New Mandatory Retirement Plan Requirement for Certain New York City Employers

On May 11, 2021, the City Council of New York enacted a local law to establish a retirement savings program for certain employees of private entities.

What are the Details?

The new law creates a mandatory auto-enrollment payroll deduction individual retirement account (“IRA”) program for employees of private sector employers in New York City which (i) do not offer a retirement plan and (ii) employ five or more employees.

The program provides for a default employee contribution rate of 5% (but employees may adjust this rate up or down or opt out at any time).

Because contributions are made to IRAs, they are capped at the annual federal IRA maximum (currently $6,000; $7,000 if age 50 or above).

Much like requirements under the Employee Retirement Income Security Act of 1974 (“ERISA”), employers must remit funds deducted from the earnings of each participant for deposit in IRAs on the earliest practicable date (consistent with applicable rules).

The IRAs are portable and thus employees retain the accounts when they move jobs.  Employees may roll the accounts over into employer plans where eligible.

The law does not provide for any employer contribution and does not provide for contributions by New York City.

How will the Program be Administered?

A retirement savings board will be established to oversee the program.  The board will consist of three members appointed by the Mayor.

The board will have the power:

  • To determine the start date of the program;
  • To contract with financial institutions and administrators;
  • To minimize fees and costs associated with the administration of the program;
  • To create a process for those not employed by a covered employer to participate; and
  • To conduct education and outreach to employers and employees.

The board will work with the Comptroller to select the investment strategies and policies and must report annually on its activities and actions.

When do Employers Need to Comply?

The new law takes effect 90 days after enactment, but the board has up to two years to implement the program.

Affected employers need not take any immediate action, but they should continue to monitor developments in this area to ensure that they are prepared to comply when the program is ultimately implemented.

Are there any Penalties for Failing to Comply?

Yes.  The legislation provides for per employee penalties that escalate with multiple violations.  Penalties for failure to comply with recordkeeping requirements may also apply.  And actions may be brought against employers who fail to enroll employees or who fail to timely remit employee contributions under the program rules.

Is the Program covered by ERISA?

The law enacting the program provides specifically that the program is not intended to be a retirement program covered by ERISA.

Conveniently, the program comes just following a decision by a three-judge panel in the U.S. Court of Appeals for the Ninth Circuit that affirmed a district court’s dismissal of a challenge to California’s CalSavers program.  The panel held that ERISA does not preempt the California law that creates CalSavers, a state-managed mandated IRA program for eligible employees of certain private employers which do not provide their employees with a tax-qualified retirement plan.

This decision bolsters the position taken by New York City (and the many other state and local jurisdictions which have enacted these mandatory IRA-based retirement plans in recent years) that such plans and programs are not covered by ERISA.

Jackson Lewis continues to monitor developments in the changing employee benefits landscape.  Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

Fiduciary Investment Advice: Implications Of Department Of Labor Prohibited Transaction Exception 2020-02

Employers who sponsor and maintain retirement plans on behalf of their employees and who engage investment advisors to provide investment-related advice to participants may take comfort in knowing there is a new prohibited transaction exemption under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”) and the Internal Revenue Code (the “Exemption”) designed to protect plan participants. Department of Labor (“DOL”) PTE 2020-02, Improving Investment Advice for Workers & Retirees, became effective on February 16, 2021. On April 13, 2021, the DOL issued implementing guidance further explaining the protections afforded under the Exemption and how to realize these protections.

The Exemption focuses on investment advisors and is designed to more systematically protect the interests of participants in retirement plans and makers of individual retirement accounts (IRAs) (collectively “Retirement Investors”). It applies when such Retirement Investors engage with investment advisors who are providing fiduciary advice over the management of retirement plan and/or IRA assets for a fee or seek rollover distributions. With these transactions, there is the potential for the investment advisor to steer participants to investments providing the advisor with increased compensation as a result of their investment-related advice, which would implicate the prohibited transaction rules of ERISA and the Internal Revenue Code. The DOL weighed the value of that advice against the risks and concluded that an exemption from the prohibited transaction rules was needed – with guardrails.

The Exemption very squarely places the responsibility for compliance with its requirements on outside investment advisors. The Exemption regulates the conduct of “Investment Advice Fiduciaries” who provide investment and/or rollover advice. “Investment Advice Fiduciaries” are investment advisers, broker-dealers, banks, and insurance companies and their employees, agents, and representatives. An important aim of the Exemption is to make sure that Investment Advice Fiduciaries adhere to stringent standards designed to ensure that their investment recommendations reflect the “best interest” of Retirement Investors.

In order to rely on the Exemption, besides other requirements, Investment Advice Fiduciaries must provide certain disclosure and meet specified standards of conduct.

