Reg S-P Requires Advisers to Inform Customers of Data Breaches

In addition to other registrants, advisers will have 30 days to inform their clients of any substantial data breach.

The Securities and Exchange Commission finalized amendments to Regulation S-P on Thursday. The rule will require broker/dealers, registered advisers, investment companies and transfer agents to develop policies to protect customer data and to inform affected customers of a data breach within 30 days.

The updates to Reg S-P were first proposed in March 2023. Like the proposal, the final rule requires covered institutions to maintain written policies that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,” and maintain an “incident response program.”


Covered parties must also “provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.” This notification must take place “as soon as practicable, but not later than 30 days” from when the institution learned of the breach.

SEC Chairman Gary Gensler explained in a statement that the purpose of customer notification is to “help ensure that customers receive sufficient notice to take measures to protect themselves from harm that might result from the breach.” Under pre-existing rules, there is no mandate to inform customers of a breach, according to Gensler.

In the event reporting a breach to a customer could compromise national security or public safety, the attorney general may request a 30-day extension. The final rule said that the SEC would also consider additional delays. In response to commenters, the SEC indicated that it has created an interagency line for this purpose and guidance on how covered parties can request an exemption. It also clarified that local and state law enforcement can make such a request on their own behalf.

David Oliwenstein, a partner with Pillsbury Winthrop Shaw Pittman, says that covered parties must disclose a breach unless the party reasonably determines that there is minimal risk of “substantial harm or inconvenience” regarding sensitive customer information. He says that they will have to “apply a commonsense framework” since this phrase is not specifically defined.

Oliwenstein says the SEC will expect covered parties to have policies on employee training, network security, internal notifications, and the confirmation and classification of incidents. There will also be an “expectation from the regulators that registrants actually take measures to test the adequacy of their programs,” which can include the simulation of a breach to “see how folks respond internally, and identify weaknesses.”

Larger institutions will have 18 months to comply with the rule and smaller institutions will have 24 months from the effective date, which is 60 days after its entry in the Federal Register. The proposal initially provided for 12 months for both.

 

Expanding Retirement Plan Automation

Experts at EBRI discussed how automation features for emergency savings and other vehicles can help underserved communities save for retirement.

The retirement industry has seen the power of automated workplace retirement saving and auto-escalation of deferral rates. But how else might automation be used as a reasonable tool to help workers save more?

Plan sponsors and providers at the Employee Benefits Research Institute’s 2024 Spring Policy Forum discussed how pension-linked emergency savings accounts, as well as other tax-advantaged savings vehicles, can help underserved communities save for retirement during a webinar on Thursday titled the “Multistakeholder View on Benefits of Auto-Enrollment.”


Ben Roberge, director of financial and retirement programs at Unum, has been an early mover for auto-enrollment in a 401(k)-linked emergency savings vehicle.

During the webinar, he said the firm started in 2022 by launching an opt-in emergency savings program through which employees could contribute, on a post-tax basis, up to $10,000 a year to their 401(k).

Auto Play

Roberge said, though the firm felt automatic enrollment was key to true success, when the program launched its recordkeeper Fidelity Investments didn’t have the capability to provide automatic enrollment into the emergency savings. But, due in part to such strong traction from voluntary participation, Unum worked with the recordkeeper to build a second channel of auto-enrollment, which has been live for over a year now.

“We’re seeing really great results, especially since we launched the auto-enrollment,” he said. “We did limit this to non-highly compensated employees so that we don’t get in any trouble with nondiscrimination testing.”

Average account balances for those in the program were about $1,500 and people did take withdrawals, according to Roberge. He noted that taking withdrawals is what the program is designed for; it’s there for employees to use whenever they need money for emergencies or a rainy day.

“Although people are taking withdrawals, 80% of employees that have contributed to this through the post-tax contributions will have an account balance,” he said. “It’s there when you need it, and people are still contributing. They are still having an account balance.”

Studies have shown that emergency savings are especially important for low-income households. Low-income households with at least $1,000 in emergency savings were half as likely to withdraw money from their workplace retirement savings accounts during the pandemic, according to research from BlackRock.

While plan sponsors have appeared supportive of emergency savings overall, some early movers have veered away from tying them to the 401(k) plan in favor of setting up separate savings accounts. In January, Delta Air Lines announced a partnership with Fidelity through which the airline would contribute to emergency savings accounts for employees.

Underserved Communities

Jason Jagatic, head of global and workplace thought leadership at Fidelity, pointed to another kind of automation: the automatic porting of workplace savings to another account when an employee moves jobs and providers. Jagatic said these functions are beneficial to underserved communities in particular, as they are often made up of part-time workers who shift employers frequently.

“Where we see some opportunities now is giving part-time workers access into the private retirement system,” he said. “When you look at part-time workers, they are overwhelmingly women, people of color, caregivers and people with disabilities. They haven’t been able to participate [in the system]. Some are bringing together multiple part-time opportunities to create their full-time income.”

Fidelity, along with some of the country’s other largest recordkeepers, is part of the Portability Services Network providing the porting of retirement assets. The services went live among some recordkeepers in November 2023, with others coming online this year and into the future.

Jagatic said Fidelity is looking at other opportunities to support underserved communities through automation of retirement savings that can stay with the worker through their careers.

Sarah Faye Pierce, head of government relations at Paychex, echoed Jagatic’s statements. She said expanding access and bringing participants in, particularly through auto-enrollment, means new people are in the system, contributing and saving for the first time.

“Over time we’re building flexibility with emergency savings, student loan repayment or matching, and other vehicles,” she said. “Those give confidence to lower income and underserved communities who are new first-time savers to stay in the system and continue to let that system work for them over time.”
