Welcome to Pensions, Benefits & Investments Briefings, Nossaman’s podcast exploring the legal issues that impact governmental, private and non-profit pension systems and their boards. Be sure to subscribe wherever you listen to podcasts so you don't miss an episode!
- Reflections on the Demise of the SEC’s Private Fund Adviser Rules: LP and GP Perspectives
In this episode, Nossaman's Yuliya Oryol and guests Chris Hayes and Jason Mulvihill provide LP and GP perspectives on the SEC’s Private Fund Adviser Rule. Chris and Jason were deeply involved with the proposed Rule – one worked with ILPA on behalf of the LP community to lobby the SEC to adopt the Rule in order to help institutional investors in their negotiations with GPs, while the other worked with the AIC on behalf of the GP community and was instrumental in expressing GP objections and opposition to the Rule and developing the successful litigation to challenge the Rule.
After extensive advocacy by the Institutional Limited Partners Association (ILPA) and others on behalf of the Limited Partner (LP) community in support of stronger regulation of private funds, the Securities and Exchange Commission (SEC) adopted the Private Fund Adviser Rule (Rule) on August 23, 2023. The Rule consisted of five new rules: the Private Fund Audit Rule, the Quarterly Statements Rule, the Restricted Activities Rule, the Adviser-Led Secondaries Rule and the Preferential Treatment Rule, plus two rule amendments addressing annual compliance documentation and retention of books and records.
However, on June 5, 2024, a three-judge panel of the U.S. Court of Appeals for the Fifth Circuit unanimously vacated the Rule. The Fifth Circuit held that the SEC exceeded its statutory rulemaking authority under the Investment Advisers Act of 1940 in adopting the Rule. The SEC could have asked for a rehearing en banc in the Fifth Circuit or it could have appealed the decision to the U.S. Supreme Court. Instead, the SEC determined not to do anything further to ensure survival of the Rule. As a result, the Rule is dead - at least for now and the foreseeable future.
Transcript: Reflections on the Demise of the SEC’s Private Fund Adviser Rules | LP and GP Perspectives
0:00:00.0 Yuliya Oryol: Welcome to another episode of Pensions, Benefits and Investments Briefings. My name is Yuliya Oryol. I'm a partner at Nossaman and Co-chair of the Firm's Pensions Benefits & Investments Practice Group. For over 25 years my legal practice is focused exclusively on the investor side and public and private market transactions. The majority of the practice group's clients are public pension systems and other institutional investors who invest in private funds as limited partners or LPs. This episode will provide our listeners with LP and GP perspectives on the SEC's Private Fund Adviser Rules. The rule would have imposed significant new compliance and regulatory requirements on private fund advisors. The rule is actually five new rules, the private fund audit rule, the quarterly statements rule, the restricted activities rule, the advisor led secondaries rule and the preferential treatment rule plus two rule amendments addressing annual compliance documentation and retention of books and records.
0:01:05.8 YO: The private fund adviser rule was adopted by the SEC on August 23rd, 2023. Not surprisingly, it was challenged by the GP community and on June 5th, 2024, a three judge panel of the US Court of Appeals for the Fifth Circuit unanimously vacated the private fund adviser rule. The Fifth Circuit held that the SEC exceeded its statutory rulemaking authority under the Investment Advisers Act of 1940 in adopting the rule. The SEC declined to request a rehearing en banc at the Fifth Circuit, and it also did not appeal the Fifth Circuit's decision to the US Supreme Court. In fact, the SEC had until early September, 2024 to do so, and the deadline has now passed. The SEC said that it's proud of the rule and the benefits it would have conferred to the investors and private funds. It also stated that the agency has made a strategic decision to focus its resources on adopting and implementing other items on its rulemaking agenda.
0:02:10.7 YO: It indicated that it was disappointed with the Fifth Circuit's decision, and I know many LPs including Nossaman clients are disappointed as well. Today, we will gain insight from two experts who are deeply involved with the proposed rule. Our speakers are Jason Mulvihill and Chris Hayes. Jason is the founder and president of Capital Asset Strategies. He previously served for 12 years as the General Counsel, head of Government Affairs and Chief Operating Officer of the American Investment Council, AIC, which represents the leading private equity and private credit GPs. Jason's role at AIC included leading the GP engagement with legislatures and regulators. He developed the AIC successful litigation strategy on the SEC private fund advisers rule, and was instrumental in supporting the GPs in their efforts to challenge the rule. Jason is joined by Chris Hayes, his business partner, who serves as the managing partner of Capital Asset Strategies.
0:03:10.5 YO: Chris led the policy and legal best practices efforts as the head of policy at the Institutional Limited Partners Association, ILPA from 2017 to 2022. ILPA represents over 650 institutional LPs invested in private funds globally. Chris spearheaded the legislative and regulatory efforts at ILPA to achieve the policy changes that resulted in the SEC private funds advisers rule. Chris also previously served as general counsel at the Small Investor Alliance, working on behalf of middle market GPs. Their firm Capital Asset Strategies is a policy and regulatory consulting firm that provides bespoke government relations, regulatory guidance, due diligence and strategic engagement services to clients in the financial services and digital asset industries.
[music]
0:04:13.5 SI: Welcome to Pensions, Benefits & Investments briefings, Nossaman's podcast, exploring the legal issues impacting governmental, private and nonprofit pension systems and their boards.
0:04:35.2 YO: I am really excited to speak with Chris and Jason today and to hear their unique perspectives, reflections on lessons learned, as well as discuss with them their thoughts on how institutional investors and private fund advisers should move forward in their interactions and negotiations of private fund terms. Given what has happened with the rule, I think we should start first with Chris to discuss the reasons why this rulemaking came about. Chris, can you share with us a little bit about the origin of the SEC private fund adviser rule and also ILPA's role in pushing for reforms to the investment advisers act?
0:05:10.9 Chris Hayes: Sure. Thanks Yuliya, and thanks for having me here along with Jason. Many people maybe don't understand a little bit of the history here before the private fund adviser rule was proposed and there's a little bit of history before that happened, and it really starts with sort of ILPA's role in representing its LP members. So, I think when many folks who work at ILPA, including myself, sort of thought about ILPA's role of helping LPs, it's really about how do we help our members achieve higher returns in the alternate investment space, particularly private equity, and achieve that with sort of less downside risk. Whether that's in terms transparency, governance, et cetera, in the fund agreements in particular. And my role there was really at the forefront of two of those items, which really around best practices, which is essentially encouraging all of ILPA's members to push for certain standards certain minimum standards around transparency, governance, alignment of interest in their fund agreements and the idea being that representing a large number of folks in the market will result in a meaningful improvement in the fund terms that all LPs will be able to receive small or large in the marketplace.
0:06:19.2 CH: And the advocacy work was really the other end of the coin, which is really about how do we ensure that the SEC continues to have sort of oversight over the managers that LPs are investing in to make sure that we have someone looking over the shoulder of GPs where maybe we don't have the particular information access or specific rights to access that information and that we have service someone keeping them, making sure they're following the rules and following the fund agreement in addition to ourselves. And then also thinking about, how do we potentially push forward to achieve a certain number of required standards in the investment advisers act, which governs these managers, which were given capital to. And for a long time when I joined ILPA, we were in sort of a defensive mode trying to prevent rollbacks to SEC oversight of these funds.
0:07:12.3 CH: And we were pretty successful in doing that because we thought, the SEC's role was important and certain rules that touched the investment contract were critical, and there were various legislative items to kind of remove the registration requirement or roll back some of the rules under the registration requirement. And we were successful in defeating those. Somewhere along the way, after many conversations with, particularly in-house legal counsel at LPs, external legal counsel like yourself, Yuliya, there's sort of a consistent concern about some of the provisions of the terms, and much of those really revolved around transparency and governance terms. So fiduciary duty provisions, having to negotiate to receive the ILPA fee template, for example, other sort of basic things that we thought were basic minimum standards. And so the idea sort of developed to think about how could we essentially go to improve the market for LPs through making some of these requirements mandatory in the fund agreement or requiring that, fee and expense reporting information would have to be acquired rather than requested in the negotiation process.
0:08:13.5 CH: And so originally that idea really took the shape of a legislative effort, and we tried around 2019 to try and move that forward, but it was sort of overshadowed by other actors in the political space that wanted to go much further than ILPA did. In terms of, we were seeking some pretty modest reforms around some of the items I just mentioned. We had a draft legislation called the Investment Adviser Alignment Act that we tried to move forward, but it was overshadowed by efforts by Congress to move something that was much more holistic that included many provisions that we actually thought would prevent LPs from receiving the returns from the investment in the first place and went a bit further. And so that sort of sucked a lot of the air out of the sails of us to move that forward. And ultimately the legislative strategy was not really potentially achievable.
0:09:02.9 CH: And so we started thinking about other ways in which we could encourage some movement on these issues. In addition to continuing our best practices work with LPs, continuing to organize LPs to try and negotiate as a group to get better results in their fund agreements. And obviously this was also a time where it was a bit more of a seller's market in the private fund space. We saw an opportunity when the Biden administration came into power that there might be a more amenable SEC to doing some of these things through rulemaking where we believe they had some existing authority to do these things, but also would be limited on how far they could go to not do the things that we thought were problematic. And obviously when you ask government to do anything, what comes out of it is a bit imperfect, but kind of that just kind of goes with the territory of, using a blunt instrument to solve some of these problems.
0:09:53.1 CH: And so after many efforts of educating, talking to the SEC, talking to folks in Congress about these issues, we were excited to see that chair Gensler at the SEC had taken on these positions and was interested in doing something which ultimately resulted in the private fund adviser rule that we saw come out and be proposed in 2022. Right, actually before I left ILPA. And so that is really sort of why these rules came about, because there was some political support to do that with the new staff and leadership at the SEC. There was a lot of education that was done from the LP and ILPA perspective about some of the challenges in the marketplace, particularly around negotiating fund agreements and concerns that we had heard repeatedly from our members, predominantly on the legal teams at LPs in their outside legal counsel about the significant slip in terms that we had seen since the global financial crisis.
0:10:48.3 CH: And this was really an effort to try and attack this from a different angle. That's really, I think from the ILPA perspective, from the LP perspective, where many of the rule kind of came from, and I think many people aren't fully aware of maybe that effort and why that happened, which was something that was actually, brought to the ILPA board and they thought it was an effort that we should look at trying to advance forward. And I think actually LPs were somewhat surprised that it was achieved and was proposed. And so that maybe resulted in sort of the LP perspective on the rule in being sort of surprised that this rule had popped up.
0:11:23.7 YO: No, I totally agree with you Chris. Many LPs were surprised how it played out and hopeful, really hopeful that there would be some change as a result of rules with the way LPs and GPs interact. But I'm curious what Jason thinks about what has come down and if he could share out his experience from the GP perspective on how the GP community responded to ILPA's efforts in Congress and at the SEC.
0:11:50.9 Jason Mulvihill: Happy to Yuliya and again thanks again for allowing me to join this conversation. I think to contextualize the objections to the rule from GPs, I think it's important to start off with the fact that GPs view LP/GP cooperation and the fund investment negotiations as really the best way to work out contractual differences and preferences among sophisticated parties, all represented by sophisticated counsel. If an LP does not like the terms it's getting for prospective investment in one of the funds, it has many other options of funds to invest in. And many other GPs with proven track records will be willing to negotiate with them. The LP has a lot more leverage in this process than many who were pushing for this rule were prepared to fully acknowledge. And I think the basic relationship between LPs and GPs over the long term that has been obtained through negotiation has been very, very productive for LPs.
0:12:41.6 AM: For most of the last 40 years, private equity has been the best performing asset class for defined benefit pension plans, insurance companies, university endowments, sovereign wealth funds, and many other sovereign sophisticated investors. The system works well overall, and if it isn't broke as the saying goes, don't fix it. I think it's also probably relevant to note that the battles over increasing regulation of the LP/GP relationship have, as Chris pointed out, taken on many forms over the past 10 years. Some of it had perhaps been driven by a regulator who wanted more power, even if not authorized by Congress. Over time, I think GPs had expressed objections to various pieces of extreme legislation on this topic. Chris had sort of alluded to some of the proposals like the Stop Wall Street Looting Act and the Draft Investment Adviser Alignment Act. Those bills did not advance and GPs have also actively engaged with the SEC throughout this time.
0:13:40.8 AM: When the SEC clarified standard of conduct for investment advisers and their fiduciary duties in 2019, 2020, we spent a very active time engaging with the SEC there. And we know that there were some efforts to try to change obligations to sort of reflect contractual preferences in that process. As the saying goes, obviously elections have consequences and Chair Gensler and his team, I think it would be fair to say were very skeptical from the word go about the private equity business model. Some would say they were downright hostile to it, and GPs, I think realized and understood in this environment that they would have to tell, their side of the story in Congress and that the regulators, even though we all realized that the SEC under chair Gensler had an agenda in mind on this topic from the start. So in addition, we had to try to keep the regulators educated and honest about the practical challenges of their proposal.
0:14:35.0 AM: We filed extensive comment letters that highlighted the many substantive flaws with the proposal, and we were pleased that several former SEC commissioners, chairman and chief economists from both Democratic and Republican run SECs had expressed serious concerns about the proposal and the failures of the economic analyses that accompanied the rule. Many members of Congress, including leaders from the Congressional Black Caucus, also expressed concern about the slipshod economic analysis that underlaid the rule and of its perhaps unintended consequences, particularly for smaller firms and minority run firms. GPs, I think, recognized in the context of this fight that they had to preserve the option to litigate against the rule if it was as extreme as it turned out to be. And they did so. When the final rule was released the decision to pursue litigation, I think was clear for a lot of people because of the lack of legislative authority to do what the SEC was doing.
0:15:35.0 AM: And secondarily because the Administrative Procedure Act has requirements, and I think there was a strong consensus amongst many legal community that the APA at least in regards to this rule, there were several violations at play. And so from a GPs perspective, the Fifth Circuit directly determined that the SEC lacked congressional authority to make the rule. Congress does not hide elephants in mouse holes as the saying goes. And the court did not even have to reach the APA issues raised in the rule because the lack of statutory authority. So, to sum up this fight was a marathon and not a sprint. And I think GPs stayed focused on obtaining the right policy outcome throughout. With all of that said, I think GPs remain as open and excited as they always are to work and find creative solutions for LPs to ensure that LPs are happy to invest along with them in growing and strengthening businesses throughout the economy.
0:16:35.2 YO: Thanks, Jason. As someone who represents exclusively LPs, I think it's fair to say that the majority of my clients supported the rule, at least they support some regulation to help their negotiations with GPs. I do have to admit that some LPs had mixed feelings about the rules, and they were concerned that perhaps the rule may hurt their ability to negotiate side letters, especially for the public pension systems who regularly negotiate side letters because there was a proposal on restricting preferential treatment, and as you alluded Jason to the cost of enforcement and the possibility that it would leave some players, some GPs out of a market because it would make it too expensive for them to participate, maybe such as emerging managers who couldn't afford the back office operational costs involved.
