89 FR 224 pgs. 91787-91802 - Retirement Savings Lost and Found
Type: NOTICEVolume: 89Number: 224Pages: 91787 - 91802
Pages: 91787, 91788, 91789, 91790, 91791, 91792, 91793, 91794, 91795, 91796, 91797, 91798, 91799, 91800, 91801, 91802FR document: [FR Doc. 2024-27098 Filed 11-19-24; 8:45 am]
Agency: Labor Department
Sub Agency: Employee Benefits Security Administration
Official PDF Version: PDF Version
[top]
DEPARTMENT OF LABOR
Employee Benefits Security Administration
Retirement Savings Lost and Found
AGENCY:
Employee Benefits Security Administration, Department of Labor.
ACTION:
Announcement of voluntary information collection request.
SUMMARY:
[top] This notice announces that the Office of Management and Budget's
DATES:
Information may be submitted immediately.
ADDRESSES:
Information may be submitted at https://lostandfound-intake.dol.gov/.
FOR FURTHER INFORMATION CONTACT:
For questions regarding how to submit data in response to this information collection request: contact Division of IT Operations Support, Office of Program Planning, Evaluation and Management, Employee Benefits Security Administration, (202) 693-8610. For general questions regarding section 523 of the Employee Retirement Income Security Act, contact Stephen Sklenar, Office of Regulations and Interpretations, Employee Benefits Security Administration, (202) 693-8500. These are not toll-free numbers.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
The Department of Labor's Employee Benefits Security Administration (Department or EBSA) is now collecting information from retirement plan administrators in order to establish and maintain the Retirement Savings Lost and Found online searchable database described in section 523 of the Employee Retirement Income Security Act of 1974 (ERISA). This database will help connect missing participants and other individuals who may have lost track of their retirement benefits with retirement plans that may be holding such benefits. This information collection request is voluntary.
The information being collected is basic information about individuals of a certain age who may be owed benefits under ERISA retirement plans. Specifically, EBSA is requesting the name and social security number of any participant who separated from service, is owed a benefit from the plan, and is age 65 or older. EBSA also is asking for current contact information for the plan administrator so that individuals meeting these characteristics may contact the plan administrator and make an inquiry.
The scope of this information collection request is very narrow. It is much narrower than what was previously proposed by the Department and what is ultimately going to be necessary to establish and maintain the complete database contemplated by section 523 of ERISA. 1 The Department narrowed the scope of its proposal in response to public concerns that the proposal was overly broad and unnecessarily burdensome. As supported by commenters, the Department is starting its information collection efforts by focusing on information about individuals who are at or near normal retirement age and who are owed a benefit by the plan. This is because such individuals are more likely to benefit sooner from a functioning Retirement Savings Lost and Found database than other age cohorts. Future efforts through notice and comment, however, will be needed to gradually expand the database to fully implement section 523 of ERISA.
Footnotes:
1 ?89 FR 26932.
II. Summary of Burden
In summary, the final information collection request has a 3-year average hour burden of 26,017 hours with an equivalent cost of $4,660,421 and a cost burden of $0. 2
Footnotes:
2 ?The total burden for this information collection is estimated as an hour burden. The hour burden is measured as the time for recordkeepers to obtain authorization, the time for plan administrators to provide authorization to the recordkeepers, and the time for recordkeepers to provide data to the Retirement Savings Lost and Found database. Costs accounted for in the hour burden are not included in cost burden to avoid double counting, resulting in a cost burden of zero. The act of transmitting the data to the Retirement Savings Lost and Found is a cost burden but since that will occur electronically, the Department subsumed the minimal cost of that activity within the hour burden.
A summary of paperwork burden estimates follows:
Type of Review: Revision.
Agency: Employee Benefits Security Administration, U.S. Department of Labor.
Title: Retirement Savings Lost and Found.
OMB Control Number: 1210-0172.
Affected Public: Businesses or other for-profits, Not-for-profit institutions.
Estimated Number of Respondents: 150,920.
Estimated Number of Annual Responses: 150,940.
Frequency of Response: Annual.
Estimated Total Annual Burden Hours: 26,017.
Estimated Total Annual Burden Cost: $0.
III. Background
A. Section 303 of SECURE 2.0
Section 303 of the SECURE 2.0 Act of 2022, which was enacted on December 29, 2022 (SECURE 2.0), 3 amended part 5 of subtitle B of title I of ERISA to add Section 523, which requires the Department, not later than 2 years after the date of enactment and in consultation with the Secretary of the Treasury, to create an online searchable database, to be known as the Retirement Savings Lost and Found. Among other things, SECURE 2.0 requires that this database allow retirement savers who may have lost track of their retirement plan to search for the contact information of their plan administrator in order to make a claim for benefits that they may be owed under the plan.
Footnotes:
3 ?Consolidated Appropriations Act, 2023, H.R. 2617.
