Department of Labor Issues Guidelines for ERISA Fiduciaries on Cybersecurity

Today, more than ever, Americans are online. Online banking, online shopping, healthcare appointments are set online, even checking on your Social Security benefits and retirement accounts is done online. Which means, a lot of personal information is also online.


With the exponential growth of Internet connectivity there have been more and more incidents of cyber-attacks often leading to devastating consequences. Although the Department of Homeland Security has the underlying Cybersecurity and Infrastructure Security Agency (CISA) as a watchdog against cyberattacks, the Employee Benefits Security Administration (EBSA), the agency within the Department of Labor governing ERISA issues, recently published guidelines for ERISA Fiduciaries, Plan Sponsors and Plan Participants to combat these cyber security threats, and effectively defend against these malicious attacks.


On April 14, 2021, the EBSA has provided cybersecurity guidance for the first time ever. The EBSA estimates that there are over 140 million plan participants in the private pension system, including corporate sponsored defined benefit, 401(k), and 403(b) plans with estimated assets of $9.3 trillion. This is why it is imperative to provide sufficient protection for participants and their assets. The EBSA guidance includes tips on what to look for when hiring Service Providers, Cybersecurity Best Practices, and General Online Security Tips.


What to look for when hiring a Service Provider:


  1. Ask about the service provider’s information security standards, practices and policies, and audit results. Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
  2. Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants.


Use Cybersecurity Best Practices:


  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.


  1. Have strong access control procedures.
  2. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  3. Conduct periodic cybersecurity awareness training.
  4. Implement and manage a secure system development life cycle (SDLC) program.
  5. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  6. Encrypt sensitive data, stored and in transit.
  7. Implement strong technical controls in accordance with best security practices.
  8. Appropriately respond to any past cybersecurity incidents.


Follow proper Online Security protocol:


  1. Register, set-up and routinely monitor your online account
  2. Use strong and unique passwords
  3. Use multi-factor authentication
  4. Keep personal contact information current
  5. Close or delete unused accounts
  6. Be wary of free wi-fi
  7. Beware of phishing attacks
  8. Use antivirus software and keep apps and software current
  9. Know how to report identity theft and cybersecurity incidents


The guidance issued by the DOL is an important step in helping Plan Sponsors, Fiduciaries and Plan Service Providers to safeguard retirement benefits and personal information. We anticipate that in time, the DOL will issue additional guidance, perhaps even standards, and requirements to combat cybercrime as this has been on the agenda of US Government Accountability Office (GAO) for some time. As additional information is released, we will continue to keep you updated. EJReynolds has been adamant about security and will continue to update the EJReynolds Cybersecurity Policy as available.


Trust your plan development and your personal data with the retirement plan experts at EJReynolds.


Our commitment to your security is just one more reason to trust your retirement plan administration to EJReynolds. To learn more, please call 954.431.1774. We are here to help.

ESG Investing – A Consultant’s Point of View

Unless you’ve been living under a rock, you must have heard about ESG Investing. The concept of investing while assessing the Environmental, Social and Governance aspects of underlying companies has become a major focus of the SEC, Department of Labor and Investment Advisors recently. The concept is now working its way into the investment portfolios of America’s most common retirement program: the 401(k) Plan.

The ESG concept, also known as Corporate Socially Responsible Investing takes action to protect the environment as well as promote human rights and equal employment opportunities. It has long been established that businesses and corporations should act responsibly in the communities and environments they operate in. These actions essentially established Socially Responsible Investing (SRI) screens, but it was not until the 1960s that SRI vaulted forward as an investment discipline in the United States.

  • 1960s – Protests of the Vietnam War led to boycotts of companies that provided weapons used in the war. Community development banks were established in low-income communities to provide financing opportunities that were otherwise not available.
  • 1970s – Social activism spread to labor-management issues at many corporations, while the protection of the environment also became a consideration for many investors.
  • 1980s – While Jesse Owens was imprinted on and made advertisements for the South African Krugerrand, many churches, universities, and organizations protested to force US Companies to divest themselves from operations in South Africa due to apartheid. Some of the first SRI mutual funds were marketed as investments. The Calvert Social Investment Fund not only restricted investment away from weapons, alcohol, tobacco, and gambling, but also examined more modern issues including nuclear energy, environmental pollution, and the treatment of workers.
  • 1990s – Sufficient proliferation of SRI mutual funds and growth in popularity as an investment approach led to the creation of an index to measure performance. The Domini Social Index, made up of 400 primarily large cap US Corporations launched in 1990 and over time, helped to disprove the argument that investors were settling for lower returns by limiting the companies they included in their portfolios.

So, how do these SRI practices relate to a 401(k) Plan? In November 2020, the Department of Labor published regulations billed as the final rule on “Financial Factors in Selecting Plan Investments”. This rule amended the investment duties under Title I of ERISA requiring Plan Fiduciaries to select investments and investment courses of action solely on “pecuniary factors”, which were defined as factors a fiduciary prudently determines are expected to have a material effect on risk and/or return of an investment based on appropriate investment horizons consistent with the plan’s investment objectives and funding policy. In other words, the amended rules would require plan fiduciaries to select investments based solely on financial considerations of the investment. The DOL specifically indicated this was an effort to set limits on SRI investing (or as they referenced it, ESG Investing), stating that the only factors in fund selection should be three ERISA duties – prudence, diversification, and loyalty. The DOL felt that if decisions were made based on other factors, the Plan Fiduciaries may be in breach of their fiduciary duties. But is ESG Investing a breach of fiduciary duty?

