With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly exempt personal information collected by HIPAA-Covered Entities, but instead exempts only information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.
HIPAA-Covered Entity Data Could Be Subject to CCPA
What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.
Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.
What This Means for HIPAA-Covered Entities
Start your data mapping now. To determine what information is collected that is not protected under HIPAA, and to what extent the CCPA applies to such data, you must understand what categories of information are collected, who the data is received from, what is being done with it, and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.
As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations.
Calendar Year 2019
The following summary describes the most common penalties applicable to retirement, health, and welfare plans in 2019 through ERISA and other federal laws. This list serves as an important reminder that noncompliance with laws relating to your company’s benefit plans could result in significant penalties.
- Furnish Reports. Failure to furnish reports (e.g., pension benefit statements) to certain former participants and beneficiaries or maintain records: $30 per employee.
- COBRA. Failure to provide an initial COBRA notice or an election notice on a timely basis, as required by COBRA: $110 per day.
- Form 5500. Failure or refusal to properly file annual Form 5500 report required by ERISA § 104: Up to $2,194 per day.
- Notification of Benefit Restrictions. Failure to notify participants under ERISA §10(j) of certain benefit restrictions and/or limitations arising under Internal Revenue Code §436: Up to $1,736 per day.
- Notification of Automatic Contribution Arrangement. Failure to furnish automatic contribution arrangement notice under ERISA §514(e)(3): Up to $1,736 per day.
- Form M-1. Failure of a multiple employer welfare arrangement to file report required by regulations issued under ERISA §101(g): Up to $1,597 per day.
- Information Requested by DOL. Failure to furnish information requested by the Secretary of Labor under ERISA §104(a)(6): Up to $156 per day, not to exceed $1,566 per request.
- Blackout Notice. Failure to furnish a blackout notice under ERISA § 101(i): Up to $139 per day.
- Right to Divest Notice. Failure to furnish a notice of the right to divest employer securities under ERISA § 101(m): Up to $139 per day.
- CHIP Notice. Failure by an employer to inform employees of Children’s Health Insurance Program (CHIP) coverage opportunities (each employee is a separate violation): Up to $117 per day.
- State Coverage Coordination. Failure by a plan administrator to timely provide to any State the information required to be disclosed regarding coverage coordination under ERISA §701(f)(3)(B)(ii); each participant/beneficiary is a separate violation: Up to $117 per day.
- Failure by any plan sponsor of a group health plan, or any health insurance issuer offering health insurance coverage in connection with the plan, to meet the requirements of ERISA §§702(a)(1)(F), (b)(3), (c) or (d); or §701; or §702(b)(1) with respect to genetic information: Up to $117 per day during non-compliance period.
- Minimum penalty for de minimis failures to meet genetic information requirements not corrected prior to notice from the Secretary of Labor: $2,919 minimum.
- Minimum penalty for failures to meet genetic information requirements which are not corrected prior to notice from the Secretary of Labor and are not de minimis: $17,515 minimum.
- Cap on unintentional failures to meet genetic information requirements: Up to $583,830.
- CSEC. Failure of Cooperative and Small Employer Charity Act (CSEC) plan sponsor to establish or update a funding restoration plan: Up to $107 per day.
- Prohibited Distribution. Distribution prohibited by ERISA §206(e): Up to $16,915 per distribution.
- SBC Distribution. Failure to provide Summary of Benefits Coverage under Public Health Services Act §2715(f): Up to $1,156 per failure.
- Failure of a multiemployer plan to certify endangered or critical status under ERISA §305(b)(3)(C) treated as a failure to file annual report: Up to $2,194 per day.
- Failure to furnish certain multiemployer plan financial and actuarial reports upon request under ERISA §101(k): Up to $1,736 per day.
- Failure to furnish estimate of withdrawal liability upon request under ERISA §101(l): Up to $1,736 per day.
- Failure by a plan sponsor of a multi-employer plan in endangered status to adopt a funding improvement plan or a multiemployer plan in critical status to adopt a rehabilitation plan. Penalty also applies to a plan sponsor of an endangered status plan (other than a seriously endangered plan) that fails to meet its benchmark by the end of the funding improvement period: Up to $1,378 per day.
Health Care Reform.
- Failure to offer coverage to 95% of eligible full-time employees with Minimum Essential Coverage. Penalty applies if one full-time employee receives federal premium subsidy for marketplace coverage: $2,500 per full-time employee (minus the first 30).