Section 523(a) of ERISA expressly directs the Secretary to establish an online searchable database which, inter alia, allows an individual to locate information about a plan if the individual is or was a participant of that plan. Section 523(e) of ERISA expressly authorizes the Department to collect certain information for plan years beginning after December 31, 2023. For example, it authorizes the Department to collect the information described in sections 6057(b)(1) through (4) and 6057(a)(2)(A) and (B) of the Internal Revenue Code of 1986 (Code). It also authorizes the Department to collect the names and social security numbers of participants and former participants described in Code section 6057(a)(2)(C) ( i.e., individuals who separated from service covered under their plans and who are entitled to deferred vested benefits) and identify those who were fully paid their deferred vested benefits. Finally, it authorizes the Department to collect the names and social security numbers of each participant or former participant in the plan with respect to whom vested benefits were distributed under section 401(a)(31)(B) of the Code or to whom a deferred annuity contract was distributed.
B. IRS Form 8955-SSA
[top] Much of the foregoing information is currently reported to the Internal
Footnotes:
4 ?The Form 8955-SSA is the designated successor to Schedule SSA (Form 5500). The Schedule SSA attachment to the Form 5500 was the vehicle the IRS used to collect this information until the Schedule SSA was replaced by the stand-alone IRS Form 8955-SSA.
Initially, citing concerns under section 6103 of the Code, 5 IRS indicated that it would not authorize the release of this data to the Department for the purpose of communicating either directly with participants and beneficiaries about retirement plans that may still owe them retirement benefits or indirectly through the Retirement Savings Lost and Found online searchable database. As explained below in section VII F of this notice, however, the Department believes the issues are now resolved and that it will be able to receive the information reported on Form 8955-SSA.
Footnotes:
5 ?See 26 U.S.C. 6103 (confidentiality and disclosure of returns and return information).
Nevertheless, the Department is moving forward with the voluntary information collection request because of the uncertainties associated with the Form 8955-SSA data, concerns about the completeness and accuracy of that data, and the importance of complying with the statutory deadline contained in section 523 of ERISA. Accordingly, the Department continues to request that plan administrators voluntarily furnish the information specified below directly to the Department.
C. Terminated Vested Participants Project
Separate from the database required by SECURE 2.0, the Department administers the Terminated Vested Participants Project (TVPP or missing participant program). The TVPP has three key objectives for defined benefit pension plans. First, to ensure these plans maintain adequate census and other records necessary to determine (a) the identity and address of participants and beneficiaries due benefits under the plan, (b) the amount of benefits due under the plan, and (c) when participants and beneficiaries are eligible to commence benefits. Second, to ensure these plans have appropriate procedures for advising participants with vested accrued benefits of their eligibility to apply for benefits as they near normal retirement age and the date they must start required minimum distributions under federal tax law. Third, to ensure these plans implement appropriate search procedures for terminated participants and beneficiaries for whom they have incorrect or incomplete information. Since 2017, the Department has recovered more than $7 billion for such "missing" participants and beneficiaries.
IV. April 2024 Proposed Information Collection Request
On April 16, 2024, the Department published for notice and comment in the Federal Register a proposed information collection request (April 2024 Proposed ICR) setting forth a proposed framework for a voluntary information collection. The April 2024 Proposed ICR contained three broad categories of information, as follows: (1) Information From Plans With Separated Vested Participants; (2) Information From Plans That Distributed Benefits Under Section 401(a)(31)(B) of the Internal Revenue Code; and (3) Information From Plans That Distributed Annuities. 6 The specific information in each category of the April 2024 Proposed ICR is set forth below in Section IV. The Department received thirteen comment letters in response to the April 2024 Proposed ICR. The commenters' concerns are addressed in Sections V-VII.
Footnotes:
6 ?89 FR 26932.
A. Plans With Separated Vested Participants
The April 2024 Proposed ICR, in relevant part, sought to collect the following information for any plan with a participant or former participant described in 26 U.S.C. 6057(a)(2)(C) ("separated vested participant"):
1. Name and plan number of plan as reflected on the most recent Form 5500 Annual Return/Report of Employee Benefit Plan or Form 5500-SF Short Form Annual Return/Report of Employee Benefit Plan (individually and collectively "Form 5500"). If the plan had names other than the name on the most recent Form 5500, provide the prior names and plan numbers and include the date of change.
2. Name, employer identification number (EIN), mailing address, and telephone number of the plan administrator as reflected on the most recent Form 5500. If the plan had plan administrators other than the plan administrator on the most recent Form 5500, provide the names and EINs of the prior plan administrators and include the date of change.
3. Name, EIN, mailing address, and telephone number of the plan sponsor as reflected on the most recent Form 5500, if different than the plan administrator. If the plan had plan sponsors other than the plan sponsor on the most recent Form 5500, provide the names and EINs of the prior plan sponsors and include the date of change.
4. Name, date of birth, mailing address, email address, telephone number, and social security number (SSN) of each separated vested participant.
