In an effort to reverse another aspect of the Affordable Care Act (“ACA”), the Trump Administration published a proposed rule in late October that would allow employers to reimburse employees for medical expenses through a stand-alone health reimbursement account (“HRA”). Health care reform imposes a large excise tax on arrangements that reimburse employees for health care expenses without also providing a group health plan to employees. The penalty was intended to drive employers to purchase group insurance plans for their employees but posed a huge challenge for small employers who saw such reimbursements as a natural alternative to offering employee health care coverage. In the wake of rising health care costs, the Internal Revenue Service (“IRS”) recognized the burden such prohibition posed on small employers. As a result, in 2017, the IRS chipped away at the prohibition by allowing employers with less than 50 full-time employees to offer special stand-alone HRAs, known as “Qualified Small Employer Health Reimbursement Accounts” or “QSEHRAs.” The government now takes one step further by proposing to allow both small and mid-size employers to offer HRAs to their employees, even if they do not offer traditional group coverage. The Proposed Rule intends to accomplish two major goals: (1) permit HRAs to be integrated with individual health insurance coverage; and (2) expand the definition of benefits in order to allow reimbursement for stand-alone dental, limited scope vision, and other plans.
i. The Proposed Integration Rules
HRAs are tax-free, employer-funded accounts used to pay for out-of-pocket, qualified medical expenses. HRAs have been part of the health care market for years, but the ACA tried to discourage the use of HRAs to prevent employers from pushing employees with health risks into the individual market. Currently, employers can only offer an HRA to their employees if it is “integrated” with a major group medical plan sponsored by the employer. Under the new Proposed Rule, employers would be able to offer HRAs to employees with individual health insurance coverage if certain conditions are met. For example, under the Proposed Rule, an employer cannot offer a stand-alone HRA and a traditional group health plan to the same group or class of employees. Additionally, while HRA reimbursement amounts can vary to reflect age-based health coverage pricing, reimbursement amounts cannot vary based on the health-risk posed by the employee. In other words, the general rule requires that the HRA integrated with individual health insurance coverage be offered on the same terms to all employees of the same class (e.g., full-time, part-time, seasonal, etc.).
ii. Limited Excepted Benefits under the Proposed Rule
The Proposed Rule also offers employers the opportunity to offer an HRA to its employees, even if its employees do not have any major medical coverage at all. Under the Proposed Rule, an HRA will be considered a “limited excepted benefit” exempt from the integration rules if: (1) the HRA is not an integral part of the plan; (2) the HRA does not provide reimbursements in excess of $1,800 per year; (3) the HRA does not reimburse premiums for certain health insurance coverage; and (4) the HRA is made available under the same terms to all similarly situated individuals. The HRA is not an “integral part of the plan” if the participant is offered the opportunity to enroll in an employer-sponsored group health plan. Additionally, the HRA cannot reimburse the participant for premiums for individual health insurance coverage, coverage under a group health plan, or Medicare parts B or D. Rather, the HRA could reimburse employees for premiums for dental plans, limited scope vision plans, or other “excepted benefits.”
iii. The Proposed Rule and QSEHRAs
HRAs under the Proposed Rule are different from QSEHRAs. QSEHRAs have specific, stringent requirements and only apply to employers with less than 50 full-time employees. However, QSEHRAs have a higher statutory dollar limit on reimbursements. While an employer-sponsored QSEHRA can reimburse employees up to $5,050 for individuals and $10,250 for families, a stand-alone HRA under the new Proposed Rule can only reimburse employees for up to $1,800 worth of medical expenses. In other words, some small employers hoping to reimburse employees up to the highest dollar amount available might find that QSEHRAs are a more attractive option. Another difference between QSEHRAs and the stand-alone HRAs under the Proposed Rule is the ACA consequences applicable to employers. Under the Proposed Rule, if group health plan coverage is unaffordable for an employee enrolled in the stand-alone HRA, the employer will be subject to ACA penalties if the employee opts out of coverage and qualifies for a premium tax credit subsidy. In contrast, QSEHRAs do not impose penalties on employers if the reimbursements do not make health coverage “affordable,” because small employers eligible to establish QSEHRAs are not subject to the pay-or-play mandate.
If you have any questions about the HRAs, QSEHRAs, or the new Proposed Rule, please contact one of our employee benefits attorneys.
EFFECTIVE: JANUARY 1, 2019
The IRS has released the 2019 cost-of-living adjustments applicable to the dollar limits and thresholds for retirement plans and health and welfare benefit plans. Plan sponsors should update their systems and formulas to include the limits that have been adjusted.
