May 2017
Employee Benefit Plan Resources presented by Hawkins Ash CPAs
In This Edition
Cybersecurity of Employee Benefit Plans
ACA Repeal and Replacement
New Expectations for Hardship Distributions
The Importance of Timely Employee Deferral Remittances




Cybersecurity of Employee Benefit Plans
How does your plan protect its data? The answer to this question can vary widely among plans, because there are no federal requirements that directly apply to benefit plans. This lack of guidance leaves plan sponsors and fiduciaries to determine the best way to protect sensitive participant information. The Department of Labor's 2016 ERISA Advisory Council recently conducted a study examining cybersecurity risks affecting benefit plans and outlined recommendations for establishing and implementing a strategy to safeguard plan data. Here are six aspects to consider when establishing a cybersecurity risk management strategy.

 

1. Understand Plan Data

Plan sponsors should understand the processes related to how plan data is handled and who handles it. Consider what information needs to be protected, where this information is stored, and who can access it.

 

2. Establish a Cybersecurity Framework

The components of the framework should address the following questions:

  • How will your plan identify risks?
  • Once risks are identified, how will your plan protect against these risks?
  • How will breaches be detected?
  • Once breaches are detected, how will your plan respond?
  • Once the breach is controlled, how will your plan recover?

3. Process Considerations

While the risk of a data breach can never be completely eliminated, there are several policies plan sponsors can put in place to reduce the risk of a data breach, such as:

  • Limit access to sensitive information as much as possible to only those employees who need information to perform their job duties.
  • Ensure that staff with access to confidential information receive adequate training on cybersecurity risks.
  • Go on a "data diet". Do not collect information for which there is no specific purpose. Delete information when it is no longer needed.
  • Establish designated individuals to be responsible for the execution of the cybersecurity framework.
  • Evaluate service providers. Plan sponsors should get an understanding of their providers' security procedures and use this information in their own risk identification process.

4. Customize Your Strategy

Every plan has different risks and the cybersecurity strategy should be customized to fit each plan's specific environment. In forming its strategy, the plan sponsor should consider the plan's resources, integration of the strategy with a larger organization, cost, insurance coverage, and industry or governmental certifications.

 

5. Strike the Right Balance

The plan sponsor should strive to strike the right balance between properly protecting the plan's data and incurring reasonable expenses in accordance with ERISA guidelines.

 

6. Compliance With State Law

Some states, including Wisconsin and Minnesota, regulate the disclosure of data breaches to the state and consumer reporting agencies. Become familiar with the requirements to avoid any fines or penalties for late disclosure. Many of these regulations have short deadlines.


 

Risk management should be a dynamic strategy that evaluates and responds to risks as they arise. Every plan is unique and it is the responsibility of plan sponsors to determine the strategy that is the most appropriate for their plans.  The tactics outlined above provide a basis that plan sponsors and fiduciaries can use to increase the effectiveness of their cybersecurity policies.

 


If you have any questions on managing cybersecurity risk, please contact a member of the Hawkins Ash CPAs employee benefit plan team for assistance.  

Author: Robin Earleywine, CPA
608.793.3127

ACA Repeal and Replacement
The Affordable Care Act (ACA) requires Applicable Large Employers (ALEs, employers with 50 or more full-time equivalent employees) to report health insurance information on Form 1095-C to employees.

Congress recently passed the American Health Care Act (AHCA). The bill has now moved to the Senate. It is reported that the Senate is currently drafting its own version of a bill and not using the AHCA House bill that was passed.

There certainly will be changes coming to the currently enacted ACA. In the meantime, ALEs will need to adhere to the reporting compliance requirements in 2017. For 2017, you will need to continue to track and monitor all the compliance requirements attributable to the ACA for ALEs. As we all know, potential changes in laws can take significant time to be finalized.

We will continue to keep you posted regarding any changes to the ACA, and how those changes apply to you. As you move into 2017, you will need to continue to follow all the compliance requirements related to the ACA.

 
Contact: Lance Campbell, CPA
507.252.6674
New Expectations for Hardship Distributions
New guidance released for IRS field auditors in February of this year indicates that more extensive documentation will be required for 401(k) plans offering hardship distributions.

To qualify for the hardship distribution, the participant must show that the hardship event occurred and that the 401(k) distribution was necessary to meet the financial need.