5. Nature, form, and amount of benefit of each separated vested participant.
6. If the vested benefit of each such separated vested participant was fully paid in a form other than an annuity ( i.e., lump sum payout) to the separated vested participant, provide the date and the amount of the distribution.
7. If an annuity form of benefit, state whether the separated vested participant has begun receiving benefits, the date of the annuity commencement, and the monthly benefit.
8. Name, date of birth, mailing address, email address, telephone number, and SSN of any separated vested participant of normal retirement age or older who is owed a vested benefit, and who has been unresponsive to plan communications about their benefits or whose contact information as set forth in paragraph 4 above, the plan has reason to believe is no longer accurate.
9. Name, date of birth, mailing address, email address, telephone number, and SSN of any designated beneficiary of the separated vested participant.
10. With respect to any participant whose benefit was transferred to the plan in the manner described in Line 9 of the Form 8955-SSA, provide the name and plan number of the transferor plan. Include the date of transfer to the plan.
B. Plans That Distributed Benefits Under Section 401(a)(31)(B) of the Internal Revenue Code
[top] The April 2024 Proposed ICR, in relevant part, sought to collect the following information for any plan that
1. Name of plan and plan number as reflected on the most recent Form 5500. If the plan had names other than the name on the most recent Form 5500, provide the prior names and plan numbers to include the date of change.
2. Name, EIN, mailing address, and telephone number of the plan administrator as reflected on the most recent Form 5500. If the plan had plan administrators other than the plan administrator on the most recent Form 5500, provide the names and EINs of the prior plan administrators and include the date of change.
3. Name, EIN, mailing address, and telephone number of the plan sponsor as reflected on the most recent Form 5500, if different than the plan administrator. If the plan had plan sponsors other than the plan sponsor on the most recent Form 5500, provide the names and EINs of the prior plan sponsors and include the date of change.
4. Name, date of birth, mailing address, email address, telephone number and SSN of each participant or former participant with respect to whom any amount of the vested benefit was distributed under section 401(a)(31)(B) of the Code.
5. With respect to such participant or former participant, the name of the designated trustee or issuer described in section 401(a)(31)(B) of the Code.
6. With respect to such participant or former participant, the address of the designated trustee or issuer described in section 401(a)(31)(B) of the Code.
7. With respect to such participant or former participant, the amount of the distribution.
8. With respect to such participant or former participant, the account number of the individual retirement plan to which the amount was distributed.
9. With respect to such participant or former participant, the name, date of birth, mailing address, email address, telephone number, and SSN of any designated beneficiary.
C. Plans That Distributed Annuities
The April 2024 Proposed ICR, in relevant part, sought to collect the following information for any plan that distributed benefits pursuant to an annuity contract described in 29 CFR 2510.3-3(d)(2)(ii):
1. Name and plan number of plan as reflected on the most recent Form 5500. If the plan had names other than the name on the most recent Form 5500, provide the prior names and plan numbers to include the date of change.
2. Name, EIN, mailing address, and telephone number of the current plan administrator as reflected on the most recent Form 5500. If the plan had plan administrators other than the plan administrator on the most recent Form 5500, provide the names and EINs of the prior plan administrators and include the date of change.
3. Name, EIN, mailing address, and telephone number of plan sponsor as reflected on the most recent Form 5500, if different than the plan administrator. If the plan had plan sponsors other than the plan sponsor on the most recent Form 5500, provide the names and EINs of the prior plan sponsors and include the date of change.
4. Name, date of birth, SSN, mailing address, email address, and telephone number of each participant or former participant with respect to whom an annuity contract, described in 29 CFR 2510.3-3(d)(2)(ii), was distributed.
5. With respect to such participant or former participant, the name of the issuer of the annuity contract.
6. With respect to such participant or former participant, the address of the issuer of the annuity contract.
7. With respect to such participant or former participant, the contract or certificate number.
8. With respect to such participant or former participant, the name, date of birth, mailing address, email address, telephone number, and SSN of any designated beneficiary.
D. Historical Data
With respect to all three categories of information described above (in sections A through C), the April 2024 Proposed ICR sought historic information, to the extent available, dating back to the date the plan first became subject to ERISA or as far back as possible, if shorter. The Proposed ICR sought this data in an effort to establish the most effective Retirement Savings Lost and Found online searchable database possible.
E. Public Comments on April 2024 Proposal
Nearly every commenter objected to the breadth of the April 2024 Proposed ICR. One commenter, for instance, asserted that there is very little information the Department needs to build the Retirement Savings Lost and Found database contemplated by section 523 of ERISA. This commenter is of the view that "the only information needed is the participant's name, the plan name and the plan's contact information, and any updates to the latter two."? 7 This commenter suggested that the Department reevaluate what actually is needed for the database to function and focus on collecting only that information.
Footnotes:
7 ?Comment Letter of US Chamber of Commerce, page 3.
