Judge Consolidates Franklin Templeton Self-Dealing ERISA Lawsuits, Rejects Dismissal Motions

According to multiple underlying complaints, which can now proceed to a consolidated trial, all of the several dozen mutual funds offered by the plan during the proposed class period were managed by Franklin Templeton or its subsidiaries.

The U.S. District Court for the Northern District of California has ruled against Franklin Templeton’s twin motions for dismissal and summary judgement of a lawsuit alleging self-dealing within the company’s defined contribution retirement plan, among other claims.

The district court’s ruling also consolidates the case with a similar lawsuit filed in August 2016, given the closely related matters raised by plaintiffs in that challenge. Together, the complaints allege the defendants breached their fiduciary duties by causing the Franklin Templeton retirement plan to invest in proprietary funds offered and managed by the firm and its subsidiaries, when better-performing and lower-cost funds were available.

According to the plaintiffs, all 40 mutual funds offered by the plan during the proposed class periods were managed by Franklin Templeton or its subsidiaries. The plan also included a company stock fund, which invests in common stock of Franklin Templeton, and a collective trust, managed by State Street Global Advisors, which is intended to track domestic large-capitalization stocks as represented in the S&P 500 Index. Prior to 2015, the S&P 500 Index Fund was the only passively managed, and only non-proprietary, option in the plan, the complaints allege.

The now-consolidated case has received one prior ruling from the district court, which rejected Franklin Templeton’s motion for summary adjudication. That motion had unsuccessfully argued that the original complaint violates a covenant not to sue contained in the agreement the lead plaintiff signed when he was terminated.

This new ruling to consolidate the cases and allow them to proceed comes just about a week after the parties appeared for a hearing before the court, on April 3, 2018.

Concerning the motion for summary judgement, the Franklin Templeton defendants asserted that plaintiff’s suit should be barred by a covenant not to sue in a severance agreement. The court disagrees, according to the following line of logic: “In defendants’ view, the release and covenant not to sue broadly promises that the employee, plaintiff, releases all claims including ERISA claims and will not bring any lawsuit relating to those claims. Plaintiff argues, however, that the release is subject to the carve-out and the carve-out covers this lawsuit. The carve-out provides an exception for ‘any right that relates to … the employee’s vested participation in any qualified retirement plan.’ Plaintiff argues that her suit seeks to vindicate rights that relate to her vested participation in the plan. Regardless of whether the severance agreement applies to plaintiff’s claims, the Ninth Circuit’s holding in Bowles v. Reade prevents its enforcement here.”

In that case, the Ninth Circuit held that a plan participant cannot settle, without the plan’s consent, a § 502(a)(2) breach of fiduciary duty claim seeking “a return to the plan and all participants of all losses incurred and any profits gained from the alleged breach of fiduciary duty.”

The text of the new district court decision details several counterarguments to this conclusion, but the judge is not swayed.

Concerning the motion to dismiss, Franklin Templeton argued the court should dismiss the complaint on a number of diverse grounds. The firm suggested the first-to-file doctrine bars plaintiff’s suit, and that plaintiff fails to state a claim on all four asserted causes of action. None of these approaches was successful. For example, the court states in no uncertain terms that it will not apply the first-to-file rule here: “Where two duplicative suits are pending in the same district, the Ninth Circuit has applied the claim-splitting doctrine rather than the first-to-file rule.” Each of the subsequent arguments alleging that plaintiffs fail to state a claim similarly fails.

It should be noted that Franklin Templeton has strongly denied these allegations of inappropriate self-dealing. The firm shared the following statement with PLANSPONSOR: “This second lawsuit was filed by the same law firm that filed the pending Cryer action against the Company, on behalf of a plaintiff who is already a member of the Cryer class. Both actions are premised on the same alleged core facts and seek duplicative relief for the identical class. The court’s decision to consolidate the actions does not change the underlying nature of the litigation or afford the plaintiffs the prospect of any additional remedies. Franklin Templeton takes pride in its 401(k) plan, which offers a generous matching program and provides employees with a diversified line-up of investment choices, including proprietary and non-proprietary funds. The Company is defending against the litigation aggressively.”

The full text of the decision is available here.

What Plan Sponsors Need to Know About DC Plan Cybersecurity

Retirement plan sponsors that take cybersecurity seriously are less likely to see their participants’ assets and personal information affected by a successful cyberattack.

For most of the past decade, cyberattacks have been on the rise.

In 2015 alone, more than $1 billion in losses were reported, according to the FBI’s Internet Crime Complaint Center. It is not unreasonable to assume that eventually retirement plans would make tempting targets for cybercriminals. After all, personal data is the lifeblood of any benefit plan. The flow of this private data between parties, internally and externally, is what makes a benefit plan tick. It also makes these plans unique targets that many organizations—even those with enterprise-level cybersecurity policies—have not considered.

