Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft

Litigation

The apparent “hack” of a 401(k) participant’s account has led to a suit against the plan sponsor, the recordkeeper and the plan trustee/custodian to recover the stolen funds.

The suit claims that in September and October 2016, an unknown person or persons managed to steal plaintiff Naomi Berman’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the Estee Lauder Companies 401(k) Savings Plan. She has filed suit “to remedy the harm caused by the Defendant Lauder Plan fiduciaries’ failures to safeguard the Lauder Plan’s assets.”

What Happened

As it turns out, Berman was a former participant (she left employment at Lauder in March 2006 to become a teacher), but, as many participants do, she opted to leave her balance at Lauder after leaving employment there. By June 30, 2016, her balance there had grown to more than $90,000.

On Oct. 18, 2016, Berman received a document on Estee Lauder Companies letterhead in the mail confirming a distribution of $50,000 from the Lauder Plan to a checking account at TD Bank. Then on Oct. 24, she received another transaction confirmation from Lauder – this one for a distribution of $37,000 from her 401(k) account to a checking account at Suntrust Bank made on Oct. 7. That was followed by the delivery of her Q3 401(k) account statement, which included a withdrawal of $12,000 that had been distributed on Sept. 29 to an account at Woodforest National Bank. 

Now, as you might expect, Berman never requested or authorized any distribution from the Lauder plan, and never had any account at Woodforest National Bank, Suntrust Bank or TD Bank. And, sadly, by the time she got the first distribution notice in the mail, all three distributions had been completed – even though, after receiving the first transaction confirmation, she telephoned the Hewitt Customer Service Center at the number provided on the confirmation notice – only to be told that her remaining account balance was $3,791.

‘After’ Math

According to the suit, between Oct. 24, 2016, and Jan. 2, 2017, Berman made at least 23 calls to Hewitt’s Customer Service Center regarding the unauthorized distributions – and ultimately, the Customer Service Center informed her that it had completed its investigation, no money had been recovered, and that her Lauder Plan account would not be made whole. The suit further claims that while the Customer Service Center said they would investigate the unauthorized distributions, they never provided her with any information regarding that investigation, and that “neither Lauder Inc., nor the Benefits Committee, nor Hewitt contacted Ms. Berman further regarding the unauthorized distributions.”

On or about Oct. 25, 2016, Berman reported the unauthorized distributions to the San Francisco Police Department and the FBI, and placed a fraud alert on her credit file with Equifax. On Nov. 7, 2016, State Street Bank & Trust Co., which served as custodian of the Lauder plan’s assets and provided investment management services to the plan, emailed Berman requesting that she complete an “Affidavit of Forgery” for each unauthorized distribution – but she heard nothing further from them.

Berman says that other than the unauthorized distributions from her Lauder plan account, she did not experience unauthorized activity in any of her financial accounts, and that prior to receiving the Oct. 10 Confirmation of Payment, she had no knowledge of the unauthorized distributions. The suit notes that “none of the Defendants contacted her prior to the distributions to obtain her authorization to make the distributions, and none of the Defendants notified her of the distributions by any means other than the mailed Confirmations of Payment and third-quarter account statement, until she telephoned the customer service center.”

The Parties

In addition to the plan sponsor fiduciaries, the suit claims that the plan’s recordkeeper Hewitt (now Alight) “exercised control over Lauder Plan assets by directing distributions from participants’ accounts, including the unauthorized distributions in this case.” The suit also names State Street Bank & Trust Co. as a defendant. The suit argues that since State Street was compensated for its services by investment management fees paid directly from the Lauder plan and by “‘soft dollar’ commissions,” it was a fiduciary of the plan “in that it exercised authority or control respecting management or disposition of the Lauder Plan’s assets, it exercised discretionary authority or discretionary control respecting management of the Lauder Plan, it had discretionary authority or discretionary responsibility in the administration of the Lauder Plan, and/or it provided investment advice for a fee or other compensation from the Lauder Plan.”

The suit notes that, “Defendants, and each of them, breached their fiduciary duties of loyalty and prudence by causing or allowing the Lauder Plan to make unauthorized distributions of plan assets; failing to confirm authorization for distributions with the plan participant before making distributions; failing to provide timely notice of distributions to the plan participant by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard Lauder Plan assets against unauthorized withdrawals; failing to monitor other fiduciaries’ distribution processes, protocols, and activities; and related acts and omissions.”

The suit also explains that ERISA §502(c), 29 U.S.C. § 1132(c), provides that any administrator who fails or refuses to comply with a request for any information which such administrator is required by ERISA to furnish to a participant or beneficiary by mailing the material requested to the last known address of the requesting participant or beneficiary within 30 days after such request may in the court’s discretion be personally liable to such participant or beneficiary in the amount of up to $100 a day from the date of such failure or refusal, and the court may in its discretion order such other relief as it deems proper. It also notes that on March 25, 2019, Berman’s counsel made a written request for Lauder plan documents – and that the Benefits Committee “has failed or refused to provide requested material since April 27, 2019.”

What This Means

At this juncture, there’s no indication of exactly how this allegedly unauthorized access happened. While there has certainly been a growing concern about cybersecurity risks, there have also been recent cases in which individuals within the sponsoring employer, and others in which TPA or recordkeeping staff, have taken advantage of their access to misappropriate funds.

What seems clear is that we’re likely to hear more about the need for processes such as two-factor authorization when it comes to transactions such as withdrawals.
