Department of Labor Launches Retirement Savings Lost and Found
The SECURE 2.0 Act of 2022 added new Section 523 to the Employee Retirement Income Security Act of 1974 (“ERISA”), requiring the Department of Labor (the “Department”) to establish an online database called the Retirement Savings Lost and Found (“RSLF”). The RSLF is intended to help individuals find unclaimed retirement benefits by identifying the current plan administrator of employer-sponsored plans in which they are or were participants or beneficiaries. On November 18, 2024, after two rounds of proposals and comments, the Department announced a Voluntary Information Collection Request (“ICR”) to retirement plan administrators and their authorized recordkeepers to begin populating the RSLF database.
The RSLF being launched is significantly narrower in scope than the Department’s initial proposal of April 16, 2024, and is expressly designed to be only a starting point for populating the database. At the same time, however, the RSLF announcement answers important data security and fiduciary responsibility concerns left unanswered by the initial proposal and the revised proposal of September 12, 2024.
The Information Collection Request
The Department initially proposed collecting historical information dating back to a plan’s first coverage by ERISA, to the extent available, including the plan’s name(s), administrator(s), and sponsor(s), and detailed personal information about participants and designated beneficiaries who separated from service with vested benefits, or whose benefits were paid by mandatory IRA rollovers or purchase of an annuity contract.
Under the RSLF as being implemented, the Department is not requesting any historical information and considerably less information about participants and beneficiaries. Specifically, the Department is asking for voluntary submission of:
- The current plan name, plan administrator, and plan sponsor from the most recent Form 5500 annual report.
- Names and Social Security Numbers of separated vested participants currently age 65 or older who are still owed plan benefits (including those in pay status, or whose benefits have been conditionally forfeited because they cannot be located, or who are deceased with a beneficiary still owed benefits).
These changes should make participation in the nascent RSLF more feasible for interested plan sponsors and administrators.
The Department has established a dedicated web portal for the RSLF and provided an upload template for plan administrators or their recordkeepers. The template permits filing on behalf of multiple plans simultaneously, among other advantages.
Cybersecurity, Fiduciary Responsibility and Privacy Laws
Data Security. The RSLF portal is being developed in accordance with Department of Commerce security and privacy controls and will use advanced encryption standards for data at rest and data in transit. RSLF administrators will use Department of Labor login credential standards, and public users will be required to use Login.gov credentials to enhance security and prevent unauthorized access. Individuals searching in the RSLF will only be able to see information about their benefits, and no general list of information will be visible to the public.
Individuals have the right to opt out of having their data posted to the RSLF. Currently, however, the only opt-out mechanism is filing a request through the DOL’s website. It remains to be seen how successful this method will be if and when the requesting individual’s personal data is uploaded.
Fiduciary Responsibility. As discussed in an earlier post, Departmental guidance clarifies that plan fiduciary responsibilities include assuring mitigation of cybersecurity risk. Commenters on the April and September proposals expressed concerns about participating in the RSLF without detailed information about the security of the database. The Department believes that it has addressed these concerns in the RSLF announcement. Therefore, in the Department’s opinion, plan fiduciaries that voluntarily furnish data in response to the ICR, following the prescribed transmission protocols, “will have satisfied their duty under [ERISA] to ensure proper mitigation of security risks” and “will not be subject to liability under ERISA for the Department’s conduct in the event of a future security failure.” [1]
The announcement also confirms that the reasonable expenses for voluntary data submissions to the RSLF may be paid from plan assets.
State Privacy Laws. The Department generally believes that its authority under ERISA to collect participant information such as names and Social Security numbers, and the fact that many state privacy laws exempt disclosures to comply with a government regulatory inquiry, should mitigate any plan administrator concerns about transmitting participant data to the RSLF. Nonetheless, it also announced a nonenforcement policy under ERISA regarding any plan representative’s failure to obtain participant consent to the extent required by applicable state law before responding to the ICR if (1) furnishing information to the RSLF is authorized by a responsible plan fiduciary and (2) the fiduciary acts reasonably and in good faith.
The Department considers its limited-scope voluntary ICR to provide the “best chance” for beginning to populate the RSLF immediately while planning for expansion in the future. If you are interested in learning more about the RSLF or have questions about responding to the ICR, please contact a member of Verrill’s Employee Benefits and Executive Compensation Group.
[1] The Department’s characterization of these views as an “opinion” appears to be a subtle acknowledgement that the final word may rest with the courts.