0:17:29.7 YO: I'm curious to see what you, Jason, and also Chris, think about why LPs had mixed feelings about the rule, and particularly from Chris, I would be interested in hearing about what you heard from the LP community in terms of the support. Would the result have been different if the LPs perhaps more vigorously supported the proposal, perhaps the divide between the investment staff and legal staff and some institutional investor communities also caused issues with the rule? So I'm just curious to discuss what you both think about how this rule could have played out differently if there was more support from the business and the legal community behind it.
0:18:11.6 CH: As many LPs know, the LP world is sort of a big tent. You obviously have a very diverse membership ILPA, but you also have a diverse group of LPs generally, right? All sorts of different types of institutions, different motivations, different commercial models engaging in this marketplace, all competing for allocation with specific managers. And then you have different views among those leaders, whether they're investment staff or legal staff, whether they're enmeshed in the terms, whether they're at an organization that is achieving the terms it wants in its side letters or strategic arrangements with managers or not. And all of that I think really comes into play with, how the engagement on the private fund advisor rule came out. Touching on a few of those items, I think, first and foremost sort of education, right? So when this rule came out, first of all, it was sort of unexpected as we mentioned before. And I think even though we were engaging on it, it was sort of a surprise that this was actually going to happen and that actually the regulatory environment for private funds could change. That sort of created some anxiety in the LP community, right? So a lot of LPs by nature are somewhat risk averse to changes in the market. And as you pointed out they're concerned about, hey, how will I invest in the future?
0:19:33.9 CH: How will this impact my access to managers? How will this impact my ability to deliver to my beneficiaries, wherever they might be, and sort of my return profiles and risk profiles? And will I get the same deal that I've been getting and expecting to get, depending on my institution size and influence in the market? And I think this will obviously present a significant amount of uncertainty to market participants and LPs about what that market would look like once the rule came into force, particularly, as you noted, the preferential treatment provisions where many LPs were sort of exerting their energies to achieve the results they wanted. And the reason those provisions were put in the rule was really a result of sort of this belief that the SEC had about that a rising tide would lift all boats, and that essentially, the terms in the agreement would be improved by larger LPs using their negotiation power to improve the overall document. And that negotiation power had been diluted by side letters so that smaller LPs would not achieve the benefits in the fund agreement. And we can discuss whether that's actually true in the market or not, but that was really the rationale, really backed up by a lot of the academic research that the SEC was relying upon.
0:20:50.7 CH: And ILPA's membership is made up of a wide variety of large and small members. Large members who maybe are achieving a lot of what they wanted to achieve in the side letters or through particular strategic partnerships across multiple funds with GPs, and what were the implications for that? And smaller LPs who maybe would achieve more economic insights and information access than they would have previously, which really gets at some of the challenges we had seen around fund term transparency in the market, given that all these fund agreements are secret documents. And so I think that was certainly a driver of that anxiety and a division between large and small LPs. Overall, I think, as you noted, most LPs were supportive, at least from some of the polling I had seen, but larger LPs, I think, potentially had a bit more trepidation in the space. There's also individuals, right? So individuals who lead these organizations on the investment side may have different views about government regulation, and those are valid views, right? So when you think about, we have registered funds that solves a lot of the problems this rule addressed, and there's a reason we moved away from registered funds due to their cost and inefficiency and inability to do certain investment strategies to private funds.
0:22:02.2 CH: And the question is, how much regulation should be on a private fund? And ultimately, LPs pay the cost of that regulatory compliance. And what is the right balance of government involvement in this space? And I think there's a lot of different views with people's different political views, et cetera, investment views about that. And then lastly, I think there's a relationship aspect to this, right? So many LPs, particularly on the investment side, are having more regular interaction with their peers who are partners at GPs, and they have good personal relationships. And they say, "Look, I really like working with this particular GP. We're in a partnership together. I feel really confident." And I think this dynamic actually spreads more broadly in the industry beyond just these rules that, "Hey, I consider the LPA really a break the glass quote type document," and the terms are less important here.
0:22:47.3 CH: Whereas if you think about legal teams at LPs, and I think there's a real divide between legal and investment teams, and LPs should be thinking about how to bridge that divide and make sure there's more sharing of information. Legal teams are solely focused on the fund agreement and thinking about the downside risk of the terms in the agreement. Whereas investment folks are more focused on this firm can generate X return and, okay, if I have to take some risk here on the downside side, I'm less concerned about that because the upside I'm getting. And I think one of the fundamental challenges that we've seen, particularly among data, is the ability for that fund agreement and what those terms mean and the downside risk of those terms to be considered more upfront when the investment decision is being made in particular LP organizations.
0:23:32.5 CH: And so I think all of those things resulted in a mixed reaction to the rule, which blunted the ability for ILPA or others to be effective, vigorous champions of the rule. For good or worse, obviously, there's a lot of concerns about those rules, and maybe that's okay. There were a variety of efforts that ILPA did do to obviously educate its members, which I thought was great. Obviously, organized letters to support it with a number of institutions signing on themselves, which I actually thought took a lot of courage for many LPs.
0:24:05.4 CH: It's always challenging to get LPs to sign on to those letters, given their concerns about alienating their GP partners and risking their allocations for supporting that regulatory change. And so I think that sort of shows why you had this mixed reaction. And that mixed reaction, I think, did a couple of things politically. First, you had an SEC and leaders of the SEC who sort of expected LPs to come out vigorously support the rule, and they were expecting that, and they didn't get the vigorous support that they expected. So that challenged some of the relationships with the agency and with folks on the Democratic side of the aisle that maybe would be more supportive of LP positions now and in the future. I think the second element that it impacted was GPs felt that LPs were divided, and therefore, it allowed them to more effectively challenge the rule, because they were able to point out that many LPs didn't like it either.
0:25:02.0 CH: And I'll note that the GPs had taken a pretty broad set of ideas into that rule proposal that was much more broad than even LPs had anticipated or asked for. And so that created its own concerns. So I think all of those elements are sort of why we saw the response we did and why we saw maybe GPs feel more comfortable with such a vigorous response. But obviously, Jason would know more about that.
0:25:27.5 AM: I'm happy to weigh in just for a few minutes. I know we have a couple of other questions. But to me, I think the mixed review that the rule received from LPs sort of underscored both the sorcerer's apprentice problem with running to the SEC to try to get contractual preferences enacted into law, and also, funnily enough, the benefits that negotiations between sophisticated parties yield. I mean, every LP is different, just like every GP is different. And a lot of times, LPs have very unique demands and issues that they need to resolve when they're going to make an investment.
0:26:01.4 AM: And I think, frankly, over time, sure, I'm sure there's counsel on both the LP side and the GP side that are not always thrilled with how one particular provision or an LPA comes out or another. But overall, the parties reach an agreement, or if they don't, LPs are under no obligation to invest with a particular GP. And that's as it should be. And I think sort of what happened was, I think that sort of the process that played out here, and I think the understandable concern that some LPs expressed about, you know, wondering, well, is this really what they were hoping for? And might they end up living in a reality that's actually worse than being able to sort of negotiate freely with other sophisticated parties for investment, and rather than being sort of restrained by a government mandate that the SEC didn't even have statutory authority to enforce. So, again, I think at the end of the day, the fact that there was some LP disagreement on parts of the rule is just indicative of the fact that it's very difficult to get government and sort of, kind of parse different provisions of a contract. And it's probably not the way government should be involved.
0:27:16.4 YO: Jason, do you think that the GP community sees the LPs as not being united in general? And does that play to their advantage in negotiating with LPs?
0:27:28.2 AM: I don't know that I would make a broad statement on that one way or the other. I will say this, that obviously, every time a GP raises a new fund, they negotiate, often extensively, with a wide variety of LPs who come to the table with different investment goals, different objectives, and also different on the legal side, different provisions that they care about for a wide variety of reasons. And I think by and large, LPs and GPs are willing to sort of negotiate and hash out and work in good faith to try to find, a solution that will encourage an LP to invest in a particular fund and the GP to have confidence that when they manage that fund and direct that fund, that it will yield great results for the LP and for the businesses in which they invest. So I don't know that GPs, every GP is different too. It's not like every GP is a carbon copy of the other. And I think just the nature of the types of investing that you're doing here, which is not retail investing, right? This is sort of sophisticated investing in illiquid assets in operational businesses over a long time window, sometimes three, five to seven, eight, nine years, depending on the business.
0:28:38.1 AM: I think it needs a relationship that's governed by contract that where there can be some consensus that's reached after sophisticated parties negotiate in good faith. And so I think from a GP perspective, I think most GPs would say it's better to negotiate in good faith with your sophisticated investors rather than have to sort of fit into a straitjacket that looks an awful lot like a RICS, but not allowing those LPs or GPs to contract to their specific concerns.
0:29:09.7 YO: Chris, I want to start with you and I afterwards would like to hear Jason's thoughts on this point as well. Do you think there was a chance that the rule proposal did not push forward on so many different issues or relied on different legal authorities? It might not have been challenged or struck down on litigation. I mean, what do you think the results would be for future rulemaking or legislation in this area?
0:29:31.7 CH: I think what's unique about the rule is it relied on a never tested provision in Dodd-Frank that appears sort of clear on its face that it would allow the SEC to have this authority, but had not exercised before, but was in a section that was really focused on retail investors. And I think it really was up to the particular circuit, obviously in this case, the Fifth Circuit, which is generally skeptical of agency rulemaking in general. So you would expect them to have a particular perspective on this. So I think if the rule had been brought in a different jurisdiction, a different circuit, perhaps the court could have interpreted it differently. I think that's possible. Although obviously the challenge was designed to be brought in the Fifth Circuit. I think if the rule was not so thorough, covering so many different issues, I do think there's the potential that the GP community might have accepted the rule. So for example, if you had just pushed forward on the fee template where many, I think the data was about 62% or something was the data we had of adoption by GPs in the market about the ILPA fee template.
0:30:42.2 CH: If the fee reporting and performance reporting requirements had been the only thing in that rule, perhaps the GP community would have been okay with that because they would have felt, "Hey, are you doing some of this already? Maybe it's not worth challenging it, upsetting our LPs," et cetera. And so I do think if the rule had been proposed with less items in it, potentially it might have moved forward without a litigation challenge. And secondly, if it had relied on not this new authority, although I'm not actually sure what other authority they would have had to be able to use, they did rely on older authority and rule 206, which also wasn't effective in the Fifth Circuit. So I'm not sure that would have made a difference, but perhaps the rule might've moved forward without a litigation challenge by the GP community, or it would have not been struck down, or you might've had more LP general support for it if it had not, for instance, included the side letter preferential treatment provisions. So in terms of where this might go in the future, I actually think this has really shut down any opportunities, right? So as we pointed out, legislative efforts have not been generally successful to move forward any kind of changes here in the rule.
0:31:51.2 CH: And I actually think the court decision will further erode any ability to do that. And I think the SEC in the future has been really under fire for a lot of its rulemaking initiatives in the courts. It's not a friendly Supreme Court to agency rulemaking, particularly given the recent removal of Chevron deference. So I don't see any kind of legislative or regulatory movement in the future here, unless there's some sort of financial crisis where there's a large financial services regulatory reform type bill where these provisions would be inserted somehow. That's the only thing I could see that might move it forward, but it's unclear sort of when or if that might even happen. And so I think where you're going to see most of the movement here is sort of enforcement examination activities by the SEC going forward, as opposed to rulemaking, and then any kind of industry related initiatives like that ILPA or the private funds community might come up with from a commercial perspective.
0:32:54.1 YO: Jason, what are your thoughts on this?
0:32:56.2 AM: Yeah, I think the SEC lacked the authority to do this rule as the Fifth Circuit decided. And I don't think that removing parts of the rule would have solved that fundamental threshold problem for the SEC. And Congress had been clear for a long time before this rule, including after Dodd-Frank, that the fundamental differences between the way RICs were regulated and so-called 3C1, 3C7 funds were regulated, were different and were to be maintained. So even when after Dodd-Frank, most private fund advisors were required to register with the SEC, that same division was maintained. And I think just by removing one part of the proposal wouldn't have made all of the other parts all of a sudden magically get an authority that was acceptable and passed muster with the courts. I think the fact that the SEC had to rely on 211H, and then on sort of very, very broad, general anti-fraud sort of catch-all language highlights the fact that they didn't have good legal authority to pursue the rule. And they were sort of grasping at straws a bit, or perhaps grasping at straws is the wrong analogy.
0:34:11.1 AM: I think the SEC swung for the fences in an unauthorized power grab on this issue, and they missed. And the consequences of that error, to Chris's point, are not trivial, particularly in a post-Chevron deference era ushered in by the Supreme Court's recent Loper Bright decision, and at a time when the SEC's ALJ system, Administrative Law Judge system, has also been invalidated by the court, and the Jarkesy decision. I think it's very hard to see how the SEC could have prevailed, even if they had taken this case to a different circuit, or even if it wasn't brought in the Fifth Circuit. And so I think there's some long-term consequences there. I think one of the positive ones is the SEC has to follow the law just like everyone else, including all their regulated entities. And I think that's a good reminder here for the agency that, probably their rules will have to be a little more closely linked to actual congressional authorization than they may have been in the past. And to the extent there is legislation that comes about to make changes, whatever that legislation is, it's probably going to have to be more expressed and detailed, and granting regulators express authority, including the SEC, if they want the SEC to do X, Y, or Z. Chris makes a very good point that, it doesn't look like in the near future there will be opportunity for legislation in the space. I don't see that ripening any time soon either.
0:35:39.0 AM: That said, I think it's always important to remember that in 2006, after the Goldstein decision, the DC Circuit struck down the SEC's registration requirements for hedge fund advisors. And as a practical matter, a number of years later, Dodd-Frank imposed registration requirements for most private fund advisors. And so, over time, I think it's true that legislation, could be a way you can see further amendments, but obviously there's no clear path at this time that would suggest that that's in the offing anytime soon, and what will shake it up. So, I think at the end of the day, the court made the right decision. I think the SEC was sort of going through an exercise of expressing its policy preferences for what they wanted to do with private funds with this rule. And unfortunately for them, they just lacked the authority to do it. And the court reminded them of that fact.
0:36:40.3 YO: Well, Chris, if all of that is true, how do you think the LP community moves forward from this rule? I mean, what happens with ILPA and with the rule itself? I mean, given your experience, what do you think of the best practices initiatives that ILPA worked so hard to implement, such as the templates that we worked on together on the LPA and the subscription agreement templates and all its other efforts? What do you think will happen with all those initiatives and do they continue pushing the GP community in other ways since they can't do that now through the SEC?
