Skip to main content

You are here


401(k) ‘Fraudster’ Hack Case Drops a Defendant


Three parties have been sued as fiduciaries in a case involving theft of a 401(k) balance—a federal judge just let one off the case.

The participant-plaintiff whose account was stolen is one Paula Disberry, who worked for Colgate-Palmolive from December 1993 to March 2004, in England, Mexico and the United States. Disberry left Colgate-Palmolive to return to England in March 2004, but left her 401(k) savings in the Colgate-Palmolive plan. As of March 17, 2020, her account balance under the Plan was just over $750,000. Disberry moved to South Africa in 2008, and upon moving there she updated her contact information with the Plan. According to the suit (Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive Co., S.D.N.Y., No. 22-cv-05778, complaint filed 7/7/22) in June 2016, she again submitted to the Plan an update of her contact information, which consisted of her physical mailing address, email address and cellphone number. Her contact information has remained the same since that time.

The Fraud

Now, between then and August 2020 (when Disberry tried, but was unable to access her account), a “fraudster” managed to update contact information, obtained access to a PIN, change banking relationship information and ultimately initiate a check cut to the changed address that cleared out the account (details are available here). As for the parties involved here, there was the Colgate-Palmolive plan fiduciaries, Alight, who was both the plan’s recordkeeper and customer service center operator (which took the calls that produced the changes, and ultimately acted upon the instructions of the “fraudster” in initiating the distribution), and the Bank of New York Mellon who was the plan’s trustee (who actually cut the check). 

Plaintiff Disberry asserted that all three defendants were fiduciaries under the Plan and all of them breached their fiduciary duties of loyalty and prudence by “(1) causing or allowing the Plan to make unauthorized distributions of Plan assets; (2) failing to identify and investigate suspicious activities and red flags; (3) failing to identify and halt suspicious distribution requests; ( 4) failing to confirm authorization for distributions with Plaintiff before making distributions; ( 5) failing to provide timely notice of a request for distributions to Plaintiff by telephone or email; ( 6) failing to establish distribution processes to safeguard Plan assets against unauthorized withdrawals; and (7) failing to monitor other fiduciaries' distribution processes, protocols, and activities.”

Red Flags

She also alleged that “numerous red flags should have caused Defendants to become suspicious that fraudulent activity was taking place,” specifically that “(1) within the span of less than two months the fraudster changed Plaintiff’s phone number, email address, mailing address, and bank account information, and then requested an immediate cash distribution of Plaintiff’s entire $750,000 Plan account; (2) the fraudster changed Plaintiff’s contact information such that her phone number and email address were in one country while her mailing address was in a different country; (3) although Plaintiff was not yet 59 ½ years old, the fraudster asked for an immediate cash distribution instead of a tax protected roll-over distribution, resulting in an additional 10% tax penalty; ( 4) the fraudster failed to contact the International Benefits Department prior to requesting a distribution while residing in a foreign country, although the Plan's Summary Plan Description (‘SPD’) strongly recommended that this be done; and (5) there were numerous attempts to access Plaintiff’s Plan account via telephone and online within a short time span, many of which were unsuccessful.”

All three parties responded (separately) with a motion to dismiss them from the suit—the plan committee not that it wasn’t a fiduciary, but rather that it didn’t act in that capacity with regard to the actions in question—Alight that it wasn’t a fiduciary, and the Bank of New York Mellon that it didn’t have discretion with regard to its role here.


Judge Colleen McMahon (Disberry v. Employee Relations Comm. of Colgate-Palmolive Co., S.D.N.Y., No. 1:22-cv-05778, 12/19/22) noted that the “Plaintiff alleges, in an entirely conclusory fashion, that Alight exercised authority or control over the management or disposition of the Plan's assets, exercised discretionary authority or discretionary control respecting management of the Plan, and/or had discretionary authority or discretionary responsibility in the administration of the Plan.” For its part, Alight argued that it wasn’t a fiduciary, that it was performing purely ministerial tasks in “facilitating, directing and processing distributions from participants accounts"—and that there wasn’t a “sufficient link between the allegedly fiduciary actions that Alight took and the misconduct in which Alight is alleged to have engaged in.”

Judge McMahon noted that “this amalgamation of ‘defendants’ into a single entity is frequently fatal to complaints,” but noted that this specific suit “…does allege facts that are sufficient to tie the fiduciary acts of Alight to Alight.” 

Therefore, "putting the magic words in the contract, 'purely ministerial duties,' does not avoid fiduciary responsibility, if the characterization, 'purely ministerial duties,' is not correct,” Judge McMahaon noted, commenting that language in the service agreement “restricting discretionary activities does not automatically preclude a finding that Alight acted as a fiduciary if it did in fact exercise discretion.”  Ultimately, she noted that “…reading the Complaint in the light most favorable to the Plaintiff, it is not possible to dismiss out of hand the possibility that Alight would qualify as a ‘functional fiduciary’ within the meaning of ERISA, given its alleged role in directing the institution that held the Plan assets (BNY Mellon) to make the distribution in Plaintiff's case.” She also noted that “…Alight is specifically alleged to have violated its own protocols by not waiting two weeks after making an address change before processing a distribution request,” and denied their motion.

