DOL Announces Opening of Voluntary Information Collection from Plan Administrators for New Lost and Found Database
[35935]
November 25, 2024
TO: ICI MembersPension Committee
Pension Operations Advisory Committee SUBJECTS: Pension RE: DOL Announces Opening of Voluntary Information Collection from Plan Administrators for New Lost and Found Database
On November 18, 2024, the Department of Labor (DOL) announced the start of its information collection in order to establish the Retirement Savings Lost and Found online searchable database as directed under §303 of the SECURE 2.0 Act.[1]
DOL is requesting that retirement plan administrators, through their recordkeepers, voluntarily provide information to the database, through an intake portal that was opened to begin accepting data as of November 18, 2024. The scope of information requested is the generally same as the reduced scope described in the revised Information Collection Request (ICR) published in September 2024, with two additional data elements included (as described below). DOL also announces an enforcement policy related to the provision of data to the database.
Background
Section 303 of the SECURE 2.0 Act directs DOL, by December 29, 2024, to create a national online, searchable database to be managed by DOL, containing information on tax-qualified retirement plans to enable retirement savers to search for the contact information of their plan administrator and locate the benefits they have earned. The Act also requires plans to report certain information to DOL (in a manner and form prescribed by regulations), effective with respect to plan years that begin after December 31, 2023.
In April 2024, DOL submitted a proposed ICR to OMB, proposing to request that plan administrators (or their authorized representative, such as a recordkeeper) voluntarily furnish specified information to establish the database.[2] DOL requested, to the extent possible, the information listed in the statute (data elements detailed in ERISA section 523(e)), as well as several additional data elements, all dating back to the date a plan became subject to ERISA.
On September 12, 2024, DOL published a revised ICR modifying its earlier proposed ICR.[3] In response to comments objecting to the breadth of the initial proposed ICR, DOL significantly narrowed the scope of the voluntary information request, requesting the name and social security number of any participant who separated from service, is owed a benefit, and is age 65 or older, as well as current contact information for the plan.
ICI submitted comment letters in response to both the proposed and revised ICRs, explaining that the voluntary nature of the ICR itself raises concerns for service providers.[4] Service providers generally do not disclose employees' personally identifiable information (PII) except as required by law, and their service agreements generally include restrictions on sharing plan and participant information to third parties. Therefore, it would be difficult for a service provider to justify voluntarily providing the information requested, even to a federal agency. In response to the proposed ICR, our letter also objected to the expansive scope of the requested information.
Announcement of Voluntary Information Collection
In the recent announcement of the approved ICR, DOL indicated that it has established a portal for plan administrators or their recordkeepers to submit information directly into the Lost and Found database. The portal was open for data submission as of the date of the announcement (November 18). DOL also created a template (a table, in Microsoft Excel/CSV format, which may be downloaded, populated and then uploaded directly to the database) and line-by-line instructions to assist filers.[5] In the announcement, DOL responded to a number of concerns raised by commenters, as described below.
Security Issues. Several commenters to the proposed ICR expressed concerns regarding the security of the database and the data transfer. Commenters also raised concerns about fraud, if the public is allowed to search the information freely, and that certain property finders may use data scraping technology to obtain and use the information. In the announcement, DOL responds, noting "that the Retirement Savings Lost and Found is being developed in accordance with the U.S. Department of Commerce National Institute of Standards and Technology SP 800-53 Revision 5 security controls, including implementation of all applicable privacy controls."[6] DOL describes other security precautions it has taken, including that the data will be encrypted, searches will produce search results particularized to the user, and in order to search the database, users must create log-in credentials. DOL believes these precautions will thoroughly mitigate the risks of unintended disclosure or fraud.[7]
Scope of Request. The scope of data being requested is similar to that described in the revised ICR, including the name and social security number of any participant who separated from service, is owed a benefit from the plan, and is age 65 or older, as well as current contact information for the plan administrator. In response to comments, DOL has added two new data elements to allow filers to indicate whether the benefit has been paid and the date of payment. This is intended to mitigate concerns about individuals obtaining false positives from search results.
Fiduciary Concerns and Enforcement Policy. Several commenters expressed concerns about the voluntary nature of the request and providing data without participant consent. Commenters cited the fiduciary obligation under ERISA to take prudent measures to protect participants' personal information and mitigate cybersecurity risks. Commenters also raised concerns about liability under state privacy laws.[8] In response to these concerns, DOL reassures plan fiduciaries that if they furnish data as described in the announcement (including following the instructions for transmitting the data), "they will have satisfied their duty under section 404 of ERISA to ensure proper mitigation of cybersecurity risks."[9] Further, DOL announces an enforcement policy intended to "incentivize and encourage" plans to voluntarily submit data.[10]
The Department will not take enforcement action under ERISA against any plan fiduciary, or recordkeeper or other party acting on behalf of the plan, for responding to this information collection request without first obtaining participant consent to the extent required by state law provided that the plan fiduciary acts reasonably and in good faith in responding to this information collection request. [11]
Cost of Reporting. Commenters noted the costs associated with collecting, formatting, and transmitting the data, and DOL confirms that the reasonable cost of voluntarily reporting the data is a permissible use of plan assets.[12]
Participant Opt-Out. The statutory language in SECURE 2.0 requires that participants be allowed to opt out of inclusion in the Lost and Found database.[13] In response to comments regarding this requirement, DOL explains that initially, participants may opt out by submitting a request through DOL's website. If a participant opts out through this method, DOL will suppress that participant's data from appearing in search results on the database.[14] DOL does not offer an option that would allow participants to opt out of the transmission of their data from the plan to DOL. DOL is considering adding an online opt-out feature directly to the Lost and Found, rather than through DOL's website.
