Key Fiduciary Considerations Impacting Your Retirement Plan
ARTICLE | July 15, 2025
Authored by RSM US LLP
Executive summary:
Retirement plan fiduciaries play a critical role in protecting the interests of retirement plan participants and safeguarding their retirement assets. In a complex and fast-paced world, a retirement plan fiduciary’s role is even more critical in navigating matters impacting retirement plans. Despite common misconceptions, plan fiduciaries are not merely third parties; they include both the employer sponsoring the retirement plan and any trustees charged with oversight of the plan’s operations. While a plan sponsor may hire third parties to assist with plan oversight, the plan sponsor still has the ultimate responsibility of effectively managing its retirement plan and operating it in a manner that is protective of the participants’ interests. This article highlights the top 10 matters for plan fiduciaries to consider with respect to oversight of workplace retirement plans.
The Employee Retirement Income Security Act (ERISA) places significant emphasis on fiduciaries to properly oversee and manage a retirement or other employee benefit plan. Litigation against fiduciaries can be initiated by either a plan participant or the Department of Labor (DOL). Fiduciaries can be held personally liable for losses a plan incurs due to a breach of duty and may be required to restore any profits made through improper use of plan assets. Failure to meet their duties could result in the DOL assessing civil penalties or, in severe cases, criminal prosecution resulting in fines and imprisonment. These consequences underscore the importance of fiduciaries adhering to their responsibilities to act solely in the interest of plan participants and beneficiaries. Specifically, fiduciaries should consider the following risk areas.
1. Plan expenses
One certainty of retirement plan management is that the plan sponsor or the plan will incur expenses for third-party administration, investment management, reporting, the preparation of disclosures, and similar services. Often the employer pays plan operational expenses on behalf of the plan. Other times, the employer pays the expenses as a matter of convenience but seeks reimbursement from the plan. As a plan fiduciary, the employer is responsible for ensuring that such reimbursements are reasonable and necessary and that the plan document provides procedures supporting the reimbursement. Failing to meet these two requirements would result in a prohibited transaction under ERISA and the Internal Revenue Code (Code). A best practice for plan fiduciaries is to establish a written agreement specifying how and when the plan can reimburse the employer for plan-related operational expenses.
Plan fiduciaries need to be especially careful when a plan sponsor advances or loans money directly to the plan for the payment of plan expenses. To avoid a prohibited transaction, the plan fiduciaries must document in writing that the plan intended to enter into a loan transaction with the plan sponsor and that doing so alleviates the plan’s financial need and enables the plan to meet its obligations to pay plan expenses. To qualify for the prohibited transaction exemption, the loan agreement must not charge interest and must not require the plan to provide security for the loan.
2. Retirement plan cybersecurity
Too many plan sponsors rely on the plan trustee’s and recordkeeper’s protocols for cybersecurity without performing their own diligence. As plan sponsor, it is important for companies to understand that they are fiduciaries and, in many respects, are the primary fiduciary to the plan. With this responsibility, plan sponsors need to oversee the steps the plan is taking to protect the participants’ assets and personal data. Plan cybersecurity is an area of increasing DOL enforcement activity.
The DOL has cited the following cybersecurity best practices for plan sponsors and service providers to consider (refer to their publication):
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
In addition to implementing these review practices, plan fiduciaries also have the responsibility to document their diligence – i.e., their consideration of each plan service provider’s cybersecurity practices and why they decided to engage one service provider over another.
Plan sponsors and trustees should inquire about a service provider’s cybersecurity practices both before engaging them and on a regular, periodic basis, gathering information about the service provider’s cybersecurity credentials, proactive measures, and response plan in the event of a cybersecurity incident. For the DOL’s best practices for engaging service providers with strong cybersecurity practices, refer to their publication.
3. Hardship distribution policies
Changes in IRS regulations and the law have made it easier for participants to request hardship distributions, including the ability of the plan to permit employees to self-certify their eligibility to receive a hardship distribution. The regulations describe a hardship distribution as an in-service distribution made due to a participant’s immediate and heavy financial need, and the plan must limit the amount available to the amount needed to meet that need.