The IRS "safe harbor" list of hardship events includes:
  • Purchase of the participant's primary residence
  • Unreimbursed medical expenses sustained by the participant or certain family members
  • Tuition expenses of the participant or certain family members
  • Payment to prevent the participant's imminent foreclosure or eviction from their primary residence
  • Funeral expenses for certain family members
  • Repair expenses to the participant's primary residence due to qualified casualty loss
Confirming that a participant qualifies for the hardship is clearly necessary. In the past, the IRS permitted this through attestation by the participant that no other assets existed to meet the need. However, what has been considered proper attestation or certification of the hardship and financial need varied from plan to plan and from employer to employer. The new guidance creates conformity and prevents employers from being in the position of reviewing and judging the financial position of their employees.

The new guidance requires that the employer or third party administrator, prior to making the hardship distribution, obtain documentation of the hardship. Documentation may be in one of two forms. The first would be source documents that include medical or repair bills, tuition invoices, contracts or escrow documents. The second would be a summary of information from source documents. With either approach, sufficient detail must be present to support the need for the hardship distribution.

If the summary approach is taken, the employee must provide the summary of the hardship and expenses and certify that the information provided is true and accurate. Additionally, the plan sponsor and/or administrator must provide the employee with the following facts:
  • The hardship is taxable and additional taxes could apply.
  • The amount of distribution cannot exceed the immediate financial need.
  • Hardship distributions cannot be made from earnings on elective contributions or from QNEC or QMAC accounts, if applicable.
  • The recipient must agree to preserve source documents and to make them available at any time, upon request, to the employer or administrator.
The guidance issued to IRS field auditors was effective February 23, 2017, and clearly states that the new procedures apply to any open audits. For plans not already requiring source documents or summary information to be provided, it may be valuable to ask participants who have taken hardship distributions during open examination years to produce the source documentation or at least a summary. This may mitigate some of the potential risk from open years and bring the plan as close to retrospective compliance as possible.

Note: the statute of limitations on IRS examinations for a given plan year is three years after the filing of the Form 5500 in relation to that year.

Author: Leslie Smith
715.384.1978

The Importance of Timely Employee Deferral Remittances
Many employee benefit plan sponsors know that participant contributions to a retirement plan that are withheld by an employer need to be remitted to the trust in accordance with the guidelines of the Department of Labor (DOL) Regulation 2510.3-102. This needs to occur no later than the fifteenth business day following the end of the month in which amounts are contributed by employees or withheld from their wages. Many plan sponsors, however, overlook that they are required to remit those contributions to the trust on the earliest date that they can be reasonably segregated from the plan sponsor's general assets.
 
The fifteenth business day is the absolute latest permissible remittance date and is not to be viewed as a safe harbor date for making your deposits (it should only be used if there is no other possible earlier date to remit the funds). As a best practice, deposit contributions to the trust as quickly as you would payroll taxes. For plans that have fewer than 100 participants, there is a DOL safe harbor rule available of depositing remittances within seven business days.
 
Develop procedures to remit participant funds to ensure a timely, consistent pattern is established. If funds can be remitted within two days of payroll and you then remit within nine days of payroll, the DOL can view that nine-day remittance as late. It can be deemed a prohibited transaction under the Internal Revenue Code. It is deemed a prohibited transaction because the plan sponsor is viewed as holding the employee funds for the employer's use, and because it prevents participants from making investment earnings during that timeframe. Along with lost earnings to participants, a prohibited transaction can also lead to excise tax charges to the plan sponsor.
 
If you do have a late remittance, it is best to correct it through the DOL's Voluntary Fiduciary Correction Program (VFCP). Deposit the late remittance as soon as possible; you will also need to calculate the earnings from the date that the participant contributions should have been deposited to the date you make the deposit. There is a DOL online calculator available to assist with calculating these amounts using a simplified earnings calculation. Self-correction under the VFCP may provide relief from the excise tax provided certain criteria are met and possibly even help minimize plan risk for audit. It is in your best interest to correct late remittances prior to the IRS Form 5500 filing so it reflects that corrections have been made and are not outstanding.
 
Make sure that the days to remit funds do not go against any amounts set forth in your plan document. If the plan document is not followed, an application to correct under the Internal Revenue Service Employee Plans Compliance Resolution System may be required.
 
Keep good records of unforeseen circumstances that resulted in a remittance outside of your typical pattern (payroll software glitches, personnel issues, etc.) in case you would ever be subject to a DOL or IRS audit.
 
Work with your payroll provider and other service providers to determine the earliest possible date of remittance, establish procedures to ensure those remittances happen on those dates, and train all personnel, including backup personnel, to help prevent any prohibited transactions. If you do have instances of late remittances or plan noncompliance, work with your trust company and service providers to make necessary corrections to minimize consequences.

Author: Erica Knerzer, CPA
608.793.3113