in accordance with distribution elections.  We obtain driver's license and get the Trustee to approve, of course.  Still, that is an area of vulnerability.  I know many use services like PenChecks.  In talking with a TPA about that, it seems a complicated process.

Can anyone recommend a DB product that would include distribution processing that an independent actuary and financial advisor can work with?

Thank you

Posted

This is one of those areas where you want to make sure you are in line with industry practices, regardless of what your contracts say. You may also want an indemnity from the sponsor for any distribution that is made pursuant to your policies and procedures and is later determined to be fraudulent.  I do know one TPA I remember verified the address with the employer when checks were issued, but I believe they were a 3(16).  I also know there is a service called GIACT that a lot of RKs use that verifies the bank account when ACHs are used, to ensure the same name and birthdate are associated with the account as with the participant.  I would find out what the RK has in place on this front.  The biggest issue is encouraging sponsors to educate their employees about using secure passwords and about phishing and spear phishing attempts; these are honestly one of the biggest sources of fraud. Good article on the types and ways people are vulnerable to ATO:  https://www.security.org/digital-safety/account-takeover-prevention/

 

Posted

A nonfiduciary service provider’s contract with its service recipient ought to provide (at least) nonliability, indemnity, and defense, including advances for reasonably incurred attorneys’ fees and other expenses, against a third person’s claims if the service provider followed the plan administrator’s or other fiduciary’s procedures and other instructions.

Also, a service provider might want each responsible plan fiduciary and each directing fiduciary to maintain ERISA fiduciary liability insurance. (I recognize this might be a business challenge about some kinds of plans and service recipients.)

This is not advice to anyone.

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com
