Retirement plan record keepers are concerned about two looming data privacy issues that could have a big impact on their business.
Lawsuits threaten companies' ability to cross-sell products, and cybersecurity looms as an increasing cost just as record keepers' margins are compressing, according to record-keeper executives at an InvestmentNews RPA Record Keeper roundtable discussion in New York in September.
"[If] somebody can figure out how to class action a lawsuit, that's where the financial risk is," said Bob Carroll, head of workplace distribution at MassMutual. "If somebody comes across and a judge says 'the plan sponsor and the participant own the data, period,' and we're not allowed to do things with the data that we need in order to administer plans … that's really where we get into a lot of trouble and the financials of the business fall apart really quickly. Not only for us, the adviser community, the [third-party administrator], everybody across the board."
A lawsuit over mismanagement of Vanderbilt University's retirement plan thrust the issue of participant data into the spotlight. That lawsuit alleged the university caused employees to overpay for investment and administrative services in two retirement plans because of excessive fees.
As part of the $14.5 million settlement, Vanderbilt was required to tell Fidelity Investments to refrain from using participants' information it acquires to market or sell them products unrelated to the plan, unless participants request that Fidelity do so.
Fidelity Investments was not a defendant in the lawsuit, but the provision against using participant data was thought to be the first of its kind for the industry, and could hamper a record keeper's ability to cross-sell products in the future.
A separate lawsuit against Northwestern University alleged that record keeper TIAA had inappropriately used data, such as contact information, asset size of account, employment status and age to market other products. That lawsuit was eventually dismissed.
In addition, several states are in various stages of considering or implementing laws around consumer data privacy. For example, the California Consumer Privacy Act, which gives consumers new rights regarding collection of personal data, takes effect in January 2020.
Record-keeper executives at the roundtable said more lawsuits around participant data could pose a risk for the entire industry. They also expressed concern that limiting a record keeper's ability to use participant data or cross-sell products undermines financial wellness initiatives that many employers are starting to implement.
It "flies a little bit into the face of employees looking to their employer for broader wellness and broader solutions," said Charlie Nelson, chief executive of retirement and employee benefits at Voya Financial Inc.
A partial solution may be for plans to give individual participants an outright choice on whether to share data, suggested Tim Rouse, executive director at SPARK Institute.
[Recommended video: Planners want Reg BI to set them apart from the competition]
"They can address some of the privacy issues as well as who can access (the data) and who doesn't," he explained.
Meanwhile, record-keeping firms also are concerned about cybersecurity risks.
"Cybersecurity wasn't [as big] an issue three years ago," Mr. Carroll of MassMutual said.
He said he fears beefing up cybersecurity will become expensive at a time when margins are compressing.
However, others said cybersecurity could help differentiate a firm and justify fees. "There could be some light at the end of the tunnel," Mr. Rouse said.
Investing in profitability, performance and people: Register for our Top Advisory Firm Summit.
It typically comes down to fees with retirement plan lawsuits, but the fiduciary evaluation could be linked to cybersecurity down the road if the Department of Labor or Congress moves to require that plan sponsors evaluate vendors' cybersecurity capabililties, he said.
Jay Cooper is a freelance writer.