One of the last things pension plan participants would want to learn as they get ready to celebrate the Christmas holiday is that personal data from their pension accounts may have been compromised. This is the case, unfortunately, for approximately 30,000 Now:Pensions customers whose names, postal and email addresses, birth dates and the equivalent of Social Security numbers were hacked and posted online. According to reports, the UK company, which helps to administer millions of workplace pensions, attributed the incident to a third-party service provider.

Of course, the challenge of managing the cybersecurity risk of third-party service providers does not exist solely across the pond. During a recent SPARK Cybersecurity Virtual Event, Tim Hauser, Deputy Assistant Secretary for National Office Operations at DOL’s Employee Benefits Security Administration (EBSA), observed:

“When a plan fiduciary is hiring somebody who is going to be responsible for confidential, personal information, or who’s going to be running systems to keep track of people’s account balances and the like, there’s a responsibility to make sure that you’ve hired that person prudently, that firm prudently… And if you think about plans and the universe I described, that’s just shy of $11 trillion, and with personal health and pension data, there are a lot of tempting targets there and what we’ve seen in our own enforcement actions, especially in our criminal programs, vulnerabilities are taken advantage of.”

According to Hauser, the U.S. Department of Labor is developing guidance for plan sponsors in the U.S. that would cover cybersecurity issues and third-party service providers for retirement plans.

Like so many other organizations affected by a breach experienced by one of their third-party service providers, Now:Pensions has provided notification to pension account holders and regulators. Reports indicate the breach occurred over a three-day period in mid-December and the compromised data had been obtained “by an unknown third party.”

At this point, similarly-situated organizations might be considering whether to move away from the service provider that caused the incident. Here are some reasons why that may not be the best course of action. However, one to-do list item that should be a given following a breach like this is to revisit the procurement process for selecting service providers, update it as needed to make sure it appropriately addresses cybersecurity risks, and ensure it is prudently implemented.

When it comes to ERISA employee benefit plans, hiring a service provider is in and of itself a fiduciary function. When considering a plan service provider’s level of cybersecurity, there are a number of steps plan sponsors and administrators can take to prudently assess the data privacy and security capabilities of potential plan service providers. Some examples include:

  • Take the general threats and vulnerabilities of plan service providers into account when conducting the organization’s enterprise data security risk assessment.
  • Meet with the service provider’s IT lead, but also others in the service provider’s organization – legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the service provider.
  • Require the service provider to complete a detailed list of pointed data privacy and security questions, the answers to which should be actively evaluated by your IT team, counsel, and/or consultant.
  • Ask about prior data security incidents and how they were handled.
  • Review the service provider’s policies and procedures.
  • Require the service provider to submit to an independent data security audit/review, penetration test.
  • Ask the service provider about its data breach response plan, and how often it is practiced. Plan to include the service provider when you practice your own response plan, and gauge their openness to that.

This is not an exhaustive list, and each step could be fleshed out more or less depending on the risk the service provider presents. In addition, it is appropriate to incorporate representations and additional protections concerning data privacy and security in the ultimate services agreement. The point is that because of the critical role service providers play, and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to evaluate plan service providers’ privacy and data security risk should happen at the procurement stage and on an ongoing basis, not just when a breach happens.

The IRS released final regulations on the provisions of the Tax Cuts and Jobs Act (“TCJA”) that added to Section 402(c)(3) of the Internal Revenue Code, effective January 1, 2018, special rollover relief for qualified plan loan offset (“QPLO”) amounts.

As noted in our initial blog on the TCJA change, a plan loan offset is distributed under the terms of a plan when a participant’s accrued benefit is reduced (or offset) to repay the loan. A plan loan offset amount may be distributed, among other circumstances, where the plan terms require that a loan be repaid immediately or treated as in default when the participant requests a distribution. However, the TCJA provisions for QPLOs apply to unpaid accrued loan amounts that are offset from the participant’s plan account at plan termination or at or after severance from employment if the plan provides that the accrued unpaid loan amount must be offset because of such events. Before this law change, the deadline to roll over any plan loan offset was the 60th day after the date the loan offset arose. But for QPLO amounts, as of January 1, 2018, the deadline is the filing due date (including extensions) for the participant’s tax return for the year in which the loan offset amount arises.

The main highlights of the final regulations are:

  1. No changes were made to the originally proposed regulations except that the terms of the final regulations are only required to be applied to QPLO amounts that are treated under the regulations as distributed on or after January 1, 2021. This means that the properly coded Forms 1099-R for QPLO amounts treated as such under the regulations would not be due until 2022 and later years. Note this does not change the general 2018 effective date of the TCJA amendment adding QPLO provisions to the Code.
  2. The regulations specifically define a plan loan offset occurring because of severance from employment as an offset for failure to timely repay a loan that occurs by the first anniversary of the date of the employee’s severance.
  3. Several helpful examples are given that illustrate the operation of the QPLO rules in a variety of distribution and repayment failure circumstances.

