Plan Sponsor Guide: Selecting & Monitoring Service Providers
Congratulations on your decision to sponsor a retirement plan - one of the most valuable benefits you can deliver to your employees! While you can expect a number of significant rewards from your efforts, your plan’s fiduciaries must be careful to comply with some of the most technical and consequential rules and regulations under the law.
In order to protect employees’ savings, the Employee Retirement Income Security Act of 1974, as amended (ERISA) mandates that any person(s) responsible for managing or administering a retirement plan (the plan’s “fiduciaries” or “you”) act prudently. The Department of Labor (DOL) is tasked with periodically investigating ERISA-covered plans to ensure the fiduciaries are complying with applicable laws and regulations.
When it comes to selecting service providers for your plan, prudence requires you to follow an objective process, which takes into account relevant information (or that which the fiduciaries should know to be relevant), in order to make a well-informed decision to enter into, extend or renew an arrangement to provide services to your plan and/or your participants.
If you lack the expertise to act prudently, ERISA requires you to hire professional assistance. To ensure that you comply with your fiduciary duties, you should consider hiring a knowledgeable retirement plan advisor or consultant. Oftentimes, these professionals can help you develop and maintain a process that streamlines prudent decision-making while managing fiduciary risk.
Overview of Fiduciary Responsibilities
ERISA requires plan sponsors to act prudently when making decisions relating to the management or administration of the plan. These “fiduciary functions” must be performed solely in the interests of plan participants and beneficiaries, with the exclusive purpose of providing benefits, while defraying reasonable expenses.
Hiring a service provider in and of itself is a fiduciary function. At a minimum, the DOL suggests you survey a number of service providers by providing them each with complete and identical information about the plan and what services you are looking for in order to make a meaningful comparison.
When evaluating the service providers’ responses, you should consider the nature and scope of the proposed services to ensure the arrangement is necessary and reasonable. Factors to consider include the capacity in which the service provider will serve (i.e., fiduciary vs. administrative or ministerial), potential conflicts of interest and relevant background, experience and credentials of the person(s) actually providing the service(s). You should identify the specific level of support provided for each category of service and compare the services proposed by other service providers.
When comparing fees, it is critical for you to focus on the value of services provided. You may find that some service providers are less expensive because they simply do not provide as much assistance or they lack the necessary expertise vis-à-vis their competitors. At the end of the day, it may be that the more experienced service provider is a better choice given its ability to deliver more expansive services that can save you and your employees valuable time while helping to manage risk and drive better outcomes.
You get what you pay for, in other words, and fiduciary decisions are evaluated based upon the process used to determine whether or not the services are necessary and reasonable in light of the value delivered to the plan by the third-party service provider. According to the DOL, “fees and expenses are one of several factors to consider when you select and monitor plan service providers….The level and quality of service….will also affect your decisions.”1
Additionally, fiduciaries should document their selection (and monitoring) process, the ultimate decisions made and, when using a committee, they should educate committee members on their roles and responsibilities.
“Hiring a service provider in and of itself is a fiduciary function.” -DOL
According to the DOL,
“The duty to act prudently is one of a fiduciary’s central responsibilities under ERISA…Prudence focuses on the process for making fiduciary decisions. Therefore, it is wise to document decisions and the basis for those decisions.”
Meeting Your Fiduciary Responsibilities
Documenting The Needs Of Your Plan
When selecting a service provider, the fiduciaries must first take reasonable steps to determine what services are necessary. Services can typically be broken down into two primary types: 1) plan-level services necessary to maintain general plan operations (i.e., recordkeeping, consulting, administrative support, legal services, etc.); and 2) participant-level services based upon the specific needs of your plan’s participants (i.e., investment education, advice or management).
Your plan’s need for plan-level services will depend upon the complexity of the plan and the experience of the plan’s fiduciaries. ERISA permits the plan fiduciaries to arrange for certain expenses to be billed to the plan or participant accounts. Indeed, where fiduciaries lack the expertise to evaluate relevant information (or that which they should know to be relevant), they are required to hire professional assistance.
