P R E C I S I O NExpert Guidance and Creative Solutions for Retirement Professionals VOL 2 2014

A DWC ERISA CONSULTANTS PUBLICATION

An Rose Employee By Any Other Name

Plan Documents: More Like Guidelines

or Actual Rules?

Doing M&A The Right Way

Accidents Will Happen

Sometimes Simple Isn’t

Control Yourself: Plan Compliance

and Internal Controls

Bad Things Happen. How To Be Prepared.

Don’t Be The Next Target for a Data Breach

A DWC ERISA CONSULTANTS PUBLICATION 2014

FROM THE EDITORS TABLE OF CONTENTS

Security is a word that means many things to many people.

To an investment professional, it might refer to a stock or

mutual fund. To a nervous parent of a teenager, it might

mean driving a really safe vehicle. To the technologically

astute, it could be safeguarding sensitive data. To someone

contributing to their 401(k) plan, it could most certainly

refer to saving enough for a comfortable retirement.

What do all of these have in common? Maybe many

things, but the one that jumped out at us is that they all

require proactivity. Business moves at a hectic pace, and

it is really easy to fall into approaching our day-to-day

activities reactively. Sometimes, that is just the nature of the

beast, but being proactive means getting in front of issues

before they become problems. And, preventing problems

leads to enhanced security, whether it is protecting data

or establishing internal controls to ensure greater plan

compliance.

This year’s edition of PRECISION Magazine is all about being

proactive. We are pleased to bring you articles from our

team of internal experts as well as guest authors who know

the value of leading the process rather than reacting to it.

The good news is that whether the situation calls for

advance planning or knowledgeable reaction, you’ve come to

the right place.

Keith Clark, Doug Hoefer and Adam Pozek Partners, DWC ERISA Consultants, LLC

2. Don’t Be The Next Target for a Data Breach Adam C. Pozek, ERPA, QPA, QPFC

5. An Rose Employee By Any Other Name Szilvia Frazier, ERPA, QPA Cindy Banta, QKA

9. Plan Documents: More Like Guidelines or Actual Rules? Adam C. Pozek, ERPA, QPA, QPFC

11. Doing M&A The Right Way Amy E. Ouellette, CFP®, ERPA, QPA

14. Accidents Will Happen Joni L. Jennings, ERPA, CPC

18. Sometimes Simple Isn’t Doug Hoefer

21. Control Yourself: Plan Compliance and Internal Controls Ilene H. Ferenczy, Esq.

24. Bad Things Happen. How To Be Prepared. Rick Alpern

A DWC ERISA CONSULTANTS PUBLICATION 2014 2.

Don’t Be The Next Target for a Data Breach By Adam C. Pozek, ERPA, QPA, QPFC

The TJX Companies, Target and AT&T are just

three of the big names to have been victims of

massive data breaches in which sensitive personal

and financial information was compromised.

Although it might seem that large companies are

the only potential victims, the risk is shared by

any organization that houses or transmits such

information.

If you think about it, the data necessary for ongoing

administration of employee benefit plans is enough

to make an identity thief’s mouth water – names,

social security numbers, birth dates, addresses –

pretty much everything except mother’s maiden

name, favorite pet and name of first grade teacher.

With the rapid evolution of technology and the

sophistication of the bad guys who wish to exploit it

to their advantage, it is increasingly critical that we

take steps to prevent them.

Rules of the Road

All but three states have enacted laws restricting

when and how sensitive information can be

electronically stored and transmitted, even for

employers dealing with employee information.

If you do business in Europe, the EU has

enacted the Directive on Privacy and Electronic

Communications.

In some of the strictest states, there are monetary

penalties imposed on any party that does not take

affirmative steps to protect certain information. For

example in Massachusetts, sending unencrypted

personal information over the internet can result

in civil penalties of up to $5,000 per violation.

That means e-mailing an employee census file for

10 employees without some form of password

protection or encryption could result in hefty fines

even if there is no actual theft of the data.

In addition, both the SEC and FINRA have standards

that investment professionals must follow to protect

client records, and the SEC’s Office of Compliance

Inspections and Examinations recently announced

that it will begin examining broker-dealers and

registered investment advisors with an eye on

cybersecurity governance.

Protect Yourself and Your Data

While there are plenty of high tech methods of

protecting your data, there are some simple and

inexpensive steps you can also take.

Create a Data Usage Policy

For starters, create a company policy that describes

how sensitive information can and cannot be used

and by whom. This can be as simple as indicating

that all personal information is to be held in the

strictest of confidence at all times or as robust as

breaking down the entire who, what, why, when

and where. Note that data can be stolen in very low

tech ways such as dumpster diving on trash day. So

do not overlook something as obvious as requiring

discarded hard copies to be shredded rather than

just tossed in the trash can.

Once the policy is in place, be sure to communicate

it to all employees. Consider including it in your

employee handbook or otherwise making it a

condition of employment, similar to other company

policies and procedures. Highlighting it creates

awareness at all levels of the organization and can

make data security a part of the company culture.

Have a Rhyme and Reason for Data Accessibility

Start by asking whether all employees need to access

all information all the time in order to effectively do

their jobs. If not, consider restricting their system

permissions to only that data or those systems they

A DWC ERISA CONSULTANTS PUBLICATION 20143.

Evaluate Data Transmission Methods

When transmitting sensitive information over the

internet, try to use secure portals to upload or

download information in lieu of e-mailing it. For

example, our client portal employs leading edge

password protection and encryption to ensure

our clients’ connections to our system are secure

and direct. That means employee census files

are uploaded directly to our secure site and not

transferred over the unprotected internet. Many

professional firms and service providers that work

with protected information have similar portals.

If a secure connection is not available, files should,

at a minimum, be password protected prior to

transmission via e-mail or other means. Even the

most ubiquitous desktop applications (Microsoft

Office, Adobe Acrobat, etc.) allow this functionality

with only a couple of additional clicks when saving

files. Of course, the recipient will need the password

in order to open the file, but be sure you send it

via a follow up e-mail or alternative means rather

than including it in the message that contains the

protected file. After all, sending both the file and the

password in the same message does not offer much

protection if it gets hacked.

Still another option is to implement logic on your

e-mail server that automatically encrypts outbound

messages that include sensitive information. Many

e-mail setups, including cloud-based Microsoft

Exchange services, offer this functionality at a

nominal additional cost, and most include a setting

designed to detect and encrypt strings of numbers

that follow conventional formats such as social

security numbers, credit card numbers, etc. Even if

a user forgets to take precautions with the data, the

server will do it for them.

need. This could be determined by employee, title,

job classification, location, etc.

It is also critical to review and understand how

various systems handle passwords. At a bare

minimum, a password should be required to access

all systems that contain sensitive information.

However, many systems include settings that can

easily enhance security by:

• Preventing common, easily-guessed passwords

such as “1234” or even “password”;

• Setting passwords to expire at regular intervals

such as every 90 days;

• Prohibiting previously used passwords or those

that are too similar to either the company name

or an individual’s user ID; and

• Requiring passwords to be a certain length

or include certain types of characters such as

upper and lower case letters, numbers and/or

punctuation marks.

Assess the risks and burdens of these different

options to determine which, if any of them, make

sense for you.

Don’t Be The Next Target for a Data Breach ... continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 4.

Remember Mobile

For all of the aforementioned reasons, do not

forget to consider how mobile devices factor into

the equation. Some high profile data breaches

have occurred when employees took unprotected

laptops on business trips only to have them stolen.

If employees can access sensitive data from their

laptops, tablets and/or smartphones, make sure:

• Those devices are password protected;

• Mobile access is limited to only the data the

employee would be able to see while in the office;

and

• You can remotely erase the device if lost/stolen or

at least disable/reset that user’s login information.

All are important considerations as today’s notion of

“the workplace” is much broader than it once was.