A different commenter asserted that, in many respects, the April 2024 Proposed ICR goes beyond what the Department is expressly authorized to collect under section 523 of ERISA. This commenter also contended that the April 2024 Proposed ICR goes beyond "what is reasonably necessary to ensure the proper administration and maintenance of the [Retirement Savings Lost and Found], as envisioned by Congress."? 8 This commenter suggested that, before moving on to additional services and functionality that might necessitate broader information requests, the Department should limit its information request to only those data elements that are necessary for participants to locate and receive information that is needed to access benefits owed them. In the commenter's view, such information did not include, for example, information regarding (a) beneficiaries; (b) participant and beneficiary contact information such as phone numbers, email addresses, and physical addresses; and (c) account balances.
Footnotes:
8 ?Comment Letter of SPARK, page 2.
A third commenter stated that the April 2024 Proposed ICR asks plan administrators for an "overwhelming" amount of information beyond what is specifically authorized. 9 Unauthorized and unnecessary information, according to this commenter, includes (a) plan sponsor information; (b) date of birth, mailing address, email address, and telephone number of the participant; (c) beneficiary information; and (d) historical information. This commenter believes that the April 2024 Proposed ICR unnecessarily complicates what was supposed to be a basic online database, raising serious privacy and administration concerns. Accordingly, the commenter urged the Department to narrow the April 2024 Proposed ICR and abandon the proposal.
Footnotes:
9 ?Comment Letter of the ERISA Industry Committee, pp 2-3.
[top] A fourth commenter stated that the April 2024 Proposed ICR requests significantly more information about participants and their beneficiaries than is authorized by the statute's limited list of data elements. 10 This commenter also argued that the proposal requests data dating back to the date a plan became covered by ERISA, while the statue
Footnotes:
10 ?Comment Letter of the Investment Company Institute, page 5.
11 ?See also Comment Letter of American Retirement Association (sharing this concern), page 2.
Another commenter expressed its concern with the April 2024 Proposed ICR's request for data on individuals that exceeds the data specifically described in the statute. 12 This commenter stated that the statute contemplates the name and taxpayer identifying number of terminated vested participants whose benefits were distributed during the plan year, together with certain limited additional information such as whether an annuity was distributed to such an individual and the name and address of the annuity issuer. This commenter asserted that the more personal information the Department requests beyond what is necessary, the greater the potential liability if such data is compromised, and the greater the possibility that plans will not provide any information. This commenter encourages the Department not to proceed with any voluntary information collection request, but instead proceed directly to the rulemaking process and limit the information required to what is required by the statute.
Footnotes:
12 ?Comment Letter of American Benefits Council, page 6.
This commenter also strongly objected to the historical information requested by the April 2024 Proposed ICR. This commenter argued that the statute does not contemplate requiring administrators to report the plan-related information described in Internal Revenue Code section 6057(b)(1)-(4) or 6057(a)(2)(A)-(B) on a retroactive basis, let alone as far back as to the date a covered plan became subject to ERISA. This commenter submits that the re-creation of historical plan data by administrators would in many cases be exceedingly challenging and time-consuming, and for some plans it will be impossible to produce.
V. September 2024 Revised Information Collection Request
A. Narrowed Scope of April 2024 Proposal
In response to the public comments received on the April 2024 Proposed ICR (discussed above in section IV E of this notice), the Department revised and republished the proposed ICR in September 2024 again soliciting public input (September 2024 Revised ICR). 13 As compared to the April 2024 Proposed ICR, the September 2024 Revised ICR proposed to significantly narrow the scope of collection to capture only information on separated vested participants who have reached age 65 and who are owed a benefit, as well as basic contact information for the plan administrator. Information on separated vested participants under the second proposal in September included deceased participants who would have been age 65 or older if they had survived and whose beneficiary is entitled to a benefit; separated vested participants aged 65 or older whose benefits were conditionally forfeited under Treasury Regulation section 1.411(a)-4(b)(6); and separated vested participants aged 65 or older who are in pay status. The comment period for the September 2024 Revised ICR closed on October 15, 2024, and five comments on the September Revised ICR were received.
Footnotes:
13 ?89 FR 74291 (Sept. 12, 2024).
B. Public Comments on Narrower Scope
Overall, commenters supported the narrower scope of collection in the September 2024 Revised ICR. Commenters, however, continued to raise a number of concerns including with respect to cybersecurity risks. These comments and concerns are addressed below.
VI. Final Information Collection Request
A. Decision To Narrow Information Collection Request
The Department does not agree with the position of those commenters described in Section IV.E who found it inappropriate for the Department to collect all of the information listed in the April 2024 Proposed ICR. Nevertheless, the Department generally agrees to structure the final information collection request to reduce cost and burden on responders in order to encourage participation. The Department has significantly narrowed the scope of the final information collection request in response to public comments. Generally speaking, this final information collection request is limited to the current contact information for the plan as well as the name and social security number of any participant who separated from service, is owed a benefit, and is age 65 or older. In this regard, the scope of the final information collection request is very similar to the scope of the September 2024 Revised ICR, with a few improvements made in response to public comments received on the September proposal.