When selecting investments in a qualified plan, ERISA dictates that a Plan Fiduciary must act rationally for the exclusive benefit of all participants and must ensure diversification among asset classes. The rule of loyalty requires that securities be purchased at a fair market value, not just what they are willing to pay for the security but ensuring they are paying the value of the security. This is especially true when preparing a menu of funds for participants to direct their investments. The initial DOL regulation assumed that socially responsible investing is somehow less prudent, less diversified or has less value. However, in March of 2021. the DOL released an enforcement policy statement that they will not enforce the recently published final rules and would be investigating the matter further. It may have been due to the public comments, it may have been due to the change in leadership, but the DOL is discussing the future consideration of these funds and their ability to be part of a prudent investment line-up.

New surveys suggest that many workers are not aware of ESG options but would likely invest in them if offered the choice. The success of companies such as Bombas, Toms and DIFF, who donate socks, shoes, or glasses to under-served communities with each purchase, proves there is a strong desire and market for this type of investing. If a fund menu provides acceptable ESG investing options as well as sufficient non-ESG alternatives, and the participant can construct a well-diversified portfolio either way, there is no problem under ERISA. There is no requirement to offer these funds, but if participants want to invest this way, the plan may find increased participation, greater participant engagement and more successful retirement outcomes. Ultimately, isn’t this why a company establishes a retirement plan to begin with?

Qualified Birth and Adoption Distributions under the SECURE Act

The Setting Every Community Up for Retirement Enhancement Act of 2019 (SECURE Act) generally allows parents to take an early distribution (up to $5,000) from an employer sponsored retirement plan or IRA during the 12-month period beginning on the date a child is born or legally adopted. The distribution is not subject to the 10% additional income tax for early withdrawals (generally, distributions made prior to attainment of age 59 ½). In addition, the new law permits repayment of such distributions (which are treated as rollover contributions) to an employer sponsored plan or IRA. The new law is effective for distributions made after December 31, 2019.

This new law, however, leaves several unanswered questions regarding these types of distributions – particularly, the permissible timeframe for “repaying” such a distribution to an eligible retirement plan. The IRS did issue preliminary guidance in Notice 2020-68, addressing some of the provisions of the law, but regulations will ultimately need to be issued before it is clear how all of the provisions will apply.

How does the new law define “qualified birth or adoption” (QBA) distributions?

A QBA distribution is defined as any distribution made from an eligible retirement plan to an individual during the one-year period beginning on the date a child was born or legally adopted. Note that legal adoption of a child under the age of 18 or a disabled individual (as defined under IRC section 72(m)(7)) would qualify provided the child (or disabled person) is not the individual’s stepchild.

What types of retirement plans can allow QBA distributions?

Eligible retirement plans include defined contribution plans, e.g., 401(k) plans, 403(b) plans, governmental 457(b) plans, and IRAs.

Are plans required to offer this distribution option?

No. This is an optional provision, not a required one. Based on the preliminary guidance in Notice 2020-68, however, if a plan permits QBA distributions, the plan will also be required to permit repayment of such distributions (up to the amount distributed from the plan) if the participant would otherwise be eligible to make a rollover contribution.

Is this a new type of hardship distribution?

No. It is an entirely new type of in-service distribution. It is permissible to make QBA distributions from restricted accounts (e.g., 401(k), Roth, and safe harbor accounts), and unlike hardship distributions, QBA distributions may not be “grossed up” for income taxes, and there is no requirement that a participant demonstrate a financial need or even how the funds will be used. Rather, the only requirement is that the participant has had a child (or adopted a child or disabled person) within the last 12 months. Notice 2020-68 states that the plan administrator can rely on the participant’s representation that he or she qualifies for a QBA distribution, unless the plan administrator has specific knowledge to the contrary.

Are there limits that apply to QBA distributions?

Yes. There is an individual and plan limit. The individual limit that applies to each parent, i.e., there is not a “family” limit. Additionally, the $5,000 individual limit is determined separately for each child. For example, assume a couple has twins. Each parent could withdraw up to $10,000 ($5,000 x two children) from his or her eligible retirement plan accounts.

With respect to QBA distributions made from plans, the $5,000/per child limit applies to all plans maintained by the employer, e.g., all plans sponsored by a controlled group. As a result, plan administrators must limit the amount distributed under the new rules to the maximum an individual could receive (taking into consideration all plans sponsored by the employer). Plan administrators are not, however, required to determine whether the participant would qualify for the QBA distribution based on QBA distributions made from other plans (sponsored by unrelated employers), or the individual’s IRA(s). The participant (or IRA owner) is ultimately responsible for reporting QBA distributions on their individual income tax return.

If a plan permits QBA distributions, what are the withholding and reporting requirements?

QBA distributions are not treated as eligible rollover distributions for purposes of the special tax notice (required under IRC section 402(f)) or the withholding rules (which generally require 20% federal withholding on eligible rollover distributions). Rather, they are subject to a 10% default withholding rate for federal income taxes, unless elected otherwise by the participant.

The Form 1099-R instructions have been updated for QBA distributions and indicate that such a distribution generally should be reported as a taxable distribution, using Code 1 (early distribution, no known exception). This is presumably because the plan administrator would have no way of knowing whether the distribution made from the plan would ultimately qualify since all QBA distributions taken by the individual (which would include distributions made from other plans and IRAs) must be considered.