You should be careful, however, to ensure that any services you elect to be paid by the plan or its participants inure to the benefit of the participants and not solely the plan sponsor or fiduciaries. It is generally acceptable for the company or the plan fiduciaries to derive an “incidental” benefit (as a result of making a fiduciary decision) so long as the decision is made solely in the interests of providing benefits to the plan’s participants.
With respect to participant-level services, the plan fiduciaries simply need to ask the question: How much and what sort of help do our participants need to make informed decisions about retirement planning and investing? Companies with investment-savvy employees may require only basic participant-level services; however, you should keep in mind that your duties run to all participants and beneficiaries such that you should consider the lowest common denominator when evaluating their needs.
Most plans engage some degree of participant-level investment education or advice, and this service is easily justified as necessary. So long as the compensation paid is reasonable and any conflicts of interest have been addressed, then these services can be properly paid from plan assets.
At the end of the day, you are required to examine the specific services provided under your plan’s arrangements with service providers to ensure the plan isn’t being charged for services that are unnecessary or underutilized. It is strongly recommended that you consult with a knowledgeable, independent retirement plan advisor or consultant to better understand the various products and services that are typically appropriate for a plan like yours.
Example:
Compliance assistance, investment education and advisory services, legal and accounting are common examples of services that may benefit both the plan sponsor and the participants. Engaging professional assistance will not only help the plan’s fiduciaries save time and manage their personal liability, it should also result in a better designed and operated plan from which participants can further maximize their benefits. Be careful to document the latter and avoid making decisions (to hire outside professionals using plan assets) that benefit the company or the plan’s fiduciaries alone.
Covered Service Providers & ERISA 408(b)(2)
ERISA prohibits arrangements between the plan and various service providers. ERISA Section 408(b)(2), however, provides an exception for “reasonable arrangements” so long as the services are necessary. As described below, certain “covered service providers” (CSPs) are now required to deliver written disclosures to the plan’s “responsible plan fiduciary” (RPF) in advance of entering into, renewing or extending an arrangement with the plan. The fiduciaries must evaluate each CSP’s disclosures and document the necessity of the services and the reasonableness of the arrangement. Key points from ERISA Section 408(b)(2) are summarized below for your quick reference; however, you should consult an experienced retirement plan consultant or ERISA attorney for additional information.
- Information required to be disclosed by a CSP must be furnished in writing to the RPF for the covered plan. The rule does not require a formal written contract delineating the disclosure obligations.
- CSPs must describe the services to be provided and all direct and indirect compensation to be received by a CSP, its affiliates, or subcontractors.
- “Direct compensation” is compensation received directly from the plan. “Indirect compensation” is compensation received from any source other than the plan sponsor, the CSP, an affiliate, or subcontractor.
- In order to enable the RPF to assess potential conflicts of interest, CSPs who disclose “indirect compensation” also must describe the arrangement between the payer and CSP, identify the sources for indirect compensation and services to which such compensation relates.
- Compensation disclosures by CSPs will include allocations of compensation made among related parties (i.e., among a CSP’s affiliates or subcontractors) when such allocations occur as a result of charges made against a plan’s investment or are set on a transaction basis.
- CSPs must disclose whether they are providing recordkeeping services and the compensation attributable to such services, even when no explicit charge for recordkeeping is identified as part of the service “package” or contract.
- Some CSPs must disclose an investment’s annual operating expenses (e.g., expense ratio) and any additional ongoing operating expenses. For participant-directed individual account plans, such disclosures must include “total annual operating expenses” as required under the DOL’s participant-level disclosure regulation at 29 CFR §2550.404a-5, also known as 404(a)(5).
