Oversight: Participant Data



Retirement plan service providers have access to participant data. Can they use the personal information of participants to cross-sell other financial products? As service providers are exploring this approach to business expansion, what do plan sponsors need to know and do toward protecting participant data?


Take Precautions

According to the Society for Human Resource Management (SHRM), retirement plan sponsors are increasingly confronting challenges related to the use of participant data by third-party service providers. Reminding us that, ultimately, plan sponsors are legally responsible for “the management and mismanagement of a retirement plan,” SHRM urges caution, noting: “Plan fiduciaries may want to draft language for plan service agreements that limits the use of participant information acquired while providing recordkeeping services….” Legal experts further point out that while “there is no definitive case law or other legal guidance prohibiting or restricting service providers from using plan participants’ personal information to cross-sell financial products,” there is good reason for plan fiduciaries to be “wary of allowing such personal information gleaned from plans to be used for non-plan–related purposes.”


As a plan sponsor, at a minimum, it is critical to understand how service providers are using plan data. The Department of Labor, when conducting audits, now routinely requests “documents and communications describing the use of participant data by the plan sponsor or any service provider for the direct or indirect purpose of cross-selling or marketing products and services.” It is also critical for retirement plan sponsors to keep up to date on state laws governing protections for consumer data. Experts at SHRM point out:


Several states have passed consumer data protection laws, and others are considering them. These laws may require an additional layer of compliance for data maintained by service providers for plan administration. Some state laws contain significant carveouts for employers and for the use of information for employment; however, plan retirement services are distinct from the individual retirement products marketed to participants through cross-selling, and these individual retirement services are arguably outside the scope of the employment relationship.

Plan fiduciaries that permit service providers to use participant information may be at risk of violating state privacy laws. Allowing cross-selling could raise significant compliance issues under state law for plan fiduciaries and service providers.


Because of the inherent risks associated with sponsoring a retirement plan, having protection is critical, and Colonial Surety makes it efficient and affordable. Our Fiduciary-Cyber Liability Insurance Pack covers defense costs and penalty limits up to $1,000,000, in the face of claims of alleged or actual fiduciary breaches of duty in connection with the employee retirement plan. Because cyber breaches can result in fiduciary breaches, we automatically include basic Cyber Liability coverage with Fiduciary Liability insurance. Colonial makes it so efficient and reasonable for plan sponsors to secure protection that you can do it in minutes, now:

Fiduciary-Cyber Liability Insurance Pack Here.



Important To Understand

The retirement plan service industry’s exploration of business expansion through the use of participant data has a connection to the swell of litigation around excessive fees. In fact, as SHRM explains, participant data protection arrangements are now being included in settlements over fees:


Excessive fee litigation has pressured plan fiduciaries to renegotiate and monitor fees charged by service providers. Due to reduced fees, service providers have turned to other options to expand their businesses. Some service providers are using participant data acquired through the administration of retirement plans to sell and market services unrelated to those plans…Some of the claims in the excessive fee litigation cases against plan fiduciaries include fiduciary breaches for allowing excessive recordkeeping and investment management fees. Arguments that participant data is an Employee Retirement Income Security Act (ERISA) plan asset have fallen flat. However, several settlements for excessive fee cases have included terms that require a contractual restriction on the service provider’s ability to cross-sell products or services not related to the plan or plan participants unless a participant first requests them.


Summing Up: Protection’s Best

Lawyers remind us that while federal and state laws related to the use and protection of retirement plan participant data are in flux, this is an area of “growing concern,” and it is essential for plan sponsors to limit the plan’s litigation risk:


While the argument that participant data is an ERISA plan asset has not convinced courts, participant data still has value and plan fiduciaries must monitor the services of service providers, which are generally not plan fiduciaries. A fiduciary can determine that using participant data to sell non-plan financial services is an improper use of that data.

Plan sponsors may want to provide restraint on what service providers do, including limiting use of participant data for purposes outside of the administration of the retirement plan. Participant personal data is valuable to service providers. Plan fiduciaries may monitor and prevent service providers from using the data in ways in which it was not intended.


Remember, Colonial Surety makes it efficient and affordable for plan sponsors to protect themselves, their businesses and the retirement plan. Our value-added Fiduciary-Cyber Liability Pack coverage provides:


  1. Legal defense and coverage for penalties against claims of alleged or actual breaches of fiduciary duties.
  2. Defense against lawsuits and regulatory actions related to a cyber breach.
  3. Expert-led response, notification and crisis management services to prevent a cyber incident from spiraling into a disaster.


Fiduciary-Cyber Liability Pack Right Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.