New York City Enacts Mandatory Auto-IRA Law

In an effort to assist more of its residents to save for retirement, New York City recently passed a law requiring most employers to offer a qualified retirement plan or participate in the newly created city-run retirement savings program. While a number of states have enacted similar legislation, NYC joins Seattle as the only cities to take this leap. It seems likely, however, that more states and cities will follow suit. Below is a description of many of the key features in this new law.

Which employers does this apply to?

This law applies to employers who meet the statutory definition of a “covered employer.” As defined in the statute, “covered employers” are employers who: 1) employ five or more employees whose regular duties occur in New York City; 2) has employed five or more employees without interruption in the previous calendar year; 3) has been in continuous operation for two or more years; and 4) has not offered or maintained a qualified retirement plan in the preceding two years.

What must covered employers do?

Covered employers have two primary duties: enroll covered employees in the retirement savings program and, if the covered employer is a participating employer, remit funds deducted from the earnings of each participant.

Is there a penalty for covered employers who do not comply?

Yes. Depending on the violation, employers could be liable for a civil penalty ranging from $100 to $1,000 for each violation.

Who are covered employees?

“Covered employee” means any employee: 1) who is 21 years old or older; 2) who is employed by a covered employer and regularly scheduled to work at least 20 hours per week; and 3) whose regular duties occur in New York City. Covered employees must be automatically enrolled in the program, however, they do have the ability to opt out.

Where are employee contributions invested and how much is permitted?

All participants will contribute to their own IRA, which may be traditional or Roth. The comptroller of New York City and the retirement savings board are tasked with establishing an investment strategy and policy. While specific investment details are not known yet, the statute expressly permits investments to include shares of mutual funds and exchange-traded funds, publicly-traded equity, and fixed-income securities. Nonetheless, this list is not exclusive and other investments may be chosen by the comptroller and the board. Lastly, participants are permitted to allocate the assets of their IRAs among the investment options available, but a default investment option will be designated by the board for participants who do not make an investment choice.

The default contribution rate is set at 5% of a covered employee’s wages, but employees can increase or decrease this amount at any time. Contribution amounts are subject to limitations established by federal law for the respective type of account.

Who is running this program?

The newly formed retirement savings board, which consists of three mayoral appointees, and the comptroller of New York City share responsibility for administering this program. Additionally, they both have the authority to promulgate rules to implement this program.

Who is paying for this?

Administrative fees associated with this program will be borne by the participants and not by employers.

When must covered employers comply?

This statute goes into effect on August 9, 2021 (90 days after the enactment date). Nonetheless, the board has up to two years to get the program up and running. If a covered employer does not want to participate in the program, it should adopt a qualified retirement plan so it no longer meets the definition of a covered employer.

Is it a good idea for cities to enact this type of legislation?

Time will tell.

Agencies Issue Guidance on Comparative Analysis of Mental Health/Substance Use Disorder Non-Quantitative Treatment Limits

The Consolidated Appropriations Act of 2021(“CAA”) amended the Mental Health Parity and Addiction Equity Act (“MHPAEA”) to require group health plans and insurers that impose non-quantitative treatment limits on mental health or substance use disorder treatment benefits to prepare a detailed comparative analysis explaining the application of each such limit.

As background, the MHPAEA prohibits group health plans and insurers from imposing non-quantitative treatment limitations ("NQTL"), such as processes, strategies, evidentiary standards, or other factors with respect to mental health/substance use disorder (“MH/SUD”) benefits that are more restrictive than those factors as applied to medical/surgical benefits under the plan.

Effective February 10, 2021, the CAA’s required comparative analysis of NQTLs must be made available to the Departments of Labor, Health and Human Services and Treasury, or State agencies upon request. The Departments have jointly released FAQs describing this new compliance requirement.

