Can a Third-Party Administrator Be Liable for ERISA Breach of Fiduciary Duty? One Court Says Maybe

There are a lot of questions surrounding ERISA (Employee Retirement Income Security Act) fiduciary duties. In particular, who is considered a fiduciary under the Act can sometimes be unclear.

Generally, ERISA protects a retirement plan’s assets by requiring persons who exercise “discretionary control or authority” over plan assets. However, this fiduciary duty can extend to anyone with discretionary responsibility and authority over the plan. The duty also extends to anyone who provides investment advice to a plan for compensation, among others, according to the U.S. Department of Labor. Generally, this includes plan trustees, plan administrators and the investment committees.

The Importance of TPAs

As a general rule, a Third-Party Administrator (TPA) is not a plan fiduciary so long as the TPA Agreement does not exclude its fiduciary responsibilities. However, a TPA can be a plan fiduciary if the TPA retains and performs certain 3(16) services, including:

  • Distribution of required employee notification and other required regulatory disclosures by the appropriate deadline
  • Reviewing and approving distributions of participants’ plan assets and loan requests
  • Signing and submitting required governmental filings including Form 5500
  • Signing the plan documents as Plan Administrator
  • Monitoring plan service providers

However, one court has established that TPAs may be liable under certain circumstances. The United States District Court for the Northern District of Illinois recently decided the case of Bartnett v. Abbott Laboratories, et al. In this case, the Court held that Alight Solutions, which was the TPA for the Abbott Corporate Benefits Stock Retirement Plan, could be held liable for an ERISA fiduciary breach claim. Specifically, the Court relied on precedent from the Eastern District of Pennsylvania, which held that a TPA could be held liable under a breach of fiduciary duty theory for “failing to enact procedures and safeguards to protect plan and participants from cybercriminals.”

This holding, and the holding out of the Eastern District of Pennsylvania, present the possibility of fiduciary liability for TPAs going forward. This liability arises from cyber and data breach claims that result in the loss of plan assets.

Data security and data breaches will remain a legal issue that companies will need to review for many years to come. These companies will need to adopt and amend their existing data security policies.

For More Information

If you have questions regarding ERISA fiduciary duties as a Plan Administrator or Third Party Administrator, or you are a business concerned about your own liability exposure due to cyber security and other issues surrounding your employee retirement plans under ERISA, please contact our office. Call us at (513) 241-0400 or use our contact form to schedule a telephone or video conference.