Also, in order for the distribution to qualify as a QBA distribution, the participant must report the name, age, and taxpayer identification number of the child (or disabled person) on his or her individual income tax return.

If a plan does not permit QBA distributions, and a participant is otherwise eligible for a distribution, can they treat the distribution as a QBA distribution?

Yes, to the extent it does not exceed the individual’s limit, i.e., $5,000 per child. Keep in mind, the plan would process the distribution without regard to how the participant handles it on their income tax return. For example, a plan could not waive mandatory 20% federal withholding (at the participant’s request) if a participant indicates they will be treating the distribution as a QBA distribution on their personal income tax return.

How can a participant repay a QBA distribution?

First, as mentioned above, the law did not provide the timeframe for repaying such distributions, so the regulations will need to be issued before the rules are clear (or rather, hopefully clear). Presumably, there may be a requirement that the distribution be repaid within three years (similar to disaster and coronavirus-related distributions) since an individual’s income tax return is generally “open” for three years.

If a plan permits QBA distributions, the plan must also permit repayment of those distributions (up to the amount distributed from the same plan), provided the participant would otherwise be eligible to make rollover contributions to the plan at the time of the repayment. For example, most 401(k) plans do not allow terminated participants to make rollover contributions, so a terminated participant generally would not be allowed to repay a QBA distribution to the distributing plan. If the participant is not eligible to make a rollover contribution to the distributing plan, it would appear they will be able to repay the amount to an IRA, though.

Further, it may be that such repayments are treated in the same manner as disaster and coronavirus-related distributions, meaning that an individual will be able to use Form 8915 series to report the repayment and claim the deduction. Again, the IRS will need to issue regulations (and possibly other guidance) to address the repayment rules for QBA distributions.

If a plan sponsor wants to permit QBA distributions, what actions must be taken?

A plan can permit QBA distributions now, as long as the plan adopts the conforming amendment by the deadline provided under the SECURE Act, i.e., December 31, 2022 for calendar year plans. Note that collectively bargained and governmental plans generally have until the last day of the 2024 to adopt the conforming amendment.

How can I learn more about the new rules?

When the IRS issues the regulations (or other guidance), we will provide an update. In the interim, please contact EJReynolds to learn more about these rules and how they may impact your plan and plan participants.

Controlled Group Rules and Common Pitfalls for Plan Sponsors

Under the controlled group rules, related employers are treated as a single employer for plan purposes. This means that employers who are part of a controlled group may (or may not) be able to maintain separate plans because ALL employees of the employer, i.e., the controlled group, must be considered when determining what plan design options are available. In other words, certain plan testing requirements apply to the group of related employers on a combined basis.

What is a controlled group?

Controlled group companies can be related under either the “brother-sister” or “parent-subsidiary” rules. A brother-sister relationship exists between two (or more) companies when five or fewer owners have common ownership of 80% or more and identical ownership of more than 50%. A parent-subsidiary relationship exists when a company owns at least 80% of another company. In either case, the stock attribution rules under IRC section 1563 must be applied when determining who has ownership (direct or indirect) in the companies.

Example: assume Bill owns 100% of ABC Company and 80% of DEF Company. The two companies are related under the brother-sister rules since Bill owns more than 50% of each company and at least 80% of both companies. Alternatively, assume ABC Company owns 80% of DEF Company. In that case, a parent-subsidiary relationship exists since ABC Company owns at least 80% of DEF Company. Under either scenario, the employers form a controlled group and must be treated as a single employer for plan purposes.

What are stock attribution rules?

Stock attribution rules require certain family members (and other entities) to be considered when determining whether an individual (or entity) has ownership in a company. Under these rules, ownership is attributed from the actual owner(s) of a business to another party(parties), i.e., the other party is considered to own the same percentage of the company as the business owner for this purpose.

These rules often hit the employer from left field because they do not exactly follow common sense. For example: assume an individual owns a construction company and his wife owns a dental practice. Even though the companies are in completely different industries, they would be considered related under the controlled group rules since ownership is generally attributed between spouses, unless a limited exception applies.

Who are related parties under these rules?

Related parties under these rules suggest certain family members must be considered for this purpose including spouses, children, parents, grandparents, and grandchildren. There are, however, specific rules that apply when determining whether ownership is attributed to a particular family member. There are also attribution rules that apply to corporations, partnerships, estates, and trusts. Lastly, there are attribution rules that apply to stock options.

What are the attribution rules that apply to spouses?

Attribution rules that apply to a spouse’s ownership is attributed to the other spouse unless all of the following conditions are satisfied:

  • The spouse has no direct ownership interest in the company; and
  • The spouse is not an employee or director; and
  • The spouse does not participate in the management of the business; and
  • No more than 50% of the company’s gross income is derived from rents, royalties, dividends, interest, or annuities; and
  • The interest in the company is not subject to restrictions that would limit the spouse’s ability to dispose of the stock.

Caution: Even when all of the above conditions are satisfied, if a couple resides in a community property state, that state’s laws could result in the spouse having actual ownership in the company. Additionally, if the couple has minor children, ownership is attributed to the children which could result in businesses being related under these rules.

What attribution rules apply to minor children?

Attribution rules that apply to minor children is attributed to the parent’s ownership interest in a company (minor children are under age 21). From a plan perspective, this rule could result in an unexpected “surprise” when a couple has a baby or adopts a child.