- Failure to offer affordable coverage (less than or equal to 9.56% in 2018 and 9.86% in 2019) or failure to provide “minimum value” coverage (60%+ of total allowed costs): $3,750 per full-time employee receiving a subsidy or $2,500 per full-time employee (minus the first 30).
- Failure to comply with health care reform mandates: $100 per day.
- Failure to file a correct 1094 or 1095 or failure to file the information returns on a timely basis: $270 for each return.
- Failure to furnish correct 1095 payee statement on a timely basis or failure to include all of the information required to be shown on a payee statement or the inclusion of incorrect information: $270 for each return.
- MHPAEA. Failure to comply with MHPAEA requirements: $100 per day for each individual to whom a failure relates.
- HIPAA. Failure to comply with HIPAA: Excise tax of $100 per day for each individual to whom the failure relates; civil penalties of $100 to $50,000 per violation, capped at $1.5 million per calendar year.
This summary is not intended to be a comprehensive list of all federal penalties that could apply to an employee benefit plan. Additionally, state and local law penalties are not included in this summary.
In an effort to reverse another aspect of the Affordable Care Act (“ACA”), the Trump Administration published a proposed rule in late October that would allow employers to reimburse employees for medical expenses through a stand-alone health reimbursement account (“HRA”). Health care reform imposes a large excise tax on arrangements that reimburse employees for health care expenses without also providing a group health plan to employees. The penalty was intended to drive employers to purchase group insurance plans for their employees but posed a huge challenge for small employers who saw such reimbursements as a natural alternative to offering employee health care coverage. In the wake of rising health care costs, the Internal Revenue Service (“IRS”) recognized the burden such prohibition posed on small employers. As a result, in 2017, the IRS chipped away at the prohibition by allowing employers with less than 50 full-time employees to offer special stand-alone HRAs, known as “Qualified Small Employer Health Reimbursement Accounts” or “QSEHRAs.” The government now takes one step further by proposing to allow both small and mid-size employers to offer HRAs to their employees, even if they do not offer traditional group coverage. The Proposed Rule intends to accomplish two major goals: (1) permit HRAs to be integrated with individual health insurance coverage; and (2) expand the definition of benefits in order to allow reimbursement for stand-alone dental, limited scope vision, and other plans.
i. The Proposed Integration Rules
HRAs are tax-free, employer-funded accounts used to pay for out-of-pocket, qualified medical expenses. HRAs have been part of the health care market for years, but the ACA tried to discourage the use of HRAs to prevent employers from pushing employees with health risks into the individual market. Currently, employers can only offer an HRA to their employees if it is “integrated” with a major group medical plan sponsored by the employer. Under the new Proposed Rule, employers would be able to offer HRAs to employees with individual health insurance coverage if certain conditions are met. For example, under the Proposed Rule, an employer cannot offer a stand-alone HRA and a traditional group health plan to the same group or class of employees. Additionally, while HRA reimbursement amounts can vary to reflect age-based health coverage pricing, reimbursement amounts cannot vary based on the health-risk posed by the employee. In other words, the general rule requires that the HRA integrated with individual health insurance coverage be offered on the same terms to all employees of the same class (e.g., full-time, part-time, seasonal, etc.).
ii. Limited Excepted Benefits under the Proposed Rule
The Proposed Rule also gives employers the opportunity to offer an HRA to their employees, even if those employees do not have any major medical coverage at all. Under the Proposed Rule, an HRA will be considered a “limited excepted benefit” exempt from the integration rules if: (1) the HRA is not an integral part of the plan; (2) the HRA does not provide reimbursements in excess of $1,800 per year; (3) the HRA does not reimburse premiums for certain health insurance coverage; and (4) the HRA is made available under the same terms to all similarly situated individuals. The HRA is not an “integral part of the plan” if the participant is offered the opportunity to enroll in an employer-sponsored group health plan. Additionally, the HRA cannot reimburse the participant for premiums for individual health insurance coverage, coverage under a group health plan, or Medicare parts B or D. Rather, the HRA could reimburse employees for premiums for dental plans, limited scope vision plans, or other “excepted benefits.”
iii. The Proposed Rule and QSEHRAs
HRAs under the Proposed Rule are different from QSEHRAs. QSEHRAs have specific, stringent requirements and only apply to employers with less than 50 full-time employees. However, QSEHRAs have a higher statutory dollar limit on reimbursements. While an employer-sponsored QSEHRA can reimburse employees up to $5,050 for individuals and $10,250 for families, a stand-alone HRA under the new Proposed Rule can only reimburse employees for up to $1,800 worth of medical expenses. In other words, some small employers hoping to reimburse employees up to the highest dollar amount available might find that QSEHRAs are a more attractive option. Another difference between QSEHRAs and the stand-alone HRAs under the Proposed Rule is the ACA consequences applicable to employers. Under the Proposed Rule, if group health plan coverage is unaffordable for an employee enrolled in the stand-alone HRA, the employer will be subject to ACA penalties if the employee opts out of coverage and qualifies for a premium tax credit subsidy. In contrast, QSEHRAs do not impose penalties on employers if the reimbursements do not make health coverage “affordable,” because small employers eligible to establish QSEHRAs are not subject to the pay-or-play mandate.
