DOL goes live with SECURE 2.0 lost-and-found data collection 

December 12, 2024

The Department of Labor (DOL) has launched a new online portal for retirement plan administrators to voluntarily report information about separated vested participants ages 65 and older who are still owed a benefit. An accompanying final information collection request (ICR) explains that DOL seeks this information to help establish the Retirement Savings Lost and Found database by the Dec. 28 deadline specified in the SECURE 2.0 Act (Div. T. of Pub. L. No. 177-328). Terminated participants will be able to use this database to locate their lost retirement benefits. The ICR announces a fiduciary safe harbor and nonenforcement policy aimed at placating filers’ concerns about potential liability for cybersecurity breaches and compliance with state privacy laws. DOL also confirms it won’t use information provided in response to the ICR for plan audits.

Separated vested participants ages 65 and older. The final ICR seeks the names and Social Security numbers of any separated vested participants ages 65 or older who are still owed a plan benefit, including:

• Deceased participants who would be age 65 or older if still living and whose beneficiaries are entitled to a benefit (however, the final ICR doesn’t request any beneficiary information)
• Those whose benefits have been conditionally forfeited due to the administrator’s inability to locate the participant or beneficiary
• Those whose benefit payments have begun, even if not missing or lost (i.e., this would include defined benefit plan participants already in pay status and defined contribution plan participants receiving required minimum distributions)

DOL is starting its collection with this limited group because it believes these individuals are likely to benefit sooner from a functioning database. This reporting excludes terminated participants whose benefits were mandatorily rolled over to an IRA or for whom annuities were purchased.

Updates for previously reported participants. DOL added a mechanism to the final ICR for plans to indicate when a previously reported participant’s benefit has been fully paid, including the date of the payment. However, the final ICR doesn’t explain how administrators could correct situations where a plan’s report included a participant by mistake.

Current plan information. The final ICR also requests the following information about the plan, plan sponsor and plan administrator as reported on the most recent Form 5500, Annual Return/Report of Employee Benefit Plan:

• Plan name and number
• Plan sponsor name, employer identification number (EIN) and phone number
• Plan administrator name, EIN, in-care-of name (if applicable), address and phone number

Online reporting portal. Plan administrators or recordkeepers can upload the requested information via DOL’s reporting portal using an Excel template. Filers must have an account with Login.gov and create a user profile. The online portal accommodates a recordkeeper submitting a single report covering multiple plans, as well as multiple reports for plans with more than one recordkeeper. DOL cautions administrators not to report the information via EFAST2 (as contemplated in the agency’s original proposed ICR).

Service providers must obtain client consent. Service providers, such as recordkeepers, must obtain a plan fiduciary’s authorization before reporting on a plan’s behalf. DOL instructs administrators and service providers to maintain documentation of this authorization in their records.

Reporting costs may be paid from plan assets. In response to commenters’ requests for clarification, DOL confirmed that administrators can use plan assets to pay the reasonable costs associated with voluntary reporting.

ERISA fiduciary safe harbor. DOL will deem administrators who follow the agency’s instructions for submitting the requested information to have met their fiduciary obligations for mitigating cybersecurity risks when voluntarily reporting. DOL also indicates that plan fiduciaries won’t have ERISA liability for the agency’s conduct if there are security failures involving the database in the future, but the agency stops short of agreeing to make plans and recordkeepers whole for any losses or indemnify plan officials in the event participants file a lawsuit.

Nonenforcement policy. Commenters on the proposed ICRs also raised concerns that state privacy laws may require plan administrators to obtain participants’ consent since reporting is voluntary (e.g., applicable privacy laws may allow disclosure when required by law, but whether voluntary reporting would meet that standard is unclear). DOL confirmed it won’t assert ERISA violations against administrators and service providers acting reasonably and in good faith for failure to obtain participant consent where required under state privacy laws. However, this nonenforcement policy is only binding on DOL and wouldn’t extend to state regulators or private parties, such as plan participants.

Participant privacy protections. The final ICR explains that each individual will need to have an account with Login.gov to search the lost-and-found database. The database will only display results relevant to the individual conducting a search, and no general list of information will be publicly accessible. DOL believes this measure will mitigate the risk of fraud. For the time being, participants can opt out of the database by submitting a request via DOL’s website.

Statutorily mandated reporting. SECURE 2.0’s provision establishing the lost-and-found database requires plan administrators to provide plan and participant information for certain separated vested participants, starting prospectively with the 2024 plan year. This statutory reporting requirement — which isn’t covered by the ICR — is generally limited to individuals who received distributions of their plan benefits during the plan year, including those whose benefits were mandatorily rolled over to an IRA or for whom annuities were purchased. (See Sifting through SECURE 2.0’s Retirement Savings Lost and Found (Sept. 21, 2023).) DOL will need to implement this mandatory reporting requirement, presumably by issuing regulations.

Information from other agencies. SECURE 2.0’s reporting requirement doesn’t encompass information for participants who terminated in the current plan year or in earlier years. However, plans already report that information to IRS on Form 8955-SSA, Annual Registration Statement Identifying Participants with Deferred Vested Benefits. Since the statue directs DOL to consult with Treasury to establish the lost-and-found database, many practitioners assumed this information would come directly from IRS, but the agency initially declined to release the information to DOL, citing certain confidentiality provisions in the Internal Revenue Code. DOL has continued its discussions with IRS and the Social Security Administration (SSA) and now believes it will be allowed to access this information for the lost-and-found database. Even so, DOL has concerns that Form 8955-SSA data may be “inaccurate, outdated, or incomplete,” particularly for terminated participants whose benefits have been fully paid and shouldn’t appear in the lost-and-found database. Accordingly, the agency encourages administrators to voluntarily report the information requested in the final ICR to “ensure the accuracy of information contained in the database.”

• Announcement of voluntary information collection request (Federal Register, Nov. 20, 2024)
• Fact sheet (DOL, Nov. 18, 2024)
• News release (DOL, Oct. 22, 2018)

• DOL slashes info request for SECURE 2.0 lost-and-found database (Oct. 7, 2024)
• DOL seeks information for SECURE 2.0 lost-and-found database (April 30, 2024)
• Sifting through SECURE 2.0’s Retirement Savings Lost and Found (Sept. 21, 2023)
• User’s guide to SECURE 2.0 (regularly updated)