In light of the current trend toward state-mandated paid family and medical leave laws, recent tax reforms added a provision to the tax code allowing certain employers to claim a business credit based on wages paid to employees on family and medical leave, subject to certain conditions. The new provision, added by the Tax Cuts and Jobs Act, offers a general business credit of up to 25% of wages paid to certain qualifying employees while they are on family and medical leave. The credit will incentivize employers to offer paid family and medical leave, which will also help prepare employers for impending state and local paid leave laws. The credit is generally effective for wages paid in taxable years beginning after December 31, 2017 and is not available for wages paid in taxable years beginning after December 31, 2019. Therefore, employers interested in utilizing the credit should act quickly in the event Congress does not act to extend the credit beyond 2019.
The employer tax credit is calculated as a percentage of the amount of wages paid to a qualifying employee while on family and medical leave (as defined by the Family and Medical Leave Act of 1993 or “FMLA”) for up to 12 weeks per tax year. The credit is available only if the rate of pay for employees on leave is at least 50% of the employee’s normal wages. The credit is a minimum of 12.5% of the wages paid during leave and is increased by 0.25% for each percentage point by which the amount paid to a qualifying employee exceeds 50% of the employee’s wages (up to a maximum credit of 25% of wages paid).
A qualifying employee is any employee under the Fair Labor Standards Act who has been employed for one year or more and, for the preceding year, had compensation that did not exceed the maximum statutory amount. For an employer claiming a Section 45S credit for wages paid to an employee in 2018, the employee must not have earned more than $72,000 in 2017. Employers taking advantage of the credit must reduce deductions for wages and salaries paid or incurred by the amount determined as a credit. Additionally, any wages taken into account for other general business credits may not be used toward the paid family and medical leave credit.
In order to take advantage of the credit, employers must establish written policies and procedures that operate in accordance with the requirements of the new Internal Revenue Code Section 45S as added by the Tax Cuts and Jobs Act. For example, each year, employers must provide at least two weeks of paid family and medical leave to all full-time qualifying employees, and prorate the same benefits for employees working part-time. Additionally, as noted above, whatever paid leave is offered by the employer cannot be paid at less than 50% of the wages the employee normally receives. Employers can offer up to 12 weeks of paid leave annually under their written policies. The credit is available to employers that are not subject to the FMLA, so long as the employer offers paid family and medical leave consistent with the credit’s minimum standards and establishes a written policy governing the leave.
For purposes of the paid leave credit, “family and medical leave” includes leave taken for any of the following reasons: childbirth; placement of a child for adoption or foster care; caring for a spouse, child, or parent with a serious health condition; a serious health condition causing an employee to be unable to perform his or her work functions; qualifying events due to a spouse’s, child’s, or parent’s coverage on active duty or called to duty in the Armed Forces; or, caring for a spouse, child, parent, or next of kin that is a service member. However, employers should recognize that paid vacation leave, personal leave, or medical or sick leave provided by the employer will not be considered family and medical leave unless it specifically covers one of the aforementioned events. Additionally, leave provided under state and local law may not be included in calculating the employer credit. In other words, the Section 45S credit is unavailable regarding paid leave that is required under state or local law.
The IRS intends to provide employers with more guidance on the employer tax credit, including information on how paid family and medical leave will interact with other employer-provided paid leave, state and local leave laws, controlled group rules, and more. Until the IRS issues further guidance, please contact one of the McGrath North Employee Benefits or Labor and Employment attorneys with any questions or concerns.
Under new guidance, small businesses now have more opportunity to offer affordable health care coverage to their employees. In June, the Department of Labor issued a Final Rule on Association Health Plans (AHPs) that will allow small employers to group together to buy insurance. The Final Rule is intended to help small businesses and self-employed individuals obtain health care coverage at a lower cost and increase their bargaining power with insurance companies.
The new rules focus on how ERISA defines “employer” for purposes of sponsoring a health plan. Under ERISA Section 3(5), the term “employer” is defined as “. . . any person acting directly as an employer, or indirectly in the interest of an employer, in relation to an employee benefit plan; and includes a group or association of employers acting for an employer in such capacity.” Under ERISA, bona fide employer groups or associations could sponsor a joint welfare plan only by satisfying a very high standard. Specifically, employers intending to establish an association benefit had to demonstrate both a commonality of interests unrelated to providing benefits and a certain level of control over the plan and trust. Employers were prohibited from banding together for the sole purpose of establishing a welfare benefit plan. If an association or group of employers could meet these criteria, the association or group would be treated as an employer sponsoring a single health plan for its employer members and the plan will be regulated as a group health plan under ERISA.