If you have any questions about the HRAs, QSEHRAs, or the new Proposed Rule, please contact one of our employee benefits attorneys.
EFFECTIVE: JANUARY 1, 2019
The IRS has released the 2019 cost-of-living adjustments applicable to the dollar limits and thresholds for retirement plans and health and welfare benefit plans. Plan sponsors should update their systems and formulas to include the limits that have been adjusted.
In light of the current trend toward state-mandated paid family and medical leave laws, recent tax reforms added a provision to the tax code allowing certain employers to claim a business credit based on wages paid to employees on family and medical leave, subject to certain conditions. The new provision, added by the Tax Cuts and Jobs Act, offers a general business credit of up to 25% of wages paid to certain qualifying employees while they are on family and medical leave. The credit will incentivize employers to offer paid family and medical leave, which will also help prepare employers for impending state and local paid leave laws. The credit is generally effective for wages paid in taxable years beginning after December 31, 2017 and is not available for wages paid in taxable years beginning after December 31, 2019. Therefore, employers interested in utilizing the credit should act quickly in the event Congress does not act to extend the credit beyond 2019.
The employer tax credit is calculated as a percentage of the amount of wages paid to a qualifying employee while on family and medical leave (as defined by the Family and Medical Leave Act of 1993 or “FMLA”) for up to 12 weeks per tax year. The credit is available only if the rate of pay for employees on leave is at least 50% of the employee’s normal wages. The credit is a minimum of 12.5% of the wages paid during leave and is increased by 0.25% for each percentage point by which the amount paid to a qualifying employee exceeds 50% of the employee’s wages (up to a maximum credit of 25% of wages paid).
A qualifying employee is any employee under the Fair Labor Standards Act who has been employed for one year or more and, for the preceding year, had compensation that did not exceed the maximum statutory amount. For an employer claiming a Section 45S credit for wages paid to an employee in 2018, the employee must not have earned more than $72,000 in 2017. Employers taking advantage of the credit must reduce deductions for wages and salaries paid or incurred by the amount determined as a credit. Additionally, any wages taken into account for other general business credits may not be used toward the paid family and medical leave credit.
In order to take advantage of the credit, employers must establish written policies and procedures that operate in accordance with the requirements of the new Internal Revenue Code Section 45S as added by the Tax Cuts and Jobs Act. For example, each year, employers must provide at least two weeks of paid family and medical leave to all full-time qualifying employees, and prorate the same benefits for employees working part-time. Additionally, as noted above, whatever paid leave is offered by the employer cannot be paid at less than 50% of the wages the employee normally receives. Employers can offer up to 12 weeks of paid leave annually under their written policies. The credit is available to employers that are not subject to the FMLA, so long as the employer offers paid family and medical leave consistent with the credit’s minimum standards and establishes a written policy governing the leave.
For purposes of the paid leave credit, “family and medical leave” includes leave taken for any of the following reasons: childbirth; placement of a child for adoption or foster care; caring for a spouse, child, or parent with a serious health condition; a serious health condition causing an employee to be unable to perform his or her work functions; qualifying events due to a spouse’s, child’s, or parent’s coverage on active duty or called to duty in the Armed Forces; or, caring for a spouse, child, parent, or next of kin that is a service member. However, employers should recognize that paid vacation leave, personal leave, or medical or sick leave provided by the employer will not be considered family and medical leave unless it specifically covers one of the aforementioned events. Additionally, leave provided under state and local law may not be included in calculating the employer credit. In other words, the Section 45S credit is unavailable regarding paid leave that is required under state or local law.
The IRS intends to provide employers with more guidance on the employer tax credit, including information on how paid family and medical leave will interact with other employer-provided paid leave, state and local leave laws, controlled group rules, and more. Until the IRS issues further guidance, please contact one of the McGrath North Employee Benefits or Labor and Employment attorneys with any questions or concerns.
