Employers that sponsor employee benefit plans for their employees assume a great responsibility to ensure that the plan is operated in the best interest of the plan participants and their beneficiaries. The Employee Retirement Income Security Act (“ERISA”) was passed into law in 1974 to set minimum standards for most private industry retirement, health and welfare plans that provide protections for plan participants, set forth fiduciary responsibilities for those with discretion over plan management, administration and/or control regarding disposition of plan assets, and provide participants the right to sue for benefits and breaches of fiduciary duty. ERISA plan fiduciaries should periodically conduct a fiduciary self-audit to ensure policies and procedures are in place for prudent plan governance.
The Fiduciary Self-Audit
Under ERISA, plan fiduciaries are charged with a high standard of responsibility to act prudently in discharging their duties. It is not sufficient for an employer to adopt a plan and then leave it on auto-pilot with the assistance of retained service providers. Plan fiduciaries who breach their duties can be subject to numerous types of penalties, including personal liability for any losses to a plan resulting from a breach of their responsibility. At a high level, plan fiduciaries should periodically review the plan governance structure, confirm who has been delegated fiduciary responsibility for the plans, and confirm how those duties are being carried out. Any identified gaps should be promptly addressed, and policies and procedures for plan governance should be developed and/or updated. The scope of a fiduciary self-audit will vary depending on an organization’s needs and types of benefit plans, and must be tailored to the situation. A self-audit of the following types of issues will require development of a road map to collect the requisite materials, such as plan documents, meeting minutes, plan reports, plan investment and fee information, investment, trust and service provider agreements, and all other necessary plan information. These materials will need to be reviewed in a logical manner with proper assistance as needed. At a minimum, an organization should confirm the following:
1. Has the Organization Properly Delegated Fiduciary Duty for ERISA Plans from its Governing Body to Specific Individuals or a Committee?
An employer as plan sponsor is an ERISA fiduciary; however, an organization’s board of directors or governing body can adopt resolutions to appoint individuals to a committee to serve as the plan fiduciaries in accordance with organizational requirements and plan terms. Failure to do so means that members of the employer’s governing body carry the fiduciary responsibility and liabilities associated with ERISA plans. Proper delegation of duties limits the governing body’s liability to an ongoing duty to prudently select its delegees, and to monitor the delegees to ensure their appointment remains prudent and that they are properly carrying out their duties. One way to monitor the delegees is to request an annual high-level report confirming that the appointed committee has met regularly during the year and that plan obligations have been met. If any claims are brought against the plan, a process should also be in place to notify the organizational leadership. Consideration may also be given to whether separate committees should be established, such as one for investment decisions and one for administrative decisions, or one solely for retirement plans or a combined committee for all ERISA plans. The organization should adopt a governing Charter or By-laws for the committee to ensure there is process and procedure regarding the committee’s duties and how they will be executed, how additional fiduciaries (such as trustees or certain investment advisors) or non-fiduciary service providers are appointed, and how committee members will be removed. It should also be confirmed that the plan fiduciaries are properly named and identified in the applicable plan documents; if there is a designated committee, then the committee, rather than the employer, should be the named fiduciary in the plan document.
2. Have the Plan Fiduciaries Prudently Executed Their Duties?
Once the proper delegation of fiduciary duties from the organization to a committee is confirmed, it is important to review how the plan fiduciaries have been operating. For example, have the plan fiduciaries:
(a) conducted regular meetings throughout the year (e.g. quarterly or on another prudent schedule) to review plan investments and administrative issues;
(b) ensured that plan contributions have been timely remitted to the plan;
(c) reviewed and vetted the types of service providers and advisors needed, and prudently selected and monitored them on an ongoing basis;
(d) prudently delegated any duties further and monitored such delegees;
(e) reviewed and evaluated retirement plan fees and expenses, as well as investment option fees, expenses, and revenue sharing arrangements;
(f) reviewed plan document terms, updated them for changes in the law, followed them correctly in operation, and drafted them to include certain protective provisions for fiduciary decisions;
(g) reviewed plan operations and corrected any identifiable errors under available government programs;
(h) addressed applicable plan compliance testing issues;
(i) met all reporting and disclosure obligations;
(j) prudently developed plan communications and required notices and disclosures to participants in accordance with legal requirements and plan terms, and timely disseminated them; and
(k) identified whether any transactions have occurred that could violate ERISA’s prohibited transaction rules?