Work With Professionals

Data security is a big deal. In the same way that you

work with professionals for other critical yet complex

business needs, it is also important to work with

data security professionals. That might mean making

sure your internal IT staff has the necessary training

and experience to address your data security needs

or hiring an outside consultant to evaluate your

systems. If you are located or do business in a state

with particularly strict laws, this might mean hiring

an attorney to review your policies and procedures

to ensure you are in compliance. If you do not have

the expertise yourself, work with someone who does.

Select Partners That Take Data Security Seriously

Even if you have taken the necessary security

measures, you could still be vulnerable if your

business partners have not. There is a saying that

a chain is only as strong as its weakest link, and

the same is true with the data transmission chain.

Anyone with whom you share sensitive information

should have systems and procedures in place

designed to ensure its protection. If you are unsure

about a current or prospective partner’s data-

protection policies, ask them.

Conclusion

We are not data security experts, but we have

worked with outside professionals and implemented

procedures to provide secure transmission and

protect the sensitive information in our possession.

Although technology creates an ongoing game

of cat-and-mouse between those who wish to

misappropriate data and those who wish to protect

it, following the steps described in this article can be

a great start to making sure your data does not have

a target on it.

Adam is a nationally known writer and speaker and 20+ year veteran of the pension consulting business. He is a partner at DWC ERISA Consultants, where he works with businesses of all sizes and industries from across the country.

Even if you have taken the necessary security measures, you could still be vulnerable if your business partners have not.

A DWC ERISA CONSULTANTS PUBLICATION 20145.

An Rose Employee By Any Other Name By Szilvia Frazier, ERPA, QPA and Cindy Banta, QKA

As companies adapt to an ever-changing business

environment, it sometimes calls for the use of

different types of work arrangements. Some may rely

on more part-time workers, while others may choose

to work with independent contractors. Regardless

of the reason for using them, alternative work

arrangements present some unique challenges when

it comes to employee benefit plans.

Employee or Not?

This seems like such a simple question but it can

become complicated quickly. Making an accurate

determination is critical for several reasons.

• Exclusive benefit rule: This rule requires retirement

plans to be maintained exclusively for the benefit

of the sponsoring company’s employees. As a

result, the plan cannot be extended to anyone who

is not legally an employee of the company.

• Plan design: There is quite a bit of flexibility in

designing plans to include/exclude certain groups

of employees, but in order to take full advantage of

that flexibility, it is important to first have a solid

understanding of which workers are part of the mix.

• Nondiscrimination: Properly classifying workers is

an important first step to ensuring that a plan is

in compliance, provides the promised benefits and

does so in a manner that does not discriminate in

favor of Highly Compensated Employees (“HCEs”)

– generally those who own more than 5% of the

company or who have annual compensation

exceeding $115,000 (indexed for inflation).

Making the Determination

It is generally up to each employer to ensure its

workers are properly classified. While it is not quite

as simple as whether the worker’s pay is reported

on a Form 1099 versus a W-2, the IRS has provided

guidance for companies to consider. The so-called

“Twenty Factor Test” (found in Revenue Ruling 87-

41) focuses largely on whether the company has the

right to control the worker.

As a general rule, the following factors suggest

that the company has that right, and is likely in an

employer/employee relationship if:

The worker …

• Is required to comply with instructions regarding

when/where/how to work;

• Performs services at the company’s place of business;

A DWC ERISA CONSULTANTS PUBLICATION 2014 6.

• Must submit regular or written reports; and

• Is in a continuing relationship with the company.

The company …

• Has the ability to hire, supervise or terminate the

worker;

• Provides tools, materials and/or equipment for the

worker to use in performing services; and

• Pays/reimburses business expenses such as for

travel, etc.

Conversely, the following factors tend to support

a determination that the worker is an independent

contractor and not an employee if:

The worker …

• Has a significant investment in facilities,

equipment, etc. that are used for performing

services;

• Realizes a profit or loss;

• Provides similar services for more than one firm at

a time; and

• Makes services available to the general public.

Each determination is based on all the relevant facts

and circumstances, and there is no single factor or

combination of factors that will always lead to one

decision or the other.

Leased Employees

Many people think of “leased employee” as a generic

term that refers to any worker that comes from some

sort of staffing agency; however, the law includes a

very specific and lengthy definition. Although a true

Leased Employee is, by definition, a common law

employee of the leasing organization, he/she may

also be treated as an employee of the company for

which he/she performs services if all of the following

conditions are met:

• The recipient company pays a fee for the services

of the individual;

• The worker has performed services for at least

one year on a substantially full-time basis (at least

1,500 hours in a 12-month period); and

• The recipient company has primary direction over

the services rendered by the worker.

Self-Employed Individuals

For qualified plan purposes, a self-employed

individual is considered an employee, and may

participate in the company’s plan. Such individuals

include sole proprietors, partners of a partnership,

or the sole shareholder of a corporation.

Other Classifications

Other Than Full-Time

This is a broad group that may include subcategories

such as temps, part-timers, seasonal employees,

interns and per diem employees. What they all have

in common is that they are still employees regardless

of how many hours they work. That means they

must be provided benefits on the same basis as

other employees once they meet the plan’s specified

eligibility requirements. More on that later.

After deciding who is or is not an employee, it is important to consider other types of classifications

that come into play.

A DWC ERISA CONSULTANTS PUBLICATION 20147.

Miscellaneous

There are any number of other categories that

companies might use to classify their employees.

Some may be driven by extraneous factors – union

members, non-resident aliens, etc. – while others

may be the result of a particular company’s internal

structure – front office staff, factory floor workers,

senior managers, students, the owner’s children,

etc. As we will see in the next section, it is important

for companies that use different classifications

to describe them with some precision and apply

the categorization consistently. For example, if a

company employs students and wants to treat them

differently as a group, the company should define

whether the “student” group applies to all students

or just those enrolled full-time in an undergraduate

program or whatever other variations that may be

appropriate.

Plan Design

Now that we have identified who the employees are

and determined how they are classified, let’s consider

how those categories can be used to customize the

plan design. In other words, who is covered by the

plan and who can be excluded or treated differently

from the others?

Eligibility

According to the law, the strictest eligibility provisions

that a 401(k) plan can utilize are attainment of age

21 and completion of one year of service (defined as

12 months in which an employee works at least 1,000

hours). The plan can be more generous but not more

restrictive, and a plan can use different provisions for

different groups of employees. If a company has high

turnover in the first year, sticking to the maximum

requirements might make sense. If a company

wants to enroll new employees right away, requiring

only one month of service might be the way to go.

Perhaps a combination – one month of service for

salaried employees and one year of service for hourly

employees.

There is an important point to keep in mind,

however. Once in place, the provisions must be

applied consistently. This can present challenges

in plans that use more generous requirements.

Consider a company that employees all full-

time employees and has a one month eligibility

requirement. Fast forward a couple years, and

the company hires summer interns and part-time

employees. Based on the one month requirement,

those interns and part-timers join the plan a month

after they are hired.

Employee Exclusions

An employer may further restrict participation by

excluding named groups of employees as long as the

exclusion is based on some job characteristic other

than the amount of work performed. For example,

a plan cannot broadly exclude part-time or seasonal

employees, because a part-time employee may,

in fact, work 1,000 hours in a 12 month period,

causing the exclusion to violate the eligibility rules

described above. However, if all seasonal employees

happen to clean swimming pools, then pool cleaners

could be excluded, because the exclusion is based on

the type (not the amount) of work.

This is where precision matters. Let us return to the

“student” example. It is perfectly acceptable for a

plan to be written to exclude students as a broad

category, but being overbroad could result in the

unintended consequence of the company CEO being

kicked out of the plan when he or she decides to go

back to school to earn an MBA.

Nondiscrimination

As noted above, retirement plans cannot

An Rose Employee By Any Other Name … continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 8.

As consultants with DWC ERISA Consultants, Szilvia and Cindy bring many years of experience in working with businesses of all sizes in varying industries. They both enjoy being able to communicate complex subject matter in a way that resonates with their clients.

discriminate in favor of HCEs. And of course,

there cannot be a rule without a test to go with it.

That test is called the minimum coverage test, and

there are two variations – the ratio percentage test

(“RPT”) and the average benefits test (“ABT”).