Under new guidance, small businesses now have more opportunity to offer affordable health care coverage to their employees. In June, the Department of Labor issued a Final Rule on Association Health Plans (AHPs) that will allow small employers to group together to buy insurance. The Final Rule is intended to help small businesses and self-employed individuals obtain health care coverage at a lower cost and increase their bargaining power with insurance companies.
The new rules focus on how ERISA defines “employer” for purposes of sponsoring a health plan. Under ERISA Section 3(5), the term “employer” is defined as “. . . any person acting directly as an employer, or indirectly in the interest of an employer, in relation to an employee benefit plan; and includes a group or association of employers acting for an employer in such capacity.” Under ERISA, bona fide employer groups or associations could sponsor a joint welfare plan only by satisfying a very high standard. Specifically, employers intending to establish an association benefit had to demonstrate both a commonality of interests unrelated to providing benefits and a certain level of control over the plan and trust. Employers were prohibited from banding together for the sole purpose of establishing a welfare benefit plan. If an association or group of employers could meet these criteria, the association or group would be treated as an employer sponsoring a single health plan for its employer members and the plan would be regulated as a group health plan under ERISA.
The Final Rule expands the definition of employer for this purpose and, among other things, allows sole proprietors to participate in AHPs. Under the Final Rule, a bona fide group or association of employers will be treated as a single employer sponsoring a single health plan for its employer members (an AHP) if the following criteria are met:
- Purpose. The primary purpose may be to offer health coverage to employer members and their employees only if there is one substantial business purpose for the association that is unrelated to the provision of health coverage. A substantial business purpose exists if the group or association would be a viable entity absent the sponsorship of the health plan. Substantial business purposes include promoting common business or economic interests of a trade or community, and do not have to be for-profit.
- Employer Members Acting Directly As Employers. Each employer member must act directly as an employer of at least one employee participating in the plan.
- Organizational Structure. The employer members must have a formal organizational structure, including a governing body and bylaws (or similar formality).
- Control. The employer members must maintain control over the functions and actions of the association, as well as what employers may become employer members and participate in the plan.
- Commonality of Interest. The employer members must either be in the same trade or industry, or maintain their principal place of business in the same state or metropolitan area. A metropolitan area may include more than one state if the metropolitan area sprawls across state lines.
- Participation. Participation in the plan must be limited to the employees or former employees (and their beneficiaries) of employer members.
- Nondiscrimination. The plan must comply with ERISA’s group health plan nondiscrimination rules governing eligibility conditions, premiums, and contributions. Additionally, the plan cannot condition employer membership on a health factor of an individual who might become eligible to participate.
- Sponsor Cannot be a Health Insurance Issuer. The group or association sponsoring the plan cannot be a health insurance issuer or owned or controlled by a health insurance issuer. However, health insurance issuers can participate in the group or association as an employer member.
The Final Rule also expressly allows “working owners” to receive dual treatment as an employer and an employee simultaneously, which permits working owners to participate in AHPs. For purposes of the Final Rule, a “working owner” includes anyone who: (1) has an ownership right in a trade or business (including partners and self-employed individuals); (2) earns wages or self-employment income; and (3) either works 20 hours per week (80 hours per month) or earns wages that cover the working owner’s cost of coverage.
Finally, the Final Rule ensures that no joint-employer liability attaches to the employer members sponsoring an AHP. The Final Rule states “nothing in the final rule is intended to indicate that participating in an AHP sponsored by a bona fide group or association of employers gives rise to joint employer status under any federal or State law, rule or regulation.”
For fully-insured health plans, the rule will take effect starting September 1, 2018. New self-insured AHPs may operate under the new rule starting on April 1, 2019, and for any existing, self-insured AHPs the rule will be effective January 1, 2019.
If you have any questions regarding the Final Rule or AHPs, please contact one of our employee benefits attorneys.
After the 2016 publication of the Fiduciary Rule by the Department of Labor (“DOL”), and a subsequent Fifth Circuit ruling casting doubt on that rule, the U.S. Securities and Exchange Commission (“SEC”) proposed two rules and an interpretation in order to clarify and provide an overview of the standards of conduct for investment professionals. On April 18, 2018, the SEC published proposed rules targeting broker-dealers and investment advisers. In publishing these rules and the interpretation, the SEC aims to raise the standard of conduct for broker-dealers when they provide recommendations to retail investors and reaffirm and clarify the terms of relationships that retail investors have with their investment professionals. Additionally, the SEC seeks to preserve retail investor access to investment services and products, as well as raise retail investor awareness of whether they are transacting with registered financial professionals.