- A CSP may provide current disclosure materials of an unaffiliated issuer of a designated investment alternative, or information replicated from such materials, provided that the issuer is a registered investment company (i.e., mutual fund), an insurance company qualified to do business in a state, an issuer of a publicly-traded security, or a financial institution supervised by a state or federal agency.
- CSPs may use electronic means to disclose information, provided that the CSP’s disclosures on a website or other electronic medium are readily accessible to the responsible plan fiduciary, and the fiduciary has clear notification on how to access the information.
It is a prohibited transaction for a plan to enter into an arrangement unless the services are necessary and the arrangement is reasonable.
“If the service provider may receive more than $1,000 over the lifetime of the arrangement directly from the plan or indirectly (e.g., by revenue sharing from plan investments), it will be ‘covered’ under ERISA Section 408(b)(2).”
For more information, please see DOL’s publication Meeting Your Fiduciary Responsibilities.
Evaluating CSP Disclosures
Fiduciaries are required to review and approve any covered service providers (CSPs) before entering into, renewing or extending any arrangement to provide services to the plan. You should develop and maintain an objective and prudent process for documenting your decision that both the terms of the arrangement and any compensation received by the CSP (and its affiliates) are reasonable.
The questions below are meant to serve as a guide for reviewing CSP disclosures. You should document in your fiduciary file any information reviewed by the fiduciaries and the basis for their decisions.
- Do the services disclosed align with the needs of the plan?
- Are all of the services likely to be utilized?
- Are the terms of the arrangement reasonable (e.g., what advance notices or fees are required for the plan to terminate its obligations)?
- Does the CSP have the appropriate experience, bonding and insurance to deliver the agreed upon services?
- Are any special licenses or credentials required, and is the CSP in good standing with regulatory agencies?
- How is the CSP compensated, and have any conflicts of interest been sufficiently addressed?
- Is the value of the services reasonable in light of the compensation received by the CSP (and any affiliates)?
When it comes to evaluating the value of services provided, the DOL notes that “cost is only one factor to consider.” Value is dependent upon the nature and scope of services provided and the background and experience of the service provider. It is okay for the plan to pay an experienced service provider above average compensation if the service provider is delivering more expansive, necessary services. The matrix below represents the relationship between the value, opportunity cost, risk and participant outcomes.

“After careful evaluation during the initial selection, you will want to monitor plan fees and expenses to determine whether they continue to be reasonable in light of the services provided...”
-DOL
Ongoing Monitoring of CSPs
Once you have selected a service provider, be prepared to monitor the level and quality of the services to make sure they continue to be reasonable and suitable based upon the needs of your plan.
Review any notices received from the CSPs about possible changes to compensation and the other information previously provided. If a CSP is paid indirectly (i.e., from revenue sharing generated by plan investments) and it stands to receive compensation in excess of the value of services provided, consider alternative methods for payment and/or whether there may be more appropriate share classes available.
Additionally, you should confirm and document the following on an ongoing basis:
- All services continue to be necessary in light of any changes to the plan or changing demographics and/or behaviors of participants;
- The services are provided in accordance with the terms of the arrangements;
- Required licenses, bonding and insurance continue to be current and the CSP is in good standing;
- Any compensation, paid directly or indirectly, is properly deducted and any excess amounts credited back to the plan; and
- Your participants’ overall satisfaction with the CSP and its services.
Finally, remember that your duty is an ongoing process; repeat the steps below as needed and periodically thereafter.

Make sure that you receive information on a regular basis so that you can monitor each CSP’s performance and, if necessary, make changes.
Information Security
When making decisions on behalf of a retirement plan, fiduciaries have a duty of prudence under ERISA. The DOL has confirmed that a prudent fiduciary has an obligation to mitigate cybersecurity risks.1 This requires fiduciaries to take additional steps when selecting and monitoring service providers such as plan recordkeepers and third-party administrators (since these providers hold much of the plan’s data).2 Plan fiduciaries may also wish to inform participants and beneficiaries of ways to reduce their risk by taking precautions online to protect their retirement accounts.3
For any service provider that holds plan data, including but not limited to any personal information of participants and beneficiaries, consider asking the following questions. Keep in mind that data security and the techniques of cybercriminals evolve rapidly, so plan sponsors should ask service providers these questions periodically.
