Best Practices for Monitoring Retirement Plan Service Providers

Retirement plans are an important (and enticing) benefit job seekers look for when choosing between employment opportunities. However, when an employee decides to participate in a retirement plan, they likely are unaware of all the working parts behind the implementation of their participation. Employees trust the plan sponsor to fulfill its fiduciary duty of not only carrying out the implementation of the plan in compliance with the Employee Retirement Income Security Act (ERISA), but also monitoring the plan’s service providers.

The plan sponsor should have a well-documented process breaking down the responsibilities of individuals implementing the plan and a “tone at the top” mind set to make sure these processes are in place, exercised, and regularly reviewed for improvement. Plan sponsors also depend on other professionals (service providers) to advise and assist with ERISA compliance. Because of this dependence, although you have found a service provider that you trust and that meets your plan’s needs, it is good practice to continue monitoring the service provider as part of your fiduciary duty.

To assist business owners in carrying out their responsibilities under ERISA to monitor plan service providers, the Employee Benefits Security Administration has prepared the following tips which may be a helpful starting point:

  • If the service provider will handle plan assets, check to make sure the provider has a fidelity bond, which isa type of insurance that protects the plan against loss resulting from fraudulent or dishonest acts.
  • If a service provider must be licensed (attorneys, accountants, investment managers or advisors), check with state or federal licensing authorities to confirm the provider has an up-to-date license and whether there are any complaints pending against the provider.
  • Make sure you understand the terms of any agreements or contracts you sign with service providers and the fees and expenses associated with the contracts. In particular, understand what obligations both you and the service provider have under the agreement and whether the fees and expenses to be charged to you and plan participants are reasonable for the services to be provided.
  • Prepare a written record of the process you followed in reviewing potential service providers and the reasons for your selection of a particular provider. This record may be helpful in answering any future questions that may arise regarding your selection.
  • Receive a commitment from your service provider to regularly provide you with information regarding the services it provides.
  • Periodically review the performance of your service provider to ensure that they are providing the services in a manner and at a cost consistent with the agreements.
  • Review plan participant comments or any complaints about the services, and periodically ask whether there have been any changes in the information you received from the service provider prior to hiring (e.g. does the provider continue to maintain any required state or federal licenses).

Another excellent way to monitor your service provider is by reviewing their Service Organization Control (SOC 1) report. SOC 1 reports are third-party assessments of the operating effectiveness of an organization’s controls and are your key as a plan sponsor to gauge the level of monitoring over the service organization necessary to ensure all proper controls are in place for your plan. Because SOC reports are very long and detailed documents, plan sponsors typically file them away without looking at them until it is needed for an audit, so it may be advantageous to know where to look to find the information most helpful. Some of the most helpful information for the plan sponsor will come from the independent service auditor’s report, control objectives and complementary user controls. The independent service auditor’s report states an auditor’s official opinion on the service organization’s system and operating effectiveness of controls. The control objectives are a series of statements that address how risk is going to be effectively mitigated. Lastly, the complementary user controls are operative measures that exist on the plan sponsor level to ensure that the service provider is receiving the information it needs to execute its responsibilities and that such information is accurate.

When mistakes are made, a lot of the time they are not detected until the plan is under audit, allowing for this mistake to go uncorrected a year or more after it is made. Depending on the type of error, the more time that passes, the more costly it is to correct. It is recommended to monitor service providers and implement the actions listed above on an annual basis (at the very least) to help plan sponsors be more proactive and less reactive in eliminating costly deficiencies and correcting mistakes timely.