The SEC is requesting comments on its proposal over the next 90 days. In general, the SEC rule tracks the principles of the DOL fiduciary rule fairly closely and seems to indicate that the SEC was motivated by elements of the DOL rule and ensuring that broker-dealers are subject to more uniform standards (e.g., best interest standards) without regard to the type of assets at issue (retirement versus non-retirement assets).
The SEC released Fiduciary Rule guidance for Investment Professionals that fills various gaps between investor expectations and legal requirements. The SEC rule contains three major proposals:
1. “Regulation Best Interest.” This proposed rule clarifies that broker-dealers shall not put their financial interests ahead of the retail customers’ interests in making recommendations on any securities transaction or investment strategy involving securities to retail customers.
a. Disclosure Obligation: Disclose to the retail customer the key facts about the relationship, including material conflicts of interest.
b. Care Obligation: Exercise reasonable diligence, care, skill, and prudence, to understand the product; have a reasonable basis to believe that the product is in the retail customer’s best interest; and have a reasonable basis to believe that a series of transactions is in the retail customer’s best interest.
c. Conflict of Interest Obligation: Establish, maintain and enforce policies and procedures reasonably designed to identify and then, at a minimum, to disclose and mitigate, or eliminate, material conflicts of interest arising from financial incentives; other material conflicts of interest must be at least disclosed.
2. “Form CRS.” The SEC would require both investment advisers and broker-dealers to provide retail investors a relationship summary, which is a standardized disclosure document no more than 4 pages in length that highlights the principal services offered, legal standards of conduct that apply, fees the customer will pay, and conflicts of interest that exist (among other things).
3. Commission Interpretation of Investment Adviser Standard of Conduct. The SEC has proposed its interpretation of the fiduciary duty investment advisers owe to their clients in hopes that the interpretation will reaffirm and clarify the principles relevant to fiduciary duty and related legal obligations.
If you have any questions or concerns regarding the new SEC proposed rules and interpretation, please contact one of our employee benefits attorneys.
In passing the Bipartisan Budget Act of 2018 (the “Act”), Congress loosened the reins on hardship withdrawals from 401(k) and 403(b) plans. The Act eases limitations on amounts eligible for hardship withdrawal, eliminates the six-month suspension requirement on elective deferrals after making a hardship withdrawal, and removes the requirement that a participant obtain all available loans before obtaining a hardship withdrawal. Starting in 2019, employees will find it much easier to make hardship withdrawals from their employer-sponsored retirement plans should an employer choose to implement these voluntary changes.
Prior to the Act, participants in a 401(k) or 403(b) plan could only make a hardship withdrawal from elective deferral contribution amounts. Hardship distributions from employer matches, non-elective contributions, or earnings on elective deferrals were prohibited. However, under the new rule, Congress has removed this prohibition and expanded on the amounts eligible for hardship withdrawal. The Act allows employees to take a hardship distribution from elective deferral earnings and employer contributions.
The Act also eliminates the six-month suspension of contributions after a hardship withdrawal. In other words, employees no longer have to wait six months before making further contributions to their retirement plan and are able to receive employer matching contributions immediately after taking a hardship distribution. Removing the prohibition on contributions during this six-month period provides administrative simplicity for employers and helps employees continue to save for retirement.
Finally, Congress used the Act to eliminate the rule requiring participants to take all available loans, even loans available under other qualified plans, before taking a hardship distribution. Although the requirement that participants take all other available distributions before obtaining a hardship withdrawal still remains intact, the removal of the participant loan requirement makes it easier for employees to take a hardship withdrawal and helps them avoid loan repayments.
As employers consider implementing these new changes, they should ensure they continue to educate participants on the importance of saving for retirement. While the easing of hardship withdrawal restrictions may prove beneficial for some employees, others could end up significantly limiting their retirement savings (especially considering the 10% penalty tax applied to hardship withdrawal amounts). Employers should also consider the administrative simplicity that comes with removing the six-month suspension on contributions following a hardship withdrawal and expanding the types of contributions that are eligible for hardship distribution. If you are considering making any of these changes to your company’s retirement plans or have any questions on the new law, please contact our employee benefits group.
The Top 10 Tax Reform Impacts On Employee Benefit Plans, Executive Compensation, And Fringe Benefits
On December 20, 2017, Congress passed the Tax Cuts and Jobs Act (the “Act”), which some consider to be the most sweeping tax reform in 30 years. While the main focus of tax reform is to reduce tax rates for corporations and individuals, the law also impacts employee benefit plans and fringe benefits offered to employees. This client alert summarizes key provisions of tax reform and its impact on employee benefit plans.