The RPT is a head count test and looks only at the

number of people covered by the plan. Without

getting too far into the weeds, as long as a plan covers

at least 70% of company’s non-HCEs, it satisfies the

RPT. In other words, the plan can exclude up to 30%

of the non-HCEs and still pass the test.

The ABT considers the amount of benefits each

person receives and can sometime be used to prove

the plan is nondiscriminatory even if the RPT fails.

Conclusion

As you can see, proper employee classification

should be carefully considered in relation to your

retirement plan. Proactive planning in the beginning

and being mindful of changes to workforce

demographics can prevent unintended consequences

down the road. When dealing with alternative work

arrangements or excluding employee classes from

your plan, it is best to work with knowledgeable

experts who can guide you through the process.

A DWC ERISA CONSULTANTS PUBLICATION 20149.

Spend any amount of time dealing with retirement

plans, and sooner or later the plan document

will become a topic of conversation…maybe

not an overly exciting topic, but an important

one nonetheless. The law requires retirement

plans to have, maintain and follow their written

plan documents. Any time an employer takes an

action that is not consistent with provisions in

the document, the IRS considers it an operational

failure, and that is not a good thing.

Seems pretty straight-forward, right? Guess

again. From time to time, the question of intent is

brought into the mix. Sometimes, outside notes

or other documentation are consulted as possible

justification to do something contrary to the plan

documents. Several years ago, the United States

Supreme Court actually addressed this in its Kennedy

v. Plan Administrator for DuPont Savings and Investment

Plan opinion.

Although every case is based on its unique facts,

SCOTUS was clear that plan documents must be

followed no matter what anyone’s intention may or

may not have been.

This issue comes up outside the courtroom as well.

We once worked with a small employer whose

plan was audited by the IRS. It turns out that for

several years, investment gains were allocated in a

manner that did not agree with the plan document

provisions...clearly an operational failure. But the

result was that the employees got too much as a

result of the error, and the owner of the company got

short-changed.

You are probably thinking there was no harm to the

employees, so the IRS could not have possibly cared.

While a logical conclusion outside the retirement

plan world, it is incorrect in this context. The auditor

required correction and assessed a mid-five-figure

penalty against the employer.

Believe it or not, the reason for this article is not

to attempt to scare you into following your plan

document - although I guess that would not

necessarily be a bad result – the following the

document part, not the scaring part. The reason is

that with some careful, proactive review, the plan

document can be your friend as well as an important

part of your internal controls that ensure plan

compliance. [See “Control Yourself: Plan Compliance

and Internal Controls” on page 21.]

Even though intentions don’t matter (at least not to

the Supreme Court or the IRS) once the document

is written, a collaborative discussion about those

intentions ahead of time allows the plan document

to be written so that it reflects the company’s goals

and objectives for the plan. Do you want to exclude

certain classes of employees from participating in

the plan? Proper preparation of the plan document

can probably make that happen, while less attention

to those details could result in the unintended

inclusion of certain employees. [See “An Rose

Plan Documents: More Like Guidelines or Actual Rules? By Adam C. Pozek, ERPA, QPA, QPFC

“… ERISA forecloses any justification

for enquiries into expressions of intent,

in favor of the virtues of adhering to

an uncomplicated rule. Less certain

rules could force plan administrators to

examine numerous external documents

purporting to be waivers and draw

them into litigation like this ...”

A DWC ERISA CONSULTANTS PUBLICATION 2014 10.

Employee By Any Other Name” on page 5.]

How about making sure that profit sharing

contributions are calculated only on base salary and

not bonus or giving that group of key employees

you just hired vesting credit for service with their

previous company? Yep. Careful document drafting

can accommodate those also. And these are only a

few of many examples.

What if company goals or workforce demographics

change? Are you stuck abiding by a now outdated

plan document? The answer is a resounding “Yes.”

That is until you amend your plan document to

reflect the changes. Although some provisions can

only be changed prospectively (sometimes not

until the start of the next year), there are very few

provisions that cannot be changed by adopting a

formal written amendment.

It is a good idea to discuss the specifics of the

change, including the motivation behind it, with

someone who is knowledgeable about plan design

and plan documents to make sure the proposed

change is the most efficient means of accomplishing

the goal. There might also be other related provisions

or potential unintended consequences that should

be addressed at the same time. For example, if a

company wants to amend its plan to allow Roth

401(k) contributions, they likely also want to amend

the loan and distribution provisions so that Roth and

pre-tax deferrals are treated the same.

The good news is that there is no time like the

present to review your plan document. From

now through April 2016, almost all 401(k) and

other defined contribution plans are required to

completely rewrite their documents (a process

known as a restatement) to incorporate language

from previous law changes.

Unlike the pirate’s code, the plan document really

is more like actual rules and not just guidelines.

This mandatory restatement is a great opportunity

to lift the hood on your plan, keep what you like

and change what needs to be updated to ensure it

continues to meet your goals and provide valuable

benefits for you and your employees.

Adam is a nationally known writer and speaker and 20+ year veteran of the pension consulting business. He is a partner at DWC ERISA Consultants, where he works with businesses of all sizes and industries from across the country.

CH

EA

P T

EC

H T

OO

L #

30

Postmates (www.PostMates.com)

It’s a busy time of year; you’re working late at the office for the eighth night in a row; and you’re

getting really tired of all the local fast food joints that deliver. Just check in with Postmates on your

iOS or Android device to place an order from any restaurant in town, and the service will send

someone to pick it up and deliver it right to your door. Maybe you’re stuck in your hotel room

without a rental car when your computer battery dies – not just runs out of juice, but completely

dies. Postmates will send someone to the local electronics store to get you a new one and bring it

to your hotel. Any restaurant or store … you name it.

Deliveries are usually made in under an hour. The app itself is free, but there is a minimum delivery

fee of $5 with the actual charge based on the distance. Think of it as the personal assistant version

of Uber. Postmates is currently available in 10 cities across the country and is rapidly expanding

into new markets.

A DWC ERISA CONSULTANTS PUBLICATION 201411.

Doing M&A The Right Way By Amy E. Ouellette, CFP®, ERPA, QPA

Congratulations! You’re buying (or selling) a company!

Call your lawyer; call your accountant; call your …

Third Party Administrator? With all the hullabaloo

surrounding this kind of transaction, the 401(k) plan

is often overlooked until well after the fact, which

can leave the parties facing some unintended and

often unpleasant issues to resolve.

Background

Before going any further, we should clarify a few

terms that will be used in this article. Any reference

to “plans” or “retirement plans” generally refers

to 401(k) plans specifically. Although many of

the same concepts apply to other types of plans,

there are also some variations. Second, when we

talk about a “transaction,” we are referring to the

actual purchase or sale of the business. Last but not

least, references to a “stock” transaction assume at

least an 80% transference of ownership. There are

additional nuances that are beyond the scope of this

article when the percentage transferred is below that

threshold. Now, back to the article.

If you are the seller and also sponsor a plan,

the transaction often determines what, if any,

ongoing plan responsibilities you have and how the

participants are impacted. The driving force behind

these impacts is the type of acquisition – stock or

asset – so we will start by reviewing the difference

between the two.

The First Critical Question – Stock or Asset?

Acquiring a company via a stock purchase means

that the buyer is purchasing the ownership of the

entity from the seller. The purchased company

remains intact through the transaction but has a

new owner(s). Everything owned by the company

is now owned by the buyer, and any employees are

usually treated as employees of the buyer, either

directly or indirectly. If the buyer keeps that entity

open and running, it is a separate but related

employer (shared ownership but a separate taxable

entity). Think of it as buying a house along with the

furniture and all the contents.

An asset sale, on the other hand, leaves the seller as

the owner of the company and transfers only certain

things of value that the seller’s company owned, such

as equipment, property (e.g. physical, intellectual),

client lists, etc. The seller may eventually shut down

the business entirely, but the sale itself does not

determine that end result. Employees of the seller can

be, but are not automatically, hired by the acquiring

entity; however, if/when the buyer does hire them,

they are considered new employees. Think of an asset

sale as buying the furniture out of a house and leaving

the current owner with the house itself.

