Courts are now sorting out who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests.

Can the employer, as the plan sponsor, be held responsible when an outside service provider honors a suspicious distribution request?

One federal court recently dismissed such a case against the employer because the plan's website provider was alleged to have processed and authorized a fraudulent online distribution request without adequate participant confirmation. However, employers are plan fiduciaries with a duty to select and monitor the performance of plan service providers. This opens the door to potential claims against employers for their alleged failure to pick service providers with adequate cyber security practices - even if the employer's own data systems are secure and well maintained.

What should an employer do about this?

Service providers for 401(k) and other retirement plans require access to personal data on participants including name, age, address, date of hire, compensation and possibly social security number. This data is necessary to allow plan administrators and recordkeepers to properly allocate plan contributions and earnings to individual participant accounts, to prepare participant statements and for income tax reporting purposes.

Your retirement plan may have an outside third party administrator (TPA) to assist with plan administration. However, a TPA typically is not a fiduciary to the plan and does not act as “plan administrator” (that’s usually the employer itself as provided in a typical TPA services agreement). This leaves the employer ultimately responsible for the plan’s compliance with all applicable legal requirements. So, even if your TPA makes a mistake, the employer is likely on the hook for any resulting liability because the TPA’s services agreement usually imposes damage limits and employer indemnities that protect the TPA.