To help employers properly administer their 401(k) plans, in 2022, Foley & Lardner LLP is authoring a series of monthly “401(k) Compliance Check” newsletters. This article discusses some of the policies that are important for the proper administration of 401(k) plans.
In June’s 401(k) Compliance Check, we looked at the importance of understanding your 401(k) plan’s definition of compensation and what to do if you had been applying your definition incorrectly. This month we will take a look at five policies or procedures that are important for proper 401(k) plan administration.
Why is this Topic Important?
401(k) plans are required to maintain some of these policies either by ERISA or under Department of Labor (DOL) guidance, and others, while not necessarily required by law, are helpful in the event of a DOL audit or participant litigation. Having clear policies and procedures in place also helps employees involved in plan administration do their job more efficiently by mapping out appropriate steps to take when various situations arise.
Often, you can obtain these policies or procedures from various plan vendors, such as your 401(k) plan administrator or your plan’s investment consultant. But, with respect to some of these policies, such as the cybersecurity policy, you may need to reach out to qualified legal counsel for assistance.
1. Loan Policy
Why you need it: The prohibited transaction rules under ERISA and the Internal Revenue Code prohibit loans from a 401(k) plan to plan participants unless the loans meet specific requirements. Typically, 401(k) plan documents do not include all these requirements, so a separate loan policy is needed. This loan policy then becomes a part of the “plan rules” from a legal perspective.
What’s typically included: Loan policies are typically fairly detailed and comprehensive, and typically cover the following items (among others):
- Rules regarding loan eligibility
- Loan fees
- Minimum and maximum loan amounts
- Permitted loan sources
- Number of permitted loans
- Events constituting a loan default
2. QDRO Procedures
Why you need it: Under ERISA, every 401(k) plan is required to establish written procedures for (1) determining whether a domestic relations order meets the definition of a qualified domestic relations order (“QDRO”) under ERISA, and (2) administering distributions under QDROs. These procedures must be used by the plan administrator to administer QDROs and a copy must be provided to participants and alternate payees after the plan’s receipt of the domestic relations order; however, it is the DOL’s view that providing a copy of the procedures to the participant and alternate payees before submitting a domestic relations order better facilitates the goal of timely, efficient, and cost-effective QDRO administration.
What’s typically included: The DOL recommends including at least the following items in a plan’s QDRO procedures:
- List of documents related to the plan that are available to assist in drafting a QDRO (for example, SPD, plan document, model QDROs)
- Any time limits set by the plan administrator for making QDRO determinations
- What steps the administrator will take to preserve retirement assets while making a QDRO determination (for example, will benefit payments be delayed or suspended during this period?)
- How and when plan assets will be segregated for the participant and alternate payee
- The processes for appealing the plan administrator’s determination as to whether an order is a QDRO
3. Cybersecurity Policy and Procedures
Why you need it: Cybersecurity has become a recent focus of DOL plan audits ever since the DOL released its cybersecurity guidance in April 2021. During an audit, the DOL now asks plan sponsors to provide “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan.”
What’s typically included: The following is a non-exhaustive list of items that, based on audit inquiries, the DOL expects a plan’s cybersecurity policy to cover:
- Access controls and identity management for online systems
- The processes for responding to a cybersecurity breach
- Diligence process for assessing service provider information security protocols
- Cybersecurity awareness training
- Encryption of sensitive information, both stored and in transit
4. Missing Participant and Uncashed Check Procedures
Why you need it: As with cybersecurity, the DOL has placed a lot of focus on missing participants and uncashed checks in recent audits (see 401(k) Compliance Check #5), so you can expect that the DOL will ask for these procedures if your plan is audited. The DOL considers it a “red flag” that the plan may have a missing participant problem if a plan sponsor does not have sound policies and procedures for locating missing participants and handling uncashed checks.
What’s typically included:
- Procedures to prevent missing participants, such as a requirement that certain documents (such as all SPDs and SMMs) include a statement reminding participants to inform the plan of any changes in their contact information
- Steps the plan will take to locate missing participants (ex: first check other employment data, second reach out to participant’s beneficiary, third use free electronic search tools, fourth use commercial locator service)
- Frequency that the company will rerun searches for participants initially identified as missing
- Frequency that the company will audit participant census information and correct data errors
- Instructions on how to record and track uncashed checks
- Procedures for reclaiming stale uncashed checks
5. Investment Policy
Why you need it: In the past several years, there has been an explosion of ERISA class actions claiming breaches of fiduciary duties related to fees associated with, and underperformance of, investment alternatives in 401(k) plans. This highlights the need for a 401(k) plan’s investment committee to have clear procedures for selecting plan investment alternatives and monitoring those choices (including fees) to help avoid, or defend against, claims that the plan’s investment alternatives were improper.
What’s typically included:
- Criteria to consider when first selecting a fund
- Criteria to consider when deciding to replace a fund
- Procedures for identifying a qualified default investment alternative
- Process for monitoring investment fund and investment service provider costs
- Proxy voting policy