Future Changes to the Lost and Found Database. While DOL significantly narrowed the scope of information it is collecting initially, DOL makes clear that it intends to expand the scope in the future. DOL states that it does not agree with comments that it is inappropriate for DOL to collect of the information DOL had initially proposed to collect (which included information going back to the date a plan first became subject to ERISA). DOL explains that it will gradually expand the database to fully implement the statutory requirement, and that the expansion will be made through a notice-and-comment process.[15]
As DOL previously explained, much of the information DOL wants to include in the database is currently reported to IRS on the Form 8955-SSA (Annual Registration Statement Identifying Separated Participants With Deferred Vested Benefits).[16] DOL initially attempted to work with IRS to obtain the information provided on the form directly from IRS; however, IRS responded that it will not release this information to DOL, citing concerns regarding IRS compliance with Code section 6103's privacy and disclosure restrictions. In the announcement, DOL notes that it has continued its discussions with IRS and the Social Security Administration regarding the use of Form 8955-SSA, and that DOL believes it will be able to use the data from the form in the future. Citing a 2013 GAO report, DOL also notes that the information from the Form 8955-SSA "may often be inaccurate, outdated, or incomplete."[17] In that regard, DOL asserts that, even if Form 8955-SSA data is shared with DOL, "such data would stand to benefit if supplemented by current recordkeeper data" and that the "minimal voluntary data collection requested here" will help ensure the accuracy of the database.[18]
No Safe Harbor for Missing Participants. ICI's letter to DOL suggested that to encourage plans to voluntarily provide the data, DOL could provide a fiduciary safe harbor on steps fiduciaries of defined contribution plans can take to fulfill their obligations under ERISA to locate missing participants. In the announcement, DOL responds that this request is outside the scope of the ICR and refers to its existing guidance regarding missing participants.[19]
Shannon Salinas
Associate General Counsel - Retirement Policy
Notes
[1] The announcement was published at 89 Fed. Reg. 91787 (November 20, 2024), available at https://www.govinfo.gov/content/pkg/FR-2024-11-20/pdf/2024-27098.pdf. DOL's news release, dated November 18, 2024, is available at https://www.dol.gov/newsroom/releases/ebsa/ebsa20241118-0, and a fact sheet is available at https://www.dol.gov/agencies/ebsa/about-ebsa/our-activities/resource-center/fact-sheets/retirement-savings-lost-and-found-information-collection-request. For a summary of the SECURE 2.0 Act, see ICI Memorandum No. 34795, dated January 12, 2023, available at https://www.ici.org/memo34795.
[2] For an overview of the proposed ICR, see ICI Memorandum No. 35685, dated April 17, 2024, available at https://www.ici.org/memo35685.
[3] For an overview of the revised ICR, see ICI Memorandum No. 35866, dated September 26, 2024, available at https://www.ici.org/memo35866.
[4] For a summary of ICI's comments in response to the proposed ICR, see ICI Memorandum No. 35745, dated June 18, 2024, available at https://www.ici.org/memo35745. For a summary of ICI's comments in response to the revised ICR, see ICI Memorandum No. 35883, dated October 16, 2024, available at https://www.ici.org/memo35883.
[5] 89 Fed. Reg. at 91792. The template and instructions are attached to the announcement as appendix A and appendix B.
[6] 89 Fed. Reg. at 91792.
[7] 89 Fed. Reg. at 91793.
[8] In response to this concern, DOL admits that it is unclear whether any of these state privacy laws apply in this specific circumstance, but assets that DOL has authority to collect the data under new section 523(e) of ERISA. Further, DOL cites comments that such laws often have exemptions for information provided to government authorities to comply with a regulatory inquiry, and DOL counters that no one has suggested that DOL is not a government authority or that the data collection is not a proper regulatory function. DOL does not, however, comment on the fact that the voluntary nature of the collection may affect the application of state privacy laws. 89 Fed. Reg. at 91793.
[9] 89 Fed. Reg. at 91793.
[10] 89 Fed. Reg. at 91788.
[11] 89 Fed. Reg. at 91793.
[12] 89 Fed. Reg. at 91794. Note that in DOL's summary of the burden of the voluntary information collection, DOL estimates a three-hour average time burden, with an equivalent cost, but does not believe there to be any separate cost, aside from the time burden. 89 Fed. Reg. at 91788.
[13] ERISA section 523(c)(2).
[14] Participants may submit the opt-out request at https://www.dol.gov/agencies/ebsa/about-ebsa/ask-a-question/ask-ebsa.
[15] 89 Fed. Reg. at 91788 and 91791. DOL also confirms that it will take the comments it received on the ICR into consideration for any future improvements to the program. 89 Fed. Reg. at 91794.
[16] The IRS provides this information to the Social Security Administration, who then provides it to separated vested participants when they file for Social Security benefits.
[17] 89 Fed. Reg. at 91794 (GAO report cited at footnote 20).
[18] 89 Fed. Reg. at 91794.
[19] 89 Fed. Reg. at 91795. While DOL suggests that the request is outside the scope of the project, DOL does include a section in the announcement (as it did in the initial proposed ICR) touting its terminated vested participants project, focused on locating missing participants and ensuring that plans implement appropriate search procedures for terminated participants and beneficiaries. 89 Fed. Reg. at 91789.