- Elimination of the ACA’s Individual Mandate. Despite initial disagreement on the issue, the House and Senate agreed to eliminate the shared responsibility payment for individuals failing to maintain minimum essential health care coverage. The Act reduces the penalty for failure to obtain health coverage to $0, effectively eliminating the provision. The individual mandate will remain in effect for the years 2017 and 2018; the penalty will be reduced to $0 starting in 2019.
- Employer Tax Credit for Paid Family and Medical Leave. The Act adds a new tax credit for employers offering paid family and medical leave to employees. This provision comes on the heels of many states either implementing or considering the implementation of paid family leave. New York and Rhode Island both recently enacted paid leave laws. In order to be eligible for the credit of 12.5% of wages paid during leave, employers must have a written paid leave program that pays qualified employees at least 50% of their wages and must provide employees at least two weeks of annual paid family and medical leave. The employer credit will increase to as much as 25% of wages if the employer provides 100% continuing wages up to the 12-week maximum. The tax credit will go into effect for wages paid in 2018 and 2019.
- Elimination and Modification of Certain Fringe Benefits. The Act makes many changes to fringe benefits offered by employers to employees.
  - Qualified Transportation Fringe Benefits. The new law eliminates the deduction for qualified transportation fringe benefits and for transportation, payments, or reimbursements in connection with travel to and from work, except as necessary for an employee’s safety (which is not defined), and with an 8-year exception for qualified bicycle commuting. Additionally, tax-exempt entities must treat nondeductible qualified transportation fringe benefits or parking facilities as unrelated business taxable income (UBTI).
  - Moving Expenses. The Act eliminates the moving expense deduction for employees’ qualified moving expense reimbursements. Starting in 2018 and lasting for eight years, employees must include reimbursed qualified moving expenses in income.
  - Employer-Provided Meals. From 2018 until 2026, employers will be limited to a 50% deduction for meal expenses provided on or near business premises. Employers are subject to the 50% limitation on deductions for food or beverages if the expenses are excludible from employees’ income as a de minimis fringe benefit and for the convenience of the employer.
  - Entertainment Expenses. Employers will lose their deduction for expenses related to entertainment, amusement, or recreation under the Act. Effective in 2018, employers can no longer take a deduction for 50% of entertainment expenses related to the employer’s business.
  - Employee Achievement Awards. An employer deduction for the cost of an employee achievement award for length of service, safety award, and awards given during meaningful presentations must be pursuant to a qualified plan award, which does not favor highly compensated employees and the average cost of which per recipient cannot be more than $400 in a year. Such awards may be tangible personal property such as pins, jewelry or other items from a catalog.
  - Onsite Gyms. The new law repeals the employer deduction for onsite gyms and characterizes amounts used to pay for on-premises athletic facilities as UBTI.
- Modification of Limitation on Deductible Employee Remuneration. Public employers should start reviewing their compensation arrangements in light of the new law. Section 162 of the Internal Revenue Code prohibits publicly traded companies from deducting more than $1 million per year in compensation paid to or accrued for senior executive officers. However, under pre-Act law, exceptions applied for: (a) commissions; (b) performance-based remuneration; (c) payments to a tax-qualified retirement plan; and (d) amounts that are excludable from the executive’s gross income. In an effort to reform executive compensation, the Act eliminates the exemption for commissions and performance-based pay under Internal Revenue Code Section 162. The Act also modifies the definition of “covered employee” for purposes of Section 162, expanding the definition to include the principal executive officer, the principal financial officer, and the three other highest paid officers. If an individual is a covered employee at any time on or after January 1, 2017, the individual remains a covered employee for all future years. Under a transition rule, the changes do not apply to any remuneration subject to a written binding contract in effect on November 2, 2017 and which was not modified in any material respect after that date.
- Extended Rollover Period for Plan Loan Offset Amounts. Prior to the Act, participants in a qualified plan were given 60 days to repay an outstanding plan loan that became due upon the participant’s termination of employment. However, tax reform extends the 60-day rollover deadline until the due date of the participant’s tax return for the year in which the amount is treated as distributed from the participant’s account. In other words, participants have a longer time period in which they can contribute to an IRA or another qualified employer plan in an amount equal to the plan loan offset amount. The contribution will be treated as a rollover offsetting the outstanding plan loan upon separation from employment. Employees whose plans terminate, or who separate from employment while they have outstanding plan loans, will have an extension for contributing the loan balance to an IRA or eligible retirement plan to prevent the loan from being taxed as a distribution.