A comprehensive list of issues for review should be developed at the outset of the fiduciary self-audit, and then the overall processes for addressing these and other fiduciary duties should be confirmed.
3. Have the Plan Fiduciaries Developed Prudent Policies and Procedures for Plan Governance?
In addition to confirming fiduciary processes for plan management and operations, the types of written policies and procedures that the fiduciaries should have in place for the specific type of ERISA plan should be reviewed, developed and/or updated. For example, for 401(k) plan governance, the plan fiduciaries should have an Investment Policy Statement to govern the investment objectives and policies for the plan which might be developed or updated with the assistance of an outside investment advisor. If the plan utilizes an ERISA budget or similar account in connection with revenue share recapture arrangements, a policy should be in place for administration of such an account. The plan should have procedures for claims and appeals, loans, hardship withdrawals, review of qualified domestic relations orders, record retention, as well as dissemination of required plan information, including participant investment materials and required notices and disclosures. There should also be a procedure for reporting back to the organizational governing body so that they can monitor the fiduciaries and any plan litigation or claims. A schedule for fiduciary training should also be followed on an ongoing basis as well as for new committee members as needed. Confirmation that these policies and procedures are in place, up to date, and being followed in accordance with their terms can demonstrate fiduciary prudence in plan management and can serve to buttress any defense to a claim of fiduciary breach.
4. Have Plan Bond Requirements and Insurance Needs Been Met?
ERISA plans are required to be bonded to protect the plan from fraud or dishonesty by those handling plan funds. The amount of the bond is at least 10% of plan assets, up to $500,000, or $1,000,000 for plans that hold employer securities. Whether a particular type of plan requires a bond should be confirmed under applicable Department of Labor guidance, and the bonds must be placed with a surety or reinsurer that is named on the Department of the Treasury’s Listing of Approved Sureties, Department Circular 570. Fiduciary Liability insurance is a separate issue from the ERISA bond—it is insurance that can be purchased to cover certain liabilities and losses resulting from the actions or inactions of plan fiduciaries. Attention must be paid to whether the liability insurance allows recourse against the individual fiduciaries (in which case the policy can be paid for by the plan) or whether it is a no-recourse policy (which cannot be paid for by the plan). Of course, any policy carve-outs and limitations must be reviewed and negotiated. Employers may also decide, in plan documentation or a Charter, for example, whether they will indemnify plan fiduciaries for liabilities incurred in carrying out their duties, except to the extent that the liability is due to the fiduciary’s gross negligence or willful misconduct.
Once the fiduciary self-audit review is completed, the organizational body and plan fiduciaries should have a clearer picture of the strength of the current fiduciary practices and plan governance.
Plan Governance Following a Self-Audit
The results of the Fiduciary Self-Audit should be analyzed to confirm any ERISA plan governance gaps and risks that need to be addressed. Then, a plan of action should be implemented to set the course for ongoing plan management. If policies and procedures have not been reduced to writing, they should be drafted, adopted and maintained with plan records. If they exist but have not been updated in a while, action can also be taken to make the necessary amendments to adopt the updated policies and procedures. If plan errors were identified, they should be addressed and corrected if possible under applicable government programs. If certain issues were identified that require a further deep dive, then an action plan can be developed to self-audit those isolated issues. For example, perhaps it will be discovered that plan investments, fees and expenses should be benchmarked and re-negotiated if they have not been reviewed in a while. Or maybe it will become apparent that plan data and security issues have not been addressed in service provider agreements or procedures and safeguards need to be implemented in agreements or coordinated with organizational cybersecurity policies. Thus, many projects may emerge from the fiduciary self-audit which may require prioritization, but they involve important issues that should not be neglected.
While a fiduciary self-audit review may seem daunting and time-consuming at the outset, the upside is that following a review the plan sponsor and plan fiduciaries can take any necessary actions to reduce their plan and fiduciary liability risks. It will also provide an opportunity to organize and update plan records so that the organization is best prepared to respond to an outside audit by the Internal Revenue Service, the Department of Labor, or another government agency, or even to a benefit claim or lawsuit. This will undoubtedly be time well spent, not only for the organization and plan fiduciaries, but also for the participants and beneficiaries for whom the ERISA plans must provide the exclusive benefit.