  • Disclosure Requirements: Investment Advice Fiduciaries must (i) acknowledge their fiduciary status under ERISA in writing and (ii) disclose the investment related services being provided and any material conflicts of interest they may have in providing those services.
  • Standards of Conduct: Investment Advice Fiduciaries must adhere to the “Impartial Conduct Standards” which require them to (i) investigate and evaluate investments, advise, and exercise sound judgment as knowledgeable and impartial professionals would (i.e., their recommendations must be “prudent”), (ii) act with undivided loyalty to Retirement Investors when making recommendations (in other words, they must never place their own interests ahead of the interests of the Retirement Investor, or subordinate the Retirement Investor’s interests to their own), (iii) charge no more than reasonable compensation and comply with federal securities laws regarding “best execution,” and (iv) avoid making misleading statements about investment transactions and other relevant matters.

For employers that maintain retirement plans for their employees, the plan fiduciaries are responsible for ensuring that their retirement plans comply with the requirements of ERISA and the Internal Revenue Code. This includes a duty to make the prudent selection of investment advisors and monitor these service providers. Beyond this, employers are not directly impacted by the Exemption.

The prohibited transactions rules of ERISA and the Internal Revenue Code are intricate and punitive when violated. Exemptions like PTE 2020-02 are adopted to balance these technical requirements and real-world transactions involving ERISA plan assets that should be permitted to occur in carefully defined ways to promote otherwise meritorious activities. As an employer, plan sponsor and fiduciary, your retirement plan(s) necessarily implicate these technical rules. Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

Remote Employees: The Geographic Tax and Benefits Challenges

As the COVID-19 vaccine has become readily available, and many employers contemplate employees returning to the office to work, both employers and employees have accelerated demands for new and permanent remote work location arrangements for a variety of jobs. Employers across the country are revisiting their business strategies, employment policies, and related legal and tax compliance measures with an eye toward improving their competitiveness for acquiring and retaining talent.

LGBTQ+ Protections Under the ACA are in Effect …Again!

The Department of Health and Human Services (HHS) announced Monday it now interprets—and will enforce—Section 1557 of the Affordable Care Act (ACA) to prohibit discrimination based on sexual orientation and gender identity, effective immediately. Section 1557 generally prohibits discrimination based on race, color, national origin, sex, age, and disability in any health program or activity receiving federal financial assistance.


Whether Section 1557 protects LGBTQ+ individuals from discrimination has received considerable attention and varying positions from HHS and the courts. The 2016 final rule interpreted “on the basis of sex” under Section 1557 as including “an individual’s internal sense of gender, which may be male, female, neither, or a combination of male and female, and which may be different from an individual’s sex assigned at birth.” The 2020 final rule on Section 1557 reversed the position taken in the 2016 final rule and walked back protections for gender identity, gender expression, sex stereotyping, and termination of pregnancy (addressed here). But a New York court issued an injunction on enforcing the 2020 final rule’s position, as discussed here, and several other courts have cases pending on whether the rule violates the Religious Freedom Restoration Act as to providers that have sincerely held religious beliefs against providing this care.

“Because of Sex”

In making Monday’s announcement, HHS relied on the United States Supreme Court’s 2020 decision in Bostock v. Clayton County.  The Court ruled that Title VII’s ban on “sex”-based discrimination prohibits discrimination based on sexual orientation and that Title VII prohibits discrimination against transgender claimants based on their transgender status. HHS noted that the rationale underlying Bostock—that the meaning of “because of sex” in Title VII includes discrimination because of sexual orientation and gender identity—applies to prohibiting sex discrimination applicable to Section 1557 under Title IX.

Employer Action Required

Given this new guidance and HHS’s statement that it will enforce this interpretation immediately, employers should review their plans to determine whether they need to take any action. The new guidance might not directly apply to certain employee health plans if neither the sponsoring employer nor the plan receives HHS funding. Still, HHS Secretary Xavier Becerra has stated, “It is the position of the Department of Health and Human Services that everyone, including LGBTQ+ people, should be able to access health care, free from discrimination or interference, period.”

Many questions remain unresolved about the scope of this guidance—but one thing is certain: HHS will have more to say on this issue, and so, too, will the courts. Thus, employers should know whether their plans contain provisions that could be discriminatory and could therefore put the employer at risk for enforcement action or discrimination claims.

Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

Mental Health Parity Compliance Returns to Forefront for Group Health Plan Sponsors

The Consolidated Appropriations Act, 2021 (CAA) amended the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) to include substantial new compliance requirements. The Department of Labor (DOL), Health and Human Services, and the Treasury (collectively, the Departments) have released much-anticipated guidance for group health plans necessitating action from plan sponsors.

