DOL seeks information for SECURE 2.0 lost-and-found database 

April 30, 2024

In a new proposed information collection request (ICR), the Department of Labor (DOL) lays out the information regulators seek to collect from retirement plan administrators to establish the Retirement Savings Lost and Found database required by the SECURE 2.0 Act of 2022 (Div. T. of Pub. L. No. 117-328). Terminated participants will be able to use this online database to locate their lost retirement benefits. DOL hopes plan administrators will voluntarily provide extensive historical information — much of which goes beyond what the act requires — to help the agency meet its Dec. 29 deadline for setting up the database. If the ICR is approved substantively intact, sponsors will need to carefully consider whether to provide the requested data, including discussing with legal counsel any potential risks under applicable privacy laws. Comments are due June 17.

SECURE 2.0’s provision establishing the lost-and-found database describes its purpose as to “allow an individual to search for information that enables the individual to locate the administrator of any plan … with respect to which the individual is or was a participant or beneficiary, and provide contact information for the administrator of any such plan.” Consistent with this purpose, administrators must provide plan information and participant information for certain terminated vested participants beginning with the 2024 plan year.

Reported plan information includes up-to-date contact information for the plan and administrator, including notice of any changes since the prior year or events like mergers or spinoffs. Reported participant data is generally restricted to the participant’s name and taxpayer identification number. Plan administrators already report most of this information on IRS Form 8955-SSA, Annual Registration Statement Identifying Separated Participants with Deferred Vested Benefits, with one exception: The act requires administrators to report contact and account/contract information for benefits that were mandatorily rolled over to an individual retirement arrangement (IRA) or for which an annuity contract was purchased.

The new reporting requirement is generally limited to individuals whose benefits were distributed from the plan during the year. The act makes no mention of how DOL should gather information on other groups of terminated participants not specifically covered by the new reporting requirements, such as newly and previously terminated vested participants whose benefits haven’t yet been distributed and participants whose benefits were distributed before the 2024 plan year. Many practitioners — and DOL itself — assumed the information for these other participants would come directly from IRS, using data collected from Form 8955-SSA, leaving DOL to collect only the additional information not reported on that form.

Despite expectations, IRS has now indicated that it won’t authorize releasing the data to establish the lost-and-found database due to the Internal Revenue Code’s confidentiality provisions for returns and return information. While SECURE 2.0 directs DOL to establish the database “in consultation with” the Treasury Department, the act contains no provision authorizing IRS to share tax information with DOL.

Without IRS’s historical data, DOL apparently has little choice but to request information directly from plan administrators. Since SECURE 2.0 grants the agency no authority to compel reporting for plan years before 2024, DOL is requesting that plan administrators voluntarily report a significant amount of historical information to help build the database. (The ICR doesn’t address how DOL will implement prospective reporting.)

SECURE 2.0 requires that plan administrators report only a participant’s name and tax identification number. The provision does not require plan administrators to report a participant’s date of birth or contact information, other information about the participant’s benefit, or information about the participant’s designated beneficiaries. However, the information requested in the proposed ICR extends well beyond the statute’s scope (and existing Form 8955-SSA reporting requirements).

In addition to the statutorily required information, DOL proposes requesting historical plan information from plan administrators (or their authorized representative), including:

• The plan’s previous names and plan numbers and the date of the changes
• The name and employer identification number (EIN) of any prior plan administrators and the date of the change
• The name and EIN of any prior plan sponsors if different from the plan administrator and the date of the change

The ICR also seeks the following additional information on terminated vested participants:

• For each terminated vested participant, the date of birth, contact information (mailing address, email address and telephone number), and the “nature, form and amount of benefit”
• For those whose benefit has been fully paid out in a lump sum or another manner, the date and amount of distribution
• For those whose benefit is reported as an annuity — apparently including participants who retired from terminated vested status, but not those who retired from active status — whether the benefit has started and if so, the start date of the annuity, and the monthly benefit
• For those past normal retirement age who have not responded to plan communications or whose contact information in the first bullet may no longer be accurate, the participant’s name, date of birth, Social Security number (SSN), and the same contact items sought in the first bullet
• For those whose benefit was transferred to the plan, the name and plan number of the transferring plan and the date of the benefit transfer
• For any designated beneficiary of a terminated vested participant, the name, date of birth, contact information (mailing address, email address and telephone number), and SSN

