Plan Progress Webinar: Benchmarking Your Recordkeeper

Experts discussed what to evaluate when benchmarking recordkeepers, the differences between an RFI and an RFP and what to ask about cybersecurity processes.

Selecting the best recordkeeper for retirement plan participants and monitoring that recordkeeper are part of a plan sponsor’s fiduciary duties. What should sponsors benchmark and how?

A recent PLANSPONSOR webinar, “Plan Progress: Benchmarking Your Recordkeeper,” called upon industry experts to tackle this question, along with the latest trends for employers to consider.

Tim Rouse, executive director at the SPARK [Society of Professional Asset Managers and Recordkeepers] Institute, began the discussion by distinguishing between a request for information (RFI) and a request for proposals (RFP), noting that an RFI is typically less formal than an RFP and might not necessarily indicate a sponsor is interested in changing vendors, whereas an RFP does. “RFIs are used by plan sponsors when they are checking market conditions and an RFP is used when they made a commitment to seriously look at changing vendors,” he said.

Kerrie Casey, a retirement plan consultant for SageView Advisory Group, said RFIs are appropriate for benchmarking plans, noting that every plan sponsor should be going through a benchmarking process on a yearly basis. “The RFI gives plan sponsors a good idea of how the market looks,” she said.

RFPs can also be costly, said Casey, so larger plans that can afford them are more likely to go through the RFP process. However, she warned large employers to tread carefully. For example, she said, while large employers are not required to work with the cheapest recordkeeper, they must justify the value compared to the cost, especially if participants are paying the fees.

When comparing services, always question document provisions, Casey added. She said sponsors should ask: “Is it an individually designed plan? Do you have any quirky plan provisions?”

“You want to make sure your recordkeeper can operationally support that to make the process easier,” she continued. “These are all very unique to plan sponsors and should be called out in the RFP.”

Ben Taylor, vice chair of SPARK’s Data Security Oversight Board, noted that there’s been an increase in the number of cybersecurity questions plan sponsors are asking, given recent cyberattacks on organizations of all sizes and the latest Department of Labor (DOL) guidance on the topic. “Plan sponsors really need to figure out how to connect their due diligence with cybersecurity,” he emphasized.

Casey added that as part of annual due diligence, plan sponsors should be inquiring about any new services their recordkeeper is offering or any updates on the recordkeeper’s performance. “[Plan sponsors] should be bringing their recordkeepers in and asking what’s new, whether that’s financial wellness, cybersecurity, how they performed on their financial audits or what new services they are offering to prospective clients,” she said.

“The key thing is to know how to ask and exchange that information,” Taylor added.

He said plan sponsors can also inquire about the recordkeeper’s penetration testing results, which assess whether a firm’s cybersecurity processes are accurate. Taylor recommends employers ask about their providers’ scores and their processes—how often were hackers found versus how often were they missed? How will the recordkeeper deal with a breach? Will it have a procedure in place if a cyberattack occurs? What cybersecurity framework is it employing, and has it been audited against that standard? “Develop a language where you ask about all those key elements in the DOL’s guidance,” Taylor recommended.

Lastly, Casey suggested that plan sponsors ask about plan participants and see what employees are doing to mitigate their own cyber risk. Recordkeepers can create a report on what participants are doing and the state of their cybersecurity efforts. These results can then drive new communication strategies.

“This can help plan sponsors put in communications to help people create their accounts,” Casey said. “Raising awareness around this can hopefully get more people involved in the protection of their assets.”