For example, if each spouse owns his or her own business and met the exception (described above) prior to the birth of their child, the companies would not have been related under the controlled group rules. After the birth of their child, however, they would be related, i.e., a controlled group, since the child would be considered to own 100% of both companies under these rules (never mind the fact an infant generally could not own a business).

What attribution rules apply to other family members?

Attribution rules applying to other family members are limited with respect to parents, grandparents, grandchildren, and adult children. An individual who owns more than 50% of a company is also considered to own any interest owned (directly or indirectly) by his or her parents, grandparents, grandchildren, and any adult children. Otherwise, there is no attribution.

For example, assume Bill owns 51% of XYZ Company and his adult son owns the remaining 49%. In this situation, Bill is considered to own 100% of XYZ Company since he is attributed his son’s ownership interest. His son, however, is not attributed his father’s ownership interest since he owns less than 50% of the company. This would matter if Bill owned 80% (or more) of another business – in that case, the businesses would form a controlled group.

Note: There are special rules that limit stock attributed to an individual under these rules from being attributed to another family member, i.e., there isn’t “double attribution”, and similar rules that apply with respect to ownership interests held by other entities.

What rules apply to ownership interests held by other entities?

The rules that apply to ownership interests held by other entities is generally attributed to the underlying owners of that entity (or beneficiaries, in the case of a trust or an estate). For example, assume ABC Company (owned 100% by Sally) owns 50% of DEF Company. In that case, Sally is considered to own 50% of DEF Company under these rules.

Are there rules that apply when a person has options to buy an interest in a company?

Yes. When an individual (or entity) has options to purchase an ownership interest in a company, they are normally considered to own that interest under these rules.

Can companies who are members of a controlled group sponsor different 401(k) plans for each company?

It depends. Usually, it is permissible for an employer, i.e., controlled group, to sponsor different 401(k) plans covering different groups of employees. In that case, if each plan can pass coverage on its own after considering all employees of the employer (i.e., the controlled group), the plans could have different features and would not be aggregated for nondiscrimination testing (including ADP/ACP testing and other required nondiscrimination testing).

Alternatively, if each plan cannot satisfy coverage on its own, the plans could be aggregated, i.e., combined, for coverage and nondiscrimination testing provided they have same plan year and use the same ADP/ACP testing method, e.g., prior year or current year testing method, the same safe harbor formula, etc. Also, each plan would generally need to have the same features to avoid additional testing requirements.

Lastly, when an employer sponsors multiple 401(k) plans, the plans generally must be aggregated for top-heavy purposes. There is a limited to exception to this rule, however, when an employer sponsors a plan that does not cover any key employees if that plan is not aggregated with any other plan for coverage and nondiscrimination testing purposes.

That said, depending on the situation, it may make more sense to cover all companies under a single plan than to maintain separate plans. It really will depend upon the demographics of the employer’s workforce, goals of the employer, specific testing requirements, and other factors.

The Bottom Line

Determining whether employers are related under the controlled group rules can be complex, but it is critical in determining what options are available from a retirement plan perspective. Not getting this right can result in unintended and costly mistakes!

For example, assume Bill and Sally are married have three minor children. Each of them owns a business, and since they have children, their companies are related under the controlled group rules.

Bill is an IT consultant and self-employed. He does not have any employees. His business sponsors a 401(k) plan. Sally owns an established and successful dental practice that has 10 employees. Her practice sponsors a safe harbor 401(k) plan.  When Bill set up his 401(k) plan several years ago, he never mentioned to his advisors that his wife owns a dental practice because he didn’t see how that would be relevant.

Bill has been making 401(k) deferrals to his plan and a 25% profit sharing contribution. Sally’s practice, however, has not been making profit sharing contributions for the last few years.

So, what is the problem here? Bill cannot operate his plan without taking into consideration the employees in his wife’s practice. As a result, there are a number of issues that would require correction in order to preserve the qualified status of Bill’s plan, but let’s just look at the profit sharing contribution.

Since Bill has been making a 25% profit sharing contribution for the last several years, and none of the wife’s employees have received a profit sharing contribution for those same plan years, Bill’s plan fails coverage.

The correction would need to amend his plan to provide for profit sharing contributions for a sufficient number of Sally’s employees (at 25% of their compensation) so that coverage is satisfied. To make things worse, the correction would generally have to be made by seeking IRS approval under the applicable IRS plan correction program.  Clearly, this could be a very expensive mistake to fix!

How can I learn more?

Please contact EJReynolds, Inc. to learn more about these rules and how they may impact your plan and plan participants. Our Administrators are here to help.

Solo-k Plans – What Could Go Wrong?

Over the years, EJReynolds has discussed the merits of a “Solo-k Plan”, or a 401(k) plan that covers only owners and their spouses. This plan design is a useful tool for getting the maximum deduction for a business owner to save for retirement. However, this article focuses on the responsibilities involved in maintaining such a plan as well as the potential problems that may arise as the business matures. In fact, the Internal Revenue Service announced recently that the Service’s TE/GE (Tax Exempt and Government Entities) division has identified one-participant 401(k) plans as among its current audit initiatives. On the IRS website post announcing the initiative, TE/GE states: “the focus of this strategy is to review one-participant 401(k) plans to determine if there are operational or qualification failures, income and excise tax adjustments, or plan document violations. The treatment stream for this strategy is examinations.” 