We are available to help plan administrators understand and implement these final regulations.  Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

An Arkansas law regulating pharmacy benefit managers’ (PBMs) generic drug reimbursement rates, and affecting the cost of prescription drugs provided under ERISA-governed benefit plans and the administration of those plans, is not preempted by ERISA, the U.S. Supreme Court has held unanimously. Rutledge v. Pharmaceutical Care Management Association, No. 18-540, 2020 U.S. LEXIS 5988 (Dec. 10, 2020).

With Justice Sonia Sotomayor writing for the unanimous court, the Court held that Arkansas’s law is simple rate regulation and “ERISA does not pre-empt state rate regulations that merely increase costs or alter incentives for ERISA plans without forcing plans to adopt any particular scheme of substantive coverage.” The Court explained that the law only sets a floor for pharmacy reimbursements by PBMs. It is not directed at ERISA plans, and the fact that PBMs may pass their increased costs on to ERISA plans is not ERISA’s concern.

Approximately a quarter of the workforce covered by a traditional pension plan is in a multiemployer plan, according to the U.S. Bureau of Labor Statistics. Many manufacturers that participate in such plans are unaware their largest contingent liability may stem from their allocable share of unfunded vested benefits or withdrawal liability.

Section 162(m) of the Internal Revenue Code (“Code”), which disallows the deduction by any publicly held corporation with respect to certain compensation paid to a covered employee over $1,000,000, was amended by the 2017 Tax Cuts and Jobs Act (“TCJA”).  One change made to Section 162(m) of the Code as part of the TCJA was that if an individual is a “covered employee” for a taxable year, the individual continues to be a covered employee for all future taxable years, including after termination of employment.

Separately, notwithstanding the general prohibition on the discretionary delay of payments under Section 409A of the Code, the Treasury Regulations under Section 409A provide that an employer may choose to delay a payment under a plan if it reasonably believes the deduction with respect to the payment will not be permitted under Section 162(m) of the Code (the “Delay Exception”). While such discretion is not required to be included within a plan document, some plans do mandate deferral of payment where it is reasonable to believe the payment will not be deductible under Section 162(m) of the Code.  As a result of the change made by the TCJA noted above, such a provision could effectively prevent a payment from ever becoming payable because once an individual is a covered employee the individual never loses that status, even after termination of employment.

In response, in the Preamble to proposed Treasury Regulations under Section 162(m) of the Code, the Internal Revenue Service announced that if a plan subject to Section 409A of the Code is amended to remove any Delay Exception language, the amendment will not result in an impermissible acceleration of payment under Section 409A of the Code (normally such an amendment would cause a Section 409A of the Code violation).  However, the plan amendment must be made no later than December 31, 2020.  The Preamble clarifies that the amendment can be made to apply to amounts that are not grandfathered for Section 162(m) of the Code purposes only or that it can apply to all amounts deferred (both grandfathered and non-grandfathered for Section 162(m) of the Code purposes).

The Preamble indicates this special rule will be incorporated into Treasury Regulations under Section 409A of the Code and that taxpayers may rely on the guidance in the Preamble until certain future guidance is issued.

We recommend that employers review their nonqualified deferred compensation plans as soon as possible to determine if an amendment is necessary.  Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

This term, the U.S. Supreme Court returns to a challenge to the Affordable Care Act (ACA). In the consolidated cases of California v. Texas (No. 19-840) and Texas v. California (No. 19-1019), the Court will consider whether a group of states and private individuals have standing to challenge the ACA. If that procedural hurdle is cleared, the Court then must consider whether the ACA’s individual mandate is constitutional, and, if it is not, whether that requirement can be severed from the ACA or whether the entire ACA must fall.

The U.S. Supreme Court will hear the second of several ERISA disputes this term, the first issue we discussed as the term began, October 5, 2020. On Monday, November 2, 2020, the Justices will consider whether the Railroad Retirement Board’s denial of a claimant’s request to open a prior benefits decision is a “final decision” reviewable by the courts in Salinas v. U.S. R.R. Ret. Bd. (No. 19-999).

The issue before the Court is a straightforward question of statutory interpretation. Section 355(f) of the Railroad Unemployment Insurance Act (RUIA) provides that any claimant, certain railway labor organizations, certain of the claimant’s employers, “or any other party aggrieved by a final decision under [§ 355(c)]” may obtain a court review of “any final decision of the Board” if they follow the prescribed claims procedures.

The Board construes the provision as limiting court review to the types of final decisions listed in § 355(c) of the RUIA. In support of its position, it argues that the term “other” in the phrase “any other party aggrieved by a final decision under [§ 355(c)]” indicates the other categories in the list of individuals or entities that can seek review also must have been “aggrieved by a final decision under [§ 355(c)].” Since § 355(c) does not encompass decisions regarding reopening claims, there is no right to appeal such a decision. This construction is appropriate, the Board said, because reopening of claims is a matter of “agency grace,” not a statutory requirement.

The petitioners disagree, contending the phrase “any final decision” in § 355(f) means just that – every decision is a claimant’s “last stop” at the administrative level, including a denial of a request to reopen a claim. They argue that the Board’s limited reading of the statute cuts off claimants’ recourse in the courts prematurely, potentially depriving them of benefits owed to them but mistakenly denied and violating “bedrock principles of agency accountability.”

