Benefits Think

Why cyberattacks make a compelling case for auto-portability

The recent hacking of Equifax, which potentially compromised the security of sensitive information for 143 million Americans, doesn’t just reinforce the importance of cybersecurity; it also makes a compelling case for the widespread adoption of auto-portability.

Yes, you read the above correctly. Participants who roll their 401(k) savings into an active account in their new-employer plans when they change jobs are making a sound financial decision as well as a sound security decision. Completing a roll-in removes a participant’s stranded 401(k) account, and the sensitive information attached to it, from the online systems of the former employer and its record-keeper. The fewer systems where a participant has an active account, the less likely that participant’s sensitive data will be compromised in a cyberattack.

It also makes a difference for employers, as hacks might open them up to fiduciary liability.

Unfortunately, the increase in dangerous cyberattacks has coincided with a rise in small accounts. In early August, the Employee Benefit Research Institute revealed that 41.3% of plan participants in the EBRI/ICI 401(k) database at year-end 2015 had below $10,000 in their 401(k) accounts. This is the highest percentage of 401(k) plan participants with less-than-$10,000 account balances since year-end 2008, when we were in the midst of the financial crisis.

The uptick in small accounts is problematic for many reasons, but in light of recent cyberattacks against Equifax and other financial services companies, plan sponsors and record-keepers should be worried because more small accounts means more lost and missing participants. According to Vanguard’s “How America Saves 2017” report, 30% of all participants in Vanguard-administered plans had separated from their employers during the previous year or in past years.

The increase in lost and missing participants is an urgent concern. If participants’ sensitive information is compromised, they have to be told immediately — but if their contact details on file are out-of-date, they can’t be informed and the cyber-criminals who hacked into the system gain valuable time to exploit their ill-gotten data. This can open the hacked sponsor or record-keeper up to significant fiduciary liability.

Furthermore, the Department of Labor has intensified its focus on auditing large defined benefit/contribution retirement plans it suspects have fallen short on efforts to locate lost and missing participants. The fines can be pretty steep. Effective Aug. 1, 2016, various penalties defined under the Federal Civil Penalties Inflation Adjustment Act of 1990 increased, including the fine for failing to maintain records or furnish reports to former participants and beneficiaries. The fine rose from $11 per employee to $28 per employee.


There are certainly services available to help plan sponsors search for missing participants. The DOL’s Field Assistance Bulletin No. 2014-01, which outlines best practices for sponsors to locate terminated participants and keep their records up-to-date, is an excellent resource for sponsors looking for guidance on missing participants.

Protect yourself by embracing auto-portability

The best way to address the missing participant issue is to go to the root cause and remove small accounts from the retirement plan system. Luckily, there is an easy way to do this: Sponsors and record-keepers can adopt auto-portability — the routine, standardized, and automated movement of a plan participant’s 401(k) savings account from their former employer’s plan to an active account in their current employer’s plan.

Auto-portability enables participants to seamlessly transport their 401(k) savings to their new employer’s plan at the point when they change jobs. If sponsors proactively counsel participants on how and why they should consolidate their 401(k) savings upon switching employers, and implement a process to help them do so, they can decrease the stranded small accounts in their plans — along with the number of lost and missing participants who hold them.

The urgency of the need for sponsors to track down their missing participants, and prevent participants from becoming “lost” or “missing” in the future, isn’t an exaggeration. Taking steps to address this problem once and for all will protect sponsors in the event of a DOL audit, and also reduce the probability that participants fall victim to cyber-criminals.

Spencer Williams is President and CEO of Retirement Clearinghouse, a portability solutions provider.
