A 401(k) plan is among the most valuable benefits an employer can offer — and one of the most tempting targets for criminals. With billions of dollars held in employee retirement accounts, fraudsters are constantly seeking ways to exploit plan sponsors, administrators and participants.

If your organization sponsors a 401(k), you have a fiduciary duty under the law to act prudently and solely in participants’ interests, which includes safeguarding plan assets and sensitive personal data. That means staying alert to emerging scams, understanding your plan provider’s security measures and ensuring your team follows best practices.

Review basic safeguards

Like most plan sponsors, you likely rely on a service provider to help administer your 401(k). Staying informed about its protective systems and policies is essential. Most providers carry cyberfraud insurance that extends to plan participants, but there may be limits if the provider determines that you (the sponsor) or participants contributed to a breach.

Your plan’s documents may require participants to adopt the provider’s recommended security practices, such as checking account information “frequently” and reviewing correspondence “promptly.” Make sure everyone understands what these terms mean. And if you haven’t already, develop a strong communication and education strategy that trains new participants on antifraud measures and refreshes everyone regularly.

Fortify cybersecurity

In recent years, several 401(k) plan sponsors have faced lawsuits for failing to adequately protect participants’ personal data after accounts were hacked. Although every organization needs comprehensive and up-to-date cybersecurity, be especially vigilant if you store plan information on your own servers.

Two-factor authentication is now standard, but it may not be enough. Many cybersecurity advisors recommend implementing multifactor authentication that combines three kinds of factors (something users know, such as a password; something they have, such as a device; and something they are, such as a biometric identifier) to counter increasingly sophisticated fraud schemes.

Just as important, invest time and resources in teaching participants to follow strict cybersecurity protocols when managing their accounts. Encourage them to:

  • Choose unique, complex passwords and change them often,
  • Avoid storing usernames or passwords in browsers or unsecured files, and
  • Be cautious if they have trouble logging in or if a sign-in page looks unusual.

Train participants to exercise caution if they’re approached by anyone claiming to represent the government, law enforcement, the plan provider or a financial institution. Rather than responding directly, a participant should use verified contact information to independently confirm the legitimacy of any inquiry.

More complex schemes have involved criminals posing as fraud investigators or plan representatives and urging participants to transfer funds to “safer” accounts — where their money will, of course, disappear. Provide participants with a reliable number to call for official plan information or to verify any unexpected communications.

Secure funds for everyone’s benefit

Keeping employees’ retirement savings secure also means staying compliant with 401(k) contribution rules. The U.S. Department of Labor requires plan sponsors to deposit participants’ contributions as soon as they can be segregated from their employer’s assets — and no later than the 15th business day of the following month. (This is an outer limit, not a safe harbor.)

For smaller employers (those with fewer than 100 participants), a safe harbor rule specifies that contributions made within seven business days of the pay date are deemed timely. Following these timelines helps ensure compliance, protects participants’ savings and reinforces confidence in your organization’s retirement plan.

Demonstrate your commitment

Protecting your 401(k) plan from fraud is key to fulfilling your fiduciary duty. However, it’s also an opportunity to build trust and strengthen employee engagement. A secure plan encourages participation and demonstrates your commitment to participants’ long-term financial well-being. We can help you evaluate your organization’s internal controls — for your 401(k) and across all operations — to identify vulnerabilities and strengthen safeguards against fraud.