Subsection VI B of this notice delineates the precise data points being sought under the final ICR. Unlike the April 2024 Proposed ICR, this final information collection request does not seek, among other things, data on: (a) historical practices dating back to the date the covered plan became subject to ERISA; (b) beneficiaries; (c) date of birth, mailing address, email address, and telephone number of each separated vested participant; (d) benefits distributed under section 401(a)(31)(B) of the Internal Revenue Code; and (e) benefits distributed pursuant to an annuity contract described in 29 CFR 2510.3-3(d)(2)(ii).
As supported by commenters, the Department is starting its information collection efforts by focusing on information about individuals who are at or near normal retirement age and who are owed a benefit by the plan. This is because such individuals are more likely to benefit sooner from a functioning database than other age cohorts. Future efforts, however, are needed to gradually expand the database to fully implement section 523 of ERISA. At this time, the Department is requesting only the following specific information.
B. Specific Information Requested-Limited to Plans With Separated Vested Participants Still Owed Benefits
For any plan with a participant or former participant described in 26 U.S.C. 6057(a)(2)(C)(i) and (ii) ("separated vested participant"), provide the following information with respect to that plan in accordance with filing instructions created by the Department:
[top] 1. Name and plan number of plan as reflected on the most recent Form 5500 Annual Return/Report of Employee Benefit Plan or Form 5500-SF Short Form Annual Return/Report of
2. Name, employer identification number (EIN), mailing address, and telephone number of the plan administrator as reflected on the most recent Form 5500.
3. Name, EIN, and telephone number of the plan sponsor as reflected on the most recent Form 5500.
4. Name and SSN of any separated vested participant aged 65 (or older) who is owed a vested benefit. This includes deceased participants who would have been age 65 or older if they had survived and whose beneficiary is entitled to a benefit; separated vested participants aged 65 or older whose benefits were conditionally forfeited under Treasury Regulation section 1.411(a)-4(b)(6); and separated vested participants aged 65 or older who are in pay status.
5. With respect to participants previously reported to the Retirement Savings Lost and Found as owed a benefit that has since been paid, indicate once their benefit has been paid and the date of the payment.
C. Scope-Beneficiaries
Commenters on the September 2024 Revised ICR objected to collecting information about beneficiaries. Commenters stated that information about beneficiaries is beyond the scope of section 523 of ERISA. The Department does not agree that information about beneficiaries is outside the scope of section 523 of ERISA. Regardless, the commenters misapprehended the scope of the September 2024 Revised ICR. Neither it nor the final ICR seeks to collect information about beneficiaries. The final ICR, however, does request data on deceased participants who still have benefits under the plan so that the deceased participant's beneficiary or survivor may use the Retirement Savings Lost and Found to search for that benefit.
D. Scope-Participants in Pay Status
Commenters questioned why the September 2024 Revised ICR sought to collect information on separated vested participants aged 65 or older who are in pay status in defined benefit plans. Commenters asserted that individuals in pay status are not "missing" or "lost." The final ICR seeks this information because these individuals are still owed a benefit under the plan. ERISA section 523 includes missing and lost individuals but is not limited to them.
E. Scope-Church Plans
One commenter on the September 2024 Revised ICR asked whether the Department intends the final ICR to cover non-electing church plans. The scope of the final ICR is coextensive with the scope of section 523 of ERISA. Section 523(a)(2) of ERISA generally limits the scope of section 523 to "a plan to which the vesting standards of section 203 apply." Since non-electing church plans are not subject to section 203 of ERISA, the final ICR does not cover such plans.
F. Method of Transmitting Data
The April 2024 Proposed ICR solicited public comment on two electronic methods to submit data to Retirement Savings Lost and Found. Under the first method, plan administrators (or their authorized representatives, such as recordkeepers) would be able to electronically submit data as an attachment to the Form 5500 using EFAST2. The second method mentioned was the establishment of a portal for plan administrators (or their recordkeepers) to submit the information directly into the Retirement Savings Lost and Found database as an alternative to submitting the information as an attachment to the Form 5500 using EFAST2. Under either method, the April 2024 Proposed ICR indicted that the Department would provide a model format that plan administrators could use to submit the information.
Overall, commenters offered support for both methods of electronically submitting the data. While generally supportive of the use of EFAST2, commenters questioned the feasibility of being able to submit a Retirement Savings Lost and Found attachment in time to meet the plan's deadline for filing the plan's 2023 Form 5500. Some commenters, noting that the Form 5500 is filed annually, suggested that the Retirement Savings Lost and Found data should be furnished more frequently than annually in order to keep the Retirement Savings Lost and Found current, e.g., at least quarterly. Some commenters raised privacy concerns with attaching certain Retirement Savings Lost and Found data (social security numbers) to the Form 5500 (which is a public filing). Other commenters expressed a preference for a direct upload portal for plan recordkeepers to submit information directly into the Retirement Savings Lost and Found database because this method would permit a single recordkeeper to submit bulk uploads on behalf of multiple plans simultaneously and would allow frequent uploads on regular basis, e.g., quarterly, monthly, or even more frequently, so that the Retirement Savings Lost and Found does not become stale.