0:37:19.1 CH: And I think one thing that's fundamentally changed since the rule was proposed is really the market environment. So the higher rate environment that we've seen since the rule was proposed in 2022 has changed the fundraising dynamics, I think, in the private fund market, thereby giving maybe LPs more leverage than they might have had previously. Although, of course, I'm not the one negotiating these documents. That's my sense is that the fundraising market has tightened in certain places. And that does give more ability to maybe move forward with best practices standards, unlike during the time between the global financial crisis and the post-COVID rate increases. So I think the market dynamics are a pretty important element that maybe gives some of these best practices efforts, including ILPA obviously has put out for comment its new updates to the fee template, which I think are a bit more tailored and more engaged and have taken some feedback out of what the SEC rules have done. And so they're continuing to hopefully move those forward. I also think LPs can think more about how to standardize things. I think one of the biggest challenges in the best practices space was really GPs were on board, I think, with some of these best practices elements, if it was sort of a standard document that they could print out.
0:38:39.5 CH: I think the problem was essentially many folks wanted the standard reporting, but then they also wanted bespoke reporting on top of that, which really negated the economic value for GPs to sign up for standard. And we sort of expected if the rule had come into force by the SEC that some of that standardization would have occurred because everybody would be required to put out a basic minimum standard, and maybe that would have created more efficiencies in the space. And so I still think that remains to be seen. The other thing I think LPs can think about outside the regulatory arena is really trying to do more around a couple of initiatives that we worked on at ILPA. One was really around trying to help smaller LPs group together, sort of, and I know, Yuliya, we've had a number of conversations about this with California pensions and folks like this, about how do we get LPs to do sort of group purchasing, group, smaller LPs banding together in a way that's antitrust compliant to allow them to write larger cheques to managers and then receive better terms in the fund agreement. And more of those sort of efforts, which are challenging given that many LPs are competitors for allocation, but maybe the market dynamics have shifted a bit since we last tried this, are efforts that I think are worthwhile.
0:39:57.1 CH: There's also some new emerging technology, and we explored this when I was at ILPA, around fund terms and in sort of how do we kind of understand what's market and promote more transparency about what terms are market in these fund agreements over time so that LPs can be better equipped in negotiating, and then also LP legal counsel can be bringing forth concerns about fund terms earlier in the investment process with GPs. And so, if the lawyer at the pension can bring in, hey, you know, just like the investment team will bring in what the projected great returns from this fund will be, and the legal team can bring in, okay, here's where I see the problems in the fund agreement at the time the investment decision is made rather than six to eight months later when they're looking at the fund agreement and that decision's already been made, you're presenting a more holistic picture so that LP leaders, CIOs, heads of PE can make those decisions having all the information up front rather than more thinking about it from an investment perspective. And then if there's problems in the fund agreement later on, it's very hard to sort of reverse that decision or raise those issues to stop moving forward.
0:41:11.2 CH: And so, I think there's some technological tools that are out there with some of these various vendors that hopefully could sort of digitize those fund agreements and create a data set of fund terms. Now, I think, many of those providers, unfortunately, have been gobbled up by larger platforms lately and maybe aren't providing as much of that service or less interest in providing that service, but hopefully some other players sort of pop up and can do that. But I think that's really the way that ILPA and other LPs can kind of continue to move the ball forward to improve sort of their downside risk in these fund agreements and achieve some better results.
0:41:52.1 YO: Thanks, Chris. And Jason, given what you heard today from Chris and myself and the discussion about some of the concerns that the LP community has had in the past and the reasons for ILPA's advocacy on behalf of LPs in changing some of the practices, do you think the rule and the recent elevation of these issues will result in any meaningful changes in the market and GP practices, perhaps?
0:42:20.5 AM: Well, I certainly think the industry, GP side, LP side as well, are going to remain engaged going forward on all of this. I think, first and foremost, GPs remain focused on continuing to deliver the impressive returns, net of any fees and carry to LPs, and LPs are going to likely, going to continue to invest robustly in the asset class, because overall, despite certain provisional questions with different legal agreements, it's a fundamentally very good deal for LPs and LPs are pleased with it.
0:42:48.2 SI: I think as before the private fund advisor rule, LPs and GPs, they're going to continue to negotiate in a system that works for both sophisticated parties, all represented by counsel. I think the ILPA template will remain very relevant as it was before PFAR. And I think Chris highlighted a very important point. I mean, I think whenever all of ILPA's members kind of get on the same page and say, look, this is how we want all of our information reported, and we don't want a bunch of additional bespoke reporting, I think that could lead to more standardization in reporting with some efficiencies for LPs and GPs de facto on both sides.
0:43:32.5 AM: But again, I suspect the market, and maybe this is not such a bad thing for LPs, I suspect that the market will stay more flexible with reporting and so that LPs ultimately will get the reasonable information they want in the form they want it, regardless of whether or not it's a standard form or not. I suspect that's sort of where it's going to go. And honestly, I think a lot of the terms that we've touched on today and that I know LPs and GPs care about are going to remain matters for contractual negotiation when there's a new fundraising going on. And I think that's as it should be.
0:44:10.2 YO: Thanks, Jason. I think to wrap up our discussion today, my own observation is that the rules will have an impact on the private fund industry. I have no doubt that ILPA will continue its involvement to advocate for LPs, and some investors, including my own clients, are already negotiating contractual terms influenced by the rules in their LPAs and side letters. I do hope that the rules will serve as instructive guidelines for both the LPs and the GPs going forward. So I thank you both for this wonderful conversation today. I've learned a lot from both of you, and I appreciate your contribution to this important and evolving area. We conclude this podcast now with a big thanks to Chris and Jason for contributing to our knowledge in this important and evolving area.
0:45:00.4 YO: Thank you also to our listeners for joining us for this episode of Pensions, Benefits & Investments Briefings. For additional information on this topic and other public pension issues, please visit our website at nossaman.com. And don't forget to subscribe to Pensions, Benefits & Investments Briefings wherever you listen to podcasts so you don't miss an episode. Until next time.
[music]
0:45:24.1 SI: Pensions, Benefits & Investments Briefings is presented by Nossaman LLP and cannot be copied or re-broadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only. It is not intended as legal advice and does not create the attorney-client relationship. Listeners should not act solely upon this information without seeking professional legal counsel.
- Cybersecurity Risk Management for Pension Plan Administrators: Tips for Staying Ahead of the Hackers
With recent well-publicized data breaches impacting pension systems and their retirees nationally, as well as increased Department of Labor scrutiny surrounding cybersecurity policies and procedures implemented by ERISA employee benefit plan fiduciaries upon audit, the topic of cybersecurity risk management is even more top of mind for pension plan administrators. In this episode of Pensions, Benefits & Investments Briefings, Ashley Dunning and Michelle McCarthy welcome Peter Dewar, President of Linea Secure, and Amy Timmons, Senior Vice President of Administration & Technology Consulting at Segal, to discuss pension systems’ cybersecurity risk management and the impacts of artificial intelligence (AI), social engineering and “whaling,” as well as best practices and lessons learned with respect to pension systems’ cybersecurity risk management.
Transcript: Cybersecurity Risk Management for Pension Plan Administrators: Tips for Staying Ahead of the Hackers
0:00:00.0 Ashley Dunning: With recent well-publicized data breaches impacting pension systems and their retirees nationally, as well as increased Department of Labor scrutiny surrounding cybersecurity policies and procedures implemented by employee benefit plan fiduciaries upon audit, the topic of cybersecurity risk management is even more top of mind for pension plan administrators. Today, we will gain insights from three experts on pension systems' cybersecurity risk management, continuing a discussion we began in our podcasts nearly two years ago. In this podcast, we will continue our focus on highlighting best practices and discussing lessons learned with respect to pension systems' cybersecurity risk management.
[music]
0:00:56.2 Speaker 2: Welcome to Pensions, Benefits & Investments Briefings, Nossaman's podcast exploring the legal issues impacting governmental, private and nonprofit pension systems and their boards.
0:01:11.5 AD: Welcome to another episode of Nossaman's Pensions, Benefits & Investments Briefings. I'm Ashley Dunning, Co-chair of Nossaman's Pensions, Benefits & Investments Group, and I'm joined today by three experts to help us address this important topic of cybersecurity risk management. First, I'm joined by my law partner Michelle McCarthy, who specializes in legal compliance advisory work for both ERISA and governmental plans, including among other topics, Department of Labor guidance on how plans governed by ERISA are to address cybersecurity risks. We also are joined by two leading cybersecurity experts who consult with pension plans globally. Peter Dewar, President of Linea Secure, and Amy Timmons, Senior Vice President of Segal Consulting. Welcome, Michelle, Peter, and Amy.
0:02:07.1 AD: So, starting first with Michelle to give us a little context here, it's my understanding that historically, the US Department of Labor or DOL has been relatively quiet with respect to fiduciaries' responsibilities to protect ERISA-covered benefit plan data. That is until April 2021 when it issued new guidance for addressing cybersecurity risks associated with benefit plans. What changed?
0:02:35.5 Michelle McCarthy: It's important to note that leading up to the issuance of the guidance, there were a number of data breach incidents and cyber thefts that involved employee benefit plans, and that included a number of identity thefts and fraudulent withdrawals of participants' retirement funds. And with these types of employee benefit plans, especially pension plans, it's critical to remember that there is a lot at stake. Because in addition to holding billions of dollars in assets, employee benefit plans contain personal data regarding participants, including the names, date of birth, addresses, phone numbers, Social Security numbers, beneficiaries, and with respect to health and welfare plans, it could include health data, among other things.
0:03:21.3 MM: And while the assets that are taken from an employee benefit plan can be quantified, the value of the stolen data is effectively unknown. Through issuing this guidance, I think the DOL was just clearly trying to signal to plan sponsors and fiduciaries that it expects them to implement strong cybersecurity practices and oversight of third party providers so as to reduce an organization's exposure to cybersecurity events.
0:03:48.9 AD: That's really helpful context. Thank you. Could you please summarize the Department of Labor's cybersecurity guidance that they've now promulgated? And specifically what does it direct both plan sponsors and fiduciaries to do?
0:04:04.5 MM: Sure. So the first piece of the DOL guidance is titled Tips for Hiring Service Providers, and this outlines factors that business owners and fiduciaries should consider when selecting retirement plan service providers. Specifically, it recommends that fiduciaries ask about the service provider's data security standards and audit results and benchmark those against industry standards. It also recommends that plan sponsors and fiduciaries ask about past security events and responses and evaluate service providers' track record with respect to prior security incidences, like how have they responded to litigation or security leaks.
0:04:40.5 MM: It also recommends that plan sponsors confirm that the service provider has adequate insurance coverage that would cover losses relating to cybersecurity and identity theft, including losses caused by both internal threats and external threats, for example, employees versus third party fraudulent access to participant accounts. Finally, the guidance provides that plan sponsors should ensure that the services agreement permits the plan fiduciary to review the service provider's cybersecurity compliance audit results, and require ongoing compliance with cybersecurity standards.
0:05:11.7 MM: There were two other pieces of DOL guidance. The first of these is called The Cybersecurity Best Practices. This is directed squarely at ERISA plan record keepers and service providers who have access to plan-related IT systems and plan data. For example, like a plan administrator that the plan sponsor would share the participant data with. This is probably the most detailed of the three pieces of sub-regulatory guidance, and it summarizes 12 best practices that service providers should implement to mitigate exposure to cybersecurity risks. Since Amy is going to be discussing these best practices in more detail, there's no need for me to summarize them here.
0:05:46.6 MM: But I would just say that although this guidance is specific to service providers, the DOL points out that plan fiduciaries should be aware of these best practices so as to enable them to make prudent decisions when hiring a service provider. For this reason, we've been recommending to our clients that are plan fiduciaries issuing RFIs or RFPs or negotiating agreements with service providers to use this as guidance to determine the minimum standards to request as representations from service providers when entering into new agreements. And we also recommend that the plan sponsor engage in meaningful negotiations over these types of terms, and that they document what they've done in order to ensure that these cybersecurity practices are complied with by the third parties that they hire.
0:06:32.7 MM: The last piece of DOL guidance is called Online Security Tips. This is directed at plan participants and beneficiaries, and it informs them of ways to keep their online information and account safe. And some of these security tips include the use of multi-factor authentication, keeping contact information current and avoiding phishing attacks. And we just recommend that plan fiduciaries, plan sponsors circulate these, provide notices to plan participants in order to help plan participants know ways that they could mitigate their exposure to cybersecurity threats. And this also is important that plan sponsors do circulate these types of notifications to plan participants in order to demonstrate to the DOL that they have complied with the guidance.
0:07:21.2 AD: Michelle, that was very helpful for providing the DOL guidelines here. And I'd like to turn to Amy now to have you share with us what you're seeing with regard to organizations' compliance with DOL guidance regarding cybersecurity, if they're an ERISA plan or even if they're not necessarily governed by it, but perhaps looking to it for that guidance. And where are you seeing the biggest gaps between the DOL guidance and what organizations are actually doing?
0:07:56.6 Amy Timmons: So thank you, Ashley. The DOL guidance has really set the standard for most organizations on what they should be doing with regards to cybersecurity, whether they are an ERISA plan, whether they're a health plan or a pension plan, and whether they're public sector or not, it has become sort of the baseline measurement of how well you're doing on cybersecurity. If I look at the organizations that we've worked with, most of them are striving to comply. They're looking at the guidance and assessing where they're at, and most of them have done a pretty good job on the basics.
0:08:33.7 AT: But for each of the 12 different guidelines, there's gaps. So, if you are looking at having a well documented cybersecurity program or an effective business resiliency program, those things are on paper. They may be very well written on paper, but they haven't been tested or tested regularly. The second part of that program though is making sure the user knows what to do. And that's been another gap, is that the users don't know what to do. IT knows, but the business user, which is a person usually first faced with a hack or a breach, and they don't know what to do. So it's educating that average user.
0:09:17.1 AT: If you look at the next kind of group of guidelines, which include information security roles and responsibilities, strong access controls, strong technical controls, and a secure system development lifecycle program, those, many of them were loosened during COVID or have been loosened up for hybrid work or remote work. Now is the time to be reviewing them and see if they're still appropriate in today's environment and what you are doing in your work environment with your people. Not all of them are up to date. There's been new roles created, there's been new needs, people have changed roles, and there's new tools that can help you monitor and track roles, and those things need to be implemented to better secure yourself.
0:10:03.6 AT: Another guideline is conduct periodic cybersecurity awareness training. What I'll say is the key word in there is periodic. It's not a one and done. I've seen a lot of clients have hired people, done great training for them and then never done it again. And so the thing is to continually train your employees about cybersecurity awareness and what they can expect. Encrypting sensitive data stored and in transit, pretty standard. Most people are doing this, but what I'll say is make sure you encrypt everything. You're encrypting your phones, you're encrypting your laptops, you're encrypting your tablets, you're encrypting your desktops, et cetera, et cetera, et cetera. Anything that can be touching that data should be encrypted.