- Medical Expense Deduction. Although the House originally wanted to repeal the medical expense deduction, the Act instead implements a temporary reduction of the medical expense deduction floor to 7.5% during 2017 and 2018. Starting in 2019, the deduction floor will return to its previous floor (10%). This means the threshold for employees to claim an itemized deduction for unreimbursed medical expenses will be reduced to 7.5% of adjusted gross income for the years 2017 and 2018.
- Recharacterization of Roth IRA Contributions. The Act repeals the rule allowing for the recharacterization of Roth IRA contributions as traditional IRA contributions to unwind a Roth conversion. As a result, beginning in 2018, recharacterization cannot be used to unwind a Roth conversion.
- More Flexibility for 529 Savings Accounts. Under pre-Act law, funds in a Code Section 529 college savings account could only be used for qualified higher education expenses and nonqualified withdrawals were subject to a 10% additional tax. The new Act expands the use of 529 accounts to allow withdrawals for elementary or secondary schools. This provision will allow individuals to withdraw up to $10,000 per year for tuition at an elementary or secondary public, private, or religious school. The Act also provides the ability to roll over a 529 plan to an ABLE account (a tax-advantaged savings account for individuals with disabilities and their families) if the rollover is made within 60 days of the distribution.
- Disaster Relief Through Eligible Retirement Plans. After the call for relief due to an uptick in natural disasters, the Act allows 401(k) plans and other eligible retirement plans to make “qualified 2016 disaster distributions” of up to $100,000 per individual prior to January 1, 2018, to victims of federally-declared major disasters occurring in 2016. The distributions will not be subject to the 10% excise tax on early distributions and can be included in income ratably over three years. All or part of the distributions can be repaid to a qualifying plan if the repayment occurs during the three-year period.
- New Measure of Inflation. Tax bracket amounts, standard deduction amounts, personal exemptions, and various other tax figures are annually adjusted to reflect inflation. Rather than using the Consumer Price Index for All Urban Consumers or “CPI-U” in order to make inflation adjustments to certain amounts, including benefit-related amounts, the new Act provides that inflation adjustments will be made using the Chained Consumer Price Index for All Urban Consumers or “C-CPI-U”. This index usually increases at a lower rate, resulting in smaller annual increases to certain benefit limits, such as HSA and FSA contributions.
If you have questions or concerns regarding the impact of tax reform on your benefit programs, please do not hesitate to contact one of our employee benefits attorneys for assistance.
The recent Equifax and Yahoo security breaches impacted an astounding number of people, serving as a fire alarm to individuals and businesses regarding cybersecurity. Because 401(k) plans are the primary savings vehicle for Americans, immediate attention should be directed towards the protection of 401(k) plan assets from cyber risk. This article focuses on considerations and measures 401(k) plan sponsors and fiduciaries can take to protect plan participants and, in so doing, fulfill their fiduciary obligations with respect to guarding against cyberattacks on their 401(k) programs. This article is written in the context of 401(k) plans. However, this discussion is applicable to most benefit plans.
A Fiduciary Matter
Plan fiduciaries, including plan sponsors and fiduciary committees, have the broad duty under the Employee Retirement Income Security Act (“ERISA”) to act solely in the interest of plan participants and beneficiaries “with care, skill, prudence and diligence…” This standard requires plan fiduciaries to take all actions to serve plan participants and beneficiaries and monitor service providers. Recently, there has been substantial guidance and discussion regarding the monitoring of plan fees and expenses. Although the Department of Labor (the “DOL”) has not officially issued guidance on the actions fiduciaries should take in the present climate, the recent news of massive cybersecurity breaches should lead fiduciaries to focus on cybersecurity with the same zeal applied to monitoring plan fees and expenses. By addressing cybersecurity risks, fiduciaries limit their exposure and, more importantly, protect the plan participants and beneficiaries whom they serve.
In recent years, firms and vendors that work with retirement plans have offered fiduciary training and encouraged plan sponsors and their fiduciary committees to attend. Fiduciary education should include a section on cybersecurity and measures that should be taken to reduce cyber threats to 401(k) plans.
Advisory Council Guidance
In 2016, the ERISA Advisory Council (the “Council”) held hearings and investigated the cybersecurity threat. The Council articulated actions that should be taken to protect against the cybersecurity threat and, in early 2017, issued a report entitled “Cybersecurity Considerations for Benefit Plans” (the “Report”). The published study serves as recommendations to the DOL. The DOL has not issued guidance directly addressing cybersecurity. Until the DOL issues guidance, the Report provides meaningful guidance to plan sponsors and fiduciaries.