As previously stated, a Solo-k Plan is a traditional 401(k) plan covering a business owner or owners with no employees, or those persons and their spouses. Solo-k Plans are subject to the same rules and requirements as any other 401(k) plan; however, because no common law employees participate, there is no concern regarding ADP/ACP testing, top-heavy rules, minimum coverage requirements or, in general, most of the requirements of Title I of ERISA. 

The following are the most common Solo-k compliance issues. If you have clients with a Solo-k Plan design, you may want to discuss these issues before the IRS audits them while you can still take steps to correct any compliance failures using several IRS and Department of Labor correction methods. Taking steps now to correct any compliance failures through use of the Employee Plans Compliance Resolution System (EPCRS) and the Delinquent Filer Voluntary Compliance Program (DFVCP), where applicable, can avoid substantial penalties if an IRS audit does occur. 

Upon audit, the IRS penalties usually start with plan disqualification and the negotiations begin from there. 

1. Plan Document Errors: The Solo-k plan is a 401(k) plan, and subject to the written document requirements like all other plans. This means that the plan document must periodically be restated to comply with the law just like any other plan sponsor, meeting the adoption deadlines for pre-approved plan cycles and any required interim amendments. For instance, the Cycle 3 Restatement deadline falls on July 31, 2022, meaning that all Solo-k Plans must be restated on to a Pre-Approved Cycle 3 Document by that date. Once the language comes out for the SECURE Act and CARES Act amendments, Solo-k Plans must adopt those as well. Failure to meet these requirements result in a document failure, a qualification issue. This may be corrected easily under EPCRS, but only if determined prior to an audit. 

2. Form 5500 Reporting Failures: Solo-k Plans are exempt from filing Form 5500-EZ so long as plan assets remain under $250,000. If plan assets exceed this threshold and a Form 5500-EZ is not filed, significant penalties could be assessed by the IRS and by the Department of Labor. The SECURE Act of 2019 increased the penalties for late filings from $25 to $250 per day. Filing the late forms under the Department of Labor Penalty Relief Program for Form 5500-EZ for Late Filers is a way to avoid penalties. This is like the DFVCP for small plan filers in that the user fee is capped at $1,500, but each year has a $500 fee assessed. 

3. Exceeding Contribution and Deduction Limits: Since there are two sources of contributions in a Solo-k Plan (employee contributions and employer contributions), it is important that each source contribution is limited to the appropriate dollar amount. Employee 401(k) salary deferrals cannot exceed the 401(k) dollar limit ($19,500 in 2021, plus $6,500 for those 50 and older). Obviously, the employee must have enough earned income to support the 401(k) contribution that is made. The maximum total allocation to an employee is the lesser of 100% of compensation or $58,000 (in 2021) or a total of $64,500 for an individual over age 50 deferring the maximum catch-up contribution of $6,500 (in 2021). What derails many Solo-k Plans, however, is that the employer deduction is limited to a total of 25% of eligible plan compensation. An owner with a W-2 of $40,000 may be able to defer $19,500 as an employee contribution, but the employer contribution would be limited to $10,000. Failure to observe any of these dollar limits could be picked up easily on audit.

4. Exclusion of Common Law Employees: One of the most frequent errors with a Solo-k Plan is that they lose their solo status when the business sponsoring them hires employees. Although the plan may be written to exclude employees with less than a year of service and require a minimum number of hours for eligibility (generally, this cannot exceed 1,000 hours), if no one is monitoring the plan, employees may become eligible. This can trigger application of minimum coverage, nondiscrimination, and top heavy rules, as well as ERISA reporting and disclosure requirements, regardless of the assets. Business owners need to also realize that the Solo-k Plan is only for owners and their spouses. The hiring of an owner’s child will cause the plan to be subject to all the above rules. Testing is not an issue as the child is considered Key and Highly Compensated, however the plan would be required to file a Form 5500-SF, and is no longer allowed to file the shorter, Form 5500-EZ. Having the rank and file employees paid under a leasing arrangement or PEO would cause the same rules to apply as there is a co-employment relationship to the employees under the PEO. Failure to meet      requirements under any of these sets of rules would bring joy to an IRS Agent in an audit setting.

5. Exclusion of other Companies, especially in Controlled or Affiliated Service Groups: The Controlled and Affiliated Service Group rules were designed years ago to ensure that an employer does not establish one company for the owners with rich benefits and a separate company for the employees with no benefits. Employees of other commonly owned businesses would be eligible for benefits under the (formerly) Solo Plan.

We have always tried to stress that the field of retirement plans is complicated. Without proper supervision, a plan can quickly become a liability to any employer. Spending a few dollars annually to ensure compliance can certainly save future headaches when the plan spins out of control. Too often, we have come into situations where the client just made contributions without looking at the proper limitations or never filed the tax returns when required. Some advisors just take the money and run, leaving the taxpayer uneducated and responsible for penalties when the problems arise. Since the IRS has specifically listed these plans as a target for their future examinations (audits), it is imperative that you look at any plans that may need a review of their procedures. 

Let EJReynolds help you look better to your clients before the IRS looks at them.

EJReynolds – Cybersecurity Commitment

Trust your retirement plan development and your personal data with the retirement experts.

Data breaches are happening more and more often with many companies of all sizes. Even companies whose main function is to protect your identity and personal information. What can you do to ensure your data is safe? EJReynolds has taken the following measures to safeguard our Client information with our cutting-edge cybersecurity commitment that will give you peace of mind knowing your most private information is safe.

How is EJReynolds handling and protecting your personal information?