The Asset Sale – A Seller’s Perspective

What do these differences mean when it comes to

the retirement plans? Let us consider the seller first,

since the type of sale impacts the options more

immediately. Since the seller retains ownership

of the company in an asset sale, the seller retains

responsibility for the 401(k) plan. As part of the

transaction, there may be an agreement for the buyer

to assume the plan (via plan amendment) or agree

to accept assets via a trustee-to-trustee transfer

(via a separate “spin-off” agreement). However,

since doing so would result in the buyer likely also

assuming the associated risks and liabilities, our

experience is that this is a less common outcome.

Think audit risk, participant-lawsuit risk, unavailable-

historical-records risk and just general skeletons-in-

the-closet risk. If that doesn’t make you shudder …

Assuming the 401(k) plan is not transferred in the

sale, the seller may choose to continue sponsoring it;

A DWC ERISA CONSULTANTS PUBLICATION 2014 12.

however, it is recommended that they contact their

plan consultant to discuss the potential for a partial

plan termination if at least 20% of their participating

workforce leaves as part of the sale. The seller may

also opt to terminate the plan entirely if the goal

is to close the business or if there is no further

interest in making contributions for any remaining

employees. Regardless of the choice, it is the seller’s

responsibility to take the appropriate steps.

The Stock Sale – A Buyer’s Perspective

Since the buyer inherits everything in a stock sale,

they must ascertain whether the seller has a plan,

because it can impact their responsibilities and/or

the timing of the transaction. If the buyer does not

want to assume the seller’s plan, the seller must,

at minimum, execute a resolution to terminate the

plan prior to the sale. This is especially important

if the buyer already has its own plan and doesn’t

wish to juggle a second one. If the seller does not

terminate the plan prior to the sale, not only does

the buyer assume responsibility, but they lose the

ability to terminate the plan since they have what

is considered a “successor plan” (see http://www.

DWCconsultants.com/PlanTermination.php for

more information).

If the buyer does inherit the seller’s plan, either

intentionally or accidentally, there are generally three

options going forward.

• Freeze the acquired plan – requires full

maintenance of the plan, including the accounts,

documents, annual Form 5500 filing, etc. but

prohibits any further contributions;

• Merge the acquired plan into the buyer’s plan –

requires: (a) a close comparison of the provisions

of each plan to determine if any changes are

needed to accommodate protected benefits and

(b) separate accounting of the merged sources; or

• Separately maintain the acquired plan – requires

aggregation for certain compliance tests each year,

and depending on demographics, amending the

plans to more closely mirror one another.

What Happens To The Employees?

Again, it depends on the type of acquisition. In an

asset sale, employees that leave the seller and go to

work for the buyer are considered new employees

of the buyer. Service with the seller is generally not

automatically recognized, which can cause some PR

challenges. If the buyer wishes to count past service

with the seller for eligibility, vesting and/or allocation

purposes, they must amend their plan to specifically

recognize it. Otherwise, the employees “brought

over” are treated the same as any “Average Joe” hired

off the street.

In a stock sale, the buyer is essentially taking over the

seller’s entire business, including the employees who

are still at their same desk, doing the same work. In

other words, the buyer cannot treat these ‘acquired’

employees as new hires when it comes to the 401(k)

plan. Rather, as of the date of the purchase, the

buyer must recognize the employees’ service from

their original hire dates with the seller (i.e. the

newly acquired company) for all plan purposes

such as eligibility, vesting and allocations. There is

no amendment to “undo” this service recognition.

So it is important for the buyer to understand any

compliance and/or financial implications that may

result.

In or Out?

It is important for the buyer to consider whether

the acquired entity (via stock transaction) will be

maintained as a separate company or be merged

into the buyer’s. In other words, will the acquired

employees continue to work directly for the acquired

company (as a subsidiary of the buyer) or be

A DWC ERISA CONSULTANTS PUBLICATION 201413.

“transferred” to the buyer itself. This is important,

because the employees of related companies (e.g.

subsidiaries) are generally not permitted to join the

buyer’s plan until a separate joinder or participation

agreement is signed. However, they must still be

considered as “non-benefitting” employees when

performing annual compliance testing. As a general

rule, if this non-benefitting group is comprised of

more than 30% of the employees (across all related

companies), there could very likely be a testing

problem.

As a result, if the buyer wants to allow acquired

employees to join the plan, they should make

arrangements to sign the joinder/participation

agreement in advance of the enrollment date. If, on

the other hand, the buyer does not wish to provide

retirement benefits to these employees, it is critical

to project whether that exclusion will cause testing

problems for its plan. Note that self-destruction is

usually not a risk the moment the sale goes through.

There is a transition period that is often available

that runs through the end of the year following

the year of the transaction so that buyers have

time to conduct the necessary analysis and make

an informed decision as to how they will proceed.

However, that analysis takes time, so waiting until

the end of the transition period is not recommended.

Conclusion

It can be exhausting to consider all of the possible

twists and turns as you venture down the M&A

rabbit hole. So before signing on the dotted line and

potentially backing yourself into a corner, do not be

afraid to pick up the phone and give us a call. We can

help you gather the important facts to make sure your

401(k) and M&A are handled the right way.

For over a decade, Amy has worked in the financial consulting industry. She is a Principal and Team Leader at DWC ERISA Consultants. Amy is active with ASPPA (American Society of Pension Professionals & Actuaries). She was awarded their Academic Achievement Award in 2010 and currently serves on their Government Affairs subcommittee on 401(k) plans. She also sits on the Board of Directors of the ASPPA Benefits Council of the Great Northwest.

BU

YER

’S P

LAN

SELL

ER’S

PLA

N

Acquired employees may participate

Via amendment/participation agreement if under separate taxable

entity; Yes, if a direct employee of the buyer/plan sponsor

Yes, if hired as a new employee of the buyer’s company

Service is recognized for: Eligibility, Vesting, Allocations

Required Optional (via plan amendment)

Plan Sponsorship (responsibility for maintaining plan)

Transfers to buyer Retained by seller

Plan Termination (timing)

Prior to sale date; OR plan may be frozen and/or merged

but not terminated if buyer maintains its own plan

At any time; seller may continue to operate plan or terminate

ASSET SALESTOCK SALE

Doing M&A The Right Way ... continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 14.

plan, reversing improper distributions or some

combination of these and other steps.

Components of EPCRS

EPCRS is divided into three sub-programs – SCP,

VCP and Audit CAP. Since Audit CAP focuses on

correcting errors once the IRS has already discovered

them, we will focus on the other two.

Self Correction Program (“SCP”)

The ever-so-creatively-named Self Correction

Program allows a company to correct a mistake

on its own without asking the IRS for approval. An

operational failure, or a failure to operate a plan

strictly in accordance with plan documents, is the

only type that can be corrected under SCP, and

availability depends in part on the significance of the

failure and the timing of the correction. Keep in mind that an operational failure occurs even if the operation is more generous than what the plan document requires. [See “Plan Documents: More Like Guidelines or

Actual Rules?” on page 9.]

Accidents Will Happen By Joni L. Jennings, ERPA, CPC

If you are a music fan, you may be familiar with the

Elvis Costello song “Accidents Will Happen.” While

Elvis certainly didn’t have 401(k) plans in mind when

he wrote that song, he certainly could have. The

user’s guide for retirement plans consists of tens of

thousands of pages of laws and regulations, many of

which make about as much sense as Sanskrit. With

so many moving parts, it is usually a question of

“when” not “if” an accident will happen despite the

best of intentions.

Maybe you forgot to sign the required plan

amendment a few years ago; maybe you didn’t

realize that buying that new company requires

changes to your plan document; maybe you lost

track of time and didn’t let that new hire start

contributing to the plan on time. While these errors

may seem inconsequential, the IRS does not usually

look at it that way. No matter how innocent the

mistake might be, uncured accidents can come back

to haunt you. Never fear, EPCRS is here.