0:10:54.2 AT: Conduct prudent annual risk assessments and have reliable annual third party audit of security controls. What we're seeing clients facing is there are a variety of standards. There's NIST, there's HIPAA, there's SOX, there's SPARK, there's ISO. So, first question is, which standard do you comply with or which standard do you assess yourself with? And then the second piece is making sure it's done by a third party, giving you that fresh objective set of eyes looking at it. Appropriately responding to past cybersecurity incidents, Michelle already highlighted this when she talked earlier. You can't do an assessment and have audit or assessment findings and not do anything.
0:11:33.9 AT: In the DOL eyes, at least from our experience, that's even worse than not doing the assessment at all, because then you are knowingly allowing a gap in your security. But I will say, at the end of the day, the biggest one needing action is in fact assessing the security of your third party service provider and making sure that their security is sufficient for your needs and that you're comfortable with them. And then, depending on your findings, if it is a vendor that is not secure or you don't feel comfortable with their security, it then becomes a decision for senior management and trustees to determine if you wanna continue to do business with them, or if you wanna help them and work with them to get their security to a level you're comfortable with.
0:12:23.3 AD: Amy, thank you for all of that detail. You ended on third party vendors and risk, and I'm gonna ask Peter a specific question on that. Peter, how do you specifically recommend that plan fiduciaries manage supply chain or third party risks, particularly in light of recent publicly reported incidents that include exposure to annuitant information that Michelle referenced in her introductory comments?
0:13:04.8 Peter Dewar: Hey, Ashley. Thanks for that question. Supply chain risk management is a very difficult task for many pension funds and organizations generally because the vendors there to use to support many parts of normal business operations, for example, from IT services to actuarial and investment services and beyond, and each service area comes with its own risk profile. We recommend that pension funds specifically adopt a supply chain risk management program that will quantify the level of risk each vendor represents to the fund assets, either financial or confidential information, develop a governance policy on how supply chain risk will be managed and measured, and then evaluate if your supply chain is within compliance of your expectations.
0:13:45.3 PD: Extend your cybersecurity controls to third parties that have access to sensitive information, ensuring that the protections that you've deemed necessary to manage your organizational cybersecurity risk is extended to those that provide critical services to you. And then perform due diligence, by actively verifying that agreed upon cybersecurity controls are working as planned. This could be accomplished by reviewing either SOC reports or executing formal audits yourself or assessments by and doing that by gathering information through questionnaires as was mentioned before, or performance surveys.
0:14:26.8 PD: Now, we believe that the best time to encourage a third party to comply with your expected security governance is to include those provisions in your agreements at the beginning of a relationship or during the renewal period. That's when you have an opportunity to encourage them by gently nodding them along that these controls are important to us and that we require them to maintain our cybersecurity governance that we've put in place to protect our information. And now, you as a third party who has access to that information need to also make sure that those controls are working appropriately.
0:15:09.3 AD: Great ideas. Thank you. Turning back to you Amy, what are the emerging issues or concerns with cybersecurity that you see organizations having?
0:15:19.7 AT: I will say that the biggest issue right now is artificial intelligence, which is a hot topic everywhere, but paired with that is social engineering. The first reported case of artificial intelligence voice hack happened in March 2019 where hackers convinced a CEO of a UK energy company to send $243,000 to a hacker because they recognized their boss's voice. In October of 2021, fraudsters used AI voice to convince a bank employee to transfer $35 million to a fraudulent account. These are things that aren't necessarily covered by cyber liability insurance because you voluntarily sent the money, and if you don't admit that something happened, you won't get your IT people to quickly try and pull things back.
0:16:18.7 AT: Fake images are all over the internet, all over the news. You can see those all the time. One of my favorite stories on the fake images is in 2019, a 17 year old generated a fake congressional candidate that was certified by Twitter and Ballotpedia as a legitimate candidate for the election. It's all fake. And then, more entertaining, June in 2022, Metaphysic, is a company, appeared on America's Got Talent and demonstrated a real time deep fake of a singer performing as Simon Cowell. So, it's all over the media. People are going to fall for, oh, I recognize their voice, oh, I recognize that image, that face if I'm on video with them, and it's problematic in every case.
0:17:10.3 AT: So, what I would say is the three biggest risks from my perspective are AI paired with social engineering. Getting fooled to give information that you shouldn't that allows hackers to get money, get into your system, get information, steal. Part of that is paired with the second biggest risk, which is unknown policies, making sure that people know who is authorized to do what kind of transfers, what's their span of authority, what are your policies and what are the verification steps to make sure it's a legitimate request? And finally, where we're seeing big attacks is on what is called whaling. It's phishing, but it's phishing for targeted executives and key people who have that span of control and that access to transfer money, approve of access to systems and information. Staying on top of those are really some of the biggest risks we're seeing with clients.
0:18:14.7 AD: So much to think about, Amy. I'm sure your examples give people a lot of pause when they think they also would recognize somebody's voice, certainly their image. That's typically the way that sort of, in my world, one verifies things. And as you point out, that doesn't work with social engineering and AI. And I'm sure the whaling comment will be of interest to many who listen to this podcast as there are some who are going to be more targets for what you're talking about. Peter, in light of all of this and what you also see in your world, consulting on these issues, what are some of the best practices that you would recommend for organizations to adopt so that they can manage this evolving cybersecurity threat?
0:19:04.8 PD: I think it's best that an organization design and implement a comprehensive information security governance program that proactively manages cybersecurity risk, rather than reacting to each evolving risk as it comes out. The program should align with best standards for enterprise risk management, such as the National Institute of Standards and Technology's Risk Management Framework, the NIST 800-53 Revision 5 Cybersecurity Standards, or the International Organization for Standardization, ISO 27000 series. And there are many others that I won't mention. The program components could include the review and development of governance, cybersecurity and risk management policies, a classification of the data that's collected, generated, and used by the organization.
0:20:00.8 PD: It could include the development of incident response plans that include the testing of such plans. Also designing and implementing a vulnerability management program so that you could be aware of the evolving threats, as many of our audience have heard about the recent threats that have affected pension fund operations. And so you want to be aware of the evolving threats and determine if you're affected by them. Also, performing penetration testing so that you could see if threats that are out there become actual vulnerabilities for your organization and could be exploited by threat actors. We recommend also creating a cybersecurity awareness and training program so that the organization's staff becomes aware of the threats that they could be exposed to based on the role within the organization.
0:20:56.9 PD: We recommend developing a system security plan for major applications that specify the security controls, that protects the technology, data and people that use the systems. This should also be consistent with the overall organization security posture and policies. But significantly, organizations should develop a way to measure if they're progressing or regressing in any of the areas identified. Some organizations utilize a scoring methodology that makes it easier to communicate the results of an information security program to non-technical parties such as your board and executive staff. These are some of the things, Ashley, that we recommended organizations do, especially develop an information security program with a comprehensive governance structure that manages cybersecurity risk management similar to the way that risk is managed across the organization in other areas.
0:21:58.5 AD: Thank you. That's a lot to think about. Amy, without necessarily repeating some of the insights that Peter provided, and I'm sure are right up there for you as well in terms of best practices, are there any other key activities that you're seeing organizations take to better protect themselves?
0:22:20.2 AT: Other than, as Peter said, it is testing, it's training, it's having that plan and making sure that everybody understands it, there's a couple other activities. One particular to pension plans is encouraging your actives and retirees to register for their online accounts. I can't tell you the number of times and talking with people, they're like, "Oh, I'm not signing up for my online account because then I won't be exposed to that evil hacker." You're actually worse off. As an organization, encouraging people to register and make sure that they're the ones registered for the account, because one of the biggest hacks on pension sides has been finding those inactive accounts and registering and signing up people for those accounts and redirecting their pensions. So that's a huge one. It's a very simple thing to be doing, but it's very important for the safety of the organization and your membership.
0:23:19.6 AT: One of the other big things that we've seen, and we had a client who had a ransomware attack and didn't have this in place, is having vendor partners at standby and ready to help you when something happens. And I do mean when, because this is not an if anymore, sooner or later something is going to happen that may look like a breach. And if you have cyber liability insurance, they have those vendor partners at standby and ready. But if you don't have that insurance, you need to have a pre-screened, already have a relationship with lawyers, with IT forensic experts, with public relations people, with credit monitoring services, all those things to be ready, because if you don't, it will take you months and months and months before somebody will even talk to you about it. And so you're just way behind on the recovery curve. So, those are probably the biggest things I would say that we're seeing to add on to what Peter already identified.
0:24:21.6 S2: Those are great takeaways, Amy, and probably of great interest to, whether it's retiree organizations who are trying to inform their own membership about why it matters that the retirees themselves sign up, as you say, for their online accounts, or the administrators who obviously are very busy with all sorts of things, but this has to be high on the to-do list if they don't have it in place already. To that point of staff and managing all of this risk, Peter, I'll end with a question for you. Noting that many funds are challenged to hire skilled and experienced staff to fill the unique roles required for cybersecurity personnel, do you have any recommendations for them as to what to do and maybe identify some trends in the industry on this point?
0:25:14.4 PD: Yes, actually I do. So, the staffing challenge is not limited to pension funds, and is being experienced by many public and private entities as organizations compete for the same skilled resources. The challenge is more acute when the mission requires specialized resources in many disciplines and organizations are constrained by the number of personnel that could allocate to any one area, such as cybersecurity per se, which require both technical and non-technical skillsets. Some of the challenges include limited staff with the experience to address the magnitude of the problem being faced. Vulnerabilities are exposed on a daily basis. And IT and cybersecurity positions are very expensive.
0:26:00.2 PD: The magnitude of the threats across an entire organization, they're expansive, and the ability to identify those threats are limited if knowledge of inherent threats that pension funds specifically face are not understood. To solve this problem, many organizations are turning to virtual information security services that offer an array of options for them to choose from to address the needs that are not being met internally. These combined services include internal risk assessments, penetration testing, vulnerability management, security policy development and implementation, and third party risk management services. Also cybersecurity awareness and training, as Amy had discussed before, and this includes social engineering campaigns and application security plans to protect the major systems that you run.
0:26:54.8 PD: So, virtual services are scalable to meet the need of an organization where specialists in each domain could be used at a fraction of a cost to carry them, say, as staff members, covering the array of inherent risks and internal and external threats that funds would face. So, these are just some of the ways that organizations are trying to find outside resources rather than carrying expensive staff, especially in a narrow domain, but one that covers the entire organization. It's very hard to find, say, a technical person that's familiar with the investment process, say, that has a lot of inherent risk. So, when you're moving financial assets around, we're finding that threat actors are inserting themselves into that conversation.
0:27:48.9 PD: As Amy pointed out, using voice impersonation, they were able to redirect funds. Well, they're doing that during, say, a capital call, a process where you have to fund an investment. And so a threat actor is trying to redirect the funds any manner that they can. It might be using AI or just using regular intercepts of email and so forth, but they're reading board minutes. So, they're understanding your business operation. They understand when you take a position in a certain asset or if you're using a certain service because usually the approval of that contract is public. So, they understand the third parties that you utilize, and they're becoming very smart about how to attack you because you are providing a lot of information publicly that they could consume and craft attacks to exploit any vulnerabilities they could find in your business operation.
0:28:55.4 PD: And these vulnerabilities might not be technical. They might just be business processes that you are performing that are required business processes, such as the use of an actuary. Most funds do an annual independent actuary evaluation, and threat actors know that you're providing a third party with a copy of your entire participant or census data to someone else. And if I could intercept that transaction that was recently occurred with another service that we are all aware of, then I could get access to your data without actually compromising your systems, but I could then compromise the third party. So, the problem is huge, and having the right services or staff mixture to mitigate the evolving threats is a challenge that many organizations are facing today.
0:29:55.5 AD: Thank you for that, those insights, and we will conclude this podcast now with a big thanks to all three of you, Michelle, Peter, and Amy, for contributing to our knowledge in this important and evolving area. For additional information on this topic and other pension issues, please visit our website, at nossaman.com, and don't forget to subscribe to Pensions, Benefits & Investments Briefings wherever you listen to podcasts so you don't miss another episode. Until next time.
[music]
0:30:30.7 S2: Pensions, Benefits & Investments Briefings is presented by Nossaman LLP, and cannot be copied or re-broadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only. It is not intended as legal advice and does not create the attorney-client relationship. Listeners should not act solely upon this information without seeking professional legal counsel.
[music]
- Risk Management Lessons for Directors and Officers from Recent Bank Failures
The first half of 2023 has seen three bank failures, Silicon Valley Bank, Signature Bank and First Republic Bank. In 2008–the last time multiple FDIC-insured banks failed–the collapse of the economy and massive bank reform followed. In this episode of Pensions, Benefits & Investments Briefings, Yuliya Oryol and Patrick Richard discuss risk management lessons for directors and officers to be drawn from these recent events. Were the challenges facing these banks unique, or are the risks more prevalent?
Transcript: Risk Management Lessons for Directors and Officers from Recent Bank Failures
0:00:00.7 Yuliya Oryol: Today, we will be discussing the lessons learned from the recent bank failures. Should the directors and officers of the regional banks have seen it incoming? What are the implications for the risk management of your business?
[music]
0:00:22.8 Speaker 2: Welcome to Pensions, Benefits & Investments Briefings, Nossaman's podcast exploring the legal issues impacting governmental, private and non-profit pension systems and their boards.
[music]
0:00:44.6 YO: Welcome to another episode in Nossaman's Pensions, Benefits & Investments Briefings. My name is Yuliya Oryol. I'm a partner at Nossaman and co-chair of the firm's pensions, benefits & investments group. I focus my legal practice primarily on representing public pension plans and other institutional investors nationally and internationally in connection with public and private market investments, including alternative investments and related regulatory work.
0:01:15.2 YO: I am joined today by Patrick Richard, also a partner at Nossaman and co-chair of the firm's corporate group. Patrick has more than three decades of experience as a commercial trial lawyer. He has significant trial experience, successfully representing publicly traded companies, individuals, government agencies as both defendants and plaintiffs.
0:01:36.0 YO: He has been lead counsel in over two dozen successful civil complex arbitrations, jury and bench trials. Patrick has particular experience representing the FDIC in complex business transactions and corporate governance litigation related to breach of fiduciary duties and business tort actions. He has also worked on numerous governmental investigations related to financial fraud.
0:02:03.3 YO: As background, in March 2023, three regional banks, Silvergate Bank, Signature Bank and Silicon Valley Bank failed. First, Silvergate Bank and Signature Bank had massive exposure to cryptocurrency, and their problems were triggered as a result of turbulence caused by the collapse of cryptocurrency exchange FTX.