The issue before the Court is narrow but significant. The Board administers billions of dollars of retirement, disability, sickness, and unemployment benefits each year for hundreds of thousands of claimants under the RUIA and Railroad Retirement Act. A Supreme Court order limiting the availability of judicial review to a discrete list of decisions, as the Board argues is appropriate, would have a profound impact on those claimants.

The Internal Revenue Service recently announced its cost-of-living adjustments applicable to dollar limitations on benefits and contributions for retirement plans generally effective for Tax Year 2021 (see IRS Notice 2020-79). Most notably, many of the retirement plan limitations, including the limitation on annual salary deferrals into a 401(k) or 403(b) plan, remain unchanged. The more significant dollar limits for 2021 are as follows:

| Limit | 2020 | 2021 |
|---|---|---|
| 401(k)/403(b) Elective Deferral Limit (IRC § 402(g)). The annual limit on an employee’s elective deferrals to a 401(k) or 403(b) plan made through salary reduction. | $19,500 | $19,500 |
| Government/Tax Exempt Deferral Limit (IRC § 457(e)(15)). The annual limit on an employee’s elective deferrals concerning Section 457 deferred compensation plans of state and local governments and tax-exempt organizations. | $19,500 | $19,500 |
| 401(k)/403(b)/457 Catch-up Limit (IRC § 414(v)(2)(B)(i)). In addition to the regular limit on elective deferrals described above, employees over the age of 50 generally can make an additional “catch-up” contribution not to exceed this limit. | $6,500 | $6,500 |
| Defined Contribution Plan Limit (IRC § 415(c)). The limitation for annual contributions to a defined contribution plan (such as a 401(k) plan or profit sharing plan). | $57,000 | $58,000 |
| Defined Benefit Plan Limit (IRC § 415(b)). The limitation on the annual benefits from a defined benefit plan. | $230,000 | $230,000 |
| Annual Compensation Limit (IRC § 401(a)(17)). The maximum amount of compensation that may be taken into account for benefit calculations and nondiscrimination testing. | $285,000 ($425,000 for certain gov’t plans) | $290,000 ($430,000 for certain gov’t plans) |
| Highly Compensated Employee Threshold (IRC § 414(q)). The definition of an HCE includes a compensation threshold for the prior year. A retirement plan’s discrimination testing is based on coverage and benefits for HCEs. | $130,000 (for 2021 HCE determination) | $130,000 (for 2022 HCE determination) |
| Key Employee Compensation Threshold (IRC § 416). The definition of a key employee includes a compensation threshold. Key employees must be determined for purposes of applying the top-heavy rules. Generally, a plan is top-heavy if the plan benefits of key employees exceed 60% of the aggregate plan benefits of all employees. | $185,000 | $185,000 |
| SEP Minimum Compensation Limit (IRC § 408(k)(2)(C)). The mandatory participation requirements for a simplified employee pension (SEP) include this minimum compensation threshold. | $600 | $650 |
| SIMPLE Employee Contribution (IRC § 408(p)(2)(E)). The limitation on deferrals to a SIMPLE retirement account. | $13,500 | $13,500 |
| SIMPLE Catch-up Limit (IRC § 414(v)(2)(B)(ii)). The maximum amount of catch-up contributions that individuals age 50 or over may make to a SIMPLE retirement account or SIMPLE 401(k) plan. | $3,000 | $3,000 |
| Social Security Taxable Wage Base (see the 2021 SS Changes Fact Sheet). This threshold is the maximum amount of earned income on which Social Security taxes may be imposed (6.20% paid by the employee and 6.20% paid by the employer). | $137,700 | $142,800 |

The Supreme Court, whose new term begins today, the first Monday in October, will consider a number of cases impacting employee benefits and benefits litigation.  This is the first in a series analyzing these cases as they are heard by the Court.  The first issue up concerns prescription drug benefit regulation, and later in the series, we will address the hot button issue of the constitutionality of the Affordable Care Act, benefits for railroad workers, and considerations when including arbitration provisions in benefit plans.

On October 6, 2020, the U.S. Supreme Court will hear argument on ERISA’s preemptive effect on a state law regulating pharmacy benefit managers’ (PBMs) generic drug reimbursement rates in Rutledge v. Pharmaceutical Care Management Association (No. 18-540). The case considers regulation of PBMs under Arkansas law, but because a majority of states have enacted similar laws, the decision in Rutledge will extend beyond Arkansas.

Notice 2020-68 from the IRS provides valuable clarification for sponsors of qualified plans, 403(b) plans, and 457(b) governmental plans, as well as IRA holders, related to certain provisions in the Setting Every Community Up for Retirement Enhancement Act of 2019 (SECURE Act) and the Bipartisan American Miners Act of 2019.

A new tax credit under the SECURE Act aims to offset the costs of establishing and maintaining a qualified employer plan that provides an eligible automatic enrollment arrangement (EACA). The $500 credit is also available to eligible employers that amend an existing plan to add an EACA.