Overview of EPCRS

The IRS created EPCRS, or the Employee Plans

Compliance Resolution System, in 1991 to provide

plan sponsors with a mechanism to fix mistakes.

Since then, EPCRS has seen more than 30,000

corrections, and Congress has even taken notice,

instructing the IRS to expand the program so that

more companies can take advantage of it.

Before diving into the deep end, let us take a

look at some of the general principles. First and

foremost, the program is designed to un-do the

error … in other words, to place participants in

the position they would have been in had the error

never occurred. For example, the correction may

involve making additional contributions to the

A DWC ERISA CONSULTANTS PUBLICATION 201415.

Any operational failure can be corrected under SCP

within two years of occurrence, and insignifi cant

failures have an unlimited correction window

and can even be self-corrected under audit. Of

course, “signifi cant” is one of those terms that

lawyers like because the meaning is so subjective. In

recognition of the ambiguity, the IRS does provide

a list of factors to be considered when making that

determination including the number of participants

involved, the amount of contributions/plan assets

involved, the number of years the failure occurred

and why it occurred.

Although IRS approval is not required as part of

SCP, it is important to keep documentation of the

corrections that have been made so that it is easy to

demonstrate all was handled properly if the plan is

ever audited and the agent wants to see proof.

Voluntary Correction Program (“VCP”)

Showing just as much creativity in naming, VCP is

for the voluntary correction of failures that are not

eligible for SCP. Specifi cally, it is used to correct

signifi cant operational failures that are more than

two years old as well as the other three types of

failures:

• Plan Document Failure: The plan document is

missing something it should contain or includes

language that it is not allowed to contain. Usually

occurs when a plan sponsor does not timely

update a plan document after a change in the law.

• Employer Eligibility Failure: A company sponsors

a plan it is not allowed to sponsor, e.g. a for-profi t

company with a 403(b) plan.

• Demographic Failure: The plan fails certain annual

nondiscrimination tests, such as the minimum

coverage test, and does not correct within the

timeframe permitted by IRS rules.

What also makes VCP different is that the correction

and supporting documentation must be submitted

to the IRS for review and approval. There are specifi c

forms, documents, etc. that must accompany the

application, and the IRS does charge a fee for the

review. The fee is based on the number of plan

participants and is far less expensive than any

penalties they would likely assess if the uncorrected

failure is discovered during an audit.

Depending on the complexity of the failure/

correction and the IRS’ current workload, the review

process can take 6 to 12 months to complete and

results in the IRS issuing a formal “Compliance

Statement” documenting their approval.

General Comments about Corrections

The IRS Revenue Procedure that spells out the

EPCRS program includes some sample corrections

for common errors but also allows for the use of

customized correction methods as long as they

are reasonable and in good faith. Again, the IRS

provides some factors for consideration. Here are a

few of them:

• Correction must be complete. In other words, if

the failure spans multiple years, all years must be

corrected.

• Corrections should generally keep assets in the

plan.

Accidents Will Happen … continued

Number of Participants Fee

20 or fewer $750

21 to 50 $1,000

51 to 100 $2,500

101 to 500 $5,000

501 to 1,000 $8,000

1,001 to 5,000 $15,000

5,001 to 10,000 $20,000

Over 10,000 $25,000

A DWC ERISA CONSULTANTS PUBLICATION 2014 16.

• When dealing with a nondiscrimination failure,

corrections should generally provide additional

benefits to non-highly compensated employees.

• Corrections should be based on the plan terms,

contribution limits, etc. at the time the failure

occurred.

In certain circumstances, the correction of an

operational failure may be made by retroactively

amending the plan document so that it matches

actual operation; however, the availability of this

method is very limited and almost always requires

IRS approval under VCP rather than self-correction

via SCP.

The IRS also tends to be more accepting of

situations in which the plan sponsor had controls in

place designed to prevent the failure but something

slipped through the cracks. [See “Control Yourself:

Plan Compliance and Internal Controls” on page 21.]

Sample Corrections

Not allowing an eligible employee to make 401(k) contributions

It is not an uncommon occurrence for a company to

lose track of exactly when a new employee becomes

eligible for the plan and forget to enroll them on

time. Since the plan document spells out when

employees become eligible, this is an operational

failure. Fortunately, it is one that can be easily

remedied through four easy steps:

1. Determine how much the employee would have

contributed.

2. Make a company contribution generally equal to

half that amount.

3. Make a company match contribution equal to

whatever match the employee would have received.

4. Adjust items 2 and 3 for missed investment gains

and deposit that amount.

Unless you are psychic, you may be wondering how

you are supposed to know how much the employee

would have contributed. It is usually based on the

average amount contributed by the group (either

non-HCE or HCE) of which the employee is a part;

however, for some plan designs such as safe harbor

plans, it might be a fixed 3% of pay.

If this failure is corrected within two years or it

impacts a small enough number of participants,

correction can be made through SCP. Again,

documentation is critical and should include

identification of the failure, calculation of the

corrective amounts and proof the contributions were

deposited.

Not timely starting loan payments when a participant

takes a loan

Participant loans fall under the jurisdiction of both

the IRS and the Department of Labor, and correcting

a loan failure under EPCRS gets you off the hook

with both agencies. That two-for-one sounds like a

good deal, right? Well, sort of. Unfortunately, since

the DOL is not fond of self-correction, loan failures

require formal approval via a VCP application.

The correction is as simple as re-amortizing the

loan from the discovery of the failure through the

end of the 5-year period (based on the original loan

date), including accrued interest and beginning

payments based on that new schedule. All of the

supporting documentation, including the old and

new amortization schedules, should be included

along with the VCP application.

That might seem like a lot of time and expense to

simply get the loan back on track; however, since

failure to make timely payments (no matter whose

fault it may be) causes a loan to be treated as a

taxable distribution, correction via VCP is the only

way to avoid the negative tax consequences and

A DWC ERISA CONSULTANTS PUBLICATION 201417.

added plan recordkeeping requirements that result

from a so-called deemed distribution.

Conclusion

EPCRS is a very useful tool when it comes to

correcting plan failures. Its continued growth and

evolution show the IRS’ commitment to encouraging

CH

EA

P T

EC

H T

OO

L #

21

Microsoft Office 365 (office.microsoft.com)

Sure, Apple has taken huge strides to expand from its niche in creative industries into broader

business use, but Microsoft Office is still the 800-pound gorilla when it comes to business

applications for word processing, spreadsheets and presentations. But at upwards of $400 per

installation for the full suite, it gets really expensive to keep the whole company on the most

current version, especially when considering that some users have both a desktop and a laptop,

each of which requires its own $400 installation.

That was then; this is now. Enter Office 365 – a subscription-based program that includes up

to five installations per user for as little as $12.50 per user per month. Not only that, but the

subscription also ensures the software is always up to date without having to write a big upgrade

check each time a new version is released.

But wait, there’s more. Each user can also install the mobile versions of Word, Excel, etc. on

their smartphones or tablets at no extra charge. It also includes applications for secure instant

messaging and web conferencing. Each subscription level includes enterprise-level e-mail

functionality, hosted on Microsoft’s servers, so you do not need dedicated IT staff to keep your

e-mail up and running.

If you need additional features, the $22 per user per month package includes increased storage

capacity, e-mail archiving and automatic encryption of outbound e-mails containing sensitive

information. Also thrown into the mix is an application called Yammer, which is almost like an

internal Facebook-type social media site just for your company. You can use it as a simple intranet

or open it up for full-blown inter-company collaboration.

With over 20 years in the pension consulting trenches, Joni brings a wealth of experience to her role as Principal and Team Leader at DWC ERISA Consultants. As a long-time volunteer for ASPPA (the American Society of Pension Professionals and Actuaries), she has served on the Government Affairs Committee and Conferences Committee, and she currently sits on the Board of Directors of the ASPPA Benefits Council of Atlanta.

compliance first and enforcement second. With that

said, this program like all those thousands of other

pages of rules can be complex, so it is important to

work with experienced professionals to go through

this process. When you do, however, you can change

your tune from “Accidents Will Happen” to “[EPCRS

gives you] Shelter from the Storm.”