0:02:23.4 YO: Next came Silicon Valley Bank. This highly successful regional bank in Silicon Valley had decided to shift its bond portfolio to longer maturity rate bonds. And subsequently, its bond portfolio greatly decreased in value due to the many interest rate hikes imposed by the Federal Reserve. Ultimately, Silicon Valley Bank failed as a result of a bank run by its depositors who became concerned about the bank's liquidity, which was triggered after the bank sold its treasury bond portfolio at a significant loss.
0:03:00.0 YO: The vast majority of the depositors who withdrew their funds from Silicon Valley Bank were technology companies, portfolio companies, the venture capital firms and private equity firms, and wealthy individuals, many of whom were in the high-tech industry and whose account balances exceeded the 250,000 insured by the FDIC. To most everyone's surprise, the Federal Reserve decided to take extraordinary measures in order to prevent global contagion in the financial markets and prevent further panic if the bank collapsed.
0:03:32.3 YO: Despite the extraordinary move by the Fed officials to backstop billions of dollars in uninsured funds, Silicon Valley Bank was eventually shut down in March 2023 by the California Department of Financial Protection and Innovation.
0:03:42.1 YO: Finally, more recently and still spooked by the run on Silicon Valley Bank, depositors started withdrawing their money from First Republic Bank. First Republic had focused on high-net-worth individuals whose deposits were mostly uninsured since they exceeded the 250,000 FDIC limit. Despite the initial 30 billion capital infusion from a group of major banks, First Republic Bank was not able to regain confidence from its depositors and stockholders. On April 29th, the FDIC closed the bank and sold it to JPMorgan Chase.
0:04:16.9 YO: Patrick, there is so much here that we could talk about today, but let's start with risk management. What are the lessons learned from these recent bank failures for directors and officers?
0:04:27.6 Patrick Richard: Well, thank you, Yuliya. And, yes, while there are any number of takeaways from these recent events, I see it as a tension between sales and growth on the one hand and prudent risk management on the other. Based on my experience, our experience litigating bank failure cases, I really don't think there's anything new here. These are known risks. Growth, high concentration on the balance sheet, et cetera, these have all happened before. That's why I call them known risks. So, the first lesson, if you're an officer or director, especially of a bank, is you need to understand and satisfy yourself that your bank has a strong, experienced risk manager and risk management culture.
0:05:17.6 YO: Risk management culture, what do you mean by that?
0:05:21.6 PR: Sure. As anyone who's been involved in a bank or any other business, there are many risks that face your enterprise: Operational risks, competitive risks, economic risks, specific market risks for acceptance of your company's products. There's financial risks, running out of capital, whether you're a start-up or the risk of a run on the bank or simply your costs of capital increase beyond what you can handle. There are regulatory risks, litigation risks, among others.
0:05:57.1 PR: But even though risk management is challenging, these types of risks, these types of risks are well-known. So whether the precise risk will overtake your bank or business, that can't be predicted precisely any more than turning points in the economy can be predicted. But the risks are there. They're known. The risk that I think is an overarching thematic risk that's helpful and particular for directors who are not making management decisions and they're not necessarily down in the weeds on a lot of these other risks, they can understand and remember that growth, rapid growth beyond your peers, that is a red flag. That is a risk to your bank or business.
0:06:45.9 YO: That's interesting because it seems to me that business growth should be seen as a positive and yet you also talk about risk. Why is it a risk?
0:06:54.9 PR: If you look at any of the postmortems on failed banks going back to this crisis or the S&L crisis decades ago, the risk of growth is a risk for two reasons. If it's rapid growth on your balance sheet, there's two things that should be looked at closely. One, rapid growth can mean that your growth outpaces your risk management. Then you see this with banks where the number of credit officers, for example, doesn't keep up with the number of new account officers, loan officers, and production. So it's simply, sometimes growth means that your risk management infrastructure is not keeping up.
0:07:44.1 PR: The other risk of rapid growth... And again, if you're growing two, three times others in your space or your peer group, look at the concentration on your balance sheet. Are you achieving rapid growth through an increase in a certain class of risk, whether it's questionable loans, looser underwriting, a high concentration in a certain geographic area, high concentration of cryptocurrency, or investing in what you might think was perfectly safe, long-term notes, treasury notes, when you have short-term liabilities like bank deposits. So those two things outpacing your risk management infrastructure or achieving growth through higher concentration, which, of course, is a well-known risk.
0:08:32.5 YO: But banks cannot avoid risk, can they? I mean, what in particular is the role of a board member than particularly an outside board member and risk?
0:08:43.3 PR: Sure. And I heard this a lot when I would be talking to or cross-examining former CEOs and board members, members of the bank's loan committee who would sit back and say, "Well, all lending involves risk" as though that was a sufficient explanation. Who knew? We couldn't predict it. We were just unlucky.
0:09:06.8 PR: And the flip side is, while it's true you have to take risk in order to be successful, you absolutely have to identify and manage the risks unique to your enterprise. So for the outside board member, that means, first, educating yourself on what is your role. There's actually a lot of literature from the FDIC and other regulators on guidance for board members, including outside board members. You need to inform yourself. You need to be active. You need to ask the tough questions. It basically means you need to bring a healthy skepticism to management.
0:09:43.1 PR: So in this case, again, it comes back to the main lesson learned. If you're the outside board member, you need to understand your enterprise's risk management culture and the leadership of your risk management team. Silicon Valley Bank, for example, really had no chief risk officer at the time of its failure.
0:10:00.0 YO: Wow. I didn't realize that was the case. But you're talking about banks. And are these risks then unique to banks and other financial institutions?
0:10:12.1 PR: They're unique in this sense, Yuliya. Banks, unlike other businesses, are required to be operated in a safe and sound manner because they're accepting insured deposits from the FDIC. Banks are not supposed to take on the same level of risk as a startup company or high tech company or other businesses. On the other hand, every business, wherever it is in its business cycle, faces enterprise risk management.
0:10:43.0 PR: And so I would say the common theme, the common risk is, what are you incentivizing? Who's getting bonuses and for what? If you follow that, that's an important part of prudent risk management. So, for example, in the abstract, you could say, well, gee, how could opening new bank accounts pose a risk to a bank? Well, if you're giving a bonus to people just for opening new bank accounts, you better audit that program to see if those are all bona fide new accounts, or you can end up with a problem like Wells Fargo had. So follow the money, see what it is you're incentivizing folks to do. And that's a major role for not just the managers, but the outside board member to understand, what are we incentivizing?
0:11:33.9 YO: The directors and officers you're talking about were fiduciaries, and they had fiduciary duties. Can you talk a little bit about that and explain the type of fiduciary duties directors and officers in the financial institutions are expected to have?
0:11:49.9 PR: Sure. And I think there's really two aspects to this. One, I think all directors generally understand that fiduciary duty means you have to put the interest of the bank ahead of your own, right? You have to avoid self-dealing. You have a fiduciary duty of loyalty. But you also have a fiduciary duty of competence, to be informed, to be an active independent director. That's your oversight role. That's your fiduciary duty.
0:12:20.9 PR: Not showing up to meetings or not asking questions or not informing yourself, many would argue, especially if it's a postmortem of a failed bank, you fell out on your job. You did not fulfill your important role. You had a job to do. You had a fiduciary duty.
0:12:39.2 YO: Finally, based on your experience in trying cases for the FDIC, what are some of the red flags directors and officers should be aware of regardless of the industry?
0:12:49.7 PR: Sure. One would be if... Like, there's a host of regulatory and reporting and requirements faced by publicly traded companies, banks, and other regulated businesses. But that's not the end of risk management. That's the beginning of risk management. You as a director need to understand the dominant culture of your enterprise. Is it a dominant sales culture, growth, growth, growth, sales, sales, sales? What is the risk management culture?
0:13:21.8 PR: It needs to be top down. Is the chief credit officer or chief risk manager engaged? Does management listen to them? Does the board listen to them? There's tendency to downplay risks. And the role of the outside board member is to bring that broader perspective. It's not enough to say, well, we've been around 40 years like Silicon Valley Bank or 140 years. Bear Stearns, Lehman Brothers those institutions had been around a long time.
0:13:51.0 PR: It comes back to known risks. The economy is cyclical. There are ups and downs. And you need to bring that perspective to your risk management. Learn from these recent events. As Warren Buffett has said, "It's good to learn from your own mistakes, but it's better to learn from someone else's mistakes." So that would be my overarching takeaway from these recent events.
0:14:17.5 YO: Thank you so much, Patrick. This conversation and your insights have been extremely informative and instructive. And thank you to our listeners for joining us on this episode of Pensions, Benefits and Investments Briefings. For additional information on this topic and other pension issues, please visit our website at nossaman.com. And don't forget to subscribe to Pensions, Benefits, and Investments Briefings wherever you listen to podcasts so you don't miss another episode. Until next time.
[music]
0:14:51.6 Speaker 2: Pensions, Benefits & Investments Briefings is presented by Nossaman LLP and cannot be copied or re-broadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only. It is not intended as legal advice and does not create the attorney-client relationship. Listeners should not act solely upon this information without seeking professional legal counsel.
[music]
- Secure 2.0 Brings Big Changes to Retirement Plans
Congress recently passed the SECURE 2.0 Act of 2022. Building on the Setting Every Community Up for Retirement Enhancement Act of 2019, SECURE 2.0 attempts to expand retirement plan coverage and increase retirement savings opportunities for United States workers. In this episode of Pensions, Benefits & Investments Briefings, Michelle McCarthy and Ashley Dunning discuss the key provisions of SECURE 2.0 most likely to impact 401(k) and 403(b) plans sponsored by large private-sector employers and also touch upon a few of the provisions that will impact 401(a) plans administered by governmental retirement systems.
Transcript: Secure 2.0 Brings Big Changes to Retirement Plans
0:00:00.0 Ashley Dunning: Setting Every Community Up for Retirement Enhancement Act of 2019, or the SECURE Act, was enacted on December 20th, 2019, as part of the Further Consolidated Appropriations Act of 2020. It was the first significant piece of federal retirement plan legislation to be enacted in more than a decade. Congress enacted the second on December 29th, 2022, the SECURE Act 2.0. In this episode of Pensions, Benefits & Investments Briefings, we summarize the key provisions of SECURE 2.0, most likely to impact 401(k) and 403(b) plans sponsored by large private sector and nonprofit employers. We'll also touch on a few of the provisions that will impact 401(a) plans administered by governmental retirement systems.
0:01:03.8 Intro: Welcome to Pensions, Benefits & Investments Briefings, Nossaman's podcast exploring the legal issues impacting governmental, private and nonprofit pension systems and their boards.
0:01:25.5 AD: Welcome to another episode of Nossaman's Pensions, Benefits & Investments Briefings. I'm Ashley Dunning, co-chair of Nossaman's Pensions, Benefits & Investments group and I'm joined today by Michelle McCarthy, our newest Pensions, Benefits & Investments partner. Welcome to the firm and to this podcast, Michelle.
0:01:43.7 Michelle McCarthy: Thanks, Ashley. I'm excited to be here at Nossaman and on the podcast. Before I begin, I just note that SECURE 2.0 has more than 90 retirement plan provisions. We won't be able to touch on all of them in today's podcast, but I'm going to touch on the ones that I think are the most relevant.
0:02:01.9 AD: As we start out, though, sort of big picture, I understand that many of these changes are mandatory while others are optional. Is that right?
0:02:11.1 MM: That's exactly right. Further complicating matters, a number of these changes take effect over multiple years and have different effective dates for each provision. It's complicated. Also, the DOL and the IRS haven't issued guidance on these. They haven't had an opportunity to issue that guidance, so we're awaiting a lot of that. That should be coming down the pipe, but I'll note that when I go over each of the provisions individually. The first notable change that I'll talk about is the automatic plan enrollment and escalation rule, which applies to new 401(k) and 403(b) plans. Note that it applies to new 401(k) and 403(b) plans. That's 401(k) and 403(b) plans that are established after SECURE 2.0 went into effect. Under this new rule, plans must automatically enroll eligible employees in the plan, starting at a deferral rate of at least 3% and no more than 10%. And new plans must also automatically increase the employee's deferral percentage annually until it reaches a maximum percentage, which percentage is going to vary depending on the type of plan.
0:03:15.6 MM: Employees will have the ability to opt out of automatic enrollment. This only applies to new plans. It would only apply to plans that are established after SECURE 2.0 was enacted and plans have until January 1, 2025 to gear up for this change.
0:03:36.8 AD: That seems like a pretty big change to have an automatic enrollment provision and I'm sure those in the audience who administer these plans are trying to work through the nuances of it and the applicable dates, as you noted. Would this rule apply, though, in the event of, say, a spinoff, where, for example, a new plan is created by spinning that plan off from a currently existing plan?
0:04:01.3 MM: That's a really good question. Where an employer spins off a plan from an existing plan and creates a new plan and transfers plan assets from the old plan to the new plan, I don't know the answer to that question. I think that we're going to just have to wait for guidance on that, but that's a good question, Ashley.
0:04:17.8 AD: Fair enough. This is all very new. I understand that SECURE 2.0 addresses a part-time employee coverage. Could you tell us about that, please?
0:04:28.8 MM: Yes. Currently, part-time employees can be excluded from a 401(k) or 403(b) plan. The original SECURE Act required 401(k) plans to permit part-time employees the option to make elective deferrals to the plan if they had attained age 21 and worked at least 500 hours of service in the last three consecutive years, but that change never went into effect. The IRS delayed the effective date, most likely due to the pending SECURE 2.0 legislation, I'm guessing, which reduces the three consecutive year requirement to two consecutive years and extends the requirement to ERISA covered 403(b) plans. Under this new rule, part-time employees that attained age 21 and have worked at least 500 hours in the last two consecutive years have to be eligible to participate in the plan. One thing I would just note is that employers are not required to provide employer matching on non-elective contributions on behalf of part-time employees that become eligible under this new rule.
0:05:32.6 AD: Is that 500 hours total in two years or each year 500 hours?
0:05:35.5 MM: That's 500 hours cumulative, so total.
0:05:39.1 AD: That still seems like a somewhat cumbersome administrative requirement to have to track a part-time employee's hours. Do you have a sense of whether, in that context, it would make sense for employers that currently exclude part-time employees simply to allow all employees to participate that way, they could avoid the administration required to keep track of the employee's hours during any two-year period.
0:06:04.9 MM: That's a good point. It certainly is a cumbersome administrative requirement to keep track of, but the one thing I would just note is that if a part-time employee becomes eligible under the new rule, the employer is not required to provide employer matching, whereas if a part-time employee becomes eligible to participate by virtue of the normal course, then the employer would need to pay matching contributions on the amount that the part-time employee elects to defer. So I guess employers are just going to have to weigh whether it's worth the administrative burden of keeping track of the hours over a two-year period.
0:06:41.5 AD: Interesting changes. One other aspect of SECURE 2.0 I've heard about is it permits plan sponsors and administrators to offer small financial incentives to encourage plan participation. Could you tell us a bit about that change?