The FAQs provide a detailed explanation of the comparative analysis content requirements. The analysis must be detailed, specific and reasoned in order to demonstrate that the processes, strategies, evidentiary standards, or other factors used in developing and applying the NQTL are comparable as between MH/SUD and medical/surgical benefits. Nine factors, derived from the DOL’s MHPAEA Self-Compliance Tool, provide the minimum content requirements for the comparative analysis:

• A clear description of the specific NQTL, including the applicable plan terms;
• Identification of the specific MH/SUD and medical/surgical benefits to which the NQTL applies, and a clear statement as to which benefits are considered MH/SUD versus medical/surgical;
• Identification of any factors, evidentiary standards, strategies or processes considered in the design or application of the NQTL and in determining which benefits are subject to the NQTL, and the weighting of such factors;
• To the extent the plan or insurer defines any of the factors, evidentiary standards, strategies, or processes in a quantitative manner, it must include the precise definitions used and any supporting sources;
• An explanation of any variation in the application of a guideline or standard used by the plan between MH/SUD and medical/surgical benefits and a description of the process and factors used for establishing that variation;
• If the application of the NQTL turns on specific decisions in administration of the benefits, the plan should identify the nature of the decisions, the decision maker(s), the timing of the decisions, and the qualifications of the decision maker(s);
• If the plan relies upon any experts, the analyses should include an assessment of each expert’s qualifications and the extent to which the plan ultimately relied upon each expert’s evaluations in setting recommendations regarding both MH/SUD and medical/surgical benefits;
• A reasoned discussion of the plan’s findings and conclusions as to the comparability of the processes, strategies, evidentiary standards, factors, and sources identified above and their relative stringency, both as applied and as written. This discussion should include citations to any specific evidence considered and any results of analyses indicating that the plan or coverage is or is not in compliance with MHPAEA;
• The date of the analyses and the name, title, and position of the person(s) who performed or participated in the comparative analyses.

The comparative analysis must be carefully prepared to address these requirements. Conclusory or generalized statements without specific supporting evidence and detailed explanations are insufficient to satisfy these requirements. In addition, the comparative analysis requirements are not satisfied by transmitting a large volume of documents without a clear explanation as to how each document is relevant. Plans should be prepared to produce additional documentation in conjunction with an agency’s request for the comparative analysis, including claims processing procedures; samples of covered and denied MH/SUD and medical/surgical benefit claims; and documents related to MHPAEA compliance by the plan’s delegated service providers.

If, after reviewing the comparative analysis, an agency determines the plan is out of compliance with the MHPAEA, the plan will have 45 days to take corrective action and submit additional documentation. If compliance is not achieved after such corrective action, the plan must notify participants within seven days of the determination that the plan is not in compliance. Participants and claimants appealing an adverse benefits determination may request a copy of the plan’s comparative analysis and supporting documentation.

The Departments’ guidance ends with a discussion of MHPAEA enforcement priorities, including:

• prior authorization requirements for in-network and out-of-network inpatient services;
• concurrent review for in-network and out-of-network inpatient and outpatient services;
• standards for provider admission to a network, including reimbursement rates; and
• out-of-network reimbursement rates, including plan methods for determining usual, customary, and reasonable charges.

Of course, the Departments may also focus on MHPAEA complaints, and may expand their compliance focuses in the future.

FAQS About Mental Health and Substance Use Disorder Parity Implementation and the Consolidated Appropriations Act, 2021, Part 45 (April 2, 2021), found at https://www.dol.gov/sites/dolgov/files/EBSA/about-ebsa/ouractivities/resource-center/faqs/aca-part-45.pdf

Department of Labor Publishes Cybersecurity Guidance

In April, the Department of Labor’s ("DOL") Employee Benefits Security Administration ("EBSA"), for the first time, published subregulatory guidance aimed directly at sponsors of ERISA employee benefit plans, ERISA plan fiduciaries, recordkeepers and plan participants that addresses cybersecurity practices. While the EBSA release announcing the guidance draws particular attention to ERISA retirement plans, which hold estimated plan assets of $9.3 trillion, there is nothing in the guidance that limits the application of the guidance to ERISA retirement plans alone. It is not just the trillions of dollars plan assets that merit greater protection from cybersecurity risks, participants’ personal information (names, birth dates, Social Security numbers, etc.) also needs protection from increased threats of unauthorized access. Accordingly, ERISA welfare benefit plans would be well served by also implementing the relevant cybersecurity practices described in the new guidance.

