Spark announces best practices to protect against retirement fraud
The Spark Institute's standards build upon DOL cybersecurity guidance to provide more clear-cut practices designed to defeat retirement account fraud.
The $35.4 trillion in total retirement assets in the U.S. are at risk of account takeovers and fraud as cybercriminals have been actively targeting retirement savings, according to the Spark Institute.
On Wednesday, the retirement organization’s data security oversight board announced standards designed to protect retirement accounts from fraud in light of heightened cybersecurity threats. The recommendations build upon the Department of Labor cybersecurity guidance released in April and provide more clear-cut guidance to defeat retirement account fraud and protect the retirement benefits of America’s workers, according to the announcement.
While it’s clear that cybersecurity poses a major risk to 401(k)s and other retirement plans, guidance has been lacking on how plan fiduciaries should address it, according to a February report from the Government Accountability Office. The GAO report pointed to several instances of 401(k) accounts being raided by thieves, events that have been well-publicized as a result of the private litigation that followed.
The GAO acknowledged that plan sponsors, record keepers and others have little to go on as far as guidance from the Department of Labor, and that it also isn’t clear whether fiduciaries have responsibility to minimize cybersecurity risks, according to the report.
To address the issue, the Spark Institute developed a fraud controls chart intended to highlight a minimum set of controls that should be considered and set expectations for all parties involved, including plan sponsors, participants and record keepers.
The chart highlights best practices for protection in seven categories: authentication; establishing account access; reestablishing account access; contact data; communications; fraud surveillance; and customer reimbursement policy.
“The protection of retirement accounts can only be fully realized with a partnership among plan sponsors, fiduciaries, record keepers, participants — and advisers, when applicable,” Tim Rouse, executive director of the Spark Institute, said in a statement. “With this in mind, our recommended controls should be implemented among all individuals and organizations involved in a retirement plan.”
Some examples of best practices include plan sponsors requiring that record keepers provide multi-authentication options and ensuring that a fraud reimbursement policy has been established and is available to participants.
For participants, one best practice is to review communications and statements sent by the plan sponsor or record keeper in a timely manner and immediately report any unauthorized activity. Meanwhile, record keepers should verify participant identities during credential resets and the verification must involve controls beyond relying on publicly available information.
For participants, one best practice is to review communications and statements sent by the plan sponsor or record keeper in a timely manner and immediately report any unauthorized activity. Meanwhile, record keepers should verify participant identities during credential resets and the verification must involve controls beyond relying on publicly available information.
“We know that cyberthreats are only going to increase,” Rouse said. “And we also know that protecting plan assets means that the retirement industry has to make a concerted and coordinated effort to fight fraud over the long term.”
Learn more about reprints and licensing for this article.
