401(k) Plan Identity Theft is on the Rise by Alison J. Cohen, Esq.
401(k) plan identity theft is a growing industry. The day starts as any other. A distribution form comes in for processing. It has a participant signature. The spousal consent section is completed and notarized. It appears to be like any other distribution form. So, you sign the bottom of the $450,000 in-service distribution form, send it to your third-party administrator (TPA) for processing, and give it no further thought. Three days later, the real participant calls in a panic wondering where his money went. Yikes?
What Can an Employer do to Protect Its Employees?
First, it is important to recognize that the data you send back and forth to payroll, the TPA, and the Recordkeeper (RK) contains confidential information, also known as personally identifiable information or “PII,” that can be used by thieves to steal the participant’s identity. Data should never be sent through unsecured or unencrypted means. Your service providers should provide you with a secure portal to deliver your data. Always use the portal – even when it seems to be a hassle. Take precautions to not become a victim or a target of 401(k) plan identity theft by avoiding paper or standard email transmissions at all costs.
Second, consider revising (or creating) procedures that increase the scrutiny for participant requests that are highly vulnerable to fraud. Loans, in-service distributions, and termination distributions are prime targets. When you have these types of prime targets and a high dollar amount, it may be worthwhile to include in your procedures a verbal confirmation with the participant that her or she did, in fact, request the transaction. It could be as simple as a call to confirm that you’ve received the request and that it is in process, like a courtesy call, to not alarm the participant. If the request is legitimate, the participant will simply say “thank you” and maybe ask when he or she can anticipate the money. If the request is fraudulent, you’ll know right away. And remember – use the phone number in your records and NOT on the form, as this may also be fraudulent.
Third, encourage participants to use the online statement option, rather than receiving this confidential information in paper format. Paper statements become tools of 401(k) plan identity theft as they provide thieves with a bevy of information that they can use to steal the participant’s identity and submit a fraudulent request.
Fourth, create a verification checklist for the Plan Administrator and have them adhere to it. Include questions such as:
- Has the participant submitted a change of address request in the past 3 – 4 weeks?
- Does the address on the form match the employer’s records?
- Does the phone number on the form match the employer’s records?
- Does the Email address match the employer’s records?
- Verify the Instruction for distribution – is the check going to an address other than the participant’s home or office?
- Verify the bank account information for a wire transfer – is it in name of the participant? Can you verify that with the bank?
- Is the Spouse’s name correct?
- Does the signature of the participant and/or spouse match forms previously submitted?
- If the request is over a certain dollar amount, has verbal confirmation been received from the participant based on contact information NOT on the form (alternate phone)?
Plan Administrators should have a discussion with their insurance carriers to see whether their fidelity bond would cover a case of 401(k) plan identity theft. Many of these bonds only cover theft events by employees of the Plan Sponsor and not the actions of an outside thief. It is certainly worth asking the question before it’s not a hypothetical question.
Once a theft has been reported by a participant, you should have procedures in place so everyone knows what the next steps should be. For example, having a list of phone numbers to immediately contact at the major banks, the RK/Custodians, FBI, etc. if there is a chance of quick recovery after the event.
In the real-life scenario, we started with, the TPA quickly contacted the custodian and tried to get the wire recalled. They finally found the correct number at the receiving bank for its fraud department to try to get cooperation from the receiving end. Unfortunately, by the time they contacted the appropriate individual at the receiving bank, the funds had been transferred to the thief. The Plan Sponsor was completely unprepared and couldn’t help in the recovery process. The FBI was brought in, but by then, more than a week had passed since the money was paid out. The tax withholding was able to be reversed and returned to the participant. In cases such as these, the plan sponsor never wants to be in a position of determining how to make the participant whole after a 401(k) plan identity theft occurs.
Alison is a Partner with Ferenczy Benefits Law Center in Atlanta, Georgia. Alison advises clients on many issues related to qualified retirement plans, including design, mergers and acquisitions, audits, and operational issues. Alison commonly works with clients that have operational issues to guide them through the Internal Revenue Service (IRS) and/or Department of Labor (DOL) corrective programs, prepare corrective filings, and prepare and support clients through an audit conducted by the IRS and/or DOL.