The Final Rule expands the definition of employer for this purpose and, among other things, allows sole proprietors to participate in AHPs. Under the Final Rule, a bona fide group or association of employers will be treated as a single employer sponsoring a single health plan for its employer members (an AHP) if the following criteria are met:
- Purpose. The primary purpose may be to offer health coverage to employer members and their employees only if there is one substantial business purpose for the association that is unrelated to the provision of health coverage. A substantial business purpose exists if the group or association would be a viable entity absent the sponsorship of the health plan. Substantial business purposes include promoting common business or economic interests of a trade or community, and do not have to be for-profit.
- Employer Members Acting Directly As Employers. Each employer member must act directly as an employer of at least one employee participating in the plan.
- Organizational Structure. The employer members must have a formal organizational structure, including a governing body and bylaws (or similar formality).
- Control. The employer members must maintain control over the functions and actions of the association, as well as what employers may become employer members and participate in the plan.
- Commonality of Interest. The employer members must either be in the same trade or industry, or maintain their principal place of business in the same state or metropolitan area. A metropolitan area may include more than one state if the metropolitan area sprawls across state lines.
- Participation. Participation in the plan must be limited to the employees or former employees (and their beneficiaries) of employer members.
- Nondiscrimination. The plan must comply with ERISA’s group health plan nondiscrimination rules governing eligibility conditions, premiums, and contributions. Additionally, the plan cannot condition employer membership on a health factor of an individual who might become eligible to participate.
- Sponsor Cannot be a Health Insurance Issuer. The group or association sponsoring the plan cannot be a health insurance issuer or owned or controlled by a health insurance issuer. However, health insurance issuers can participate in the group or association as an employer member.
The Final Rule also expressly allows “working owners” to receive dual treatment as an employer and an employee simultaneously, which permits working owners to participate in AHPs. For purposes of the Final Rule, a “working owner” includes anyone who: (1) has an ownership right in a trade or business (including partners and self-employed individuals); (2) earns wages or self-employment income; and (3) either works 20 hours per week (80 hours per month) or earns wages that cover the working owner’s cost of coverage.
Finally, the Final Rule ensures that no joint-employer liability attaches to the employer members sponsoring an AHP. The Final Rule states “nothing in the final rule is intended to indicate that participating in an AHP sponsored by a bona fide group or association of employers gives rise to joint employer status under any federal or State law, rule or regulation.”
For fully-insured health plans, the rule will take effect starting September 1, 2018. New self-insured AHPs may operate under the new rule starting on April 1, 2019, and for any existing, self-insured AHPs the rule will be effective January 1, 2019.
If you have any questions regarding the Final Rule or AHPs, please contact one of our employee benefits attorneys.
After the 2016 publication of the Fiduciary Rule by the Department of Labor (“DOL”), and subsequent Fifth Circuit ruling casting doubt on such rule, the U.S. Securities and Exchange Commission (“SEC”) proposed two rules and an interpretation in order to clarify and provide an overview of the standards of conduct for investment professionals. On April 18, 2018, the SEC published proposed rules targeting broker-dealers and investment advisers. In publishing these rules and the interpretation, the SEC aims to raise the standard of conduct for broker-dealers when they provide recommendations to retail investors and reaffirm and clarify the terms of relationships that retail investors have with their investment professionals. Additionally, the SEC seeks to preserve retail investor access to investment services and products, as well as raise retail investor awareness of whether they are transacting with registered financial professionals.
The SEC is requesting comments on its proposal over the next 90 days. In general, the SEC rule tracks the principles of the DOL fiduciary rule fairly closely and seems to indicate that the SEC was motivated by elements of the DOL rule and ensuring that broker-dealers are subject to more uniform standards (e.g., best interest standards) without regard to the type of assets at issue (retirement versus non-retirement assets).
The SEC released Fiduciary Rule guidance for Investment Professionals that fills various gaps between investor expectations and legal requirements. The SEC rule contains three major proposals:
1. “Regulation Best Interest.” This proposed rule clarifies that broker-dealers shall not put their financial interests ahead of the retail customers’ interests in making recommendations on any securities transaction or investment strategy involving securities to retail customers.
   a. Disclosure Obligation: Disclose to the retail customer the key facts about the relationship, including material conflicts of interest.
   b. Care Obligation: Exercise reasonable diligence, care, skill, and prudence, to understand the product; have a reasonable basis to believe that the product is in the retail customer’s best interest; and have a reasonable basis to believe that a series of transactions is in the retail customer’s best interest.
   c. Conflict of Interest Obligation: Establish, maintain and enforce policies and procedures reasonably designed to identify and then, at a minimum, to disclose and mitigate, or eliminate, material conflicts of interest arising from financial incentives; other material conflicts of interest must be at least disclosed.
2. “Form CRS.” The SEC would require both investment advisers and broker-dealers to provide retail investors a relationship summary, which is a standardized disclosure document no more than 4 pages in length that highlights the principal services offered, legal standards of conduct that apply, fees the customer will pay, and conflicts of interest that exist (among other things).