Accidents Will Happen … continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 18.

Sometimes Simple Isn’t By Doug Hoefer

One of the most frequent phone calls we receive –

whether from a small business owner or an advisor

working with one – starts something like this …”I [or

my client] want to setup a retirement plan, but it has

to be simple and the lowest cost possible.”

What could be a better fit than a plan that has the

word “simple” in its name? Sometimes, that is a

great place to start. Other times, however, “simple”

really isn’t.

Background

In addition to the 401(k) plan, Congress created

several other types of retirement plans that are

intended to be easy for small businesses to setup

and maintain. They are the Simplified Employee

Pension (“SEP”) and the Savings Incentive Match

Plan for Employees or “SIMPLE” (how many hours

did Congressional staffers sit around trying to come

up with that name). The SIMPLE comes in two

flavors – the SIMPLE IRA and the SIMPLE 401(k).

Although all three of these options require minimal

documentation, no annual testing and limited (if

any) ongoing government filings, each imposes

limitations that often lead to a regular 401(k) plan

being an equally cost-effective option.

What’s The Difference and Does It Matter?

There are some significant differences that set these

plans apart from one another. Even if one of the

“simple” variety is a good fit now, it is a good idea to

keep the differences in mind as needs change.

Size Is Important

Employers of any size can implement SEPs and

401(k) plans; however, SIMPLE plans are only

available for companies with 100 or fewer employees

with at least $5,000 in compensation during the

immediately preceding calendar year.

Exclusive Plan

A SIMPLE plan must be the only plan an employer

maintains in a given calendar year. This most

often comes into play when a company decides to

transition from a SIMPLE to a regular 401(k) plan.

Such a transition can only occur at the beginning

of a subsequent year, and employers must generally

provide the employees with advance notification of

the discontinuance of the SIMPLE. So if you or your

client are considering a transition, you will generally

want to get started no later than October 1st to

prepare for the upcoming year.

There is no similar requirement that applies to SEPs

and 401(k) plans, so employers can maintain multiple

plans or transition from one type to another without

concern for the “exclusive plan” requirement.

Eligibility

401(k) plans and SIMPLE 401(k) plans are

allowed to have eligibility requirements as strict as

attainment of age 21 and completion of one year

of service. For this purpose, a year of service is a

12-consecutive-month period in which an employee

works at least 1,000 hours.

By contrast, neither SEPs nor SIMPLE IRAs can

limit eligibility the same way. In a SIMPLE IRA, the

maximum is to limit eligibility to those employees

who have earned at least $5,000 in compensation

in the two prior years and are expected to again in

the current year. SEPs can limit plan coverage to

those employees who have earned at least $550 in

compensation in at least three of the last five years.

There is no ability to exclude short service employees

– interns, etc. – if they meet these requirements.

A DWC ERISA CONSULTANTS PUBLICATION 201419.

Employee Deferrals

Unless adopted prior to 1997, salary deferrals are

not allowed in SEPs. Both SIMPLEs and 401(k)

plans allow deferrals, but there are some critical

differences.

First, a 401(k) plan allows deferrals up to $23,000

per year ($17,500 plus an additional $5,500 for

those age 50 or older). A SIMPLE, on the other hand,

caps deferrals at $14,500 ($12,000 plus $2,500) …

a whopping $8,500 less. For a business owner who

wishes to maximize his or her deferrals, the tax

savings alone can more than offset any additional

cost of having a regular 401(k) plan.

Another important difference is that SIMPLE plans

do not allow Roth deferrals, which could limit the

plan’s utility as an estate planning tool.

Employer Matching Contributions

SIMPLE plans carry a mandatory company

contribution, which can be either a match or profit

sharing contribution. If the match is chosen, the

mandatory formula is 100% of the first 3% deferred.

No additional matching contributions are permitted.

A 401(k) plan can include a discretionary matching

feature, meaning the company can decide from year

to year whether to make a match and, if so, how

much. Companies that prefer to “buy their way” out

of certain 401(k) compliance tests can agree to a

fixed safe harbor matching formula of 100% of the

first 3% deferred plus 50% of the next 2% deferred.

SEPs do not allow matching contributions.

Employer Profit Sharing Contributions

Employers that elect the profit sharing option for their

SIMPLE plans must contribute 2% of compensation

for each eligible employee. No additional profit

sharing contributions are permitted.

SEPs and 401(k) plans allow discretionary profit

sharing contributions of up to 25% of pay in total

and no more than $51,000 per employee. Again, that

discretion provides business owners with flexibility

as to if/how much they wish to contribute. As an

alternative to the two-tiered match safe harbor

(previously described), a 401(k) plan can make a

safe harbor profit sharing contribution equal to 3%

of pay.

With a SEP, each employee must receive a uniform

contribution (as a percentage of pay). So, if the

owner contributes 10% of pay for him or herself,

each employee must also receive 10% of pay. In

a 401(k) plan, there is much greater flexibility to

provide larger contributions to those who earn

more than the taxable wage base (referred to Social

Security Integration) or target contributions based

on job classification, e.g. owners and non-owners.

Vesting

A 401(k) plan can impose a vesting schedule of up to

six years on employer contributions (other than safe

harbor contributions); however, both SIMPLEs and

SEPs require employees to be immediately vested in

all company contributions.

Loans and In-service Withdrawals

Neither SEPs nor SIMPLEs allow participant loans

like 401(k) plans do.

If a participant takes an in-service withdrawal from

a 401(k) plan prior to age 59 ½, it is subject to

regular income tax as well as a 10% early withdrawal

penalty. SEP distributions are taxed similar to

distributions from a regular IRA, and those rules

generally resemble the 401(k) rules. For a SIMPLE,

however, if withdrawals are made within the first two

years of participation, the 10% penalty is increased

to 25%!

Sometimes Simple Isn’t … continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 20.

Plan Documents

All of these plan types require some form of

documentation of the plan and its provisions.

For SEPs and SIMPLEs that truly keep it simple –

little (if any) creativity in plan design, no related

companies or complex ownership structures, etc. –

the IRS has forms (allegedly DIY) that can be used.

• Form 5305-SEP

• Form 5304-SIMPLE - allows each eligible employee

to select his or her own financial institution. The

obvious downside is in a 10 employee company,

the plan sponsor could effectively have to send

contributions to 10 different custodians each pay

period.

• Form 5305-SIMPLE – the employer selects a single

financial institution for all plan accounts.

A 401(k) plan or a SEP/SIMPLE that cannot use

the IRS form must use a more traditional plan

document, which can follow an IRS pre-approved

format such as a prototype or be individually

customized. Many mutual fund families and other

financial institutions offer DIY prototypes which

may look straight-forward on the surface; however,

given the importance of the plan document, we

recommend working with someone with expertise

in that area. [See “Plan Documents: More Like

Guidelines or Actual Rules?” on page 9].

Annual Compliance Testing

SEPs and SIMPLE IRAs are not required to go

through the battery of annual compliance tests.

However, as we have described in this article, there

are plenty of rules that must be monitored to ensure

ongoing compliance.

SIMPLE 401(k) plans are required to satisfy the

minimum coverage test but are exempt from most of

the other tests normally associated with retirement

plans. A traditional 401(k) plan must comply with a

series of tests to ensure enough of the rank and file

employees are receiving adequate benefits, but given

the added flexibility of plan design, the testing can

be a trade-off that is well worth it.

Government Reporting

Similar to annual testing, neither the SEP nor the

SIMPLE IRA is required to file a Form 5500 each

year; whereas, both the SIMPLE 401(k) and the

“regular” 401(k) must do so. In addition, they must

file Form 8955-SSA to report former employees with

remaining balances in the plan.

Conclusion

SEPs and SIMPLEs can be extremely effective tools

for meeting the retirement plan needs of small

businesses, but they can be far from simple. Given

the flexibility in plan design – from initial eligibility to

targeting company contributions to key individuals –

a full-blown 401(k) plan can often provide benefits

to the business owner and employee alike that far

surpass the additional cost that may come with it.

