Though some employers may not think so, the truth is that in today’s world 401(k) plans are subject to fraudulent activity, and the often-overlooked retirement plan can be the perfect place for it to occur. For example, in late 2017, several news outlets reported a scheme targeting individual 401(k) accounts. The U.S. Attorney’s office in Colorado had filed a lawsuit to recover up to $2 million in losses due to fraudulent distributions from retirement plan accounts. The lawsuit, filed December 4th, 2017 in federal court, sought to seize up to $342,335 in assets from five individuals who deposited funds from the alleged scheme. Multiple banks, including JP Morgan Chase Bank, Bank of America, PNC Bank, and Wells Fargo, received the fraudulent transactions. According to the suit, the FBI’s Denver Division was contacted in November 2016 by Great-West Financial’s VP of Internal Audit regarding allegations of fraudulent transfers from clients’ 401(k) accounts by JP Morgan. At that time, Great-West Financial had 20 participants affected, with a loss of at least $1 million and a potential loss in excess of $2 million.
As in many 401(k) plans, the participant victims of the fraud had established an account online with the plan’s recordkeeper (in this case Great-West). Great-West maintains a call center to assist with questions when contacted by a plan participant, utilizing a four-part authentication process that relies on biographical identifiers set up by the plan participant. Using this biographical information (e.g. name, Social Security number, or date of birth) obtained through phishing scams and password hacking, the scammers were able to provide accurate answers, change the online profile, and ultimately effect a distribution. According to the suit, Great-West observed that unauthorized individual(s) had been fraudulently using this process to obtain access to funds held in retirement accounts. Once access was obtained, funds could be transferred from those retirement accounts to other bank accounts without the knowledge or consent of the actual participant. The FBI indicated that Great-West wasn’t the only recordkeeper targeted by fraud schemes. In the end, Great-West reimbursed all funds to the affected participants’ accounts.
In this instance, neither the TPA nor Great-West had experienced a data breach. The participant’s personally identifiable information (PII) was obtained by other means prior to contacting Great-West or submitting the distribution request. It appears that the PII was obtained through scams aimed at the participant. This being the case, what can you do to help mitigate distribution fraud?
- Educate your participants on password management. Many times, the retirement plan account password is the same, or very similar, to another password in an account that may have been breached. Changing passwords and using stronger, randomly-generated passwords goes a long way towards protecting PII.
- Review your account transactions. Online access that is available 24/7/365 has taken the scrutiny from quarterly or annual statements. Reviewing your account on a frequent basis can help identify fraudulent activity quickly.
- Don’t use security questions in a participant’s profile whose answers a hacker could find in publicly available information, such as on social media.
- Ensure that your recordkeeper has established verification processes for distributions and loans. It might seem an excessive burden to approve individual transactions, but checking with the employee by cell phone or another protected communication channel will prevent a lot of problems down the road. Remember, if the participant’s email was the source of the hacked information, the hacker could still be accessing that email account undetected, so email is not a safe channel for the confirmation.
- Establish a system of checks and balances within your own human resources and accounting departments. Fraud can occur in many ways, and hacking seems to be the most prevalent today. Internal personnel have the power to request and direct retirement distributions for the plan’s recordkeeper.
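As an added illustration (this code is not from the newsletter or from any recordkeeper’s system), the following Python flags distribution requests that follow a recent change to contact or bank details, the sequence described in the Great-West case, and reports which contact channels on file were not altered and so remain usable for an out-of-band confirmation. The event records, field names, and 30-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of recordkeeper account events (not real data).
# Each event: (ISO timestamp, participant id, event type, detail)
EVENTS = [
    ("2017-10-02T09:15:00", "P1001", "login", "web"),
    ("2017-10-02T09:20:00", "P1001", "profile_change", "email"),
    ("2017-10-02T09:22:00", "P1001", "profile_change", "bank_account"),
    ("2017-10-03T14:05:00", "P1001", "distribution_request", "ACH 45000"),
    ("2017-09-01T10:00:00", "P2002", "profile_change", "phone"),
    ("2017-11-15T11:30:00", "P2002", "distribution_request", "ACH 12000"),
    ("2017-10-10T08:00:00", "P3003", "distribution_request", "check 5000"),
]

# Profile fields an attacker changes before redirecting a payout (assumed set).
SENSITIVE_FIELDS = {"email", "phone", "bank_account", "address"}
WINDOW = timedelta(days=30)  # assumed review window


def flag_distributions(events, window=WINDOW):
    """Return (participant, request time, changed fields) for every distribution
    request that follows a sensitive profile change within `window`."""
    parsed = sorted(
        (datetime.fromisoformat(ts), pid, etype, detail)
        for ts, pid, etype, detail in events
    )
    recent_changes = {}  # participant -> list of (time, field)
    flagged = []
    for ts, pid, etype, detail in parsed:
        if etype == "profile_change" and detail in SENSITIVE_FIELDS:
            recent_changes.setdefault(pid, []).append((ts, detail))
        elif etype == "distribution_request":
            changed = sorted(
                {field for t, field in recent_changes.get(pid, []) if ts - t <= window}
            )
            if changed:  # hold the payout pending out-of-band confirmation
                flagged.append((pid, ts.isoformat(), changed))
    return flagged


def verification_channels(changed_fields, on_file=("email", "phone")):
    """Contact channels still safe for confirming a held request: those the
    requester did not alter before submitting it."""
    return [c for c in on_file if c not in changed_fields]
```

P1001 is held because its email and bank account changed the day before the request, and only the unchanged phone number should be used to reach the participant; P2002’s change falls outside the window and is not flagged.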
RPG Consultants is proud to be a CEFEX-certified recordkeeper and third-party administrator. Our CEFEX-ASPPA certification signifies our commitment to adhere to a standard of excellence and a dedication to recordkeeping and administration best practices. We undergo an annual comprehensive audit and demonstrate that we fully conform to high standards that are substantiated in law and proven best practices. Part of this audit is a review of our security measures and processes. We continue to monitor the industry and consult with experts to update our internal processes and enhance security on all of our systems.
It’s good practice to review your retirement plan’s transactions each month like you would your company bank account or credit card accounts. If you see any questionable transactions, please contact us immediately.
This newsletter is intended to provide general information on matters of interest in the area of qualified retirement plans and is distributed with the understanding that the publisher and distributor are not rendering legal, tax or other professional advice. Readers should not act or rely on any information in this newsletter without first seeking the advice of an independent tax advisor such as an attorney or CPA.
©2019 Benefit Insights, LLC All rights reserved.