0:06:57.8 MM: Before SECURE 2.0, employers could only offer matching contributions to incentivize employees to participate in their retirement plans, but now employers can offer the small de minimis financial incentive to get employees to participate, perhaps like a $10 gift card. The point is to keep it small and employers probably want to be conservative because de minimis is not defined anywhere and in other contexts, the IRS has issued guidance which says that anything over $100 could never be considered de minimis. So I don't know if this means that if an employer could give a gift card for $99, I think employers are going to want to try to be conservative about that, at least until the guidance is issued.
0:07:42.0 AD: Michelle, I understand that SECURE 2.0 also permits employer matching contributions to cover student loan repayments. Is that right?
0:07:53.1 MM: So that's correct, Ashley. Beginning for plan years starting January 1, 2024, sponsors of 401(k) and 403(b) plans are permitted to provide employer matching contributions based on the employee's qualified student loan repayments that are made outside of the plan. So this is a great benefit for employers and a lot of employers will be interested in this because employees that are making student loan repayments maybe aren't able to make deferrals under the 401(k) like other employees might be financially able to do.
0:08:23.7 MM: Qualified student loan repayments include the repayment of qualified education loan amounts that are incurred by an employee to pay qualified higher education expenses. And one thing that plan sponsors might be excited about too, is that now under this new rule, an employee can self-certify that the payments have been made on such loans and that such loans constitute qualified higher education expenses. So it becomes a lot easier for the employers to administer this benefit.
0:08:51.8 AD: That does seem like a really great benefit, Michelle. I mean, it seems like there'd be real value both to the companies as you note and to their employees to adopt this benefit.
0:09:02.3 MM: Absolutely. I agree. I think that there will be a lot of interest from C-suite to offer this and show that the company cares about employees and is a forward-thinking place of employment. It's really something that companies should discuss with their advisors and think about speaking with vendors about to ensure that they can have this up and running for 2024 assuming that they want to do that.
0:09:25.3 AD: So on these matching contributions on student loans, may those be at a different rate than for the matching contributions for elective deferrals?
0:09:34.5 MM: The one thing that the legislation is clear about is that it has to be at the same rate both on the matching and on the student loan repayments. The two must mirror one another.
0:09:45.1 AD: Good to know. On a different topic, the catch-up contribution issue is getting a lot of attention. Could you explain those changes that are in 2.0?
0:09:56.1 MM: So catch-up contribution limit for 2023 is 7,500. That's the current catch-up contribution limit. The increased limit for participants who attain ages 60 through 63 during the year is going to be the greater of $10,000 indexed for inflation or 50% more than the regular catch-up limit. This is a required change if the plan offers catch-up contributions at all. So it's going to raise the limit to $11,250 for 2025.
0:10:28.5 AD: That's going to be important for, again, for the employees and the employers to keep track of. Tell us a little bit about the change in Roth contributions.
0:10:38.5 MM: Another change is the expansion of Roth contributions. So effective 1/2024, if an employee has wages in excess of $145,000 in the prior plan year then all catch-up contributions that are made to a 401(k) or a 403(b) plan by that employee are going to be subject to Roth contribution tax treatment. Catch-up contributions made by an employee with wages under the $145,000 indexed limit can continue to be treated as pretax contributions unless the employee affirmatively elects to have it treated like a Roth contribution. But for other employees, the change is going to be mandatory. So if they have over $145,000 in wages in the prior plan year, then their catch-up contributions will be treated like a Roth contribution.
0:11:25.9 AD: Would this force the plan sponsors to offer a catch-up to implement a Roth contribution feature?
0:11:31.9 MM: Yes, that is a really good point. This is going to force plan sponsors that offer catch-ups to implement Roth because to the extent that they have any employees that make more than $145,000 in the prior plan year, then they're going to have to implement a Roth feature. Another facet of the Roth contribution changes that is effective immediately is that SECURE 2.0 allows plan sponsors to provide participants with the option to receive matching contributions or non-elective contributions on a Roth basis, so on an after-tax basis. And this is an optional change and it applies only to matching contributions and non-elective contributions that are fully vested when contributed to the plan.
0:12:13.6 AD: Lots of information to digest. On another topic that I understand is in SECURE 2.0, could you tell us about the new emergency savings option?
0:12:23.9 MM: Sure. So SECURE 2.0 also adds an emergency savings option to be set within a 401(k) or 403(b) plan. Employees can be automatically enrolled, but it's at no more than 3% of their salary. And the portion of an account attributable to the employee's contribution is capped at $2,500 or lower set by the employer and indexed for future years. Contributions are made on a Roth-like basis and are treated as elective deferrals for purposes of employer matching contributions. And they must be invested on an investment option designed to preserve principal and offer a reasonable rate of return. The first four withdrawals from that emergency savings account each plan year may not be subject to any fees or charges solely on the basis of the employee having made the withdrawal.
0:13:11.2 MM: Basically, it's going to be pretty easy for employees to say, for example, their furnace goes out. They could easily just tell the employer that they need to make a withdrawal from their emergency savings account and it would be done. Another feature that I just note is that on termination, employees may take their emergency savings accounts as cash or they could roll it into a Roth defined contribution plan or an IRA. The last thing I just note about this is that the change is optional and it's effective for plan years beginning on or after January 1, 2023.
0:13:44.3 AD: That's really interesting. Do you think that adding this provision will likely reduce the number of hardship withdrawals?
0:13:51.4 MM: Absolutely. I think so. I mean, it's going to be so much easier for employees to make this withdrawal. It would definitely... The employees are going to tap into their emergency savings option before they tap into the hardship withdrawal provision. This is definitely something that employers might want to consider adding to their plans.
0:14:12.1 AD: I'd like to shift gears and talk now about the required minimum distribution rules as impacted by SECURE 2.0. I understand that that's a new rule that's going to have even broader applicability to both the governmental plans as well as the ERISA plans that you've been talking about.
0:14:29.9 MM: That's right, Ashley. These changes apply not only to the private and nonprofit plans governed by ERISA that I referenced in my earlier comments, but also governmental plans as you note. Prior to the original SECURE Act, the required minimum distribution age was 70 and a half. The original SECURE Act increased that age to 72 for people that were born on or after July 1, 1949. And then the SECURE 2.0 increases the RMD age to 73 for people who turn age 72 after 2022 and age 73 before 2033. For people who turn age 74 after 2032, the RMD age is now 75.
0:15:15.3 MM: This is a mandatory change. It's going to impact both defined contribution and defined benefit plans. One caveat is that if you are a defined benefit plan and want to retain a younger forced out age, you can still do so. This avoids the actual increase that applies at 70 and a half. Also effective January 1, 2024, participants will not be required to take RMDs on Roth contributions that are held in their retirement plan. And this impacts both 401(k), 403(b) as well as governmental 457(b) plans. Also effective immediately, the penalty for failing to take an RMD is going to decrease from 50% of the amount of the missed RMD to 25% of that amount.
0:16:00.7 AD: Well, that's a lot of changes to RMDs and I'm sure plan administrators are going to be considering how to effectively communicate this information to their employees and their members generally in these governmental plans. Another topic I understand SECURE 2.0 addresses is cash out limits. Could you tell us about those?
0:16:22.1 MM: Sure. Under current law, 401(k) and 403(b) plans can automatically cash out participants and beneficiaries who have balances of $5,000 or less, provided the balance exceeding $1,000 and up to $5,000 must be rolled over to an IRA established in the participant's name. So SECURE 2.0 allows an optional change. This change goes into effect January 1, 2024, if employers elect it and it would increase the automatic cash out limit from $5,000 to $7,000. SECURE 2.0 also allows an automatic portability provider to automatically transfer a participant's balance from a default IRA established after an automatic cash out into a defined contribution retirement plan sponsored by the participant's new employer, unless of course the participant affirmatively elects otherwise. So this again is an optional change and we're expecting some DOL guidance on this provision shortly.
0:17:16.0 AD: Let's talk about changes to the hardship rules. Those have changed under SECURE 2.0 as well, right?
0:17:23.5 MM: That's correct. Beginning in 2023, employers may rely on a written representation from a participant confirming that a hardship request meets the plan's need and amount requirements. So before this, it was a lot more difficult for employers to ascertain whether the amount that the participant was requesting met the requirements of a hardship withdrawal. In order to constitute a hardship withdrawal, the employee must have an immediate and heavy financial need and the distribution must be limited to the amount "necessary to satisfy" the financial need. This self-certification is permitted as long as the employer has no actual knowledge to the contrary, and the employer may also use one of two other methods if desired. They could use the traditional substantiation method. So that would be to obtain the actual source documents that substantiate the need for the distribution or the summary substantiation method, rely on a participant's provided summary of the financial hardship.
0:18:26.7 AD: Michelle, is there any guidance as to what types of events would allow someone to establish that they have an immediate and heavy financial need under this rule?
0:18:35.2 MM: So the seven events that establish immediate heavy financial need are for medical care, costs related to purchase of primary residence, tuition payments, payments necessary to avoid eviction, funeral expenses, expenses to repair the principal residence, or expenses resulting from a federally declared disaster.
0:18:55.3 AD: Well, that's all very good to know and important for people who need those funds. I understand that SECURE 2.0 also modifies distribution rules applicable in the event of a federally declared disaster, is that right?
0:19:09.6 MM: That's correct. Under the new rules, if a participant is impacted by a federally declared disaster, she can request a distribution of up to 22,000 from her retirement. This distribution is not subject to the 10% early distribution penalty tax and it can be taken into income over three years. And the participant has the ability to repay this distribution to the retirement plan in a later year. SECURE 2.0 also allows plan sponsors to increase the maximum loan amount that is available to a participant in the event of a federally declared disaster to $100,000 or 100% of the participant's account balance if that amount is less.
0:19:50.1 MM: Plan sponsors can also extend the loan repayment period for such participants by one year. And these changes are effective immediately and they're optional. However, even if the plan sponsor does not implement these changes, a participant could still avoid the penalty tax by completing his or her tax return to indicate that it was used for hardship or a federally declared disaster.
0:20:12.8 AD: Aren't there other exceptions to the distribution penalty, for example, with terminally ill individuals?
0:20:19.1 MM: So that's correct. Under SECURE 2.0, there are some additional exceptions to the 10% early distribution penalty tax that would otherwise apply for distributions taken by terminally ill individuals, as you mentioned and then also in certain emergency circumstances and where a limited withdrawal is taken by a victim of domestic abuse. For the latter two, for the emergency expenses and the victims of domestic abuse, that change is not effective until January 1, 2024.
0:20:50.4 AD: But the change for distributions taken by terminally ill individuals are effective immediately, right?
0:20:56.2 MM: That's correct. The penalty tax exemptions apply for both defined contribution and defined benefit pension plans and the participants must have the ability to repay these distributions to the retirement plans too.
0:21:10.9 AD: Michelle, what if a plan sponsor doesn't adopt these changes? Could a participant avoid the 10% penalty tax and take the amount into income over three years just simply by completing his or her tax return and indicating there that the distribution was due, for example, to a federally declared disaster?
0:21:28.5 MM: So that's correct, Ashley. The participant could still avoid the changes. So even if a plan sponsor decides not to amend the plan to allow the early distribution, an employee could still avoid that 10% distribution penalty by just indicating on their tax return that the amount was used for one of these reasons.
0:21:47.7 AD: Good. That's important to note. I understand that SECURE 2.0 has made some miscellaneous other changes for ERISA plans in particular relating to participant notice provisions. What are those changes?
0:22:01.0 MM: So that's correct, Ashley. Under SECURE 2.0, defined contribution plans must provide one paper statement every year and defined benefit plans must provide one paper statement every three years. And this change is less burdensome than what was previously in effect. It's a mandatory change. It's effective December 31, 2025. These plans are no longer required to provide paper communications to people who have elected to receive electronic communications.
0:22:29.7 AD: But again, this is applying to ERISA plans specifically, not governmental plans, correct?
0:22:35.1 MM: That's correct. This is only applying to ERISA plans. Another change that is implemented under SECURE 2.0 is that the DOL is going to be creating a lost and found database that's going to reunite missing participants with their retirement funds. This database will cover both defined contribution and defined benefit plans and it will enable individuals who lost track of their 401(k) or 403(b) plan accounts to search their plan administrator's contact information and hopefully reunite the participant with their missing monies. The DOL has two years to create this database.
0:23:10.8 AD: That's so interesting, Michelle. Is this database something that might help governmental plans as well who are looking for members?
0:23:19.6 MM: I'm uncertain about that. I don't know whether the DOL would have access to the information enough to include governmental plans in the database, but I don't know exactly how the DOL is going to collect the information necessary to complete this database from other plans. So it will be interesting to see.
0:23:40.6 AD: Great. All right. Michelle, along the lines of the other miscellaneous changes in SECURE 2.0, I understand that there also is a change in the IRS correction program. Could you tell us about that?
0:23:58.1 MM: Sure. This is another change that I think plan administrators are going to be excited about. It's a change to the IRS correction program and the change currently, it's only directly applicable to plans governed by ERISA. However, they also may provide some comfort to administrators of governmental plans that the IRS is taking a broader view of permissible means by which the errors made in the administration of the plans may be corrected. Specifically, the Employee Plans Compliance Resolution System, or EPCRS, is expanded to allow more types of errors to be self-corrected and to cover IRA errors.
0:24:33.9 MM: So plan fiduciaries are not required to recover inadvertent overpayments that are made to participants and beneficiaries, assuming the plan complies with the applicable tax limitations on benefits and the minimum funding rules. So if the plan fiduciary does not seek recovery of the overpayment, the participant may treat the overpayment as eligible for tax-free rollover. In addition, as the plan is governed by ERISA, the IRS is not prohibiting recovery of inadvertent overpayments from participants and beneficiaries for periods in excess of three years.
0:25:04.8 AD: Well, that's really interesting. So basically inserting a statute of limitations concept into the collection of overpayments, is that right?
0:25:12.5 MM: That's correct.
0:25:14.2 AD: These changes under EPCRS, are those effective immediately?
0:25:17.5 MM: Yes, that's correct. These changes have already taken effect, but the IRS hasn't updated the guidance yet and we anticipate that they'll do so within the next two years.
0:25:28.9 AD: Michelle, the anticipated change in EPCRS is really interesting and important. Could you please share any thoughts you may have on how this change may or may not impact error corrections by governmental plans?
0:25:41.5 MM: Sure. So regarding governmental plans, given that EPCRS is being revised to incorporate requirements of SECURE 2.0, we expect the IRS to approach the inadvertent overpayment topic with the same policy perspective as it has with private and nonprofit plans. That is, we expect the IRS to confirm publicly that plan fiduciaries may not be required to recover inadvertent overpayments made to participants and beneficiaries, but rather that any such losses to the retirement fund may be collected through additional contributions by the participating employer, which typically would be made through a direct payment or inclusion of payments towards the unfunded actuarial accrued liability of the fund. This approach has been permitted on a one-off basis from governmental plans previously, but it will be extremely useful to have that approach reflected in EPCRS itself.