That said, she explained that the denial of their motion did not mean that Alight would ultimately be determined to be a functional fiduciary, finding it “somewhat surprising that Plaintiff has not alleged an alternative claim against Alight under common law principles of negligence.” And—offering some unpaid advice to the plaintiff here by commenting that “the facts pleaded, if proved, would almost certainly suffice to make out a negligence claim against Alight if it turned out not to be a functional fiduciary under ERISA. I make note of this only because the statute of limitations on an ‘in the alternative’ common law claim will run sometime in March 2023; the clock is ticking.”

The Committee

Judge McMahon noted that the Committee “does not dispute that it had a fiduciary duty to Plaintiff. However, the Committee argues that the Complaint does not sufficiently allege that it breached that duty or that the Committee caused Plaintiffs loss”—and then agreed with the Committee. “Plaintiff is the unfortunate victim of a clever criminal. But the Committee—the one entity that inarguably can be sued under ERISA (and only under ERISA)—is simply not alleged to have done anything that violates ERISA.”

Judge McMahon then proceeded to acknowledge that the plaintiff was not required to exhaust administrative remedies to pursue a fiduciary breach claim, and that the suit as presented did allege breach of fiduciary duty and resulting loss due to those breaches. That said, she also commented that “the Committee is not an insurer against any and every possible wrongdoing; if it took reasonable steps to ensure that fraud and theft would be detected (which quite possibly includes by hiring a reputable contract administrator), it will not be deemed to have breached its fiduciary duty to Plaintiff, even though her account was drained by a thief. However, it remains to be seen whether the Committee did take reasonable steps to protect the assets of the Plan against fraud and theft.”

And—as she did with the allegations against Alight—though she denied their effort to dismiss the charges against them, “the court expresses no view about the ultimate merits of Plaintiff’s claim against the Committee.” She acknowledged that "ERISA's ‘fiduciary duty of care ... requires prudence, not prescience,” and that “this is a very thin complaint as against the Committee. The case involves a fraudster executing on a complex, international scam. The Plan was a victim of fraud and theft just as much as the Plaintiff was. An ERISA plan is not required to have procedures in place that account for every possibility—i.e., to act as an insurer against all losses. It must adopt reasonable procedures, but not absolutely air-tight procedures, to protect against the possibility of what happened here, which was a heinous crime.” But then noted that she was not granting the Committee’s motion to dismiss at the motion to dismiss stage.

BNY Mellon

Judge McMahon noted that “the only action that BNY Mellon took in connection with the fraud was to issue a check for the amount in Plaintiff’s account. Plaintiff has not alleged any facts to show that BNY Mellon had "authority" or "control" with respect to that action. Under the Master Trust Agreement, BNY Mellon is responsible for "provid[ing] benefit payment disbursement services for the Company's Plans," including creating and furnishing "checks, direct deposits, or wire transfers for participant benefit distributions as instructed by the Plans' recordkeeper(s)."

“As Plaintiff points out,” she continues, “the MSA stated that Alight must ‘Instruct disbursement agent daily for ... final distribution payments." The Complaint supports this; it specifically alleges that it was an Alight Benefits Information Center representative that spoke with the fraudster and "conducted the distribution transaction online." She noted that “there is no allegation that BNY had any interaction with the person who perpetrated the fraud—unlike Alight, which interacted with the fraudster repeatedly—or that BNY was aware of any of the ‘red flags’ identified by Plaintiff that might have caused it to question the bona fides of the transaction that Alight directed it to process. The agreement specifically withholds authority or control in the issuance of checks that would make BNY Mellon a fiduciary when performing this particular task.”

Perhaps more simply stated, “BNY Mellon is not alleged to have had any information except that Alight told it to cut a check for a particular amount made out to a particular person and sent to a particular address. The Complaint simply does not allege that BNY Mellon did anything except follow those instructions.”

As Plaintiff has not pleaded a link between any actions of BNY Mellon and the fraudulent conduct alleged in the Complaint, she has not established that BNY Mellon acted as a fiduciary,” Judge McMahon concluded—and granted BNY Mellon’s motion to dismiss the claims against it.

Leave to Amend

Judge McMahon noted that the plaintiff had asked for an opportunity to amend the suit against defendants if she granted their motions to dismiss, and while acknowledging that opportunity, she cautioned that “Plaintiff needs to move quickly with any proposed amendment—both for the reason stated above, and because I wish to see the case moving,” and proceeded to outline a schedule for discovery.

Stay tuned.