
Protect Your 401(k)

05/28/2019

Though some employers may not think so, 401(k) plans are subject to fraudulent activity in today’s world, and the often-overlooked retirement plan can be the perfect place for it to occur. For example, in late 2017, several news outlets reported a scheme targeting individual 401(k) accounts. The U.S. Attorney’s office in Colorado had filed a lawsuit to recover up to $2 million in losses due to fraudulent distributions from retirement plan accounts. The lawsuit, filed December 4, 2017, in federal court, sought to seize up to $342,335 in assets from five individuals who deposited funds from the alleged scheme. Multiple banks, including JP Morgan Chase Bank, Bank of America, PNC Bank, and Wells Fargo, received the fraudulent transactions. According to the suit, the FBI’s Denver Division was contacted in November 2016 by Great-West Financial’s VP of Internal Audit regarding allegations of fraudulent transfers from clients’ 401(k) accounts by JP Morgan. At that time, Great-West Financial had 20 participants affected, with a loss of at least $1 million and a potential loss in excess of $2 million.

As in many 401(k) plans, the participants who fell victim to the fraud had established an account online with the plan’s recordkeeper (in this case Great-West). Great-West maintains a call center to assist with questions when contacted by a plan participant, utilizing a four-part authentication process that employs biographical identifiers set up by the plan participant. Using this biographical information (e.g. name, Social Security number, or date of birth) obtained through phishing scams and password hacking, the scammers were able to provide accurate information to change the online profile and ultimately effect a distribution. According to the suit, Great-West observed that unauthorized individual(s) had been fraudulently using this process to obtain access to funds held in retirement accounts. Once access was obtained, the funds could be transferred from those retirement accounts to other bank accounts without the knowledge or consent of the actual participant. The FBI indicated that Great-West wasn’t the only recordkeeper that was targeted by fraud schemes. In the end, Great-West reimbursed all funds to the participants’ accounts.

Please note, in this instance, neither the TPA nor Great-West had experienced a data breach. The participant’s personally identifiable information (PII) was obtained by other means prior to contacting Great-West or submitting the distribution request. It appears that the PII was obtained through scams aimed at the participant. This being the case, what can you do to help mitigate distribution fraud?

  • Educate your participants on password management. Many times, the retirement plan account password is the same as, or very similar to, a password for another account that may have been breached. Changing passwords and using stronger, randomly generated passwords goes a long way towards protecting PII.
  • Review your account transactions. Online access that is available 24/7/365 has taken the scrutiny away from quarterly or annual statements. Reviewing your account on a frequent basis can help identify fraudulent activity quickly.
  • Don’t use security questions in a participant’s profile whose answers a hacker could potentially find in publicly available information, such as on social media.
  • Ask for verification of distributions and loans if the recordkeeper allows for it. It might seem to be an excessive burden to approve individual transactions, but checking with an employee by cell phone or protected communication channels will prevent a lot of problems down the road. Remember, if the participant’s email was the source of the hacked information, the hacker could still be accessing email accounts undetected.
  • Establish a system of checks and balances within your own human resources and accounting departments. Fraud can occur in many ways, and hacking seems to be the most prevalent today. Internal personnel have the power to request and direct retirement distributions for the plan’s recordkeeper.

It’s good practice to review your retirement plan’s transactions each month like you would your company bank account or credit card accounts. If you see any questionable transactions, please contact your TPA immediately.

©2019 Benefit Insights, LLC All rights reserved.