The Department established a portal for plan administrators or their recordkeepers to submit the information directly into the Retirement Savings Lost and Found database, instead of submitting the information as an attachment to the Form 5500 using EFAST2 as was contemplated by the April 2024 Proposed ICR. The Department also created an upload template to assist filers. 14 The template is a table, in Microsoft Excel/CSV format, designed to capture details on separated vested participants who have reached age 65 and who are owed a benefit, and basic information about their plans. The plan administrator or the plan's recordkeeper may download, populate, and then upload the completed Excel/CSV file directly with EBSA through RSFL. This direct portal approach allows recordkeepers to file on behalf of multiple plans simultaneously. RSFL requires filers to have a free Login.gov account, and to create a user profile. The Department has also developed line-by-line instructions to guide filers through the process. 15 The upload template and instructions are available at https://lostandfound-intake.dol.gov/template.xlsx.
Footnotes:
14 ?See appendix A.
15 ?See appendix B.
[top] Many commenters discussing the topic of transmitting data to the Retirement Savings Lost and Found also mentioned concerns about data security after the transfer. In response, the Department notes that the Retirement Savings Lost and Found is being developed in accordance with the U.S. Department of Commerce National Institute of Standards and Technology SP 800-53 Revision 5 security controls, including implementation of all applicable privacy controls. 16 Retirement Savings Lost and Found administrators will use the Department's login credential practices to access the Retirement Savings Lost and Found, including Multi-Factor Authentication login and Single Sign-On account access via Personal Identity
Footnotes:
16 ?To include AC-03(14)-Individual Access; PL-08-Security and Privacy Architectures; PT-05(2)-Privacy Act Statements; RA-08-Privacy Impact Assessments; SC-07(24)-Personally Identifiable Information; SI-12-Information Management and Retention; SC-28-Protection of Information at Rest; SC-28(1)-Cryptographic Protection. Additional information on individual security and privacy controls is available on the NIST Cybersecurity and Privacy Reference Tool web page, https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_1/home.
17 ?While at rest, the Amazon RDS encrypted DB instances will use the industry standard AES-256 encryption algorithm to encrypt the data on the server that hosts the Amazon RDS DB instances.
18 ?In transit, data passed from the user to the application will be protected via standard HTTPS/SSL encryption and data from the database to the application will be protected by TLS encryption.
VII. Miscellaneous
A. Fiduciary Duty To Mitigate Cybersecurity Risk
Several commenters raised concerns about data security and their potential exposure to liability under ERISA in the event of a future data breach involving the Retirement Savings Lost and Found. The commenters acknowledged that fiduciaries have an obligation under section 404 of ERISA to take prudent measures to protect participants' personal information and mitigate cybersecurity risks. The commenters stated that the April 2024 Proposed ICR and the September 2024 Revised ICR both had failed to provide sufficient information about the Retirement Savings Lost and Found's security features to enable plan fiduciaries to prudently conclude that furnishing the information described in the proposals would not constitute a breach of ERISA's fiduciary duties. The commenters concluded that this may prevent a significant number of plans from responding to the voluntary information collection request. The commenters requested a detailed description of the Retirement Savings Lost and Found's security protocols and asked that the Department agree to indemnify and otherwise make whole plans and their recordkeepers for losses that occur as result of a data security failure attributable to the Retirement Savings Lost and Found.
The Department agrees with these commenters that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks, which includes using only services that follow strong cybersecurity practices. The Department had not finished constructing the security protocols at the time of publication of the September 2024 Revised ICR. A more fulsome description, however, now is contained in Section VI F, above, of this notice.
The Department has taken great care to ensure the security and confidentiality of participant data and reassures plan fiduciaries that if they voluntarily furnish data in response to this information collection request and follow the instructions for transmitting the data to the Department, they will have satisfied their duty under section 404 of ERISA to ensure proper mitigation of cybersecurity risks. Accordingly, plan fiduciaries' submission of data to the Retirement Savings Lost and Found in accordance with the system's instructions on submissions will not violate fiduciaries' duties of prudence and loyalty, but rather would promote participant interests in securing promised benefits in accordance with those obligations. Such plan fiduciaries will not be subject to liability under ERISA for the Department's conduct in the event of a future security failure involving Retirement Savings Lost and Found. In light of this opinion, the Department need not address the commenters' request for indemnification.
B. State Privacy Laws
Several commenters requested that the Department address the interaction of state privacy laws with this voluntary information collection request. They raised concerns about potential liability under ERISA's fiduciary provisions and state law in connection with voluntarily furnishing certain personal information ( e.g., name, social security number, telephone number, date of birth, mailing address) under this information collection request without first obtaining participant consent.
