Plan records can take many forms. While no bright line legal definition of what constitutes a plan record exists, the DOL generally delineates between plan level and participant level records (although there is some overlap). Plan level records include various filings (e.g. 5500) and records used to support the filings. Records relating to non-discrimination and coverage testing, required disclosures, financial reports and evidence of the Plan’s fidelity bond are also types of plan level records. These types of records should be retained for at least 6 years. Participant level records relate to the determination of a participant’s benefit such as account records, census data, distribution and loan documents, Board and/or administrative committee minutes and resolutions, and plan and trust documents. Participant level records should be maintained as long as necessary to determine benefits due or which may become due. IRS guidance provides records should be maintained until all benefits have been paid and the Plan is no longer subject to audit. Participant level records as defined by the DOL and IRS guidance imply some records should be maintained indefinitely.
Other concerns relate to the form of the records and where they are stored. While many records are saved in electronic form, records also still exist on paper. Issues arise as to the location and ability to retrieve records that can exist on different platforms, locations and formats. Changes in service providers can cause records held by former providers to be inaccessible or available ‘for a price.’ So, what are ideas to help manage the risks?
Practitioners advocate the establishment of a written policy covering how records are maintained, reviewed, updated, preserved and discarded. Review by ERISA counsel and/or those charged with Plan governance is recommended. Review record retention policies of service providers that prepare or maintain plan records. When changing service providers consider any possible interruption in retrieving records held by the former provider that were not transferred to the new provider. Categorize and document records in an organized fashion that is conducive to easy identification and retrieval.
In addition to record retention, procedures to ensure the confidentiality and privacy of the records need to be considered. Confidential information is information that is not intended to be made public. Privacy relates to the collection, use, retention, protection, disclosure and disposal of personal information. Personally identifiable information is information that can be used to determine a person’s identity such as name, social security number, date of birth, etc. Payroll and HR records, enrollment forms and plan reports often contain personally identifiable information. Practices such as only sharing the minimum necessary can help protect confidential and personal information. Limiting personally identifiable information only to those who need access is recommended.
On the bright side it is rare for an issue to arise; but when it does, it can be very problematic. A request for various documents by a regulatory agency in connection with an audit or examination can result in significant time and expense. Having organized and efficient policies and procedures in place can go a long way to reduce stress, time and expense in compliant. A leak of confidential or private information can be devastating. The adage an ounce of prevention is worth a pound of cure is appropriate.
So how long should records be retained? Somewhere between a minimum of 6 years to indefinitely. Prudent and appropriate policies and procedures can go a long way to limit risk and compliance with fiduciary duties.
