Anyone seen my missing money?
Timothy R. Yee, AIF, CPFA, C(k)P, CHSA, NQPA, CSRIC, RI(k)
President at Green Retirement, Inc.
I must admit I was pretty happy to read about the proposed Lost and Found database provisions in SECURE 2.0. The database would house information for employees to track down their old or missing retirement plans. In the hurly-burly of interviewing/changing jobs, employees may not be as focused on rolling over an old retirement plan. As time rolls on, they might forget about it, or it becomes one of many items on an ever-growing to-do list. Anyhoo, this database seemed like a good idea.
Of course, the Compliance side of my brain kicked in at the same time and I pondered such questions as "What data will be needed so employees can find old accounts?", "How will that data be transmitted to the database?", and finally, "What cybersecurity measures will be in place to prevent hacking and unauthorized distributions?" These questions are worth exploring in light of the Paula Disberry - Colgate Palmolive case from last October where Ms. Disberry's old 401k worth $750K was given to someone else.
I then happened to peruse the ERISA Industry Committee's (ERIC) June 17, 2024 letter to the Department of Labor (DOL) regarding how the Lost and Found database is being implemented. ERIC notes in its letter that the DOL is not only overreaching in the amount of data it is requesting on former employees and their plans but that the DOL has not addressed cyber-security concerns. Also, the DOL is asking for data that is already contained in an IRS filing. Might it be helpful to coordinate with the IRS?
Unpacking this, we find that SECURE 2.0, Section 303 authorizes the DOL to collect limited information to "stock" the database. Some of the information is obvious - name/address of the plan and plan administrator, whether the plan was terminated, and the name/taxpayer identification number of the plan participant. Seems reasonable, right?
The DOL, however, is asking for the date of birth, mailing address, email address, and telephone number of any separated vested participant of normal retirement age or older who is owed a vested benefit and who has been unresponsive to plan communications. The DOL asks for similar information about any designated beneficiary.
Can you imagine how many blank beneficiary designations I have seen in 34 years in the industry? And for those that are filled in, the social security and date of birth are frequently blank. And how many times have folks changed phone numbers, emails, and physical addresses? This is quite a burden to put on a plan administrator, particularly for a large plan where numerous employees may be leaving on any given day.
I also cannot stress cyber-security enough. As I am writing this article, a client has alerted me to a cyber-hack/ransomware situation at a local credit union. This credit union reported assets of $9.7 billion as of December 31, 2023, ranking it in 6th place among credit unions based on asset size. If a private bank of this size can be subject to a cyber attack, what are the odds on the DOL being safe?
Finally, much of the data the DOL is seeking is contained on Form 8955 that is filed annually with the IRS. The IRS, citing taxpayer privacy under Section 6103 of the tax code, is apparently reluctant to share this data with the DOL. Two government agencies cannot figure out a way to work together? This is truly puzzling.
The premise and proposal contained in SECURE 2.0 are sound. Reunite employees with their missing retirement plans. This is part of a prudent process to help employees hopefully retire with dignity. I am less enamored by what I am seeing of the proposed implementation. More to come?