3. Commission Interpretation of Investment Adviser Standard of Conduct. The SEC has proposed its interpretation of the fiduciary duty investment advisers owe to their clients in hopes that the interpretation will reaffirm and clarify the principles relevant to fiduciary duty and related legal obligations.
If you have any questions or concerns regarding the new SEC proposed rules and interpretation, please contact one of our employee benefits attorneys.
In passing the Bipartisan Budget Act of 2018 (the “Act”), Congress loosened the reins on hardship withdrawals from 401(k) and 403(b) plans. The Act eases limitations on amounts eligible for hardship withdrawal, eliminates the six-month suspension requirement on elective deferrals after making a hardship withdrawal, and removes the requirement that a participant obtain all available loans before obtaining a hardship withdrawal. Starting in 2019, employees will find it much easier to make hardship withdrawals from their employer-sponsored retirement plans should an employer choose to implement these voluntary changes.
Prior to the Act, participants in a 401(k) or 403(b) plan could only make a hardship withdrawal from elective deferral contribution amounts. Hardship distributions from employer matches, non-elective contributions, or earnings on elective deferrals were prohibited. However, under the new rule, Congress has removed this prohibition and expanded on the amounts eligible for hardship withdrawal. The Act allows employees to take a hardship distribution from elective deferral earnings and employer contributions.
The Act also eliminates the six-month suspension of contributions after a hardship withdrawal. In other words, employees no longer have to wait six months before making further contributions to their retirement plan and are able to receive employer matching contributions immediately after taking a hardship distribution. Removing the prohibition on contributions during this six-month period provides administrative simplicity for employers and helps employees continue to save for retirement.
Finally, Congress used the Act to eliminate the rule requiring participants to take all available loans, even loans available under other qualified plans, before taking a hardship distribution. Although the requirement that participants take all other available distributions before obtaining a hardship withdrawal still remains intact, the removal of the participant loan requirement makes it easier for employees to take a hardship withdrawal and helps them avoid loan repayments.
As employers consider implementing these new changes, they should ensure they continue to educate participants on the importance of saving for retirement. While the ease on hardship withdrawal restrictions may prove beneficial for some employees, others could end up significantly limiting their retirement savings (especially considering the 10% penalty tax applied to hardship withdrawal amounts). Employers should also consider the administrative simplicity that comes with removing the six-month suspension on contributions following a hardship withdrawal and expanding the types of contributions that are eligible for hardship distribution. If you are considering making any of these changes to your company’s retirement plans or have any questions on the new law, please contact our employee benefits group.
The Top 10 Tax Reform Impacts On Employee Benefit Plans, Executive Compensation, And Fringe Benefits
On December 20, 2017, Congress passed the Tax Cuts and Jobs Act (the “Act”), which some consider to be the most sweeping tax reform in 30 years. While the main focus of tax reform is to reduce tax rates for corporations and individuals, the law also impacts employee benefit plans and fringe benefits offered to employees. This client alert summarizes key provisions of tax reform and its impact on employee benefit plans.
- Elimination of the ACA’s Individual Mandate. Despite initial disagreement on the issue, the House and Senate agreed to eliminate the shared responsibility payment for individuals failing to maintain minimum essential health care coverage. The Act reduces the penalty for failure to obtain health coverage to $0, effectively eliminating the provision. The individual mandate will remain in effect for the years 2017 and 2018; the penalty will be reduced to $0 starting in 2019.
- Employer Tax Credit for Paid Family and Medical Leave. The Act adds a new tax credit for employers offering paid family and medical leave to employees. This provision comes on the heels of many states either implementing or considering the implementation of paid family leave. New York and Rhode Island both recently enacted paid leave laws. In order to be eligible for the credit of 12.5% of wages paid during leave, employers must have a written paid leave program that pays qualified employees at least 50% of their wages and must provide employees at least two weeks of annual paid family and medical leave. The employer credit will increase to as much as 25% of wages if the employer provides 100% continuing wages up to the 12-week maximum. The tax credit will go into effect for wages paid in 2018 and 2019.
- Elimination and Modification of Certain Fringe Benefits. The Act makes many changes to fringe benefits offered by employers to employees.
  - Qualified Transportation Fringe Benefits. The new law eliminates the deduction for qualified transportation fringe benefits and transportation, payments, or reimbursements in connection with travel to and from work, except as necessary for an employee’s safety (which is not defined), and with an 8-year exception for qualified bicycle commuting. Additionally, tax-exempt entities must treat nondeductible qualified transportation fringe benefits or parking facilities as unrelated business taxable income (UBTI).
  - Moving Expenses. The Act eliminates the moving expense deduction for employees’ qualified moving expense reimbursements. Starting in 2018 and lasting for eight years, employees must include reimbursed qualified moving expenses in income.