DOL also requests similarly exhaustive detail on former terminated vested participants whose benefits were mandatorily rolled over to an IRA or for whom annuities were purchased. In addition to the statutorily required basic information for these individuals — which includes only identifying information for the participant, the institution holding the funds, and the account or contract number — the proposal requests information like complete contact details for each participant and designated beneficiary, their dates of birth, and the benefit amount distributed.

The act’s reporting requirements apply prospectively beginning with the 2024 plan year. However, to establish “the most effective” database possible, the ICR would request data back to when the plan become covered by ERISA. For some plans, that could extend as far back as the law’s enactment 50 years ago. DOL recognizes that some plans may not have maintained full historical data but nonetheless encourages plan administrators to provide whatever data is available as far back as possible.

DOL proposes that plan administrators will provide this information in an attachment to the 2023 Form 5500, Annual Return/Report of Employee Benefit Plan, which is generally due the last day of the seventh month after the end of the 2023 plan year. (Plans can get an automatic 2-1/2–month extension — from July 31 to Oct. 15 for a calendar-year plan). DOL notes that although filed with Form 5500, the attachment would not be part of the 5500 filing, which is publicly available. DOL says it is also looking to develop an electronic filing portal so administrators can directly provide the information via an Excel template that DOL will make available.

Given the breadth of the data requested and the extent of details exceeding what the act specifies, DOL will likely receive considerable comments. The agency’s response to that feedback may change the scope of the final ICR. But if the final request is substantively similar to the proposal, plan sponsors and administrators will need to decide whether — and to what extent — to provide the requested information.

SECURE 2.0 requires DOL to “take all necessary and proper precautions” to protect individuals’ personal information contained in the database. The proposed ICR explains in general terms how DOL will safeguard the participant data. The agency says it will encrypt the data at all times — both at rest and during transmission — and will employ extensive logging and monitoring mechanisms as well as data-masking techniques. Public users will have no access to sensitive data, and government access will be strictly controlled. However, the proposal doesn’t address how the program will let individuals voluntarily opt out of the database, as required by the statute. Sponsors should consult their legal counsel about potential privacy and security risks associated with sharing the requested data with DOL (e.g., applicable privacy laws may allow disclosure when required by law, but whether voluntary reporting would meet that standard is unclear).

DOL maintains a separate initiative called the Terminated Vested Participant Program (TVPP) to help ensure that terminated vested participants receive the benefits to which they’re entitled. Through the TVPP, the agency investigates plans that appear to have systemic issues keeping track of former participants and paying benefits when due. Although SECURE 2.0 limits DOL’s use and disclosure of lost-and-found database information to help individuals seeking their benefits, the ICR appears to suggest that DOL also intends to use this additional data for TVPP.

Though DOL admits that it doesn’t have authority to compel administrators to provide data beyond the limited items specified by SECURE 2.0, the agency points to its “general authority to investigate and collect information” under other sections of ERISA. DOL also believes plan administrators that follow best practices should already have much of the requested information easily available. The proposal stops short of saying whether failure to voluntary report might trigger an investigation.

• Proposed information collection request (Federal Register, April 16, 2024)
• Div. T of Pub. L. No. 117-328, the SECURE 2.0 Act (Congress, Dec. 29, 2022)
• Missing participants — best practices for pension plans (DOL, Jan. 12, 2021)
• Compliance assistance release 2021-01, Terminated Vested Participants Project Defined Benefit Pension Plans (DOL, Jan. 12, 2021)

• User's guide to SECURE 2.0 (regularly updated)
• Sifting through SECURE 2.0's Retirement Savings Lost and Found (Sept. 21, 2023)
• DOL issues guidance on missing participants (Jan. 19, 2021)