0:26:30.9 AD: That's true. That's a really interesting and helpful development. Finally, in this miscellaneous change category, I understand that there's a savers credit notion within the SECURE 2.0.
0:26:44.4 MM: Yes. The savers credit under current law is going to be replaced with the retirement plan match. Under the revised program, qualifying low-income individuals who make contributions to their IRA or employer-sponsored retirement plan will receive a federally funded matching contribution to their IRA or retirement plan account of up to $2,000. And that change takes effect January 1, 2027.
0:27:06.0 AD: Michelle, this is such helpful information you've provided to our audience on a topic that is of great interest to so many administrators of plans that are impacted by SECURE 2.0. I appreciate learning from you and I hope our audience did as well. Thank you for joining me today. And thank you to all of our listeners for joining us for this episode of Pensions, Benefits & Investments Briefings. For additional information on this topic and other pension issues, please do visit our website at Nossaman.com. Don't forget to subscribe to Pensions, Benefits & Investments Briefings wherever you listen to your podcasts so you don't miss an episode. Until next time.
0:27:50.4 Speaker 2: Pensions, Benefits & Investments Briefings is presented by Nossaman LLP and cannot be copied or rebroadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only. It is not intended as legal advice and does not create the attorney-client relationship. Listeners should not act solely upon this information without seeking professional legal counsel.
[music]
- What Public Retirement Systems Need to Know Now About Changes to Actuarial Standard of Practice No. 4
On February 15, 2023, changes to Actuarial Standard of Practice (ASOP) No. 4 will be effective, and defined benefit plans will need to comply with these new rules in all actuarial funding valuations with measurement dates after the effective date. In the latest episode of Pensions, Benefits & Investments Briefings (formerly Public Pensions & Investments Briefings), Ashley Dunning welcomes Graham Schmidt, an actuary with Cheiron, and Todd Tauzer, an actuary with Segal, who explain three significant changes arising from the new ASOP and discuss some of the implications of those changes.
Transcript: What Public Retirement Systems Need to Know Now About Changes to Actuarial Standard of Practice No. 4
0:00:00.0 Ashley Dunning: The ASOPs dictate, in large part, the information to be included in a defined benefit plan's actuarial valuation. ASOP No. 4 is changing some of those rules and those who administer and oversee such retirement systems should take note.
[music]
0:00:25.8: Welcome to Public Pensions & Investments Briefings, Nossaman's podcast, exploring the legal issues impacting public pension systems and their boards.
0:00:47.6 AD: My name is Ashley Dunning and I'm co-chair of Nossaman's Public Pensions and Investments Group. In this episode of Public Pensions & Investments Briefings, we talk with Graham Schmidt, an actuary with Cheiron, and Todd Tauzer, an actuary with Segal, who will explain three significant changes arising from the new ASOP and we'll discuss some of the implications of those changes. Todd, why don't we start off with you to give us a little bit of overview on this change?
0:01:19.5 Todd Tauzer: Sure, I'd be happy to, thank you, Ashley, for having us here today. It's good to be on this podcast. For the Actuarial Standard of Practice number four, the ASOP 4 that we're talking about today, it's called measuring pension obligations and determining pension plan costs or contributions, which is a mouthful. But if you think about the two things, it's talking about, measuring pension obligations or you can think of it as liabilities and then determining pension plan costs or contributions. That is the core element of what an actuary does when they provide an actuarial evaluation to a pension system. So, we like to call this ASOP the mother of all ASOPs for pension plans because of how central it is to the work we do. And if I take a step back for a minute, just on the actuarial profession as a whole, we are not a practice that is governed by some external body like the SEC.
0:02:11.0 TT: We have an internal group of actuaries. It's called the Actuarial Standards Board, or ASB for short, and that's a nine member group of actuaries that helps evaluate and then eventually provide and finalize standards of practice for actuaries related to all the different areas of work that we practice in. Under the Actuarial Standards Board, there are different committees that help work with the standards board. And included in that there's a pension committee. So, this ASOP 4 is coming up through the pension committee and it's finalized with the Actuarial Standards Board. It went through a variety of revisions along the way. They would send out a version or a proposal and they'd get a lot of comment letters back from actuaries, and then we'd go back and forth quite a bit. And then they ended up on this final version that we see, this version is effective February 15th, 2023. The last time it was revised, ASOP 4, was December of 2013. So, we have almost 10 years since this has changed in any way, shape or form and many things here have stayed the same, but there are some notable changes and that's why we're here today and I'll turn it over to Graham to talk about those changes.
0:03:19.4 Graham Schmidt: Yeah, thanks Todd and thanks Ashley. It's good to be here. Yeah, there are three main changes that Todd and I are going to talk about today in terms of this current Actuarial Standard of Practice. The first is a requirement that plans as part of your annual actuarial funding valuation. You have to include what's known as a reasonable, actuarially determined contribution and we'll go into the specifics of what we mean by reasonable. I also want to point out throughout this conversation, we're going to start using acronyms, because we're actuaries and we love acronyms. But for this one we're going to call that one the ADC. So, the actuarially determined contribution. So again, with any funding valuation, we are going to be required to calculate and disclose this measure. Then we're also going to need to talk about the implications of both your funding policy and this contribution allocation procedure.
0:04:10.5 GS: When I say contribution allocation procedure, I'm talking about the method by which we come up with the ADC. So, what are the processes that we use to come up with that Actuarially Determined Contribution? And we have to talk about, what are the implications of the plan's funding policy and this reasonable ADC in terms of what do we expect to happen in the future to the funded status of the plan, when we compare the assets and liabilities, and what do we expect to happen to the contributions of the plan in the future. Finally, the biggest change affecting public plans is the new requirement to disclose what's known as a low default risk obligation measure. And again, with our love of acronyms, we've come up with a new one, the LDROM, and we'll get into specifics about this one later in terms of how is this measure calculated and what does it mean? But this is the one true thing where it's really a very new requirement for public plans to include this in your funding valuations.
0:05:08.5 AD: Thank you Graham, for that overview of the three significant changes we'll be talking about today. We'll turn it back to Todd now to dive a little deeper into the reasonable ADC. Todd?
0:05:19.9 TT: Thank you Ashley, and I'm happy to talk about this reasonable ADC. I think even though it doesn't have as big implications as potentially the LDROM might have, I think it's still a very important change and a positive change that we're seeing through this ASOP. There's a little background here on my perspective, I'll keep it as short as possible. Prior to Segal, I worked for S&P, I was hired by S&P to evaluate pension plans across the country and evaluate the decisions that have been made in the past and the contributions that were being made today, and what would that look like in the future? What would that result in terms of future contribution rates? What would that result in terms of future funded status and concept of future plan health? And when evaluating the contributions in particular, this is related to the ADC, we would ask three questions.
0:06:07.9 TT: The first would be, are plan sponsors paying what they're told to pay by the plan. Second one is, if they are, then is that based on an actuarially determined contribution or is it based on something else? There could be a number of other things that they could use to set the contributions coming to the plan. And then finally, if it is also an actuarially determined contribution, how effective is that actuarial contribution in paying off the unfunded liability over time? So, we had these three considerations and they were actually pivotal for understanding plan trajectory over time. And when you combine those three and you're looking for how effective the actuarially determined contribution is at paying off the unfunded liability over time, you can almost just replace that word effective with reasonable. How reasonable is that actuarially determined contribution in funding the plan over time? So, that's the idea behind this reasonable ADC that we have here.
0:06:58.9 TT: Whenever we're performing an actuarial evaluation, whether or not this reasonable ADC is going to be used to actually fund the plan or not, we now must calculate and disclose it within the actuarial evaluation. Doesn't matter if the plan is a fixed rate plan and just pays 15% a year and hopes for the best, or if they're targeting 90% funding, no matter what they're doing, they still have to calculate and disclose this measure. So, this breaks down into a few different components. The first is, well, we need to use a cost method. That cost method allocates the cost of funding the plan over different periods of time, and most plans use the entry age normal and that's completely fine for a reasonable ADC. So, I don't think we need to spend more time on that. The second one is asset smoothing. Many plans use asset smoothing within their valuation.
0:07:45.9 TT: You may have heard the term actuarial valuation of assets. The idea here is to mitigate a lot of that volatility that we see in the markets, from year to year, through a smoothing mechanism and here what the reasonable ADC says is any asset smoothing that you use, if you're using, for example, an actuarial value of assets, it must fall within a reasonable range of the market value of assets. It also says any differences between the actuarial value of assets and the market value of assets must be recognized in a reasonable period of time. So, you're going to hear this word reasonable a lot throughout this discussion. Actuaries love to use this term, it's a beautiful term of art, where there's a little bit of wiggle room, but there's not too much wiggle room, if you're using reasonable. So, cost method, asset smoothing.
0:08:35.3 TT: The next component is amortization. Of course amortization is how we pay off the unfunded liability over time and work towards fully funding a plan. Now the requirement here is that the amortization that is used, either must pay off the unfunded liability in full over a reasonable period of time, or it must reduce the unfunded liability by a reasonable amount in a sufficiently short period of time. The idea here being, "Hey, we're either paying this thing off and we're paying it off in full over a certain amount of time that's not too long." Or if that's not the plan then in any given year or any given short amount of period of time, we should be paying off a chunk of it. And so, those are the two ways by which we can fulfill having a reasonable ADC in terms of the amortization.
0:09:19.6 TT: And then the final component worth mentioning is output smoothing. And, I guess, a little guidance around output smoothing, now what output smoothing is, is when we have a change in an actuarially determined contribution, and let's say it's going up and maybe it's going up significantly, well, output smoothing says, "Well we can take a little bit of time to get there, we can smooth in that change over a couple years or a few years." This is one example at least of output smoothing, and you most commonly see this if there's a large experience study and that experience study is going to lead to a significant change in the actuarially determined contribution. In that case we might say, "Hey, we're going to get to this ultimate new contribution rate, but for budgetary purposes, let's smooth that in over two years or three years to give a little bit more predictability and time in getting there." So, there's some guidance and the primary disclosure requirement from the ASOP is that, if you're going to use output smoothing, you also must disclose what the original actuarially determined contribution was without output smoothing.
0:10:17.4 TT: So, you don't have to use that, but you have to disclose it. So, you've got both sets of information in front of you. So, the conclusion here with the reasonable ADC is that it's required, it must be calculated, it must be disclosed, whether you use it or not, gives guidance over multiple things, the cost method, the asset smoothing, the amortization, even output smoothing. And again, the point here is that we can have this additional reasonable, actuarially determined contribution to be compared against. So, we can compare whether it's comparable to the actual contribution being made or perhaps one is higher or lower and what the long-term implications of that is.
0:10:54.0 AD: That was really helpful, thank you. Coming at this discussion, as a lawyer who's heard a lot of actuarial evaluation presentations over the years, primarily in California, elsewhere too, but focusing on California for the moment, a lot of the terminology you've used is familiar in the sense that in actuarially funded plans these methodologies are presented. In my experience, I've seen them discussed and adopted. In those circumstances where you've been working with a plan that every year has had their actuary determine or recommend a contribution rate that is actuarially based, are we going to see a material or even any difference in the calculations, do you think, as a result of this reasonable ADC requirement?
0:11:44.1 TT: Yes, actually that question is spot on and that's a very good point here. So, the short answer is, no, we won't see any change. Those that fund on an actuarially determined basis and then specifically on a reasonable actuarially determined basis, they can continue to do exactly what they've already been doing. And that's true for the vast majority of plans, as you indicated in California. The rest of the country, there's more of a mix of the plans that we see. Some, they're doing exactly that same thing and others maybe not so much. So, there might be some more transparency and clarity out there, particularly in the rest of the country for some of these plans and what contributions are being made.
0:12:21.7 AD: Thank you, that's helpful. Turning to you, Graham, if you could talk with us more about the second significant change that we're discussing today, which is the implications of the cost allocation procedure and funding policy, provision of ASOP No. 4.
0:12:39.2 GS: Thanks, Ashley. So, one of the things that's required in this, in the update of the ASOP is to communicate how this reasonable actuarially determined contribution is going to affect the plan's funding status and contribution requirements in the future. If you are not making an actuarially determined contribution, so as Todd pointed out, there are some plans out there that are just doing a fixed contribution rate, it's not necessarily related to the actuarially determined contribution, you may have to talk about the implications of that policy itself on your funding requirements and your funding status. So, the standard requires a qualitative analysis, not necessarily quantitative. So, there's not a specific set of numerical projections that you have to include in the valuation report, with a few exceptions that I'll come back to. But at the baseline it does require that the actuary has to make a statement as to how this funding policy or the contribution allocation procedure is going to affect the contributions and funded status.
0:13:43.8 GS: But as I said, there are a few things that are required, and some of these are new requirements. You are supposed to estimate how long it will be until this policy results in a contribution that exceeds the normal cost plus the interest on the unfunded liability. Now, we sometimes refer to this as the tread water amount. Basically this is the amount that needs to be contributed to the plan in order for the unfunded liability to remain stable from year to year if all of your assumptions are met. So that the normal cost is the cost of the benefit that members are earning this year, for the active members. And then you have that interest on the unfunded liability. So, if you're just covering the interest on the unfunded liability and the cost of new benefits, that should be enough to keep the unfunded liability even from year to year.
0:14:36.2 GS: If you fall below that level, it's known as negative amortization. And what the standard requires is that you have to disclose if you're in negative amortization and if you are, how long you're expected to be there. So now, what could cause you to be in negative amortization? Well, as Todd pointed out, there are some plans that are just making a fixed contribution. It's not necessarily tied to what the actuarially determined contribution is. In that case, if you're not covering the interest on the unfunded liability plus the cost of new benefits, there'll be a negative amortization. There are other plans that may be contributing an actuarially determined contribution and maybe even a reasonable actuarially determined contribution. But if the amortization periods are long enough and you have an unfunded liability, it may be that at least for the next few years, you may not be contributing enough to cover the interest on the unfunded liability and that normal cost.
0:15:30.4 GS: So, there may be plans that have a perfectly good ADC and a perfectly good funding policy, but they may still find themselves in a negative amortization period for a certain period of time. They're going to be needing to make a disclosure to that effect in the report. We are also required to estimate the time until the unfunded liability is expected to be paid off. So, for a lot of plans, particularly plans that have a fixed amortization schedule, this is going to be a very easy thing to do. You just look at that amortization schedule and you see when the unfunded liability is expected to be paid off. There are some plans that use alternative modes of amortizing their unfunded liabilities, something known as a rolling amortization period. Well, essentially what you're doing is refinancing the remaining debt each year over a new period of time.