  - Employer-Provided Meals. Starting in 2018 until 2026, employers will be limited to a 50% deduction for meal expenses provided on or near business premises. Employers are subject to the 50% limitation on deductions for food or beverages if the expenses are excludible from employees’ income as a de minimis fringe benefit and for the convenience of the employer.
  - Entertainment Expenses. Employers will lose their deduction for expenses related to entertainment, amusement, or recreation under the Act. Effective in 2018, employers can no longer take a deduction for 50% of entertainment expenses related to the employer’s business.
  - Employee Achievement Awards. An employer deduction for the cost of an employee achievement award for length of service, safety award, and awards given during meaningful presentations must be pursuant to a qualified plan award, which does not favor highly compensated employees and the average cost of which per recipient cannot be more than $400 in a year. Such awards may be tangible personal property such as pins, jewelry or other items from a catalog.
  - Onsite Gyms. The new law repeals the employer deduction for onsite gyms and characterizes amounts used to pay for on-premises athletic facilities as UBTI.
- Modification of Limitation on Deductible Employee Remuneration. Public employers should start reviewing their compensation arrangements in light of the new law. Section 162 of the Internal Revenue Code prohibits publicly traded companies from deducting more than $1 million per year in compensation paid to or accrued for senior executive officers. However, under pre-Act law, exceptions applied for: (a) commissions; (b) performance-based remuneration; (c) payments to a tax-qualified retirement plan; and (d) amounts that are excludable from the executive’s gross income. In an effort to reform executive compensation, the Act eliminates the exemption for commissions and performance-based pay under Internal Revenue Code Section 162. The Act also modifies the definition of “covered employee” for purposes of Section 162, expanding the definition to include the principal executive officer, the principal financial officer, and the three other highest paid officers. If an individual is a covered employee at any time on or after January 1, 2017, the individual remains a covered employee for all future years. Under a transition rule, the changes do not apply to any remuneration subject to a written binding contract in effect on November 2, 2017 and which was not modified in any material respect after that date.
- Extended Rollover Period for Plan Loan Offset Amounts. Prior to the Act, participants in a qualified plan were given 60 days to repay an outstanding plan loan that became due upon the participant’s termination of employment. However, tax reform extends the 60-day rollover deadline until the due date of the participant’s tax return for the year in which the amount is treated as distributed from the participant’s account. In other words, participants have a longer time period in which they can contribute to an IRA or another qualified employer plan in an amount equal to the plan loan offset amount. The contribution will be treated as a rollover offsetting the outstanding plan loan upon separation from employment. Employees whose plans terminate, or who separate from employment while they have outstanding plan loans, will have an extension for contributing the loan balance to an IRA or eligible retirement plan to prevent the loan from being taxed as a distribution.
- Medical Expense Deduction. Although the House originally wanted to repeal the medical expense deduction, the Act instead implements a temporary reduction of the medical expense deduction floor to 7.5% during 2017 and 2018. Starting in 2019, the deduction floor will return to its previous floor (10%). This means the threshold for employees to claim an itemized deduction for unreimbursed medical expenses will be reduced to 7.5% of adjusted gross income for the years 2017 and 2018.
- Recharacterization of Roth IRA Contributions. The Act repeals the rule allowing for the recharacterization of Roth IRA contributions as traditional IRA contributions to unwind a Roth conversion. As a result, beginning in 2018, recharacterization cannot be used to unwind a Roth conversion.
- More Flexibility for 529 Savings Accounts. Under pre-Act law, funds in a Code Section 529 college savings account could only be used for qualified higher education expenses and nonqualified withdrawals were subject to a 10% additional tax. The new Act expands the use of 529 accounts to allow withdrawals for elementary or secondary schools. This provision will allow individuals to withdraw up to $10,000 per year for tuition at an elementary or secondary public, private, or religious school. The Act also provides the ability to rollover a 529 plan to an ABLE account (a tax-advantaged savings account for individuals with disabilities and their families) if the rollover is made within 60 days of the distribution.
- Disaster Relief Through Eligible Retirement Plans. After the call for relief due to an uptick in natural disasters, the Act allows 401(k) plans and other eligible retirement plans to make “qualified 2016 disaster distributions” of up to $100,000 per individual prior to January 1, 2018, to victims of federally-declared major disasters occurring in 2016. The distributions will not be subject to the 10% excise tax on early distributions and can be included in income ratably over three years. All or part of the distributions can be repaid to a qualifying plan if the repayment occurs during the three-year period.