About That Pension Check… A Miscalculation Case With Broader Implications

The Ninth Circuit Court of Appeals recently addressed several issues of first impression in Bafford v. Northrop Grumman (9th Cir. April 15, 2021), a lawsuit involving retirees who received vastly overstated pension benefit estimates from the plan’s recordkeeper.  The case reminds employers of the importance of careful administration and highlights the need to ensure that electronic recordkeeping systems and tools align with the plan terms.  Participant requests for plan or benefit information using online portals or other electronic means still demand timely and accurate responses as required by ERISA’s disclosure requirements.

Northrop Grumman sponsored a defined benefit plan and delegated administration of the plan to an Administrative Committee, which contracted with a recordkeeper to produce benefit statements for participants.  Two participants used the recordkeeper’s online benefits portal to calculate their monthly pension benefits.  Unfortunately, the online tool produced statements that grossly overstated the monthly pension benefits.  After the participants retired and began receiving the monthly pension benefits they were told they would receive, the recordkeeper notified them of the error and dramatically reduced their monthly benefits.

The participants sued the company, the plan administrator, and the recordkeeper, alleging that:

  • The company and the Administrative Committee violated the pension benefit statement requirements of ERISA and breached their fiduciary duties by providing incomplete and inaccurate benefit statements; and
  • The recordkeeper was liable for professional negligence and negligent representation under state law.

On appeal from the district court, the Ninth Circuit agreed that the participants’ ERISA fiduciary claims should have been dismissed, aligning with the First and the Fourth Circuit’s view that a named fiduciary is only liable for a fiduciary breach if they are performing a fiduciary function.  The court said that calculating pension benefits using a pre-set formula is a ministerial function, not a fiduciary function.  So a miscalculation error would not create a breach of fiduciary duty claim.

The Ninth Circuit also dismissed the pension benefit statement claim because of a procedural matter but used the opportunity to address a question of first impression among the circuit courts: whether a request for a pension benefit statement using an online tool would be treated the same as one made “in writing” under ERISA Section 105(a).  Citing the definition of “writing” in Black’s Law Dictionary (11th ed. 2019) as the “intentional recording of words in a visual form,” the Ninth Circuit rejected the notion that an online pension benefit statement request could never trigger the fiduciary obligation to respond.

Finally, addressing an issue of particular concern to plan service providers, the Ninth Circuit found that ERISA does not preempt the state law claims of professional negligence asserted against the recordkeeper.  The court was concerned that a finding of preemption would leave the plaintiffs without a remedy.  Under the existing two-pronged preemption analysis in the Ninth Circuit, a state law has a reference to ERISA plans if it acts immediately and exclusively on ERISA plans or if the existence of ERISA plans is essential to the law’s operation.  The court held that state negligence laws satisfied neither requirement.  To be preempted by ERISA under the second (connection with) prong, the claim must “bear on an ERISA-regulated relationship.”  Because the participants’ claims only arose out of the relationship between the recordkeeper and the participants, not an ERISA-regulated relationship, ERISA did not preempt the law under this prong of the test.

This case has important practical implications for plan fiduciaries and plan recordkeepers and their relationship to each other.  These concepts are not limited to pension plans.  Electronic systems, portals, and online tools are now the primary way employee benefits are offered and administered and need to be closely managed for compliance with the requirements of ERISA and the plan.  We recommend plan administrators address these important compliance measures and review the Department of Labor’s cybersecurity guidance with their recordkeepers.

Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans

Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The essence of today’s guidance:

Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

What that obligation means at this point is at least what EBSA set out in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than plan fiduciaries:

Acknowledging ERISA-covered plans hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of the EBSA’s best practices include:

  • Maintain a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Implement a reliable annual third-party audit of security controls.
  • Follow strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.

The EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures. It is worth noting these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have engaged in efforts to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act will have a head start taking similar steps concerning their retirement plans and/or their services to plans.

Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:

  • Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This also applies to all third-party plan providers, even large, well-known organizations.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider’s response to the incident.
  • Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, or a third party hijacking a plan participant’s account.
  • Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.

It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider. Here are some reasons why.

Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.

COVID-19 Vaccination: Setting Up An On-site Program

The Biden administration reportedly has called for all people at least 18 to be eligible for the COVID-19 vaccine by April 19, 2021, two weeks earlier than its prior goal of May 1, and less than a week away. Most states have already done so. Without the barriers created by state-by-state priority rules, the rate of vaccinations is likely to increase, hopefully helping to contain a fourth wave in COVID-19 cases observed in recent weeks.

No more confusing rules, President Biden

A BenefitsPro article cites a 2017 survey from the Society for Human Resource Management (SHRM) that found almost 60 percent of employers offer on-site flu vaccinations. Naturally, with expanding availability of COVID-19 vaccination doses and widespread eligibility, organizations are asking whether setting up an on-site COVID-19 vaccination program is more involved than one offering flu shots. The short answer is yes.