EBSA’s cybersecurity guidance takes the form of three separately published documents:

• Tips for Hiring a Service Provider, which offers plan sponsors and fiduciaries tips for prudently selecting and monitoring service providers with strong cybersecurity practices.

• Cybersecurity Program Best Practices, which assists plan fiduciaries and recordkeepers in meeting their responsibilities to manage cybersecurity risks.

• Online Security Tips, which offers plan participants and beneficiaries tips on how they can reduce the risk of fraud and loss to their retirement account when checking their retirement accounts online.

Although the DOL, via EBSA or otherwise, has not previously provided specific cybersecurity guidance for ERISA employee benefit plans, there have been increasing indirect indicators of the DOL’s growing concerns about cybersecurity threats to plan assets and personal information. Plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. The new guidance not only offers helpful insights on what practices and procedures EBSA would consider important to prudently mitigate cybersecurity risks, but it suggests standards of cybersecurity practices we might expect EBSA to look for in future audits and investigations.

The amplified focus on cybersecurity not only pertains to a plan sponsor’s own internal administrative procedures, but also to the cybersecurity practices and procedures of recordkeepers and other service providers that plan sponsors select to support ERISA plan operations. Are plan sponsors asking the right questions of recordkeepers and service providers regarding their information security standards, practices and policies, and are adequate protections built into service agreements? The new guidance provides suggested lines of questioning that plan sponsors of all sizes should be asking as part of their selection and monitoring process for their service providers.

Best practices for plan service providers should include:

• Having a formal, well documented cybersecurity program.
• Conducting prudent annual risk assessments.
• Having a reliable annual third party audit of security controls.
• Clearly defining and assigning information security roles and responsibilities.
• Having strong access control procedures.
• Ensuring that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
• Conducting periodic cybersecurity awareness training.
• Implementing and managing a secure system development life cycle ("SDLC") program.
• Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
• Encrypting sensitive data, stored and in transit.
• Implementing strong technical controls in accordance with best security practices.
• Appropriately respond to any past cybersecurity incidents.

The fact that the new EBSA guidance includes online security tips for plan participants reflects a recognition that participants have their own role to play in reducing the risk of fraud and loss with respect to their individual retirement accounts. Plan sponsors will want to consider making those online security tips part of the standard plan enrollment and communication packages that go to participants.

In light of the new guidance, plan sponsors should be looking to develop appropriate internal cybersecurity practices and policies (including hiring practices and policies for new plan service providers), or to update any such practices and policies that are already in place. For existing service providers, a review of provider cybersecurity practices, policies and contractual responsibilities (i.e., service agreement provisions), as well as the development of appropriate mechanisms for monitoring cybersecurity practices going forward, is advisable.

Ninth Circuit Addresses Issues Related to Miscalculation of Retirement Benefits at Portals

The Ninth Circuit Court of Appeals addressed several issues related to a miscalculation of benefits provided by using an internet portal. The employer had hired a third-party recordkeeper to provide a portal where plan participants could receive estimates of their defined benefit plan payments. Because of a misapplication of the definition of compensation utilized at the portal, several participants received estimates that grossly overstated the amount of the pension payable. When the individuals retired, those benefit amounts were initially paid. Subsequently, when a new recordkeeper was hired, the error was discovered. The participants were then told that their benefits were much less and, in at least one instance, told that benefit payments needed to be returned. As a result, the participants brought an action to retain the original benefit amounts. The Ninth Circuit addressed three important issues regarding the participant claims for violation of fiduciary duties and negligence claims.

First, the participants alleged that the miscalculation of the benefit was a violation of fiduciary duty under ERISA. The Ninth Circuit held that the employer, the plan administrative committee, and the recordkeeper were not performing a role as a fiduciary when performing the benefit calculation. Following similar decisions in the First and Fourth Circuits, the Ninth Circuit found that the party would be liable for a fiduciary breach only when they are performing a fiduciary function. The court held that calculating pension benefits using a pre-determined formula is a ministerial function and not a fiduciary function. Therefore, the miscalculation did not create a breach of fiduciary claim.