Among the recommendations offered by the Report is the establishment and operation of a security risk management strategy. The nature of the strategy depends largely on the business and the employee benefit plans involved. Universal elements of the strategy include establishing who is responsible for the design and implementation of the strategy, ongoing monitoring to guard against hackers and monitoring activity that includes testing, training those with access to plan data, hiring practices (including background checks), limiting user access to certain payroll or HR personnel and the establishment and execution of data retention and encryption policies and practices.
A very critical element of the cybersecurity risk management strategy is the selection and monitoring of third party service providers. Third party service providers, such as 401(k) plan record-keepers, will have access to sensitive participant data. This information includes names and the associated addresses, social security numbers, beneficiary information and bank information of plan participants. Moreover, 401(k) plans, with liquid assets, may be readily accessed by cyber criminals. Because plan sponsors do not control these providers’ hiring processes and internal controls, extra care must be taken in the selection and monitoring of such providers.
The Report offers a list of questions plan sponsors should pose to their benefit plan providers which include:
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will the plan(s) data be maintained and protected?
- Will the data be encrypted at rest, in transit and on devices, and is the encryption automated (rather than manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate to permitted uses and restrictions on data use?
- What are the service provider’s protocols for notifying plan management in the case of a breach and are the protocols satisfactory?
- Will the service provider agree to regular reports and monitoring and what will they include?
- Does the service provider regularly submit to voluntary external reviews of their controls (such as Service Organization Control or SOC reports or a similar report or certification)?
- What is the level and type of insurance coverage that is available?
- What is the level of financial and fraud coverage that protects participants from financial damage?
- If the service provider subcontracts to others, will the service provider insist on protections (as noted above) in its agreement with the subcontractor?
- What controls does the service provider have in place over physical assets that store sensitive data, including when such assets are retired or replaced (servers, hard drives, mobile devices, etc.)?
- What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)?
Service Provider Agreements
Several of the questions that plan sponsors should pose to their service providers can be addressed in the service agreement between the plan sponsor and the service provider. Service agreements should include a section specifically addressing cybersecurity. The provisions, at a minimum, should require the third party provider to maintain adequate controls to protect sensitive data, including data breach notice requirements to the affected participant and the plan sponsor, and provide for external audits or reviews. Since several state laws require notice to affected individuals in the event of a breach, the service agreement should clearly define who (plan sponsor or service provider) has the duty to act in accordance with state law in the event of a breach.
In addition, service agreements should include provisions for the acceptance of liability on the part of the service provider after a data security breach and an indemnification provision in the event of a third party claim from a plan participant or other party. The agreement should further require the service provider to maintain cyber insurance at a level commensurate to the size and demographics of the plan.
At this time, plan sponsors should review existing service agreements. If the agreement lacks or has an insufficient cybersecurity provision, a revised agreement or agreement rider should be put in place.
In addition to the above steps fiduciaries can take to protect against cyber-attacks, cybersecurity should be incorporated into participant education. Just as a purse or wallet should not be left visible in a locked car, participants should take preemptive measures to protect their benefits. Participants can limit and even eliminate cyber risk before it occurs if they are aware of the threat and advised as follows:
- Regularly check their accounts for unauthorized activity.
- Protect their passwords and login information. If passwords need to be written and/or stored, they need to be in a locked file or otherwise secured. Participants should change their passwords regularly.
- Stolen laptops are a source of data breaches. Laptops should be protected with encryption.
- Participants should be instructed to read plan issued materials and not discount correspondence as “junk mail.”
Participant plan education should include materials addressing cybersecurity and, for live presentations, a discussion of best practices for cybersecurity.
Surrounded by the real and present threat of a cyber-breach, plan sponsors and fiduciary committees need to acknowledge the threat to employee benefits plans for which they are responsible. In keeping with the recommendations of the ERISA Advisory Council, plan fiduciaries should discuss, design and implement a “risk management strategy.” The strategy must be tailored to the business, the company’s benefit plans and the participant demographic. The critical elements of the strategy should include:
- Vendor Monitoring. Ask the critical questions outlined above of third-party service providers at the request for proposal stage as well as on an ongoing basis.
- Insurance. Not only verify cyber insurance coverage by third party service providers, but also review the plan sponsor’s own fiduciary liability umbrella policy and cybersecurity insurance coverage.
- Service Agreements. Negotiate, review and, to the extent necessary, update vendor contracts.
- Education. Educate participants on the importance of self-protection and vigilance.
By following these steps, plan sponsors and fiduciaries can fulfill their fiduciary obligations and, in so doing, protect the hard-earned benefits of plan participants and their beneficiaries.