Recently, a 401(k) plan participant fell victim to an elaborate scheme perpetrated by overseas criminals and was defrauded of approximately $740,000. However, even friends, family members, and employers have been discovered stealing from 401(k) accounts, adding up to millions of dollars in losses every year. Here’s what your organization can do to help keep your employees’ retirement savings safe from theft.
Assessing Existing Protections
If your organization sponsors a 401(k) plan, assessing plan service providers’ protection systems and policies is essential. Most providers carry cyber fraud insurance that they extend to plan participants. But there may be limits to this protection if, for example, the provider determines that you (the sponsor) or employees (participants) opened the door to a security breach.
Your plan’s documents may say that participants must adopt the provider’s recommended security practices. These could include checking account information “frequently” and reviewing correspondence from the administrator “promptly.” Make sure you and your employees understand what these terms mean — and follow them.
Using Technology To Foil Thieves
In recent years, several 401(k) plan sponsors have been sued for not adequately protecting the personal data of participants whose accounts were hacked. Although every organization needs comprehensive and up-to-date cybersecurity protection, you should be even more vigilant if you keep 401(k) plan information on your servers.
Know that two-factor authentication when signing in to an account may not be enough. Some experts now encourage plan sponsors to enable three-factor authentication to foil fast-evolving fraud schemes. Also, employees should be strongly encouraged to follow strict security protocols when managing their 401(k) accounts. For example, they should:
- Choose complex passwords they don’t use on other sites — and change them often
- Never write down account logins/passwords or store them in their browsers
- Be suspicious if they have trouble logging in to their account or if the sign-in page looks different from what they’re used to
- Independently confirm the identity of anyone who contacts them claiming to be from the government, law enforcement, their 401(k) plan sponsor, or a financial institution, and asks for account information
Some more complex 401(k) plan schemes have involved crooks pretending to be fraud investigators. These criminals usually instruct account holders to move their savings to “safer” locations. Then, they abscond with the funds. Make sure employees have a number they can call for official plan information or if they need to verify someone who has contacted them.
A Rare But Worrisome Issue
Finally, although employer theft of employees’ 401(k) plan funds is relatively rare, some financially troubled organizations have been accused of illegally withdrawing or retaining participants’ 401(k) contributions. According to the Department of Labor, 401(k) sponsors must deposit participants’ contributions as soon as they can be segregated from the organization’s assets — no later than the 15th business day of the month after the amounts were withheld. A safe harbor rule for smaller organizations (fewer than 100 participants) says that employers should deposit contributions within seven business days of the withholding pay date.
For questions about protecting your organization’s assets and workers from fraud, contact us.