- New Measure of Inflation. Tax bracket amounts, standard deduction amounts, personal exemptions, and various other tax figures are annually adjusted to reflect inflation. Rather than using the Consumer Price Index for All Urban Consumers or “CPI-U” in order to make inflation adjustments to certain amounts, including benefit-related amounts, the new Act provides that inflation adjustments will be made using the Chained Consumer Price Index for All Urban Consumers or “C-CPI-U”. This index usually increases at a lower rate, resulting in smaller annual increases to certain benefit limits, such as HSA and FSA contributions.
If you have questions or concerns regarding the impact of tax reform on your benefit programs, please do not hesitate to contact one of our employee benefits attorneys for assistance.
The recent Equifax and Yahoo security breaches impacted an astounding number of people, serving as a fire alarm to individuals and businesses regarding cybersecurity. Because 401(k) plans are the primary savings vehicle for Americans, immediate attention should be directed towards the protection of 401(k) plan assets from cyber risk. This article focuses on considerations and measures 401(k) plan sponsors and fiduciaries can take to protect plan participants and, in so doing, fulfill their fiduciary obligations with respect to guarding against cyberattacks on their 401(k) programs. Although this article is written in the context of 401(k) plans, the discussion is applicable to most benefit plans.
A Fiduciary Matter
Plan fiduciaries, including plan sponsors and fiduciary committees, have the broad duty under the Employee Retirement Income Security Act (“ERISA”) to act solely in the interest of plan participants and beneficiaries “with care, skill, prudence and diligence…” This standard requires plan fiduciaries to take all actions to serve plan participants and beneficiaries and monitor service providers. Recently, there has been substantial guidance and discussion regarding the monitoring of plan fees and expenses. Although the Department of Labor (the “DOL”) has not officially issued guidance on the actions fiduciaries should take in the present climate, the recent news of massive cybersecurity breaches should lead fiduciaries to focus on cybersecurity with the same zeal applied to monitoring plan fees and expenses. By addressing cybersecurity risks, fiduciaries limit their exposure and, more importantly, protect the plan participants and beneficiaries whom they serve.
In recent years, firms and vendors that work with retirement plans have offered and encouraged plan sponsors and their fiduciary committees to attend fiduciary training. Fiduciary education should include a section on cybersecurity and measures that should be taken to reduce cyber threats to 401(k) plans.
Advisory Council Guidance
In 2016, the ERISA Advisory Council (the “Council”) held hearings and investigated the cybersecurity threat. The Council articulated actions that should be taken to protect against the cybersecurity threat and, in early 2017, issued a report entitled “Cybersecurity Considerations for Benefit Plans” (the “Report”). The published study serves as recommendations to the DOL. The DOL has not issued guidance directly addressing cybersecurity. Until the DOL issues guidance, the Report provides meaningful guidance to plan sponsors and fiduciaries.
Among the recommendations offered by the Report is the establishment and operation of a security risk management strategy. The nature of the strategy depends largely on the business and the employee benefit plans involved. Universal elements of the strategy include establishing who is responsible for the design and implementation of the strategy, ongoing monitoring to guard against hackers and monitoring activity that includes testing, training those with access to plan data, hiring practices (including background checks), limiting user access to certain payroll or HR personnel and the establishment and execution of data retention and encryption policies and practices.
A critical element of the cybersecurity risk management strategy is the selection and monitoring of third party service providers. Third party service providers, such as 401(k) plan record-keepers, will have access to sensitive participant data. This information includes names and the associated addresses, social security numbers, beneficiary information and bank information of plan participants. Moreover, 401(k) plans, with liquid assets, may be readily accessed by cyber criminals. Because plan sponsors do not control these providers’ hiring processes and internal controls, extra care must be taken in the selection and monitoring of such providers.
The Report offers a list of questions plan sponsors should pose to their benefit plan providers which include:
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will the plan(s) data be maintained and protected?
- Will the data be encrypted at rest, in transit and on devices, and is the encryption automated (rather than manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate to permitted uses and restrictions on data use?
- What are the service provider’s protocols for notifying plan management in the case of a breach and are the protocols satisfactory?
- Will the service provider agree to regular reports and monitoring and what will they include?
- Does the service provider regularly submit to voluntary external reviews of their controls (such as Service Organization Control or SOC reports or a similar report or certification)?
- What is the level and type of insurance coverage that is available?
- What is the level of financial and fraud coverage that protects participants from financial damage?
- If the service provider subcontracts to others, will the service provider insist on protections (as noted above) in its agreement with the subcontractor?
- What controls does the service provider have in place over physical assets that store sensitive data, including when such assets are retired or replaced (servers, hard drives, mobile devices, etc.)?
- What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)?