The Department notes that section 523(e) of ERISA explicitly authorizes the Department to collect, among other information, the "name and taxpayer identifying number" of affected participants or former participants. The Department also observes, however, that state privacy laws vary in their scope and application, it is unclear whether any apply in the specific circumstances at hand, and commenters acknowledged such laws often contain an exemption for information provided to government authorities to comply with a regulatory inquiry. No commenter suggested that the Department is not a government authority or that the Retirement Savings Lost and Found is not a proper regulatory function in light of section 523 of ERISA.
Further, the Department narrowed this voluntary information collection request to two pieces of sensitive data-the participant's name and social security number-both of which the plan has already reported to the federal government under section 6057 of the Code for purposes aligned with and integrated with the Retirement Savings Lost and Found. In any event, the Department will not take enforcement action under ERISA against any plan fiduciary, or recordkeeper or other party acting on behalf of the plan, for responding to this information collection request without first obtaining participant consent to the extent required by state law provided that the plan fiduciary acts reasonably and in good faith in responding to this information collection request. 19 The Department believes this enforcement policy, in combination with the narrower scope of the revised information collection request and participants' right to opt out of Retirement Savings Lost and Found, discussed in sections VI and VII of this notice, below, addresses the commenters' concerns. However, individuals with residual concerns or unique circumstances are encouraged to contact the Department directly for additional assistance.
Footnotes:
19 ?However, no party acting on behalf of a plan may furnish information in response to this information collection request without the approval or consent of a responsible plan fiduciary.
C. User Authentication as Protection
[top] Some commenters raised concerns that establishing a publicly accessible online searchable database storing sensitive personal information, such as social security numbers or information regarding retirement account balances, introduces the risk that this information will be disclosed to an unintended audience or possibly used for fraud. Generally, these commenters urged the Department to limit information returned from a search of the Retirement Savings Lost and Found to that related to the individual conducting the search and to prevent data "scraping," a process used by certain "property finders," "recovery agents," "heirfinders," and other data aggregators to mass collect information using other publicly accessible databases such as those used to search state unclaimed property funds. The Department understands these concerns and incorporated limitations to the search function to address this risk, such as requiring an authenticated account for each user searching the Retirement Savings Lost and Found and producing search results particularized to that account holder. Unlike other publicly available property search tools and engines, no general list of information will be accessible for the public to view. As such, the risk for unintended disclosure, or fraud using information collected from the Retirement Savings Lost and Found, is thoroughly mitigated.
D. Use of Plan Assets To Pay Cost of Voluntary Reporting
Commenters requested clarification regarding whether, and the extent to which, plan assets may be used, consistent with ERISA's fiduciary duties, to pay the cost of voluntary reporting. Commenters mentioned that such cost includes the cost associated with collecting, formatting, and transmitting the data, and that the scope of the final ICR obviously will impact costs. In the Department's view, the reasonable cost of voluntarily reporting the data under the revised ICR is a permissible use of plan assets because the purpose of the reporting is to connect separated vested participants with benefits owed them under the plan.
E. Participants' Opt-Out Rights
Commenters requested clarification on how participants may exercise their statutory right to opt-out of Retirement Savings Lost and Found. Section 523(c)(2) of ERISA provides that in establishing the Retirement Savings Lost and Found, the Department, in consultation with the Secretary of the Treasury, shall take all necessary and proper precautions to "allow any individual to contact the Secretary to opt out of inclusion in the Retirement Savings Lost and Found." Commenters observed that the Proposed ICR did not describe an opt-out mechanism or procedure.
The Department considered a number of options to enable participants to exercise this statutory right in a convenient and easy-to-use mechanism for participants of all ages, backgrounds, and abilities. Initially, participants may opt out online by submitting a request at https://www.dol.gov/agencies/ebsa/about-ebsa/ask-a-question/ask-ebsa. Instructions will guide the participant. If a participant chooses to opt out of the Retirement Savings Lost and Found, the participant's data will be suppressed from appearing in searches of the Retirement Savings Lost and Found. The participant's decision will be documented and referred to database administrators for execution. The Department is also considering adding an online self-service opt out feature directly to the Retirement Savings Lost and Found, but this option is not available now.
F. Alternatives to the Voluntary Information Collection Request
Commenters recommended the Department consider alternative methods for implementing the Retirement Savings Lost and Found. One commenter suggested that the Department consider hiring a private sector contractor to operate the Retirement Savings Lost and Found. Another commenter stated its concern that the voluntary ICR approach to populating the Retirement Savings Lost and Found with information will compromise the content and effectiveness of the Retirement Savings Lost and Found and, thus, the Department should abandon its current approach and instead proceed to formal notice and comment rulemaking.
The Department declines to abandon its current approach. The current approach gives the Department the best chance to comply with the Congressional directive in a timely manner. Under its current approach, the Department has substantially reduced the burden of responding to the ICR. In addition, the current approach does not foreclose the Department from making improvements to the Retirement Savings Lost and Found in the future. The Department will take the comments received on the ICR into consideration regarding any future improvements.