Our advanced cybersecurity program stems from our core principles of trust, integrity, and ethics. We collect only the necessary information to consistently deliver the best products and services for our clients. All employees are required to complete extensive training programs on new threats and how to handle them. We have implemented security standards and processes to ensure that access to client information is limited to your EJReynolds Plan Consultant.

Our Best Practice Cybersecurity Protocols Include:

–  Citrix ShareFile© – Secure File Sharing

EJReynolds’ secure file sharing link provides a safe and secure way to transmit sensitive information online. This assures that files are sent and received with bank-level encryption. You will be required to register through ShareFile©’s one-time enrollment process to send and receive files securely. We are aware this may be an initial inconvenience, but we want our Clients’ information to remain protected.

–  Two-factor Authentication

EJReynolds has implemented a two-factor authentication process for our Plan Consultants to review our clients most sensitive information. It is the most advanced form of security and we have been applying this practice to all documentation.

–  State-Of-The-Art Advantage Firewall Security

EJReynolds’ Firewall Security system protects our computer network from being attacked by online hackers, worms, viruses, etc. It is designed to stop unauthorized access to the EJReynolds computer systems.

–  Industry leading threat protection

Advanced Threat Protection (ATP) helps to protect our organization from malicious attacks by:

  • Scanning email attachments for malware
  • Scanning web addresses (URLs) in email messages and office documents
  • Identifying and blocking malicious files in online libraries
  • Checking email messages for unauthorized spoofing
  • Detecting attempts to impersonate users or organization’s custom domains

–  Dark Web Monitoring

Dark Web Monitoring provides around the clock monitoring and alerting for compromised digital credentials, scouring millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards and illegal black market sites. All email addresses for EJReynolds’ employees, including the personal accounts for certain officers and managers, are monitored on the “Dark Web” for breeches in security. We are notified immediately if these critical assets are compromised, affording the chance to secure them before they may be used for identity theft, data breaches or other crime.

–  Continuous Training

Since 2019, all employees are required to complete extensive training programs through©, a nationally recognized leader in security awareness. Along with monthly training on the latest ERISA rules and regulations, each employee must complete training sessions on:

  • Phish threat security and common threats
  • Handling sensitive information digitally
  • Ransomware
  • Establishing and maintaining strong passwords
  • Mobile device security

Hackers constantly change their tactics. EJReynolds is groomed and trained to handle these situations.

Our commitment to your security is just one more reason to trust your retirement plan administration to EJReynolds.

IRS Issues Guidance on Notice Requirements for Safe Harbor Nonelective Contribution Plans

The IRS issued Notice 2020-86 (the Notice) on December 9, 2020, providing initial guidance for plan sponsors on the changes made under the SECURE Act for plans that provide for safe harbor nonelective contributions. Although the Notice address all the changes to a certain extent, this piece is focused solely on the elimination of the safe harbor notice requirements for plans that provide for safe harbor nonelective contributions. While this change was intended (by Congress) to reduce the administrative burden associated with these types of plans, it has little practical application based on the initial IRS guidance.

In general, the SECURE Act eliminated the safe harbor notice requirement for plans that provide for safe harbor nonelective contributions, expanded the ability for plan sponsors to retroactively amend their plans to permit safe harbor nonelective contributions, and increased the maximum automatic enrollment percentage from 10% to 15% for QACA safe harbor plans. As of today, the IRS has not updated the regulations, so there may (and hopefully will) be future changes.

Which plans are required to provide the safe harbor notice?

The Notice clarifies that the following plans still must provide the safe harbor notice:

  • Plans that provide for safe harbor matching contributions (the SECURE Act did not make any changes to the rules appliable to plans that provide for safe harbor matching contributions)
  • Plans that provide for safe harbor nonelective contributions AND matching contributions intended to satisfy the ACP safe harbor requirements

If a plan provides for safe harbor nonelective contributions, it is exempt from the ADP test. If the plan also permits matching contributions (fixed or discretionary), the plan must meet certain requirements for the match to be exempt from ACP testing. In general, 401(k) contributions exceeding 6% of compensation cannot be matched, the plan cannot impose allocation conditions on the match, discretionary matching contributions cannot exceed 4% of a participant’s compensation, and the safe harbor notice must be provided.

For example, assume a plan provides for a 3% safe harbor nonelective contribution and permits discretionary matching contributions. Further, assume there are no allocation conditions on the match and the employer matches 66.67% of deferrals up to 6%. While the safe harbor notice is not required for the plan to satisfy the ADP safe harbor requirements, it would be required if the employer wants to meet the requirements for the match to be exempt from the ACP test. In other words, even though the match provided by the employer would otherwise meet the ACP safe harbor requirements, if the employer does not provide the safe harbor notice, the plan would nevertheless be subject to ACP testing for the plan year.

Can a plan that provides for safe harbor nonelective contributions be amended mid-year to reduce or suspend those contributions if the employer did not provide the safe harbor notice?

First, under the existing regulations (which have not been updated for the SECURE Act changes), in order for a 401(k) plan that provides for safe harbor nonelective or safe harbor matching contributions to be amended mid-year to reduce or suspend safe harbor contributions, the employer must (1) be operating at an economic loss, or (2) have provided a notice to participants prior to the beginning of the year stating that the plan may be amended during the year to reduce or suspend contributions (the Safe Harbor “maybe” notice). Note that there are additional conditions that must be satisfied including the requirement to provide 30 days advance notice to participants such as allowing them to make changes to their deferral elections. Additionally, the safe harbor contribution must made through the effective date of the amendment, and the plan must satisfy the ADP/ACP tests using the current year testing method for the entire plan year.