While we know that cyber threats cannot be eliminated, they can be managed and minimized with proper planning. Being ready to respond to and recover from a cyberattack is just as important as preventing one.

To combat these concerns, the ERISA [Employee Retirement Income Security Act] Advisory Council looked into best practices and considerations for benefit plans. One of the most notable conclusions is that cybersecurity for benefit plans can’t be “checklist driven.” Given the number of variables that can be present, it is an issue that each organization needs to address individually. Therefore, the report focuses on a framework that organizations should follow in establishing and reviewing the cybersecurity policies for their benefit plans.

Gathering the Right Resources

Human resource (HR) and payroll professionals will be the employees who handle and transmit defined contribution (DC) retirement plan information most; however, they are usually not trained cybersecurity professionals. Typically, an organization will have one person who is responsible for the cybersecurity policies for the whole firm. A best practice is to involve this person in the discussions about the security of plan data. At the risk of creating a turf war, we believe it’s important that someone with knowledge of current cybersecurity threats and prevention methods be involved in the conversation. Ultimately, the size, scope and complexity of your cybersecurity plan should be consistent with the size and complexity of your organization and benefit plan structure.

Identifying What Data Is at Risk

A common misconception about cybersecurity and benefit plans is that the cybercriminals are after the assets in participants’ accounts.

While in some cases that’s true, there is an easier target—the participants’ private data. Understanding what data is at risk, how it is transmitted, and to whom, is an important part of protecting it. Sponsors should ask the following questions:

  • What private personal information is used in the administration of the benefit plan?
  • What is the origin of this data, and where is it stored internally?
  • How is access to this data controlled internally?
  • How often is it transmitted outside the organization and by whom?
  • How is the information transmitted?
  • What parties receive this data, and how do they secure it?

It is important that organizations look closely at where this data is stored and who has access to it. In one recent case, a payroll analyst was sick and logged in to complete payroll from home. To avoid a late deposit, the analyst downloaded the 401(k) transmittal file onto a personal computer, which had been compromised, before loading it into the plan website. In doing so, he exposed not only the file but also his login credentials to the plan website. This was a failure of policy, control and education on the part of the plan sponsor. If any of the three had been in place, meaning if the plan sponsor had a policy against using personal computers, a control to monitor usage of personal computers, or even if the employee had been trained on the risks, the breach might not have occurred.

Establish a Policy

The U.S. Department of Commerce, along with the National Institute of Standards and Technology (NIST), developed a standard framework for reducing cyber risks. The key components of that framework are:

  • Identify. Once you understand what data can be exposed, work to identify ways that data could be exposed and compromised. Pay careful attention to third-party vendors and to identifying the weakest link.
  • Protect. Develop physical and virtual safeguards as well as policies and controls to protect against the threats identified above. A key component of this is training employees who have access to personal plan information about the threats and about ways to prevent cybercrime.
  • Detect. Establish how breaches will be detected. Who will be responsible for this task within the organization? Is a third party necessary to detect potential breaches?
  • Respond and recover. In the event of a breach, what steps will be taken to address its short- and long-term impacts? Who will be responsible for the coordination of the response and recovery? The response aspect deals with how the organization will communicate the breach to those affected, as well as what resources will be provided. The recovery aspect deals with how any systems that were breached are secured, or in the event of a total failure, restored to service.

Research Third Parties and Their Policies

Third-party vendors can pose a substantial risk to private information. It is important that plan sponsors reach out to their vendors and understand what their cybersecurity policies are. This is especially important for smaller vendors. Large recordkeepers typically have dedicated cybersecurity teams, but smaller third-party administrators (TPAs) and brokers may not.

It’s important to note that some providers may be uncomfortable sharing all details of their cybersecurity practices. Most should be able to provide a summary document, however. A good place to start with large organizations is asking for both a SOC [Service Organization Controls] 1 and a SOC 2 Report. SOC 1 deals with internal controls over financial information. SOC 2 deals with the controls on private information.

Insurance Considerations

Cyber insurance policies are quickly becoming a standard for most organizations. It is important to understand the type of coverage you have. First-party coverage, for example, typically allows the organization itself to trigger a claim upon learning of a breach. Third-party coverage, however, is dependent on a lawsuit from a third party to trigger a claim. Carefully consider what is and is not included in your cyber insurance policy, as it is likely that it will play a large role in your response and recovery efforts.

Implementing DC retirement plan cybersecurity can take time and effort. However, in the end it’s worth it. Plan sponsors that take cybersecurity seriously are less likely to see their participants’ assets and personal information affected by a successful cyberattack.

Andrew Zito, AIF, is executive vice president, retirement plan services, at LAMCO Advisory Services, an independent retirement plan consulting and advisory firm.

This feature is to provide general information only, does not constitute legal or tax advice, and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of Strategic Insight (SI) or its affiliates.