The bottom line is that since “simple” sometimes

isn’t, it is of critical importance to work with experts

who understand the ins and outs, can help you

articulate your plan-related objectives and analyze

the options to ensure you have the best plan to

meet your needs. Where do you find such an expert?

Simple! Just give us a call.

As a co-founder at DWC ERISA Consultants, Doug uses his industry expertise and collaborative approach to help clients and investment professionals design optional plans. As a provider/vendor specialist, he is able to guide clients through their many options to arrive at solutions that best meet their needs.

A DWC ERISA CONSULTANTS PUBLICATION 201421.

Control Yourself: Plan Compliance and Internal Controls By Ilene H. Ferenczy, Esq.

The phrase “internal controls” is one I’ve heard

throughout my 26-year marriage to an internal

auditor. (I was never quite sure what it meant, but

I knew he was always looking for them!) Lately,

however, I’m hearing those words used more and

more in connection with retirement plans. In fact,

IRS representatives are talking about internal

controls as a means of encouraging compliance by

plan sponsors with the law and regulations relating

to their plans.

Those who commonly work with retirement

plans recognize that there are myriad rules with

which to comply, many of which are completely

counterintuitive. Owners of companies that sponsor

retirement plans are rarely specialists in this arcane

area of the law, but are concentrating on being

doctors and manufacturers and service companies

and the like. Even HR people can give only so much

attention to the retirement plan while juggling

health insurance, payroll, workers’ compensation

and discrimination policies. When there is so much

to know and do and so little time to devote to the

process, the only way to make sure that things are

done right is to set up guidelines and follow them.

To that end, IRS speakers to the retirement plan

community emphasize how important internal

controls can be. Not only can they ensure that you

are doing what is needed, but the IRS looks upon a

company that has controls and experiences an error

despite those controls differently than a company

that does not put that much thought into how the

plan operates. To err is human, the IRS believes,

but such an error can be more easily excused if it

happened despite your best efforts. Companies

with internal controls are deemed to have a “culture

of compliance.” As a result, companies with good

internal controls are likely to find that the IRS is

more lenient when an error is discovered on audit

than it is with companies that play it more loosely.

So, what kinds of things can a company do to have

good internal controls? Here are some suggestions:

• Have a listing of responsible parties and service providers

for the plan. These may include several people, such

as:

- Plan administrator

- Third party plan administrator (TPA)

- Financial advisor

- Fundholder/recordkeeper

- Attorney

You may want to outline who is responsible for

which kinds of issues, to assist your staff or your

future HR director to know who does what. (By

the way, do you know what each of these entities

does? If not, perhaps you need a list of what needs

to be done and who is responsible for each item.)

Internal controls are those functions

and systems maintained by the plan

sponsor to ensure that the plan

operates properly. These may include

procedures and checklists, systems

for quality review, policies, lines of

authority … basically anything you do

to keep the trains running on time.

A DWC ERISA CONSULTANTS PUBLICATION 2014 22.

• Make sure that all plan documents are kept together

and easily locatable. This includes the legal

document (usually an adoption agreement (the

check-the-box part) and a basic plan document

(the boilerplate part)), any amendments, the

summary plan description and summaries of

material modifications, and the various procedures

adopted with the plan documents. Sometimes,

having a chart of plan provisions and where they

are found in the document is helpful to give easy

access of information. However, make sure not to

rely too heavily on the chart; the plan document

is what controls. By the way, you are required to

share these documents with a participant who

asks to see them. So having them in one spot also

helps you comply with this obligation.

• Have written procedures for what you do, so that people

can act in your absence (and the next generation

of people fulfilling your role will know what to

do). For example, you may need procedures for

determining the amount to deposit each payroll

period, how to transmit the deposit to the trust

(along with necessary documentation), the

deadline for the deposit, and how to transmit all

of this information to the recordkeeper. This can

help you make sure that deferral deposits and loan

payments are handled correctly.

• Speaking of loan payments, know your loan procedures.

For example, have a worksheet for determining the

maximum loan amount (if it is done in-house) or

a procedure for sending the TPA the information

it needs to process the loan. The plan is required

to have a formal loan procedure outlining how

you evaluate and approve or disapprove loans,

how you determine the interest rate, how loan

payments must be remitted, and when the loan is

considered to be in default; do you know where

yours is?

• QDRO procedures are also required for all plans. These

can help you understand what you need to do

when a proposed QDRO is received. If you send

them on to a service provider for review, such as

your TPA or attorney, what do you need to send to

them to get the review process started?

• Have a retirement plan “phone tree.” This will help

the people in your organization know who to call

when there is a question on the plan, and the order

in which they should be contacted. Perhaps your

tree might be:

- If you have a question and cannot find the

answer in the plan or our procedures, call the

VP of HR.

- If the VP can’t answer, call the TPA.

- If the TPA can’t answer, call the attorney.

This enables the people in your organization to

take action more quickly and understand when

it is appropriate to call the service providers. If

permission is needed at one of the steps, let them

know that.

• Have a list of deadlines relating to the plan and calendar

them. When are deposits due? When is the employer

contribution due? When are Forms 5500 due?

When does the accountant need information about

the plan deduction? And so on …

• Should you have Plan governance documents? Plan

governance documents are terrific if your company

is large enough that you have more than one

person in the company involved with the plan.

Handling things with a prudent procedure is basic

to showing you are a good fiduciary. Having the

procedure in place is the first step. Knowing who

is responsible for what activities ensures that the

right people are making the right decisions in the

right way. Be careful, however, to make sure that

you follow the governance documents if you have

A DWC ERISA CONSULTANTS PUBLICATION 201423.

Control Yourself: Plan Compliance and Internal Controls … continued

them. Having a procedure and failing to follow it

can be evidence that you do not have good internal

controls.

All of this can be summed up by: know what you

need to do and how to do it. Internal controls ensure

that things are handled properly. And, if you are

doing things right, you are much less likely to get

your plan into trouble if and when the government

comes calling.

Ilene Ferenczy is a partner in the Ferenczy Benefits Law Center, a boutique firm specializing in employee benefits law and working with plan sponsors and service providers. She is the author of numerous books including Employee Benefits in Mergers and Acquisitions, the co-editor-in-chief of the Journal of Pension Benefits with DWC’s Adam Pozek and has worked with many providers to update their service agreements to comply with the DOL’s fee disclosure regulations. To learn more about Ilene and her firm, visit www.FerenczyLaw.com.

CH

EA

P T

EC

H T

OO

L #

52

Key Ring (www.KeyRingApp.com)

It seems like just about every store, service, etc. has a loyalty program that comes with its own

shiny card. Just looking at the airlines, hotel chains and rental car companies you might use for

business travel, you probably need to carry an extra wallet. Throw in grocery stores, fast food

joints and other retailers, and it’s time to carry around one of those contraptions the Vegas dealers

use that holds five decks of cards.

Key Ring makes that all go away. Available for both iOS and Android, this free app allows you to

enter all your loyalty cards using your device’s camera. With many loyalty programs pre-loaded,

simply snap a photo of the barcode on your card, and it is instantly saved to your account. Did I

mention that the app will then alert you when any of the stored vendors offer coupons, specials,

discounts, etc.? Want to take advantage of one of those coupons? Just tap the screen to instantly

add the item to a shopping list.

One of the features that sets Key Ring apart from other similar apps is the ability to sync to other

devices or share individual cards with other people. So, set up your cards one time and have them

securely sync to your online account and to any of your other mobile devices. Get a new phone?

No problem. Just download the app, sign in to your Key Ring account and all your cards appear.

Have a single gas rewards card that you share among your family? No problem. Just select “Share

Card” and enter the recipient e-mail address to share it with your spouse, kids, etc.

Key Ring boasts the highest levels of encryption, so if you are comfortable doing that sort of thing,

you can also add your credit cards, drivers license, insurance card, etc. which can be a life-saver if

you lose or forget your wallet.

A DWC ERISA CONSULTANTS PUBLICATION 2014 24.