Since the SECURE Act generally eliminated the safe harbor notice requirements for plans that provide for safe harbor nonelective contributions, it was anticipated the IRS would also eliminate the Safe Harbor “maybe” notice. Unfortunately, the IRS took the surprising position in Notice 2020-86 that a plan that provides for safe harbor nonelective contributions still must provide the Safe Harbor “maybe” notice if the employer wants to reserve the right to reduce or suspend safe harbor contributions mid-year.  The Notice states that while such plans are not required to provide the safe harbor notice, they still must provide a “maybe” notice (generally, within 30 days prior to beginning of the plan year).

We took the position to tell our clients with the Safe Harbor “maybe” non-elective plan design that it would be better to remove the Safe Harbor election altogether, since a plan may be amended to allow the 3% Safe Harbor non-elective contribution at any time up until the end of the 11th month of the plan year, or later up until the due date of the corporate tax return if the employer contributed a 4% Safe Harbor non-elective contribution.

Since it is only a matter of how much language is included in the participant notice, this essentially subjects employers who sponsor safe harbor nonelective contributions plans to the same notice requirements that existed before the SECURE Act. We expect the IRS will receive many comments on this aspect of the guidance, so there is still hope this issue will be resolved when they update the regulations.

How can I learn more?

When the IRS provides additional guidance or issues the amended regulations, we will provide an update. If you have any questions, please do not hesitate to contact EJReynolds, Inc. We are here to help.

Long-Term, Part-Time Employees New Rules under the SECURE Act

The Setting Every Community Up for Retirement Enhancement Act of 2019 (SECURE Act) generally requires that 401(k) plans allow long-term, part-time (LTPT) employees to become eligible to make elective deferrals (i.e., 401(k) contributions) upon completion of at least 500 hours of service during each of three consecutive 12-month periods. Under the new law, service prior to January 1, 2021 is not considered for this purpose. This means that any such employees will not be required to be eligible to make deferrals until the plan year beginning on January 1, 2024 (for calendar year plans).

Important Note:  The new rules do not have any impact on 401(k) plans that otherwise cover part-time employees or plans that provide immediate eligibility for all employees.

What rules apply to part-time employees currently?

First, as a matter of plan qualification, an employer cannot exclude a class of employees solely based on service, e.g., part-time employees. As a result, if a plan excludes part-time employees as a class, it must also include “fail safe” language providing that a part-time employee will nevertheless become eligible for the plan upon completion of a year of service (i.e., 1,000 hours during a 12-month period) and attainment of age 21. This is because basing a class exclusion on service could violate the minimum coverage standards under the Internal Revenue Code.

An employer may, however, exclude employees (including part-time employees) under some other reasonable classification that is not based on service, e.g., location, job title, etc.  In that case, the plan would have to be able satisfy the coverage rules annually taking into consideration the excluded class.

What are the new rules for part-time employees?

The purpose of the new rules is to expand coverage of part-time workers under 401(k) plans. As result, they address LTPT employees who work for the employer year after year, but less than 1,000 hours per year. Specifically, the new rules require that LTPT employees become eligible to make deferrals under the plan after satisfying the following requirements:

  • Completion of three consecutive 12-month periods with 500 or more hours of service in each of those 12-month periods, and
  • Attainment of age 21.

As mentioned above, service prior to January 1, 2021 is excluded for this purpose, so the first date a LTPT employee could become eligible to make deferrals under a calendar year 401(k) plan is January 1, 2024. The new rules generally apply to all LTPT employees except for employees who are covered under a collective bargaining agreement (i.e., union employees), and nonresident aliens with no U.S. source income.

When would a LTPT employee enter the plan after satisfying the maximum eligibility requirements?

A LTPT employee would generally become eligible to make 401(k) deferrals on the entry date provided for under the terms of the plan document for other eligible employees. For example, assume a plan allows eligible employees to enter the plan on the January 1 or July 1 coinciding with or next following the date an employee satisfies the eligibility conditions. In that case, a LTPT employee who is 21 (or older) and completed 500 (or more) hours of service during 2021, 2022 and 2023 would become eligible to make deferrals under the plan on January 1, 2024.

Does this mean LTPT’s have to receive employer contributions?

No. Under the new rules, the requirement is that a LTPT employee who has satisfied the maximum eligibility conditions must become eligible to make 401(k) elective deferrals. There is no requirement that they become eligible for employer contributions under the plan.

As a result, if LTPT employees are eligible to make deferrals under the plan solely because of the new requirements (e.g., the plan would not otherwise permit plan participation), the employer is not required to provide any employer contributions on behalf of such participants, including top-heavy minimum, gateway minimum, and safe harbor contributions (where applicable).

Are LTPT’s required to be included in testing?

No. If LTPT employees are eligible to make deferrals under the plan for no reason other than the new rules, they would be excluded from coverage and nondiscrimination testing, including ADP/ACP testing and general nondiscrimination testing.

Further, as discussed above, eligible LTPT employees would not be required to receive top-heavy minimum contributions (if applicable). Their balances would be included when determining the plan’s top-heavy ratio.

Important Note:  As mentioned previously, if the plan’s eligibility provisions are more liberal and LTPT employees are eligible for reasons other than the new rules, e.g., the plan has immediate eligibility, the exceptions to the testing and top-heavy rules would NOT apply, i.e., the part-time employees would be included in testing, required to receive top-heavy minimum contributions (if applicable), etc.