Self-certification simplifies the administration process for employers, as they can rely on their employees’ representation to support their immediate and heavy financial need. This protects the employee’s privacy and the employer from needing to investigate an employee’s personal situation. It also allows plan participants to access their funds more quickly, which is especially critical in hardship situations.
There are many benefits to employee self-certification, but processes should still be in place to properly administer the distribution. These include appropriate communication to the participant that the distribution is taxable, that it cannot exceed the participant’s immediate and heavy financial need, and that the participant agrees to retain documents supporting the need and the amount and to make them available to the employer upon request.
4. Artificial intelligence (AI) in plan administration
AI can assist employers and recordkeepers alike with appropriately managing retirement plans. In addition to providing automation of repetitive tasks (e.g., completion and filing of participant notices, processing deferral elections, checking tax limits, etc.), AI can help increase accuracy when it comes to management of auto-enrollment and auto-escalation features in plans, thereby reducing the occurrence of operational failures.
AI can even be used to enhance participant engagement by monitoring plan provisions that are most utilized, giving employers the opportunity to weigh the administrative cost of implementing those provisions against the benefit of offering them (i.e., as measured by participant usage).
While AI is a helpful tool that can revolutionize plan administration and management, it is not a substitute for fiduciary involvement and decision-making. Plan fiduciaries still have the obligation to 1) understand how AI is used in monitoring or administering retirement plans before it is implemented in plan operations, and 2) make prudent decisions that involve their own assessment and judgment, rather than over-relying on AI to fulfill this duty for them.
Plan trustees should also consider transparency with plan sponsors and recordkeepers in how they are using AI to monitor and analyze their plans and consult appropriate legal counsel to stay compliant with rules and regulations regarding AI usage, reporting, and data privacy.
5. Retirement income solutions
Employers have begun to worry that many participants are financially unable to retire, yet employers focus on managing investment line-ups for costs and performance and have not provided retirement-age participants with guidance on potential retirement savings strategies (e.g., combining target date or balanced type investment funds with an allocation to an annuity that can work to provide lifetime income). Plan fiduciaries can add value to participants by evaluating plan investment managers, understanding their available investment options and strategies, and requesting educational materials and presentations for their employees. Doing so demonstrates prudent fiduciary oversight and diligence on the part of the plan’s fiduciaries in seeking the best interests of plan participants. It also has the added benefit of increasing employee participation in the plan with the potential to yield stronger retirement outcomes.
6. Failure to review the recordkeeper’s SOC report annually – if at all
An often-overlooked responsibility of plan fiduciaries is to request and review a copy of each plan service provider’s Service Organization Control (SOC) report. This report is typically issued annually and obtained by service providers for purposes of evaluating their internal controls over financial reporting, such as accurately processing data, storing data in accordance with data privacy requirements, and implementing adequate cybersecurity protocols. Service providers, such as third-party administrators, investment managers, and payroll processors, obtain SOC reports to provide assurance to their clients (the plan fiduciaries) that sensitive plan participant information is protected.
While review of the SOC report is an essential fiduciary function, it is not a replacement for inquiring with service providers about their cybersecurity protocols in advance of hiring them and on an ongoing basis. Both inquiring of the service provider regarding its practices and thoroughly reviewing its SOC reports demonstrate diligence on the plan fiduciaries’ part in providing effective oversight of a retirement plan.
A common misconception is that the plan fiduciaries can rely on the plan auditor’s review of the SOC reports to fulfill their fiduciary duties in this regard; however, the plan auditor’s review alone is not sufficient. Plan fiduciaries are still responsible for requesting copies of these reports from plan service providers, reading them, and documenting their findings from the reports (e.g., the entity has an unmodified opinion and is effectively managing internal controls over financial reporting, the entity’s SOC report indicates a modified opinion due to inadequate controls, etc.). They should also compare their findings to any issues documented by the plan auditor to demonstrate that a thorough assessment has been conducted.
7. Managing terminated participant accounts
A common situation many plan fiduciaries can relate to is having a terminated employee with money left behind in the 401(k) plan. If your plan does not have a practice of 1) actively getting participants to withdraw their funds voluntarily, or 2) involuntarily distributing or transferring small balances (i.e., those under $7,000), then the plan is at risk of a lost or missing participant problem.
