Bates Research | 05-06-21
DOL Releases New Guidance on Cybersecurity and on Exemptions for Investment Advice Fiduciaries
In December 2020, the Department of Labor (“DOL”) adopted regulations on investment advice for retirement accounts under the Employee Retirement Income Security Act (“ERISA”). The regulation provides a class exemption for persons who are fiduciaries under ERISA allowing them to receive compensation and engage in otherwise prohibited transactions on behalf of retirement investors, employee benefit plans and investment advice providers. The regulation, known as "Improving Investment Advice for Workers and Retirees," has a long regulatory history (see prior Bates articles here and here). The exemption became effective on February 16, 2021. On April 13, 2021, the DOL issued guidance to address detailed implementation questions. We review the new guidance below.
In addition, on April 14, 2021, the DOL issued cybersecurity guidance for ERISA plan sponsors, fiduciaries and record-keepers, as well as for plan participants and beneficiaries. For sponsors and fiduciaries, the guidance is provided in separate documents, one on selecting service providers, and one on best practices. For participants and beneficiaries, DOL published a third document providing tips to reduce the risks of fraud and loss when online. Here’s a closer look.
DOL Guidance on Fiduciary Investment Advice for Retirement Investors
The DOL’s guidance for retirement investors, employee benefit plans and investment advice providers is contained in two documents: one concerns compliance FAQs on the fiduciary class exemption; the other concerns how a retirement investor should choose an adviser. Both documents are limited to advice concerning investments in plans covered under ERISA.
FAQs on Fiduciary Class Exemption
Generally, the FAQs provide information on the background of the exemption, key compliance dates, definitions for fiduciary investment advice, and detailed compliance questions on the exemption. Broadly, the DOL emphasizes that its purpose is “to make sure that fiduciary advice providers adhere to stringent standards designed to ensure that their investment recommendations reflect the best interest of plan and IRA investors.” This includes, among others, (i) written acknowledgement of a fiduciary status, (ii) conflicts of interest disclosures—e.g. the specific reasons that any rollover recommendations are in a retirement investor’s best interest; (iii) adherence to the Impartial Conduct Standards (see Bates post here), and (iv) conducting an annual retrospective compliance review.
On FAQs about compliance dates, the DOL confirmed existing effective dates and prior enforcement announcements not to pursue certain claims regarding rollover recommendations prior to the effective date of the exemption that would be considered non-fiduciary conduct. The DOL also inferred that it will likely take formal regulatory action to improve the exemption, but that, for now, it believes the core components of the exemption “are fundamental investor protections which should not be delayed while the Department considers additional protections or clarifications.”
On FAQs concerning the definition of fiduciary investment advice, the DOL reaffirmed the five-part test (see Bates post here) and clarified that the exemption provides relief for rollover recommendations that result in prohibited transactions, so long as the exemption conditions are satisfied.
Finally, the FAQs detail specific compliance obligations that firms must undertake to secure the exemption. To this end, the FAQs provide further clarity on: (i) compliance with the Impartial Conduct Standards; (ii) the relationship between the exemption and the best interest standard—i.e., an adviser can be compensated so long as they do not place their own interests ahead of the interests of the retirement investor; (iii) detailed disclosure and the mitigation of conflicts of interest; (iv) specific requirements for insurance companies; and (v) enforcement-related guidance—e.g. correcting violations, incentivizing compliance, the annual retrospective review.
FAQs on Choosing a Retirement Adviser
The DOL also provided FAQs for the retirement investor on the selection of an investment advice provider who is a fiduciary. The FAQs provide information on legal protections afforded to the retirement investor, and at the heart of the guidance are questions that a retirement investor should ask before selecting an investment advice provider. These include, among others, whether the investment advice provider is a fiduciary, what fees and expenses will be charged and what the fees and expenses cover, and whether the advice provider has conflicts of interest concerning a recommendation.
DOL Guidance on Cybersecurity
The DOL, through its Employee Benefits Security Administration (“EBSA”) emphasized the importance of its new cybersecurity guidance by citing estimates on the need to protect “34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.” The risks in a market of this size should caution firms to ensure that their compliance procedures secure plan accounts, maintain plan records securely and to keep participant data confidential.
In its general guidance on cybersecurity, the DOL recommends—among numerous steps—that fiduciaries, recordkeepers and others responsible for plan-related IT systems and data responsible parties: (i) have a formal documented cyber program; (ii) perform annual risk assessments; (iii) provide for third-party audits on security controls; (iv) engage in security reviews and assessments for any assets or data stored in a cloud or managed by third parties; (v) have strong access control procedures; (vi) conduct periodic training; (vii) have effective business continuity, disaster recovery and incident response programs; (viii) encrypt sensitive data; and (ix) appropriately respond to cybersecurity incidents.
In its guidance on performing due diligence on potential service providers, the DOL reminded sponsors and business owners that ERISA requires prudence in selecting and monitoring them. According to the DOL, part of that selection process should be hiring only those who engage in strong cybersecurity practices. The DOL recommends asking providers about their information security standards, practices and policies; whether they use third-party auditing to review and verify “information security, system/data availability, processing integrity, and data confidentiality”; their track record in the industry, including information on security incidents and litigation related to their services; other past security breaches; and whether they are covered for loss due to any form of cybersecurity breach; and to “beware” any provisions in a contract that might limit the service provider’s responsibility for IT breaches.
In its guidance for participants and beneficiaries, DOL provided now-familiar tips to reduce the risks of fraud and loss when online. These include, among others: monitoring accounts, using multifactor authentication, closing unused accounts, avoiding unsecure wifi, becoming alert to phishing attacks and reporting identity theft. The DOL also provided links for reporting cyber events to the FBI and to the Cybersecurity and Infrastructure Security Agency (“CISA”).
To utilize the DOL exemption, fiduciary investment advice providers must satisfy many requirements intended to protect retirement investors. These protections are in addition to the standards of other regulators. Though firms have been preparing for these requirements for some time, now that the regulation is effective, there will be significant enforcement attention paid to compliance.
Similarly, the cybersecurity guidance issued by the DOL for ERISA plan sponsors, fiduciaries and record-keepers will require attention by compliance officers. Not because they are not already attentive, but because the DOL guidance sets more defined parameters for cyber compliance. Bates will continue to keep you apprised.
For more information, or to learn how the new regulations will affect your firm, please contact Bates Compliance today.
- email@example.com | 504-450-9632
- firstname.lastname@example.org | 860-671-7270