Service Provider Agreements
Several of the questions that plan sponsors should pose to their service providers can be addressed in the service agreement between the plan sponsor and the service provider. Service agreements should include a section specifically addressing cybersecurity. The provisions, at a minimum, should require the third party provider to maintain adequate controls to protect sensitive data, including data breach notice requirements to the affected participant and the plan sponsor, and provide for external audits or reviews. Since several state laws require notice to affected individuals in the event of a breach, the service agreement should clearly define who (plan sponsor or service provider) has the duty to act in accordance with state law in the event of a breach.
In addition, service agreements should include provisions for the acceptance of liability on the part of the service provider after a data security breach and an indemnification provision in the event of a third party claim from a plan participant or other party. The agreement should further require the service provider to maintain cyber insurance at a level commensurate with the size and demographics of the plan.
At this time, plan sponsors should review existing service agreements. If the agreement lacks or has an insufficient cybersecurity provision, a revised agreement or agreement rider should be put in place.
In addition to the above steps fiduciaries can take to protect against cyber-attacks, cybersecurity should be incorporated into participant education. Just as a purse or wallet should not be left visible in a locked car, participants should take preemptive measures to protect their benefits. Participants can limit and even eliminate cyber risk before it occurs if they are aware of the threat and advised as follows:
- Regularly check their accounts for unauthorized activity.
- Protect their passwords and login information. If passwords need to be written and/or stored, they need to be in a locked file or otherwise secured. Participants should change their passwords regularly.
- Stolen laptops are a source of data breaches. Laptops should be protected with encryption.
- Participants should be instructed to read plan issued materials and not discount correspondence as “junk mail.”
Participant plan education should include materials addressing cybersecurity and, for live presentations, a discussion of best practices for cybersecurity.
Surrounded by the real and present threat of a cyber-breach, plan sponsors and fiduciary committees need to acknowledge the threat to employee benefits plans for which they are responsible. In keeping with the recommendations of the ERISA Advisory Council, plan fiduciaries should discuss, design and implement a “risk management strategy.” The strategy must be tailored to the business, the company’s benefit plans and the participant demographic. The critical elements of the strategy should include:
- Vendor Monitoring. Ask the critical questions outlined above of third-party service providers at the request for proposal stage as well as on an ongoing basis.
- Insurance. Verify cyber insurance coverage by third party service providers, and also review the plan sponsor’s own fiduciary liability umbrella policy and cybersecurity insurance coverage.
- Service Agreements. Negotiate, review and, to the extent necessary, update vendor contracts.
- Education. Educate participants on the importance of self-protection and vigilance.
By following these steps, plan sponsors and fiduciaries can fulfill their fiduciary obligations and, in so doing, protect the hard earned benefits of plan participants and their beneficiaries.
As 2017 comes to a close, many small employers are struggling to find affordable group health plans on the insurance market. Given the substantial impact increased premiums have on individuals and small employers, many small employers have sought out alternative mechanisms for providing health insurance to their employees. Qualified Small Employer Health Reimbursement Arrangements (“QSEHRAs”) might be their best option for providing tax-free reimbursements of medical expenses.
Under the Affordable Care Act’s (“ACA’s”) Market Reform rules, stand-alone Health Reimbursement Arrangements (“HRAs”) and employer payment plans used to reimburse employees for medical care expenses violate the ACA and are subject to Internal Revenue Code Section 4980D excise tax. The IRS quickly became aware of the negative impact this rule had on small employers and decided to create QSEHRAs, which became available to qualified small employers on January 1, 2017. QSEHRAs, unlike HRAs, are not subject to health care reform requirements for group health plans. At first, many areas of uncertainty surrounded the formation and implementation of QSEHRAs. However, the IRS released Notice 2017-67 in mid-October, which contains detailed guidance on the requirements for providing a QSEHRA to employees.
A QSEHRA must meet the following four basic requirements: (1) the QSEHRA must be funded solely by an eligible employer, and no salary reduction contributions may be made under the arrangement; (2) after an eligible employee provides proof of coverage, the QSEHRA must provide for the payment or reimbursement of medical expenses incurred by the employee or the employee’s family members; (3) the amount of payments and reimbursements for any year cannot exceed the statutory limits ($4,950 for self-only coverage and $10,050 for family coverage in 2017; $5,050 for self-only coverage and $10,250 for family coverage in 2018); and (4) the QSEHRA must generally be provided on the same terms to all eligible employees of the employer.
In order to qualify for a QSEHRA as a small employer, a company cannot be an Applicable Large Employer under the ACA (i.e., must have fewer than 50 full-time equivalent employees in the prior calendar year) and cannot offer a group health plan to any of its employees. If an employer’s workforce increases to 50 or more full-time equivalent employees during a calendar year, that employer will become an Applicable Large Employer before the first day of the following calendar year. Offering a group health plan to former employees or retirees will not disqualify the employer. However, if an employer endorses a particular policy, form, or issuer of health insurance, it will constitute a group health plan and disqualify the employer.
