DOL slashes info request for SECURE 2.0 lost-and-found database 

October 7, 2024

Retirement plan administrators may be relieved to see the substantially reduced information collection request (ICR) from the Department of Labor (DOL) relating to data necessary to establish the Retirement Savings Lost and Found database required by the SECURE 2.0 Act of 2022 (Div. T. of Pub. L. No. 117-328). Terminated participants will be able to use this online database to locate their lost retirement benefits. In a proposed ICR issued earlier this year, DOL anticipated asking administrators to furnish extensive historical information, but the agency submitted a narrower revised ICR after receiving significant criticism from commenters. Although complying with the revised ICR will remain voluntary, without the data collection, DOL anticipates finding itself unable to meet the Dec. 29 statutory deadline for establishing the database. The Office of Management and Budget (OMB) is reviewing the ICR and will accept public comments through Oct. 15 before deciding whether to approve it.

SECURE 2.0’s provision establishing the lost-and-found database requires plan administrators to provide plan and participant information for certain separated vested participants, starting prospectively with the 2024 plan year. The statutory reporting requirement — which isn’t covered by the ICR — is generally limited to individuals who received distributions of their plan benefits during the plan year. SECURE 2.0 makes no mention of how DOL should gather information on other groups of terminated participants, including those terminated in earlier years. DOL and many practitioners assumed much of the historical information would come directly from IRS, using data collected on Form 8955-SSA, Annual Registration Statement Identifying Participants with Deferred Vested Benefits. However, IRS declined to release the information to DOL, citing certain confidentiality provisions in the Internal Revenue Code. DOL then decided to request historical information directly from plan sponsors and administrators, but with no authority to mandate reporting, the agency proposed making compliance voluntary.

The proposed ICR would have requested extensive historical information on all separated vested participants and their designated beneficiaries, including benefit amounts and distribution dates, complete contact information, dates of birth and Social Security numbers. DOL also proposed requesting similarly exhaustive details on former separated vested participants whose benefits were mandatorily rolled over to an individual retirement account (IRA) or for whom annuities were purchased. The proposal would also have asked for current and historical plan, plan sponsor, and plan administrator information. DOL wanted administrators to report this information back to when the plan first became covered by ERISA (or as far back as possible).

The proposal generated significant pushback from the retirement plan community. Commenters stated that the proposed ICR greatly exceeded DOL’s authority under SECURE 2.0. They also said that complying with the request would be burdensome and expose administrators to potential liability for data breaches. In response, DOL revised the ICR to include only a small fraction of the information in the original proposal. As under the proposed ICR, reporting under the new request is voluntary.

Separated vested participants aged 65 and older. Now DOL is only requesting basic information for a more limited set of separated vested participants. The revised ICR seeks only the names and Social Security numbers of any separated vested participants ages 65 or older still owed a plan benefit. In the reporting instructions accompanying the revised ICR, DOL states that these participants include current separated vested participants as well as:

• Deceased participants who would be aged 65 or older if still living and whose beneficiaries are entitled to a benefit
• Those whose benefits have been conditionally forfeited due to the administrator’s inability to locate the participant or beneficiary
• Those whose benefits are in pay status

None of the documentation provided with the ICR explains exactly what DOL means by “separated vested participants aged 65 or older in pay status.” This presumably includes participants who have commenced only part of their benefit but have a separate entitlement to another benefit (for instance, participants who took a return of their employee contributions but have a deferred employer-provided annuity). Clarification would be helpful.

DOL explains that this reporting excludes terminated participants whose benefits were mandatorily rolled over to an IRA or for whom annuities were purchased.

Current plan information. The revised ICR requests only the following current plan, plan sponsor and plan administrator information from the most recent Form 5500, Annual Return/Report of Employee Benefit Plan:

• Plan name and number
• Plan sponsor name, employer identification number (EIN) and phone number
• Plan administrator information, including the name, EIN, in-care-of name (if applicable), phone number and address

DOL has created a direct electronic reporting portal for plan administrators or recordkeepers to upload the requested information via an Excel template. Once OMB approves the revised ICR, DOL will open the portal to the public. DOL cautions administrators not to report the information via EFAST2. (The proposal would have asked for the information as an attachment to the 2023 Form 5500, although DOL also said it was looking to develop a portal for this purpose.)

In the reporting instructions, DOL asks plans to file the requested information at least annually but preferably more frequently (e.g., quarterly) to keep the database up to date.

How plans will respond to this voluntary collection remains uncertain. The requested information still doesn’t conform to what administrators are legally required to provide under SECURE 2.0, and DOL has no authority to compel them to respond. Although DOL explains that the data will be protected by multiple security measures, administrators should consult their legal counsel about potential privacy and security risks associated with sharing participants’ personally identifiable information with DOL.

Moreover, the direct value of the database to most plan administrators is questionable: The database is meant to help individuals locate their lost pension benefits, but plans won’t be able to use it to track down missing participants. In an accompanying supporting statement, DOL admits that it can’t “estimate with great certainty” the number of recordkeepers willing to provide the information, However, the agency expects the 20 largest recordkeepers are the most likely to respond, subject to authorization from their client plan administrators. DOL also says that plan administrators may choose to file themselves — rather than relying on their recordkeepers — but expects that number to be small.

In its supporting statement, DOL acknowledges that commenters requested it continue to work with IRS and the Social Security Administration to obtain Form 8955-SSA data directly from one or both of those agencies. Although it’s unclear what circumstances might have changed after IRS’s initial refusal, DOL reports ongoing discussions with both agencies. In the meantime, DOL hopes plan administrators will furnish the requested information so the agency can meet its Dec. 29 statutory deadline for establishing the database.

• Submission for OMB review (Federal Register, Sept. 12, 2024)
• Lost-and-found supporting statement (OMB, Sept. 5, 2024)
• Lost-and-found upload template (OMB, Aug. 23, 2024)
• Lost-and-found instructions (OMB, Aug. 22, 2024)
• Galley mockup of ICR changes (OMB, Aug. 16, 2024)
• Div. T of Pub. L. No. 117-328, the SECURE 2.0 Act (Congress, Dec. 29, 2022)

• User’s guide to SECURE 2.0 (regularly updated)
• DOL seeks information for SECURE 2.0 lost-and-found database (April 30, 2024)
• Sifting through SECURE 2.0's Retirement Savings Lost and Found (Sept. 21, 2023)