Sifting through SECURE 2.0’s Retirement Savings Lost and Found 

September 21, 2023

Starting with the 2024 plan year, retirement plan administrators must begin reporting certain information about terminated participants to the Department of Labor (DOL) for a new Retirement Savings Lost and Found database required by the SECURE 2.0 Act of 2022 (Div. T of Pub. L. No. 117-328). DOL has until Dec. 29, 2024, to establish an online database that terminated participants can use to locate their lost retirement benefits. Sponsors will have to provide information so DOL can keep the database up to date but won’t be able to use it to track down missing participants. Reporting requirements include information already provided on the IRS Form 8955-SSA, Annual Registration Statement Identifying Separated Participants with Deferred Vested Benefits, as well as new details on mandatory rollovers and deferred annuity contracts.

Beginning with the first plan year starting after Dec. 31, 2023, administrators for retirement plans subject to the vesting standards in ERISA Section 203 (29 USC § 1053) will have to give DOL certain information regarding terminated participants. This requirement applies to qualified defined benefit (DB) and defined contribution (DC) plans, as well as Section 403(b) plans.

Much of the information required by SECURE 2.0’s lost-and-found provision already must be reported on Form 8955-SSA. Plan administrators use this form to comply with the annual reporting requirements of Internal Revenue Code (IRC) Section 6057(a). The form collects information about recently terminated vested participants, including their names, taxpayer identification numbers, and the nature, amount, and form of payment of their deferred benefits. Plan administrators must also report changes in plan status and may optionally update previously reported information, such as when a participant’s benefit will be paid from a different plan or when the participant began receiving benefits. The Social Security Administration (SSA) maintains this information and gives it to individuals when they apply for social security benefits.

Information reported on Form 8955-SSA falls into three categories:

• Plan information, including the plan’s name and the plan administrator’s name and address
• Changes in plan status, including a change in the plan’s name or the plan administrator’s name or address, termination of the plan, or the plan’s involvement in a plan merger, consolidation or spinoff
• Benefit distributions to participants during the plan year, including the name and taxpayer identification number of any participant (i) previously reported on a Form 8955-SSA whose benefit was fully paid out, (ii) whose benefit was mandatorily rolled over into an individual retirement account (IRA) under IRC Section 401(a)(31)(B) or (iii) on whose behalf the plan purchased a deferred annuity contract.

The lost-and-found provision requires plan administrators to report additional information for mandatory rollovers and purchases of deferred annuity contracts during the applicable plan year. For each terminated participant whose benefit was subject to mandatory rollover, plan administrators will have to provide the name and address of the designated IRA trustee or issuer and the participant’s account number. For deferred annuity contracts, plan administrators will need to provide the name and address of the issuer of the annuity and the contract or certificate number.

The new reporting requirements complement but don’t replace IRC Section 6057(a), so plan administrators presumably will continue to file Form 8955-SSA (or perhaps a successor form with a dual purpose). The statute doesn’t specify exactly when or how plan administrators will provide the required additional information, instead directing DOL to develop regulations on the timing, form and manner for reporting. DOL’s spring 2023 regulatory agenda indicates that the agency expects to begin meeting with stakeholders but offers no estimated timetable for regulations on these reporting requirements.

Whether DOL will piggyback off Form 8955-SSA or develop an entirely new form remains to be seen. Regardless, plan administrators who already routinely use Form 8955-SSA to report changes to participants’ benefit entitlements will need to gather some additional information relating to participants who received mandatory rollovers or for whom the plan purchased a deferred annuity contract.

Plan administrators will first have to report information for participants who receive a benefit distribution in the plan year starting in 2024. The law doesn’t appear to require reporting of a plan’s current census of terminated vested participants or distributions previously reported on Form 8955-SSA. Instead, the act instructs DOL to create the database “in consultation” with IRS. Presumably, DOL will establish the initial database using information previously reported on Forms 8955-SSA and use subsequent reporting from plan administrators to update the lost-and-found registry. However, previously filed Forms 8955-SSA wouldn’t include the additional reporting elements for mandatory rollovers and deferred annuity contracts, raising questions about whether and how DOL might try to gather that information.

Recent DOL investigations have often focused on missing participants, and the agency has issued best practices for plan sponsors and administrators trying to locate these individuals. But administrators won’t be able to use the new database to help with this process: The lost-and-found program is intended solely to provide individuals with contact information so they can claim their retirement benefits. The program won’t gather any participant information that might help plan administrators track down missing participants. In fact, plan administrators and sponsors apparently won’t have any access to the database at all. The information will be accessible only to participants and DOL employees assisting participants, apparently preventing the agency from using this data in retirement plan audits and investigations.

Cybersecurity in retirement plans is another area of recent DOL enforcement activity. The Retirement Savings Lost and Found database may raise new concerns about bad actors using information gained though cybersecurity breaches to fraudulently obtain missing participants’ retirement benefits. While SECURE 2.0 requires DOL to “take all necessary and proper precautions” to protect this participant information, the agency hasn’t discussed any steps to confirm the identities of individuals using the database. DOL must also allow individuals to contact the agency to opt out of the database altogether. Whether these protections will be sufficient to deter potential fraud remains to be seen.

• Div. T of Pub. L. No. 117-328, the SECURE 2.0 Act of 2022 (Congress, Dec. 29, 2022)

• User’s guide to SECURE 2.0 (regularly updated)