Any eligible employee or family member can participate in the QSEHRA. Reimbursements for medical care are tax-free to the employee if the employee has minimum essential coverage (MEC) for the month in which the medical care is provided. Medical care, as defined in Internal Revenue Code Section 213(d), includes health insurance premiums, but excludes out-of-pocket expenses already reimbursed from another source and premiums paid by the employee on a pre-tax basis, for coverage under a group health plan of another employer. However, the QSEHRA can reimburse an employee for premiums paid after-tax under a group health plan provided by a spouse’s employer. An initial submission of proof of MEC must be provided to the employer, in addition to proof of MEC with each new request for reimbursement for the same plan year. An attestation by an employee will constitute proof of coverage if it states that the employee and family members have MEC, provides the date coverage began, and includes the name of the provider.
A QSEHRA must be provided on the same terms to all eligible employees on a “uniform and consistent basis,” but may exclude the following employees: (1) employees that have not completed 90 days of service; (2) employees that are under age 25; (3) part-time or seasonal employees; (4) employees covered by a collective bargaining agreement if health benefits were the subject of good faith bargaining; and (5) nonresident aliens with no earned income from the employer or sources within the U.S. Former employees, retirees, and non-employee owners must be excluded from the QSEHRA. Furthermore, a 2% shareholder-employee of an S corporation does not constitute an employee for purposes of QSEHRAs.
IRS Notice 2017-67 provides many detailed rules on eligibility, nondiscrimination notice and reporting requirements, integration with other laws, and more. Complying with these rules is important, since failure to comply with the QSEHRA requirements will result in a noncompliant group health plan and trigger ACA penalties. If you are a small employer and are interested in setting up a QSEHRA, please contact one of our employee benefits attorneys for more information on the legal requirements and implementation process.
According to the IRS, payments made to participants under certain fixed indemnity insurance policies must be included in the employees’ gross wages, unless the premiums are paid on an after-tax basis. Fixed indemnity health plans are plans that pay covered individuals a specified amount of cash for the occurrence of certain health-related events such as hospital visits or the diagnosis of a particular condition or disease (e.g., cancer). The benefit amounts paid to participants in the plan are not related to the amount of medical expenses actually incurred by the employee.
Earlier this year, the IRS released a Chief Counsel Advice Memorandum, CCA 201703013. The IRS concluded that “an employer may not exclude from an employee’s gross income payments under an employer-provided fixed indemnity health plan if the value of the coverage was excluded from the employee’s gross income and wages” or “if the premiums for the fixed indemnity health plan were originally made by salary reduction through a Section 125 cafeteria plan.” If the premiums are paid with after-tax dollars, the plan benefit payments are excluded from the employee’s gross income. Employer payments and employee premiums paid under a cafeteria plan towards fixed indemnity health plan coverage are not included in the employee’s compensation income at the time the amounts were paid since they are made through salary reduction under a cafeteria plan. Therefore, according to this memorandum, benefit payments associated with that coverage constitute taxable income.
The problem with fixed indemnity health plans for the IRS is the fact that cash payments are made to employees without regard to the actual amount of expenses incurred by the employee for medical care. Section 106(a) of the Internal Revenue Code (the “Code”) excludes from income premiums for accident or health insurance coverage that are paid by an employer. Section 105(b) of the Code allows employees to exclude amounts received through employer-provided accident or health insurance, if those payments are made as reimbursement for medical care related to personal injuries or sickness. However, the IRS reasons that since amounts received under employer-sponsored fixed indemnity health plans do not take into account the actual medical costs incurred, the reimbursements are not reimbursements for personal injury or sickness, and therefore must be included in gross income.
The IRS guidance also specifically discusses cafeteria plans. The IRS notes that under Section 125 of the Code, the employee has the option to receive cash instead of a salary reduction applied to purchase accident or health coverage. If the employee elects a pre-tax salary reduction for accident coverage instead of cash, that amount is excluded from gross income as employer-provided accident or health coverage under Section 106. However, if the employee elects a salary reduction for premiums toward a fixed indemnity health plan, the amounts payable as benefits to the employee under the plan will be includible in gross income since the cash reimbursement amount is provided to the employee without regard to the amount of medical expenses otherwise incurred.
In light of this guidance, employers offering fixed indemnity plans should carefully evaluate how premiums for that coverage are paid and the impact of that decision on future benefit payments. According to the IRS, when employees pay premiums for a fixed indemnity health plan through a pre-tax salary reduction under a Section 125 cafeteria plan, benefit payments under the policy will be treated as taxable income. If you are uncertain about the tax implications of your fixed indemnity benefits or have questions about this IRS guidance, please contact a member of the McGrath North employee benefits practice group.