Is the Fiduciary Rule’s Private Right of Action a Greater Threat than DOL Enforcement?
The Department of Labor (DOL) released a temporary enforcement policy ahead of its recently enacted Fiduciary Rule, which went into effect on June 9, 2017. This policy states that the DOL will not pursue claims against fiduciaries who make a diligent and good faith effort at compliance until the end of the Fiduciary Rule’s transition period on January 1, 2018.
Financial advisors who believe that good faith attempts at compliance will eliminate exposure associated with the Fiduciary Rule should be aware that most Fiduciary Rule provisions came into full effect on June 9, 2017. Moreover, the Fiduciary Rule includes a robust private right of action against financial advisors for compliance failures. Under this private right of action, retirement investors may sue immediately for breach of any Fiduciary Rule provisions currently in effect. Furthermore, liability for those breaches may begin accruing as of June 9, 2017, generating significant exposure for financial advisors who believe the DOL’s temporary enforcement policy limits their Fiduciary Rule liability. The private right of action will remain a significant source of liability even after the transition period, as it provides an incentive for plaintiffs’ attorneys to sue non-compliant advisors. Under the Fiduciary Rule, private suits will be a prominent enforcement driver.
Overview of the Fiduciary Rule Private Right of Action
The Fiduciary Rule’s individual private right of action builds on existing Employee Retirement Income Security Act (ERISA) rules governing fiduciary duties, fiduciary liability, and an individual’s right to sue. The Fiduciary Rule applies these basic ERISA concepts, but it expands the scope of individuals qualifying as fiduciaries. The Best Interest Contract Exemption (BICE), enacted with the Fiduciary Rule, further enhances the private right of action by forbidding investment advisory contracts that contain exculpatory clauses, limit the investor’s class action rights, or include unreasonable arbitration terms.
ERISA Fiduciary Provisions
The Fiduciary Rule only concerns those who render investment advice for a fee or other compensation. This applies to financial advisors who advise retirement plan participants regarding plan investments or offer advice on an overall investment strategy within the plan. The Fiduciary Rule requires the financial advisor to meet the Duty of Prudence and the Duty of Loyalty, ERISA’s two main fiduciary duties. The Duty of Prudence requires advisors to act with the “care, skill, prudence, and diligence” that a prudent advisor would display under similar circumstances. This calls for a careful and measured approach and requires advisors to consider investors’ individual financial circumstances, goals, and risk tolerance. The Duty of Loyalty directs the advisor to act for the exclusive purpose of benefiting the retirement investor. This requires advisors to act in the best interest of the retirement investor without considering potential benefit to the advisor, such as commission or payments offered from third parties. Additionally, transactions using retirement plan assets that financially benefit a fiduciary are considered Prohibited Transactions. ERISA forbids Prohibited Transactions unless the transaction satisfies one of the Prohibited Transaction Exemptions (PTE) listed within ERISA.
Financial advisors who breach their fiduciary duties are personally liable for resulting losses. The financial advisor must restore to the plan any profits the advisor earned through the inappropriate use of assets. In addition, the court has authority to impose any penalty or relief it deems appropriate. For financial advisors, this includes restoring earnings lost due to improper advice, and the court generally restores the retirement investor’s account at the financial advisor’s expense.
Fiduciary Rule Modifications to ERISA Fiduciary Liability
The DOL’s Fiduciary Rule expands the scope of ERISA rules by modifying what constitutes “investment advice.” Under the Fiduciary Rule, investment advice includes advice regarding assets of an employer-based retirement plan, assets housed within an IRA, and assets being considered for rollover into an IRA. By expanding the definition of investment advice, the Fiduciary Rule applies the ERISA fiduciary status to advisors rendering advice to IRA owners. This applies to other ERISA fiduciary provisions, including rules regarding fiduciary duties, liability for fiduciary breach, and who may sue for breaches. Under the Fiduciary Rule, an advisor paid for investment advice regarding IRA assets becomes a fiduciary with respect to those assets, and he or she must adhere to the Duty of Prudence and the Duty of Loyalty.