A missing participant is a person who has a balance in the plan, and the plan either 1) does not have valid contact information for them, or 2) has recent contact information on file, but the plan participant is unresponsive to communications from the employer. A common reason missing participants arise is employees terminate service and forget to roll their retirement account balance into an individual retirement account (IRA) or their new employer’s plan, if the new employer’s plan accepts rollovers.
As emphasized in DOL Field Assistance Bulletin 2025-01, ERISA requires plan fiduciaries to exercise sound judgment in ensuring retirement benefits are appropriately delivered to plan participants, and any distributions made from the plan must be evaluated by plan fiduciaries to weigh the benefit of issuing a participant’s owed funds against any potential adverse consequences (i.e., taxes imposed on the participant, the fiduciary needing to establish a new IRA in the participant’s name to deposit the funds into, any associated fees, etc.).
Pursuant to SECURE 2.0 Act section 303, the DOL established a Retirement Savings Lost and Found Database for the purpose of assisting plan sponsors and trustees with fulfilling their fiduciary duty to deliver benefits to participants and to assist plan participants with locating those retirement plan funds. Plan fiduciaries can use the Intake Portal for this database to report missing participant funds to the DOL to be claimed by lost or missing participants. Employers are encouraged to update submissions to the database at least annually to ensure that the database information is current. In issuing the Retirement Savings Lost and Found Fact Sheet, the DOL relieved plan fiduciaries of their responsibility to track missing participants if they appropriately remit missing participant data to the Retirement Savings Lost and Found Database. For more information on utilizing the database and intake procedures, see the DOL’s Retirement Savings Lost and Found Fact Sheet.
In situations where a participant’s balance is less than the “force-out” limit (which was increased to $7,000 pursuant to the SECURE 2.0 Act for distributions made after December 31, 2023), plan fiduciaries are typically deemed to have met their responsibility with respect to appropriately distributing retirement assets to lost or missing participants if they establish an IRA in the participant’s name to deposit the funds into, regardless of whether they receive the individual’s consent to do so (this process is referred to as automatic portability). In automatic portability situations, the DOL grants plan fiduciaries a prohibited transaction exemption that allows them to move participant assets as a party-in-interest to the plan without incurring enforcement action. SECURE 2.0 Act section 120 further enhanced the automatic portability prohibited transaction exemption by providing plan fiduciaries a waiver for obtaining a fee in connection with automatic portability transactions, to encourage fiduciaries to seek remedies for issuing retirement funds to lost or missing participants.
8. The DOL’s Self-Correction Program
As of March 17, 2025, the DOL added a Self-Correction Component (SCC) to its Voluntary Fiduciary Correction Program (VFCP) for failures to timely remit participant contributions and loan repayments, as well as certain inadvertent participant loan failures. Before the SCC program, to correct through the DOL, the employer needed to file a VFCP application for the DOL’s review. The result of a successful VFCP application is that the DOL issues a no action letter. However, this is a time-consuming process. The SCC provides an opportunity for plan fiduciaries to correct two types of fiduciary breaches under a somewhat simpler administrative process and at lower cost, though with certain limitations.
Self-Correction of Delinquent Participant Contributions and Loan Repayments
- The DOL capped the errors eligible for self-correction to small errors, defined as breaches not resulting in lost earnings of more than $1,000 for a given payroll period.
- Errors eligible for correction under the SCC must be those where the employer is able to remit late deposits within 180 days of either withholding them from participants’ paychecks or receiving a payment from a participant (e.g., a loan payment paid outside of the payroll process).
- The employer must calculate lost earnings using the DOL calculator and use the payroll date rather than the normal deposit date as the loss date.
Self-Correction of Eligible Inadvertent Participant Loan Failures
Eligible Inadvertent Participant Loan Failures are violations involving loans from a plan to a participant that can be self-corrected under the Internal Revenue Service's Employee Plans Compliance Resolution System (EPCRS). The SCC allows employers and plan officials to self-correct these violations under the VFCP and receive relief from EBSA enforcement action and civil penalties if they make a correction through EPCRS.