Sample Questions For Service Providers
- How are you complying with the DOL’s Cybersecurity Program Best Practices? Tip: Consider using the Cybersecurity Program Best Practices as a checklist to review the service provider’s response to this question.
- What is your standard for cybersecurity? Please attach your cybersecurity policy.
- How do you validate your practices and what levels of security standards have you met and implemented?
- Do you use a third party to conduct an annual audit of your cybersecurity protocols? If so, are we allowed to audit the results upon reasonable notice to you? For example, has a third party conducted an audit to award SOC 2 certification, which tests security, availability, confidentiality, processing integrity, and privacy to ensure compliance with pre-defined criteria?
- What claims, legal or regulatory proceedings, or other legal and regulatory actions (pending or anticipated) exist related to your firm’s cybersecurity protocols?
- Have you experienced past cybersecurity breaches? If so, please explain what happened, how you resolved it, and any information that would be material to the plan sponsor.
- What insurance policies are available that would cover losses caused by cybersecurity and identity theft breaches? Are we able to be a named insured on the insurance policy?
The Department of Labor (DOL) issued cybersecurity guidance for the first time in April 2021. For more information, please see DOL’s news release.
When contracting with a service provider that holds plan data, consider initially requiring these contract provisions or else negotiating for these provisions upon subsequent amendment.
Sample Contract Provisions With Service Providers
- Requirement for an annual third party audit to determine compliance with information security policies and procedures and the ability to review such audit results upon reasonable request;
- Clear identification of the service provider’s obligation to prevent disclosure of private or confidential information and meet a strong standard of care to protect such information. For example, the contract should make clear the service provider’s obligation to comply with all federal, state and local laws related to privacy and confidentiality;
- Provisions related to record retention and information security, including a provision that the service provider will maintain high standards of care related to such matters;
- Provisions related to notification and cooperation for cybersecurity breaches, including the procedure and coverage for any costs you and your participants and beneficiaries may incur in the event of a breach;
- Requirement related to insurance coverage for cybersecurity breaches, including coverage of damages and defense costs you may incur in the event of a breach.
Keep all documentation for your fiduciary file, including audits, documentation of compliance with the above items, contract negotiations, and request for proposal responses where the service provider may not be able to meet your requested level of security, but as a fiduciary you made a reasonable effort to balance the plan fees, mitigation of cyber risks, and other competing needs of the plan and its participants.
G-MAP
Model Administrative Procedures For Plan Governance
Fiduciaries must hire professional assistance when they lack the expertise to perform necessary functions. The act of hiring a service provider is a fiduciary function and requires a prudent process that considers relevant information to ensure services are necessary and reasonable. The following procedures are part of G-MAP (Model Administrative Procedures), Steps 3-5, a framework for selecting, monitoring and replacing service providers.

Evaluate Needs of the Plan/Participants
If plan assets are used to compensate service providers, fiduciaries must ensure the services are necessary for the operation of the plan. The committee should periodically evaluate the needs of the plan/participants.
Confirm Status of Service Providers
Fiduciaries must receive and review written disclosures from certain “Covered Service Providers” (CSPs); otherwise, the arrangement is a prohibited transaction. The committee should confirm CSP status, as necessary, receipt of required disclosures, and that fees for services are properly paid from plan assets.
Select & Monitor CSPs
Fiduciaries are required to review and approve arrangements with CSPs to ensure: 1) the services are necessary and 2) the terms and compensation are reasonable. The committee should periodically investigate the experience of the CSP, the nature/scope of services, participant satisfaction, etc. and benchmark the value received.