Skyscrapers and blue sky.

There is a growing trend of using participant data to cross-sell financial products unrelated to plan recordkeeping by large recordkeepers and asset custodians of employer-sponsored retirement plans. In light of the fact that plan fiduciaries are ultimately legally responsible for the management and mismanagement of a retirement plan, this trend to use participant data may raise issues for employers in their role as plan sponsors and fiduciaries.

Recently, numerous plan fiduciaries have been swept up in a wave of excessive fee litigation for failing to provide prudent investment options at a reasonable fee for plan participants—a trend that is likely going to continue and reach more retirement plans. Excessive fee litigation has pressured plan fiduciaries to renegotiate and monitor fees charged by service providers. Due to reduced fees, service providers have turned to other options to expand their businesses. Some service providers are using participant data acquired through the administration of retirement plans to sell and market services unrelated to those plans.

There is no definitive case law or other legal guidance prohibiting or restricting service providers from using plan participants’ personal information to cross-sell financial products. Nevertheless, there are several reasons plan fiduciaries may want to be wary of allowing such personal information gleaned from plans to be used for non-plan–related purposes.

Excessive Fee Litigation

Some of the claims in the excessive fee litigation cases against plan fiduciaries include fiduciary breaches for allowing excessive recordkeeping and investment management fees. Arguments that participant data is an Employee Retirement Income Security Act (ERISA) plan asset have fallen flat. However, several settlements for excessive fee cases have included terms that require a contractual restriction on the service provider’s ability to cross-sell products or services not related to the plan or plan participants unless a participant first requests them.  Protecting participant data is becoming part of the solution to excessive fee cases because it helps mitigate the movement of plan assets from a lower-cost retirement vehicle (the retirement plan) to a higher-cost retirement vehicle (an individual retirement arrangement or IRA).

Fiduciary Duty and Personal Data

While the argument that participant data is an ERISA plan asset has not convinced courts, participant data still has value and plan fiduciaries must monitor the services of service providers, which are generally not plan fiduciaries. A fiduciary can determine that using participant data to sell non-plan financial services is an improper use of that data. Plan sponsors may want to provide restraint on what service providers do, including limiting use of participant data for purposes outside of the administration of the retirement plan. Participant personal data is valuable to service providers. Plan fiduciaries may monitor and prevent service providers from using the data in ways in which it was not intended.

DOL Audits

In its plan audit reviews, the U.S. Department of Labor (DOL) has asked for the uses of plan participant data. Specifically, the DOL is requesting   documents and communications describing the use of participant data by the plan sponsor or any service provider for the direct or indirect purpose of cross-selling or marketing products and services. The DOL is asking about cross-selling by service providers as part of its audit review, and it is likely formulating a position that will scrutinize the use of participant data in this context.

DOL Fiduciary Rule

Issued by the DOL in 2017, the Fiduciary Rule provided that retirement advisors must act in the best interests of their clients and make certain disclosures to their clients. The rule would have treated as fiduciaries service providers that recommended or solicited plan participants to roll over retirement plan assets. If a service provider was treated as a plan fiduciary, the service provider likely would not use plan participant data to cross-sell financial products unrelated to the plan because of the increased legal risk. The Fifth Circuit Court of Appeals vacated the rule in March 2018, so it never went into effect. Nevertheless, the DOL is considering reviving the Fiduciary Rule. The DOL has its eye on retirement rollover transactions and wants to provide further protections for participants.

State Privacy Laws

Several states have passed consumer data protection laws, and others are considering them. These laws may require an additional layer of compliance for data maintained by service providers for plan administration. Some state laws contain significant carveouts for employers and for the use of information for employment; however, plan retirement services are distinct from the individual retirement products marketed to participants through cross-selling, and these individual retirement services are arguably outside the scope of the employment relationship. Plan fiduciaries that permit service providers to use participant information may be at risk of violating state privacy laws. Allowing cross-selling could raise significant compliance issues under state law for plan fiduciaries and service providers.

Risk Mitigation

A plan fiduciary’s duty extends to limiting the plan’s litigation risk. The law surrounding the use of plan data for solicitation purposes is unsettled, but as suggested by DOL actions and new state laws, this is an area of growing concern at both the state and federal levels. A fiduciary may direct the actions of the service provider and also may act to prevent unauthorized use of personal data.

Key Takeaways

Plan fiduciaries may want to draft language for plan service agreements that limits the use of participant information acquired while providing recordkeeping services similar to the provisions required in the excessive fee settlements. Whatever approach plan fiduciaries take in managing participant data, under ERISA, they are ultimately responsible for the management—and mismanagement—of their retirement plans.

Browse More Insights

Close up of calculator, data and stethoscope
Practice Group

Employee Benefits and Executive Compensation

Ogletree Deakins has one of the largest teams of employee benefits and executive compensation practitioners in the United States. As part of a firm that focuses on labor and employment law, our Employee Benefits Practice Group has a special ability to relate technical experience to the client’s “big picture” issues.

Learn more
Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now