The Best Interest Contract Exemption
Financial advice regarding retirement assets that benefits the financial advisor, such as advice rendered for a fee, constitutes a Prohibited Transaction under ERISA rules unless a Prohibited Transaction Exemption applies. For financial advisors, the only PTE generally available is the Best Interest Contract Exemption. The DOL released the BICE at the same time as the Fiduciary Rule, and it is functionally a part of the Fiduciary Rule. The BICE provides an exemption for financial advisors rendering paid advice regarding IRA assets, but it requires financial advisors to adhere to rigorous disclosure and impartial conduct standards. If the advisor fails to meet the BICE standards, the advice constitutes a Prohibited Transaction. The BICE contains important standards for how the investment advisory contract between advisor and investor limits investors’ potential claims against the financial advisor. The contract may not limit the financial advisor’s liability for violations of the contract, waive the retirement investor’s right to participate in a class action suit, or unreasonably limit the retirement investor’s ability to bring claims through arbitration or mediation requirements.
The existing ERISA fiduciary structure, the Fiduciary Rule, and the BICE collectively define the investor’s private right of action against investment advisors who violate their fiduciary duties, and the private right of action could become the primary enforcement mechanism for the Fiduciary Rule. The Employee Benefits Security Administration (EBSA) is accepting comments relating to the Fiduciary Rule and BICE. Comments regarding extending the January 1, 2018 applicability date of certain BICE and other PTE provisions must be submitted to EBSA by July 21, 2017. Other comments regarding the Fiduciary Rule and PTE must be submitted by August 7, 2017.
If you have questions regarding compliance with the Fiduciary Rule, Hall Benefits Law encourages you to seek the advice of experienced ERISA counsel.
We’re Under Cyber Attack! What Do We Do Now?
On May 12, 2017, the WannaCry ransomware cryptoworm (“WannaCry cryptoworm”) attacked approximately 230,000 computers in over 150 countries. WannaCry cryptoworm locked computers and required users to pay a ransom to unlock the infected computer and restore the affected files. By May 15th, the count of infected computers worldwide had reached more than 300,000, even though the cryptoworm was contained within four days of its initial discovery.
Recently, in response to the WannaCry cryptoworm, the United States Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued a quick-response checklist (the “Checklist”) that outlines the steps a covered entity or its business associate should take in response to a ransomware attack or other cyber-related security incident. According to HHS, in the event of a cyber-related security incident, the covered entity or business associate should:
- Execute its response and mitigation procedures and contingency plans;
- Report the crime to appropriate law enforcement agencies, including the Federal Bureau of Investigation and Secret Service;
- Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs) – for example, the HHS Assistant Secretary for Preparedness and Response and the Department of Homeland Security; and
- Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals (in accordance with the Breach Notification Rule) and the media unless a law enforcement official has requested a delay in the reporting.
Hall Benefits Law strongly recommends adherence to the Checklist because OCR presumes that a cyber-related security incident is a reportable breach unless the covered entity can demonstrate, through a multi-factor risk assessment based on factors outlined in the Breach Notification Rule, a low probability that protected health information (PHI) was compromised. Furthermore, OCR has advised that during a breach investigation it will consider all the covered entity’s mitigation efforts, including the covered entity’s willingness to voluntarily share breach-related information with law enforcement agencies and other organizations identified on the Checklist.
Finally, the penalties assessed for violations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) can be staggering. These penalties are based on a tiered structure that is contingent upon the covered entity’s knowledge of the HIPAA violation.
Hall Benefits Law recommends you seek the advice of ERISA counsel to ensure your HIPAA policies and procedures align with the requirements outlined above.
Copyright © 2017 Hall Benefits Law, All rights reserved.
This newsletter is intended to provide a Firm update to clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under rules of certain jurisdictions.