These violations include:
- Non-compliance with plan terms that incorporate requirements of the Internal Revenue Code regarding the amount, duration, or level amortization of the loan,
- Loans that defaulted due to a failure to withhold from the participant's wages,
- Failure to obtain spousal consent for a loan, or
- Allowing a loan that exceeds the number of loans permitted under the plan.
Filing process and results
An employer using SCC must notify the DOL by submitting an SCC Notice with the required information through EBSA's web tool. They must also collect records related to the correction, including the SCC Retention Record Checklist and a penalty of perjury statement, and provide them to the plan administrator for recordkeeping. Unlike the VFCP application process, self-correctors will receive an email acknowledgment instead of a "no action" letter.
Excise tax relief
The SCC grants excise tax relief for transactions corrected under the SCC, provided self-correctors pay the amount of the excise tax owed to the plan.
Should an employer use SCC?
In assessing which DOL correction program to use (SCC vs. VFCP), plan fiduciaries should exercise judgment in weighing the pros and cons of the speed and lower cost of the SCC against the limited protection and eligibility that the program provides. In other words, if an employer takes the time to make an SCC filing, it might just be better to have legal counsel file a VFCP application and receive the full benefit of the no action letter.
9. The role of the board of directors in monitoring the plan committee
A board of directors may not be fully aware of it, but they can often be a plan’s “named fiduciary.” It is common for a plan document to say the employer is the named fiduciary unless the employer names a plan committee. Either way, the board has some degree of fiduciary responsibility. It is either the fiduciary by default (after all, the board is responsible for the overall management of the company) or, if it appoints a committee to oversee the plan, it needs to do so in a prudent manner.
To protect themselves as plan fiduciaries, members of the board of directors should document their review of the employees they appoint to the plan committee, including their qualifications, education, and experience in retirement plan matters. The board should also be involved in interviewing candidates for positions on the plan committee and for establishing reporting guidelines between the plan committee and the board so that the board is kept abreast of 401(k) plan developments.
The board of directors can charge the plan committee with responsibilities such as:
- Overseeing the administration of the plan in accordance with the terms of the plan document,
- Selecting and engaging service providers for the plan,
- Reviewing plan investment fees and investment options,
- Evaluating fees charged against the plan,
- Providing plan participant communications,
- Coordinating with ERISA legal counsel to execute any needed plan restatements or amendments, and
- Ensuring that the interests of plan participants are respected.
To define these responsibilities, the board of directors should create a written policy or charter for the plan committee to follow. This provides safeguards around transparency, visibility, and communication between the board and the committee, thereby allowing the board members to fulfill their fiduciary responsibilities of plan oversight.
10. Fidelity bond requirements vs. fiduciary liability insurance
Any plan fiduciaries who handle plan funds or property are required under ERISA to be bonded. The purpose of the fidelity bond is to protect a retirement plan against losses incurred due to misappropriation of plan assets by plan fiduciaries (e.g., theft, fraud, or dishonesty in managing plan assets). The fidelity bonds must cover at least 10% of plan assets handled, with a minimum coverage of $1,000 and a maximum of $500,000. However, for plans holding employer securities, the maximum coverage increases to $1,000,000.
Employers can meet this obligation by purchasing an ERISA fidelity bond or a crime insurance policy that reimburses the plan and not the employer for any theft or mishandling of plan funds.
While similar in name, fidelity bonds are not to be confused with fiduciary liability insurance. Fiduciary liability insurance refers to insurance for a fiduciary against claims caused by their breaches of fiduciary responsibilities.
Fiduciaries should review plan policies and documentation to confirm that they have current ERISA fidelity bond coverage and should also have procedures in place for how to review and address claims for misappropriation of plan assets.
Takeaways
If it has been some time since an employer has reviewed its fiduciary practices and those of its plan trustee, a formal fiduciary review process may help document consideration of these key issues impacting retirement plans. Plan fiduciaries are encouraged to have regular meetings to review, discuss, and document their oversight and to avoid putting a retirement plan on autopilot, thereby neglecting their fiduciary duties to protect the interests of plan participants on an ongoing basis and opening themselves to personal risk.
This article was written by Bill O’Malley, Christy Fillingame, Lauren Sanchez and originally appeared on 2025-07-15. Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/business-tax/key-fiduciary-considerations-impacting-your-retirement-plan.html