If the U.S. Department of Labor’s Notice of Proposed Information Collection Request, issued on April 15, 2024, becomes final, fiduciary retirement plan committees may be asked to evaluate the important question of whether the plan should voluntarily submit missing participant data to the DOL before filing the next Form 5500.  The DOL is seeking comments on the proposal by June 17, 2024.

This proposal is intended to implement Section 303 of The SECURE 2.0 Act of 2022, which adds Section 523 of ERISA and charges the U.S. Department of Labor with responsibility for establishing a “Retirement Savings Lost and Found” database by December 29, 2024.  The purpose of the database is to help connect participants and beneficiaries who are entitled to benefits with the plan administrator so they can make a claim.

The DOL has encountered several stumbling blocks with the establishment of the Retirement Savings Lost and Found.  Significantly, the DOL thought they would be able to obtain the participant data from the Form 8955-SSA that is filed with the IRS, which provides the information to the Social Security Administration (SSA).

When separated vested participants later file claims for Social Security Benefits, the SSA lets those participants know they “may be entitled to a benefit” from the XYZ plan.  It is these Form 8955-SSA that have created many headaches for employers over the years who have long-ago paid-out participants coming out of the woodwork believing they may still have a retirement plan benefit.  So it may be with a sigh of relief for fiduciaries to learn the IRS has refused to provide the DOL with the Form 8955-SSA data to be used to populate the Retirement Savings Lost and Found, citing concerns related to the confidentiality of tax information under Section 6103 of the Internal Revenue Code.

With this impediment, the DOL pivoted and concluded it instead needed to seek the voluntary disclosure of information in order to meet its 2-year deadline for establishing the Retirement Savings Lost and Found.  Fiduciaries may find value in having access to a tool that can connect participants and beneficiaries to their plan benefits and conclude the disclosure is in their best interests.  However, there are several critical countervailing considerations.

First, the scope of the information requested goes well beyond what was reflected in SECURE 2.0.  For example, the data request solicits information “dating back to the date a covered plan became subject to ERISA . . . or as far back as possible, if shorter.”  Coincidentally, ERISA is celebrating its 50th birthday this year on September 2, 1974.  Do you have 50 years of missing participant data in your files?  Do you want to tell the DOL that you do not?

Further, SECURE 2.0 contemplated the submission of only the participant’s name and taxpayer identification number to the DOL.  Yet the notice requests the submission of the participant’s name, date of birth, mailing address, email address, telephone number, and taxpayer identification number.  Fiduciaries would need to carefully weigh whether they are comfortable providing a government oversight body with this indicative data, including contact information.  The request also asks for the prior plan names, prior administrators, and prior sponsors, which would be a headache for businesses involved in a lot of mergers and acquisitions.

But wait, there is more.  The DOL also seeks information about whether any participants are over their normal retirement age and unresponsive about their benefits or whose contact information may not be accurate.  This could highlight potential 401(a)(9) minimum required distribution questions and potential vulnerabilities in fiduciary missing participant procedures.  The notice began by noting that missing participants often are the result of “inadequate recordkeeping practices, ineffective processes for communicating with such participants and beneficiaries, and faulty procedures for searching” for these individuals.

Second, the notice leaves the DOL’s cybersecurity measures to your imagination, simply noting that “multiple security measures will be in place” to protect the data provided.  What are those security measures?  Has the DOL conducted a risk assessment related to the transmission and storage of participant data, for example?  The DOL’s own Cybersecurity Program Best Practices publication may serve as a guide to fiduciaries in evaluating whether the security measures are sufficient.  There also may be contractual provisions with recordkeeper or other plan service providers that restrict the disclosure of participant information.

Third, the DOL did not establish a fiduciary safe harbor or any protections in the event the information the fiduciary volunteers is ultimately compromised, incomplete, or incorrect.  For example, what happens if the Social Security Number the Plan has on file is 999-999-9999 or the date of birth is 1-1-1900?  What happens if the data the fiduciary provides highlights that the participant has not received required minimum distributions?  Will the voluntary submission lead to a missing participant or a more extensive investigation?

Time will tell.  Importantly, the DOL notes that it has the authority to investigate and collect information under other sections of ERISA and to verify the identities of those accessing the database.  So, if this voluntary avenue proves unsuccessful, the DOL may pivot again to using its enforcement authority to mandate the submission of missing participant data.

For now, plan fiduciaries should keep an eye on the notice and consider voicing their feedback, positive or negative, to the DOL.  Once finalized, fiduciary committee agendas may reflect this important question.

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance.  Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.