Protect Retirement Plan Participant Data from Misuse by Third Parties

Fiduciaries should be wary of allowing vendors to cross-sell financial products

Large recordkeepers and asset custodians of employer-sponsored retirement plans are increasingly using participant data to cross-sell financial products unrelated to plan recordkeeping. Because plan fiduciaries are ultimately legally responsible for the management and mismanagement of a retirement plan, this use of participant data may raise issues for employers in their role as plan sponsors and fiduciaries.

Recently, numerous plan fiduciaries have been swept up in a wave of excessive fee litigation for failing to provide prudent investment options at a reasonable fee for plan participants—a trend that is likely going to continue and reach more retirement plans. Excessive fee litigation has pressured plan fiduciaries to renegotiate and monitor fees charged by service providers.

Due to reduced fees, service providers have turned to other options to expand their businesses. Some service providers are using participant data acquired through the administration of retirement plans to sell and market services unrelated to those plans.

There is no definitive case law or other legal guidance prohibiting or restricting service providers from using plan participants' personal information to cross-sell financial products. Nevertheless, there are several reasons plan fiduciaries may want to be wary of allowing such personal information gleaned from plans to be used for non-plan–related purposes.

Excessive Fee Litigation

Some of the claims in the excessive fee litigation cases against plan fiduciaries include fiduciary breaches for allowing excessive recordkeeping and investment management fees. Arguments that participant data is an Employee Retirement Income Security Act (ERISA) plan asset have fallen flat. However, several settlements for excessive fee cases have included terms that require a contractual restriction on the service provider's ability to cross-sell products or services not related to the plan or plan participants unless a participant first requests them.

Protecting participant data is becoming part of the solution to excessive fee cases because it helps mitigate the movement of plan assets from a lower-cost retirement vehicle (the retirement plan) to a higher-cost retirement vehicle (an individual retirement arrangement or IRA).

Fiduciary Duty and Personal Data

While the argument that participant data is an ERISA plan asset has not convinced courts, participant data still has value and plan fiduciaries must monitor the services of service providers, which are generally not plan fiduciaries. A fiduciary can determine that using participant data to sell non-plan financial services is an improper use of that data.

Plan sponsors may want to restrain what service providers do, including limiting use of participant data for purposes outside of the administration of the retirement plan. Participant personal data is valuable to service providers. Plan fiduciaries may monitor and prevent service providers from using the data in ways that were not intended.

DOL Audits

In its plan audit reviews, the U.S. Department of Labor (DOL) has asked for the uses of plan participant data. Specifically, the DOL is requesting documents and communications describing the use of participant data by the plan sponsor or any service provider for the direct or indirect purpose of cross-selling or marketing products and services.

The DOL is asking about cross-selling by service providers as part of its audit review, and it is likely formulating a position that will scrutinize the use of participant data in this context.

DOL Fiduciary Rule

Issued by the DOL in 2017, the Fiduciary Rule provided that retirement advisors must act in the best interests of their clients and make certain disclosures to their clients. The rule would have treated as fiduciaries service providers that recommended or solicited plan participants to roll over retirement plan assets. If a service provider was treated as a plan fiduciary, the service provider likely would not use plan participant data to cross-sell financial products unrelated to the plan because of the increased legal risk.

The Fifth Circuit Court of Appeals vacated the rule in March 2018, so it never went into effect. Nevertheless, the DOL is considering reviving the Fiduciary Rule. The DOL has its eye on

State Privacy Laws

Several states have passed consumer data protection laws, and others are considering them. These laws may require an additional layer of compliance for data maintained by service providers for plan administration.

Some state laws contain significant carveouts for employers and for the use of information for employment; however, plan retirement services are distinct from the individual retirement products marketed to participants through cross-selling, and these individual retirement services are arguably outside the scope of the employment relationship.

Plan fiduciaries that permit service providers to use participant information may be at risk of violating state privacy laws. Allowing cross-selling could raise significant compliance issues under state law for plan fiduciaries and service providers.

Risk Mitigation

A plan fiduciary's duty extends to limiting the plan's litigation risk. The law surrounding the use of plan data for solicitation purposes is unsettled, but as suggested by DOL actions and new state laws, this is an area of growing concern at both the state and federal levels. A fiduciary may direct the actions of the service provider and also may act to prevent unauthorized use of personal data.

Key Takeaways

Plan fiduciaries may want to draft language for plan service agreements that limits the use of participant information acquired while providing recordkeeping services similar to the provisions required in the excessive fee settlements. Whatever approach plan fiduciaries take in managing participant data, under ERISA, they are ultimately responsible for the management—and mismanagement—of their retirement plans.

Kevin L. Burch is a shareholder in the Indianapolis office of law firm Ogletree Deakins, and Matthew Hoffman is an associate in the firm's Indianapolis office. © 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C. All rights reserved. Republished with permission.