0:16:14.7 GS: If you're taking that approach, then the technical answer to the question of when is this unfunded liability going to be paid off? The answer may be never, because you may be paying off a chunk of that unfunded liability each year, but each year you're pushing out the date at which you're expected to pay off the full unfunded liability. As Todd said, that can still result in a reasonable actuarially contribution as long as you're paying off a reasonable chunk of the unfunded liability. So, that means that if you got into a situation where you had a plan with a rolling unfunded liability amortization policy and it was long enough that you weren't making a significant payment towards the unfunded liability, if you were in a negative amortization situation, you're not going to be able to provide a good answer for that question of when is that unfunded liability going to be paid down?
0:17:04.1 GS: So, and again, in that case, you'll need to have some additional disclosures in your report and even in as a baseline, you have to show when that unfunded liability will be paid off. Finally, we need to disclose if the funding policy or that contribution allocation procedure is expected to result in the plan running out of assets before all promised benefits are expected to be paid. Now this is not entirely a new requirement within the ASOP. The ASOP always, you had to make a statement if your funding policy wasn't going to be expected to result in sufficient assets to pay benefits. But we also need to now estimate the approximate time that would occur if your policy is not going to be expected to be able to cover those benefit payments.
0:17:47.2 AD: Graham, thank you for that explanation. It's interesting that this new provision is requiring a qualitative assessment by the actuary and then some metrics around topics that have gotten attention over the years, such as negative amortization, but generally have been viewed, at least in California, as permissible within reason. Is there something to be discerned from this new rule or new standard different from that history or not?
0:18:20.3 GS: It's not necessarily different. Reasonable actuarially determined contribution contains still a fair amount of wiggle room in terms of your actual contributions. Just because you have negative amortization does not mean that the plan is not being financed appropriately. You could have negative amortization period that only lasts for a few years and then you could still pay that unfunded liability down over a reasonable period of time. It does put a little more in terms of guardrails up there though, that if you had a policy in place that was expected to have that negative amortization for a long period of time and you're not going to be making any progress towards paying down that unfunded liability, it really is going to result in these additional disclosures. While I think negative amortization isn't necessarily a negative event, it does put some parameters around that, that if it's not something that you're going to get out of at some point in time, you're going to have to show some additional things to show what the consequences of that are going to have to be, on your plan.
0:19:22.0 AD: Todd, turning to our final significant change, the LDROM, I think, one of you noted earlier that this is most significant of the three for purposes of the public pension plan community. So, go ahead and tell us about it, and I think both of you will be talking about this one, so thank you.
0:19:38.0 TT: Sure. So, I'll start with some of the basics, and you're right, this is probably the most significant for public plans, and it also was the one that created the most back and forth between actuaries and the standards board. When we're going through iterations and doing exposure drafts and comment letters, there is a whole bunch of comment letters related to this LDROM. So, LDROM is our low default risk obligation measure, and it requires the actuary to calculate and disclose, essentially what I'd call an additional assessment of liability or an additional assessment of the obligation, the way that it's written. But this is supplemental to the normal funding, the actual accrued liability that the actuary is already calculating and putting into your actual evaluation. And really to make the point here, all of what Graham and I are discussing with all three of these, the new standard of practice does not require us to remove things that we are already putting in the actual evaluation.
0:20:34.0 TT: It doesn't really change any of the base information that you'll be getting in the actual evaluation. It simply adds additional disclosures and potential disclosures on top of it. And this LDROM is one of those additional disclosures that are required. So, with the LDROM, we can use the same, I mentioned earlier, the cost method used, we can use the same cost method that we use in the funding valuation, which again, for the vast majority of our plans is entry age. But then when we get to the discount rate, which of course the discount rate is looking out at benefits to be paid in the future and discounting them back to the present, so that we can get them to base what we'd call a present value of future benefits. So, that discount rate is actually very important. If a discount rate is high, well, a lot of discounting happens and costs are anticipated to be lowered today.
0:21:25.7 TT: And if the discount rate is low, well, not very much discounting happens and the costs are higher today. So, with LDROM, this requires the discount rate used for that calculation to be derived from low default risk fixed income securities, where the cash flows from those securities are reasonably consistent with the pattern of benefits expected to be paid by the pension plan in the future. So, we've got this comparability between the cash flows of the securities, and the cash flows of the benefit plans, and it gives a couple examples of what kind of securities they think could fulfill this requirement even directly in the ASOP. One example they use is US Treasury Yields. Another one is highly rated corporate bonds or even highly rated municipal bonds. Basically, any security that has very low default risk. And then of course with that low default risk comes very low expected return.
0:22:22.9 TT: So, we'll talk about that more in a minute, but that's important to keep in mind as we go through this. So, that's really the whole idea here. We have a new obligation or liability measure. The only necessary change to that measure is using a discount rate that is based on low default risk fixed income securities, and based on the present market and the way things are looking, that discount rate would be significantly lower than what we see today. The final thing to mention before I forget, is if your plan has variable aspects to it, it gets a bit more complicated in how to potentially calculate this measure. We're not going to use this podcast to go into those details, but if your plan has significant variable features, you may be having a discussion with your plan actuary to figure out how to handle all of that.
0:23:05.8 AD: Thank you, Todd. Graham, can you tell us a little bit about some implications you see from this LDROM figure?
0:23:16.6 GS: Sure. First and foremost, the biggest implication is going to be, there's now going to be this much larger liability number included somewhere in the valuation report. So, we've done some sample calculations for some of our clients, and in some cases the numbers are something like 40 to 50% higher than the traditional actuarial liability measurement. And Todd talked about the differences in discount rates and so forth where traditional valuation report for a pension plan might have something like a 7%, I assume, greater return on their assets, which they then use as their discount rate. If you're talking about this low default risk obligation measure and you're talking about yields on bonds, you might be looking at something like a 4% expected return. So, the difference in using those discount rates can increase your liabilities by 40 to 50%. But it's really going to be important, and we're going to talk about this is, is how do you put that number into context and what does it actually mean?
0:24:12.8 GS: One thing we also know is that this measure is likely to bounce around a lot as interest rates change. So, if we had started to put this number in our reports a couple of years ago when interest rates were near zero, those liability measurements could have easily been double what the traditional liability measurement was. Not 40 to 50% higher, but double. Now that interest rates have gone back up over the last 12 months and we're, look, significantly from where they were, the impact is not quite as high as it would've been, but we're still seeing, again, much higher liability numbers compared to the traditional measure. And that's going to be really important for plans as they add these measures into their reports to put them into context.
0:24:57.8 AD: Speaking of context, Todd, could you talk to us a little bit about various ways to interpret reports that have this figure in it? I think the audience will be really interested in understanding both how this type of measurement already is used in some circumstances, and then also how to respond to the observation that Graham just made, which is that this number may be much higher than what they're used to seeing in actual evaluation reports, in reporting on liabilities.
0:25:25.8 TT: If I start by taking a step back and look back to the Actuarial Standards Board, remember this all starts with the standards board and starting with the disclaimer, of course, I cannot speak for them, I'm not representing them here, but I get the feeling that at least at some level, there's a concept here of looking at this from an LDI type perspective. Now it's another acronym, liability driven investing. And so, the idea is, "Hey, if you compare securities with similar cash flows to the cash flows of the benefit payments coming out of the plan and you use discount rate that's comparable between the two, then you get a pretty decent idea of what the cost of the plan would be with very little market risk, at least very little default market risk or as the low default risk obligation measure."
0:26:11.3 TT: So, if I said that more succinctly, the LDROM shows an assessment of liability, if the plan were to fund exactly the way they are now, except that on the investment side, they're only invested in low default risk fixed income security. So, you just sell off the entire current portfolio and then you go out and buy a bunch of treasuries or a bunch of high grade corporate or municipal bonds, and then you take the discount rate based off of that and you do your measurement of your obligations, then you could go forward from there and set actual costs. It's worth mentioning the LDROM does not require us to actually calculate costs on this measure, it's just to calculate the obligation or the liability side. But if you were to do that, then you'd get an idea of what Graham was talking about, with the 50% or a 100% extra cost that you'd see in terms of total liability to the plan.
0:27:00.4 TT: Another way to look at it is if you turn that on its head, and if we were to calculate the LDROM and then compare it to exactly as plans are funding today, with the discount rates that they're using today, with the diversified portfolio. The difference in liability between those two plans is exactly what the plan is attempting to or expects to save taxpayers over time by investing in that diversified portfolio, by taking advantage of the range of stocks in real estate or whatever else they're investing in and taking advantage of that compounded return over time. It's worth mentioning, on top of just talking about possible interpretations, it's worth mentioning that some plans already do use a form of the LDROM in some circumstances. For example, I know multiple plans where there's a provision that allows particular plan sponsors, or what we call them, employers, particular employers, to terminate from the plan, which means they leave the plan and they don't have any further risks.
0:27:55.3 TT: The plan can't go back to them later and say, "Hey, you owe us more money because investments went poorly, or whatever else happened." So, if they leave the plan, terminate and take no risk with them, then the plan turned around and said, "If you're going to leave with no risk attached to you, we're going to invest your assets in as a low risky portfolio as we can. So, we're going to invest them in low default risk securities." In essence, it's exactly what this LDROM is calculating, is we're going to turn around and invest in such a way that we're basically taking risk off the table so you can pay for all that risk upfront and then you can leave scot-free and never talk to us again. So, that actually does exist out there today, and that's maybe not so much an interpretation, but an example of practical application of a measure such as this.
0:28:42.1 AD: Thank you for that discussion. Your comment about the benefit to taxpayers of the retirement systems having a diversified portfolio made me also think about it in terms of the members of these plans, because wouldn't it also be fair to say that if the expectation were that the plan would not diversify its investments and were only to invest in very low risk bonds, that you'd have to assume a much lower rate of return for purposes of your discount rate, which would, correspondingly, require quite a bit higher normal cost contributions by your members. So in effect, everyone is benefiting from having a diversified portfolio that reasonably anticipates a higher rate of return. What this number shows is what would happen if you did not do that, in a sense.
0:29:42.0 TT: That's exactly right, and that's particularly true after PEPRA, as we've had more and more employees, for example, paid 50% of the normal cost. Well, if the normal cost is going to be quite a bit higher, then those employees are going to be on the hook for a much, much larger cost as well. So, exactly to your point there, Ashley.
0:30:01.8 AD: Thank you, Todd. It sounds like what you've described is really a termination liability and you're needing to include that in the valuation, not necessarily characterized as that, but if I'm understanding you correctly. And then secondly, would it also be fair to say that what you're really measuring is the opportunity cost or the opportunity benefit of a diversified portfolio? So, the actuarial value of assets and liabilities that you're currently calculating is based on a diversified portfolio, but if the system were to not do that, it would cost a lot more money both to taxpayers and then if you incorporate that idea into how you set your discount rate and assume a much lower discount rate, it also impacts normal cost, which impacts members. Is that a fair way of thinking about this?
0:30:53.4 TT: Yeah, there was a lot in there, but I agree, if I take your latter statement first, completely right, it's definitely showing the benefits of that investment in a diversified portfolio. Of course, there are risks attached to it as well, and those risks have to be understood, but it is showing the long-term benefits, both for the employers, the plan sponsors, and the members who are also going to be shouldering part of the contribution burden over time. The first thing you said in terms of a termination liability, you're absolutely right. A termination liability would, if that was being calculated, it would fit this requirement of the LDROM. I mentioned before that on an actuarial cost method basis, that the LDROM allows you to use the current cost method for the plan. And so, that's usually entry age and it's usually based on assuming ongoing funding and all of that. You might handle that a bit differently on a termination basis, you might use a different cost method. You might not allow for anticipate future salary increases or service or any of that. So, that might change a little bit, but certainly calculating it on a termination basis still fulfills this requirement of the LDROM.
0:31:57.5 AD: Thank you. Graham, why don't you step in here with some final comments about LDROM and maybe some concerns about this particular disclosure obligation, if you have them.
0:32:08.9 GS: Sure, Ashley. There are certainly some concerns. As we expect to see these much larger liability numbers go into public valuation reports, we certainly expect that some observers are going to pounce on this number and point it out and say that public plans have been trying to hide the "true liabilities of the plan." But the standard itself actually addresses this head on. In the introduction, it explicitly says, and I'm going to read it here, "The calculation and disclosure of this additional measure is not intended to suggest that this is the 'right liability measure' for a pension plan." So, it's explicitly saying that this is not the one true measure that you should look to for the liability. And as we've been discussing, this does not represent the funding target for most public pension plans. Public pension plans are not invested in a 100% treasury bond portfolio.
0:33:01.8 GS: So, what it's really trying to get at is, more in terms of what's the investment risk that your plan is taking on and how you go about quantifying that, at least compared to a 100% fixed income portfolio. But there are a lot of other ways to quantify risk, many of which are already used by public plans. Several years ago, the Actuarial Standards Board released a different ASOP, ASOP 51, which really dealt with the assessment and disclosures of risks associated with pension plan. And the standard provided guidance to actuaries, in terms of coming up with different ways to measure risks and doing what this ASOP is requiring and comparing your traditional liability measure to something akin to an LDROM, that was included as one possible method for assessing risks, but the standard did not require it, and it also had other possible methods as well, some of which I think are probably more effective at getting at the actual risk faced by your individual pension plan.
0:34:05.0 GS: Because what this risk measure does is it's just telling you, "Well, what would it cost if you invested with no default risk or very low default risk?" But that's not what plans are actually doing. So, if you wanna get a true picture of investment risk in your plan, you probably need to look at some kind of measurements that actually take into account what you are actually invested in. What is the riskiness of your investments? That's not going to be told to you by just looking at this LDROM measure. So, I think one of the concerns is that this is being pointed out as the one true measure that tells you everything you need to know. And clearly I think it does not. It's not even necessarily the best measurement for looking at the risk of your individual plan.
0:34:49.9 GS: I would point out that in terms of where this number is going to show up in a lot of val reports, when this new ASOP 51 went into place about assessing risk, a lot of actuaries added sections to their val reports that started talking about different assessments of risk. So, I think this is probably a natural home for it in terms of valuation reports. So, you'll probably, in your conversations with actuaries, you'll probably hear them suggest that this might be one place that you put it, and it's a place that you can put the correct context around it. You're actually explaining what does it mean in terms of our outlook on risk and how it affects our plan.
0:35:27.6 AD: Thank you for that context. Really good session to both of you. Thank you, Graham. Thank you, Todd, for your time. I learned a lot, and I hope our listeners do too when they listen to this podcast. And thank you to our listeners for joining us for this episode of Public Pensions & Investments Briefings. For additional information on this topic or other public pension issues, please visit our website at nossaman.com. And don't forget to subscribe to Public Pensions & Investment Briefings wherever you listen to podcasts, so you don't miss an episode. Until next time.
[music]
0:36:02.3 Speaker 2: Public Pensions & Investments Briefings is presented by Nossaman LLP, and cannot be copied or rebroadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only, is not intended as legal advice and does not create an attorney-client relationship. Listeners should not act solely upon the information without seeking professional legal counsel.