Bad Things Happen. How To Be Prepared. By Rick Alpern

We see it every day. The news is continually buzzing

about the most recent data breach or public

relations scandal. Target, P.F. Chang’s and Michaels

have recently had significant data breaches. And

in my backyard (Boston), the entire country is

getting a front row seat watching a PR nightmare

featuring two cousins battling for control of a local

supermarket chain. One side has been incredibly

savvy when it comes to spinning their message to the

public. The other side has been dreadful.

Whether it is a breach of your digital assets or just

a good old PR disaster, you would be well-served by

having a response team and communications plan

in place that you can activate should something

bad go down. The tough part is that every scenario

is different, and it is impossible to anticipate all of

them. However, below are some steps you can take

in advance and after a situation arises. Keep in mind,

one of my favorite problem-solving sayings while

putting together your plan: Some assembly required.

There is no one way to handle a PR hiccup. There are

so many factors involved that the final action steps

can’t be properly assembled until you know exactly

what you are dealing with.

Planning For the Problem

The best time to prepare for a data breach or PR

snafu is when you do not have one. As busy as you are

right now, perhaps you can set aside an hour or two

over the next month and begin to put a team and

plan in place that can be activated should a problem

occur. This kind of proactive planning will save

you both time and likely prevent you from making

costly missteps that could make a bad situation even

worse.

• Assemble a Crisis Management team. Meet with them.

Explain the purpose of the team and ask for their

input as to what they think should be done in the

event of a scandal or breach. People are smart

and like to be asked. Their ideas will foster a more

cohesive team and yield a better plan than if it was

simply dictated to them.

• So who makes “The Team?” It really depends on the

talent you have. “Some assembly required,” right?

Here are some likely choices.

- Marketing - You want someone in these

meetings who is always thinking about

your customers … what this crisis means to

them. And, your Marketing person should

instinctively own that portion of the crisis.

If not, tell him/her to. Also, your Marketing

person should be thinking about all of the

different ways you may want to communicate

the solutions that are determined.

- Head of IT - If the problem is a security breach

or web-related, you will need to have a broad

understanding of the problem and all of your

operating systems. Your head of IT should

be able to provide the broad picture of your

computer and online infrastructure. If you are

a small business, you might want to ask the

person who is the most proficient with your

computers.

- Webmaster - Many breaches involve or are

perceived to involve company websites.

Having this person on the team is smart. Your

Webmaster will likely have the whole view of

your website and how the site is built from

your customer’s point of view.

- Web Developer - Again, if the crisis is data

related, you will want to have access to the

developers who built your databases or coded

your site. They are a different breed than Heads

of IT or Webmasters. These are the folks who

A DWC ERISA CONSULTANTS PUBLICATION 201425.

handwrite code, line by line. Not always the

best communicators, but often the ones who

COMPLETELY understand how a site functions.

And since it is often the databases that are

breached, you want to make sure you know the

specific code writers for your database(s).

- Media Contact - This might be you, the

business owner. However, it does not have

to be. But it should be someone who is

comfortable and articulate in answering

questions and gifted in explaining things in a

simple way.

- An Outside Agency - You may want to bring

your PR or Marketing agency contact in for

this. Having an outsider’s perspective can

be really helpful. Usually this person already

has experience in crisis management. And,

having an outsider’s point of view can help to

positively challenge internal thinking, which is

not always accurate.

- An Executive Assistant - Have someone in the

meeting who is writing down EVERYTHING

and can recap the meeting. Particularly,

this person should highlight the next steps,

responsibilities and any great ideas or language

that comes out of the meeting.

When The Crisis Happens

Again, “some assembly required.” Every situation will

be different. But here are a few things to do/keep in

mind when a crisis is discovered.

• Time is a factor. If it is a data breach that is

discovered by just one client, you have to assume

there may be others. Solving this situation must

move to the top of your to do list.

• Pull together “The Team” and start implementing your

procedures.

- Define the problem. In layman’s terms be able

to explain what happened, when it happened,

how it happened and what you are doing

about it. Get this typed up and handed out

to the team. Everyone needs to be saying the

same thing and approaching the challenge the

same way.

- If there is not one clear, obvious solution, tap

the group to brainstorm options. Accept all

ideas until they stop flowing. Then, with the

team’s input, eliminate the weaker solutions

until you have mixed down the ideas into a

solid plan.

- Assign responsibilities. Don’t try to do

everything yourself. Trust your people to do

their jobs.

• Start getting out in front of things.

- Communicate to all internal stakeholders what

has happened and what the plan is to fix it.

Your people will deeply appreciate that you

thought to communicate with them first.

- If it is an issue that affects a small number of

people/clients, Pick. Up. The. Phone. Don’t

email bad news if you don’t have to. At the

agency we like to say, “Nothing takes the place

of showing up.” This is especially true when the

news you need to deliver is bad.

Bad Things Happen. How To Be Prepared. … continued

A DWC ERISA CONSULTANTS PUBLICATION 2014 26.

- If the problem affects a large group of people/

clients, you need to develop a notification

plan. Treat it almost like a media plan. Figure

out all of your touchpoints and determine

which ones you use to notify people and

clients. If there is a small core of clients

who account for a significant portion of

your revenue, call them in addition to the

notification plan.

• Remember to keep the message simple. Do not get too

technical. Most people glaze over when too much

information is shared. They just want to know

what you have already crystallized: What is the

problem? How did it happen? And, what are you

doing to fix it? There will be time to explain how

you will keep it from happening again.

• If you need to go before the media to explain the

situation, try to do the following.

- The president or CEO should be the

spokesperson for the company. In situations

like this, people want to know the top person

is involved and cares enough to be a part of

the solution.

- If the president is not comfortable explaining

the situation, he/she should definitely open up

the press conference and hand it off to those

who can eloquently address the problem.

- Rehearse. Rehearse. Rehearse. Have your

team pepper the spokesperson with tough

questions. Craft short responses. And then,

rehearse some more.

- Be ready for highly technical questions. And

when I say be ready, I mean have your most

knowledgeable person about the problem there

to be able to explain anything you cannot.

• Be sincere and empathetic.

- You must demonstrate that you care and

understand the problem you have caused. Fail

to do this, and the hole you are trying to dig

out of will get deeper.

• Make your clients whole. How you do this really

depends on the problem and severity. Do you

offer something free? Not charge for a service

for a specific time? Hard to know because every

situation is different. Just don’t lose sight of

the fact that you caused a problem and good

customer service dictates you do something to

make things right.

• Follow up incessantly. Don’t disappear after your

initial notification. Your clients will want to know

that you are working on the solution. They also

might need to vent. Continued follow up will allow

both things to happen.

To Management, the news of a PR crisis is the

equivalent of a well-placed punch to the gut. It drops

you to your knees, takes your breath away and leaves

you a little woozy. But you need to prepare for this

moment. Between bad judgment, hackers, human

error, etc., there are all sorts of ways PR nightmares

can happen. The cliché of, “not if it will happen, but

when it will happen” should be embraced. And,

as you know, there is no cookie-cutter solution

that makes the problem go away. You really have to

strap in and confidently lead your team through the

gauntlet. Ask a lot of questions, lean on your team

for support and always stay focused on doing the

right thing.

For 30 years, Rick has worked in the advertising, sales and marketing fields and currently serves as President of Single Source Marketing in Danvers, Massachusetts. He is an avid believer in asking questions and listening to clients in order to achieve the best results. Visit SingleSourceMarketing.com for more information.

The rulebook for our industry consists of laws and regulations. In other words, it is public domain, available to anyone who wants to learn it. That means book knowledge is not enough. We have to be able to explain and apply it in a practical manner.

Every member of the DWC team is encouraged to think beyond the conventional wisdom and put themselves in their clients’ shoes. Since the IRS and Department of Labor are involved, following regulations is of critical importance, but the strategy for doing so must be considered in the context of the day-to-day business environment.

What works for one client will not necessarily work for another. Having solid knowledge of the rules while keeping in mind business realities allows every DWC team member to be a strategic business partner to their clients rather than simply another service provider.

Understanding the mechanics is just the beginning.

DWCConsultants.com651.204.2600