The country continues to operate under a national emergency due to a pandemic, not present during a typical flu season. Accordingly, concerns about safety and minimizing spread are significantly amplified. Individuals tend to be familiar with flu vaccines, not so with the current COVID-19 vaccines. Concerns over the emergency use authorization status of the COVID-19 vaccine, privacy, individual rights, school openings and childcare, effects on continued employment, liability, and so on are apparently not as prominent when getting an annual flu shot.

Taking those and other concerns into account, organizations considering setting up an on-site COVID-19 vaccination program have several issues to consider. Some of my colleagues and I assembled a nonexhaustive list of some of those issues (see our complete article here):

  • Getting Organized
  • Vaccine Administration and Reporting
  • Facility Suitability and Preparedness
  • Liability
  • Communications
  • Employment Issues
  • Privacy and Data Security

You can access our complete discussion here.

There is quite a bit to think about when setting up a COVID-19 vaccination program. While flu vaccination programs likely differ, prior experience with health fairs and flu vaccination offerings can be helpful reference points. Having a good team in place, careful planning, and the support and collaboration of an LHD or TPHCP, among other things, will help lead to a successful program.

Lawmakers Seek Clarity on EEOC Regulations Concerning Incentives for COVID-19 Vaccinations

Providing incentives for employees to get the COVID-19 vaccine continues to be on the minds of organizations as vaccinations pick up speed. However, concerns about privacy and the shifting positions on wellness program regulation have left many employers wary about implementing more robust incentives. According to Bloomberg, two GOP members of Congress are urging the Equal Employment Opportunity Commission (EEOC) to provide some clarity.

Employer-sponsored wellness programs come in many forms, such as:

  • An education campaign to inform employees about healthier eating habits.
  • A gym membership subsidy.
  • A health risk questionnaire to help employees be more informed about their health risks.
  • A walking program designed to decrease sedentary lifestyles.
  • Making health coaches available for engagement on general wellness and/or chronic health issues.
  • Satisfaction of key health-related measures – heart rate, cholesterol level, body mass index (BMI).

Such programs are often tied to group health plans and the incentives for satisfying program requirements come in the form of cash payments, reduced contributions toward premiums, points that can later be redeemed, and other creative arrangements. A key compliance challenge for many of these programs is the size of the incentive – the underlying issue being whether the size of the incentive causes a loss of voluntariness. Programs that are part of group health plans generally are subject to regulations issued under the Affordable Care Act (ACA) and the Health Insurance Portability and Accountability Act (HIPAA), although other rules including those referred to below may apply. The ACA/HIPAA regulations are relatively clear on incentive limits and are not what GOP members of Congress and business leaders have expressed concerns about.

Under the Americans with Disabilities Act, disability-related inquiries of employees generally must be job-related and consistent with business necessity, unless made in connection with a voluntary wellness program. It is that exception, specifically whether the program is voluntary, that is causing much of the concern about vaccination incentive programs. We outlined a brief history of the EEOC’s position on voluntariness here.

Depending on the design of a COVID-19 vaccination incentive program, disability-related inquiries may be involved, raising the question about voluntariness. Is a $50 gift card too much? What about $500? Will that render the program involuntary? How about 2 days off with pay? It is worth noting that, according to the EEOC,

“[s]imply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.” 

On January 7, 2021, the EEOC proposed a new approach that might wind up providing employers some certainty, but those regulations have been withdrawn following a regulatory freeze issued by the White House on January 20, 2021. Under those proposed rules, however, incentives are permitted under such programs provided they are de minimis.

Sen. Richard Burr (R-N.C.) and Rep. Virginia Foxx (R-N.C.) observed to the EEOC in a letter obtained by Bloomberg, looking for a response by April 20, 2021:

“Employers actively working to protect their employees by increasing the number of workers receiving vaccinations through incentive programs are seeking assurance this action is allowable and does not violate important labor laws such as the Americans with Disabilities Act (ADA) and other statutes within the jurisdiction of the EEOC”

Additionally, the data privacy, confidentiality, security, and record retention of the information needed to administer such programs also raise compliance issues under federal and state law. These include the confidentiality rule under the ADA, the HIPAA privacy and security regulations for programs that are part of group health plans, OSHA record retention requirements, and state reasonable safeguard and breach notification requirements.

Many organizations have moved forward offering a variety of incentive programs to spur employees to get a COVID-19 vaccine. The level of legal risk, if any, for those programs is a function of several factors – does the program include a disability-related inquiry, how large is the incentive, is the program part of a group health plan, how is the program administered and enforced, and how is the privacy and security of the data maintained.

It remains to be seen whether the EEOC will provide greater clarity on the voluntariness of incentives for COVID-19 vaccination programs. In the meantime, employers will need to think carefully about the design and implementation of their programs.