Second, the participants claimed that the company and administrative committee breached their fiduciary duties by providing incomplete and inaccurate benefit statements. The court held that a request made at a portal satisfied ERISA’s requirement of being a request made “in writing.” As a result, participants are allowed to amend their complaint to provide that they made a written request for benefits that was not properly responded to.

Third, the Court addressed the issue of ERISA preemption with respect to the negligence claim made against the third-party recordkeeper. The Court found that ERISA did not preempt state law claims of professional negligence against the recordkeeper. The Court found that state law negligence claims do not directly impact ERISA plans and was not preempted. Therefore, the case was remanded to the district court for further action regarding the malpractice claim again the recordkeeper.

While the employer and administrative committee were successful on the direct breach of fiduciary claim, the participants may be able to revive their claim for failing to provide an accurate benefit statement in response to a written request and the recordkeeper may have to defend the negligence claim made against it. This highlights the need for plan sponsors and administrative committees to carefully review the way in which administrative portals operate and to be as certain as possible that the portals operate in a manner constant with plan terms. Bafford v. Northrop Grumman Corp., 9^th Cir., 2021.

COBRA Subsidy Guidance Issued

As described in a previous alert, certain COBRA qualified beneficiaries may be eligible for up to six months of free COBRA coverage. The IRS recently issued Notice 2021-31 providing guidance for plan administrators on numerous American Rescue Plan Act (ARPA) COBRA subsidy questions. Highlights from the new IRS guidance include:

Reliance on Employee Attestation. An employer may rely on an individual’s attestation regarding a reduction in hours or involuntary termination of employment, and eligibility for other disqualifying coverage, for the purpose of substantiating eligibility for the credit, unless the employer has actual knowledge that the individual’s attestation is incorrect. Employers are encouraged to keep a record of these attestations.

Intervening Coverage is Not Disqualifying. An otherwise eligible individual is not disqualified from being eligible for the subsidy if the individual previously enrolled in other group health plan coverage before electing COBRA continuation coverage. So long as the individual is no longer covered by (or eligible to enroll in) the other group health plan coverage as of April 1, 2021, that prior coverage by a group health plan does not disqualify the individual from COBRA premium assistance. However, beginning on April 1, 2021, coverage by (or eligibility to enroll in) another group health plan would disqualify the individual from COBRA premium assistance, even though it does not end the period of eligibility for COBRA continuation coverage.

Coverage under a Healthcare Exchange is not Disqualifying. An otherwise eligible individual is not disqualified from being eligible for the subsidy if they are currently enrolled in individual health insurance coverage through a healthcare exchange. However, an individual is not eligible for a premium tax credit to help pay for the cost of Exchange coverage during any month that the individual is enrolled in COBRA continuation coverage.

Broad Definition of Involuntary Termination. The subsidy is only available to individuals who became eligible for COBRA because of a reduction of hours, or an involuntary termination of employment. Determining whether a termination of employment was involuntary depends on the facts and circumstances of a given situation.

Generally, retirement would not be considered an involuntary termination. However, if the employee would have been terminated if the employee had not retired, then the retirement would be considered an involuntary termination. Terminations of employment resulting from participating in a retirement “window” program, a required material relocation, or termination for “good reason” are generally considered involuntary terminations. An involuntary termination would also include an employer’s decision not to renew an employment contract if the employee was otherwise willing and able to continue the employment relationship and was willing either to execute a contract with terms similar to those of the expiring contract or to continue employment without a contract.

However, a termination of employment would be considered voluntary if the employee terminates employment because a child is unable to attend school or because another childcare facility is closed due to the COVID-19. Also, an employee’s death is not considered an involuntary termination.

Consequences for Individuals. An Assistance Eligible Individual who fails to provide notice that they are no longer eligible for a subsidy may be subject to a Federal tax penalty of $250 for each failure to notify the employer, plan, or issuer. If the failure to provide notice is fraudulent, the penalty will be the greater of $250 or 110 percent of the COBRA premium assistance improperly received.

Additional guidance may be issued by the Treasury Department and the IRS.