In response to commenters' requests that the Department continue to work with IRS, SSA, or both, to obtain Form 8955-SSA information directly from those agencies instead of requesting such information from plan administrators, the Department notes that it has continued its discussions with both agencies and believes it will be able to use the Form 8955-SSA data. The Department notes, however, that the Form 8955-SSA data may often be inaccurate, outdated, or incomplete. 20 For instance, current recordkeeper data can show if benefits have been paid out, whereas Form 8955-SSA data likely cannot. Access to payout data is critical to keep the Retirement Savings Lost and Found current and reduce the instances of "false positive" search results mentioned by the commenters. These commenters strongly encouraged the Department to make every possible effort to maintain as up-to-date information as possible so that the public has confidence in the integrity of Retirement Savings Lost and Found. To that end, even if Form 8955-SSA data is received, such data would stand to benefit if supplemented by current recordkeeper data. The minimal voluntary data collection requested here will enable plans and plan sponsors to ensure the accuracy of information contained in the database. Accurate data will serve the interests of both plans and plan participants in obtaining benefits to which they are truly entitled and in avoiding search efforts and inquiries to plans and plan sponsors based on erroneous information. As noted above, the current approach also gives the Department the best chance to comply with the Congressional directive in a timely manner.
Footnotes:
20 ?United States Government Accountability Office, Report GAO-14-92 (Nov. 2013), Private Pensions: Clarity of Required Reports and Disclosures Could be Improved.
G. Multi-Vendor Plans
Commenters raised a concern with what they described as "multi-vendor" situations. Commenters explained that this occurs when a plan has more than one recordkeeper, such as in the case of ERISA-covered 403(b) plans. Commenters stated that the Department did not address this situation in the April 2024 Proposed ICR or the September 2024 Revised ICR. Commenters are concerned that the Retirement Savings Lost and Found may not be able to intake and integrate more than one upload template for a single plan. The Department understands this issue and confirms that the Retirement Savings Lost and Found is able to accommodate multiple filings from different recordkeepers for the same plan.
H. Failure To Reflect Payments
Commenters raised concerns about what they described as "false positives." They described this as the potential for Retirement Savings Lost and Found searches to indicate that participants are owed previously distributed benefits if the Retirement Savings Lost and Found is not updated to reflect distributions. These commenters requested that the Department establish a mechanism for filers to submit data indicating that a participant has been paid their benefits. Otherwise, RSFL would show false positives, leading to confusion. These commenters suggested that the Department remove participants from the Retirement Savings Lost and Found once benefits are paid.
[top] The Department agrees with these comments on the need to reduce confusion and is taking the following actions. Two data elements are being added to the Retirement Savings Lost and Found upload template in Columns V and W. These modifications permit the filer to indicate (1) whether the present value of the total accrued benefit has been paid and (2) the date of payment. In addition, when searchers run queries, Retirement Savings Lost and Found results will display the payment information captured in these new fields, if applicable. This outcome will mitigate the concerns raised by the commenters.
I. Use of Information Collected
One commenter expressed concern that the Department would use information collected under the ICR to audit plans. Information collected under the ICR is considered information collected under section 523 of ERISA. Section 523(f) of ERISA imposes limits on how the Department uses information collected under section 523. The Department will respect the limitations in section 523(f) in connection with information obtained under the ICR.
J. Use of Other Authorities Under ERISA To Collect Information
Some commenters requested that the Department retract previously made statements that it has the authority to collect information through investigations and under a general grant of rulemaking authority. The Department declines to retract the statements. See sections 504 and 505 of ERISA. Questions regarding the Department's investigative authority and its general rulemaking authority are beyond the scope of this ICR.
K. Fiduciary Duty-Guidance on Missing Participants
One commenter requested that the Department issue guidance regarding the steps a plan fiduciary must take under section 404 to search for "missing" participants. This commenter's request is outside the scope of the ICR. In this connection, however, the Department notes that it has given extensive guidance with respect to missing participants, which can be found on its website. 21 If there are questions regarding that guidance or additional guidance needed on issues related to missing participants, interested parties should contact the Department with their questions or requests.
Footnotes:
21 ?See Compliance Assistance Release 2021-01; Best Practices for Pension Plans; and EBSA Field Assistance Bulletin 2021-01 ( https://www.dol.gov/agencies/ebsa/employers-and-advisers/plan-administration-and-compliance/retirement/missing-participants-guidance ).
Signed at Washington, DC, this 14th day of November, 2024.
Lisa M. Gomez,
Assistant Secretary, Employee Benefits Security Administration, U.S. Department of Labor.
BILLING CODE 4510-29-P
[top]
[Federal Register graphic "EN20NO24.085" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.086" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.087" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.088" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.089" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.090" is not available. Please view the graphic in the PDF version of this document.]
[top]
[Federal Register graphic "EN20NO24.091" is not available. Please view the graphic in the PDF version of this document.]
[FR Doc. 2024-27098 Filed 11-19-24; 8:45 am]
BILLING CODE 4510-29-C