What happens if a LTPT employee works 1,000 (or more) hours during a plan year after becoming eligible to make deferrals under the plan?

If a LTPT employee completes a year of service (1,000 hours during a 12-month period), he or she will no longer be considered a LTPT employee effective as of the first day of the following plan year. The Employee would be treated in the same manner as a “regular” participant and included in testing, eligible to share in employer contributions (where applicable), etc.

What happens if a full-time employee changes to part-time status and would otherwise be considered a LTPT employee?

When a full-time employee changes to part-time status, their prior service cannot be disregarded. As a result, they would continue to remain eligible for the plan (in the same manner as they did prior to the change in employment status), unless they were excluded under some other classification in the plan document.

Are there special vesting rules that apply to LTPT employees?

Yes. If an employer provides employer contributions on behalf of LTPT employees who are eligible to make deferrals for no reason other than the new rules, special rules do apply. Under these rules, a LTPT employee must be credited for ALL years of service in which the employee completed 500 hours of service (the normal rule is 1,000 hours of service). The law does NOT exclude service prior to January 1, 2021 for this purpose.

Obviously, this has no impact on 401(k) elective deferrals (since they must be 100% vested). If an employer wants to avoid the special vesting rules all together, they could elect to only allow LTPT employees to make elective deferrals (i.e., not permit employer contributions), or they could elect to use more liberal eligibility provisions.

Could LTPT employees be excluded from the plan under some other classification?

This answer is not entirely clear; the IRS has not yet issued specific guidance. Currently, it would appear this would be permissible, provided the class exclusion is based on something other than service, e.g., all employees (full-time and part-time) in the Miami office are excluded from participation.

Are the LTPT employees counted as participants on the Form 5500 for purposes of determining whether a plan must file as a large or small plan filer?

This is unclear. Based the definition of a participant in the Form 5500 instructions, it would appear they will be counted for this purpose unless the Department of Labor provides an exception to the general rules. Given that the rules will not have an impact until the 2024 plan year, we are hopeful the DOL will issue guidance on this point shortly.

Do the new rules apply to 403(b) plans?

No. The new rules do not apply to 403(b) plans, as those plans generally cannot impose eligibility conditions on an employee’s ability to make elective deferrals (known as the “universal availability” rules).

If my company employs LTPT employees, are there any actions we should take now?

If you have long-term, part-time employees, you need to make sure you have good records in terms of their employment history and hours worked. Further, it would be advisable to review your plan’s current eligibility provisions with your third-party administrator and professional advisors to determine how the new rules may impact your plan. Changes to payroll providers or Human Resource systems may make it difficult to produce this history, so make sure to provide you third-party administrator with this information annually.

How can I learn more about the new rules?

Please contact EJReynolds, Inc. to learn more about these rules and how they may impact your plan and plan participants.

Solo (k) Plans

Are you a Small Business Owner? Are you Self-Employed? The same retirement plan options available to companies with 10, 20 or 200 employees are also available for your business. Many Small Business Owners may be more familiar with a Simplified Employee Pension (SEP) IRA. With a SEP you can deduct up to 25% of your earned income. However, it may make sense to look at a one-participant 401(k) plan. This combines a traditional employee retirement savings plan with a small business profit-sharing plan. This may make for a larger overall deduction comparable to the same earned income.

Contribution limits in a one-participant 401(k) plan – The business owner wears two hats in a 401(k) plan: employee and employer. The owner can contribute both:

  • Elective deferrals which reduce compensation (“earned income” in the case of a self-employed individual) up to the annual contribution limit:
    • $19,500 in 2020 ($19,500 in 2021), or $26,000 in 2020 ($26,000 in 2021) if age 50 or over; plus

  • Employer contributions up to:
    • 25% of compensation, as defined by the plan, with special calculations for sole-proprietor and partnership entities

Total contributions to a participant’s account, not counting catch-up contributions for those age 50 and over, cannot exceed the lessor of: 100% of compensation, or $57,000 for 2020; ($58,000 for 2021). In addition, the 401(k) limit on elective deferrals is an individual, calendar year limit, not a limit for each plan. If a business owner is also employed by another company and participates in its 401(k) plan, the total of all elective deferrals cannot exceed the annual contribution limit.

Contribution limits for self-employed individuals – If the business entity is a sole-proprietor or partnership, a special computation must be made to determine the maximum employer contribution. When calculating the contribution, it is a circular calculation. Compensation, or “earned income,” is the net earnings from self-employment after deducting both your share of the employer allocation and one-half of your self-employment tax.

Note: The IRS Publication 560 provides rate tables and worksheets for figuring your allowable contribution rate and tax deduction for your 401(k) plan contributions.

Testing in a one-participant 401(k) plan – A business owner with no common-law employees doesn’t need to perform nondiscrimination testing for the plan, since there are no employees who could have received benefits under the plan. The no-testing advantage vanishes if the employer hires employees. If the business hires employees, the plan must satisfy all coverage and non-discrimination requirements as any other 401(k) plan, once they become eligible.

Note: The Plan Document should be flexible enough to protect the employer if employees are hired in the future.

Deadline for Establishment of Plan – The SECURE Act of 2019 allows a qualified plan to be established up until the deadline of the return for which the deduction is taken, however, it did not extend the deadline for which income may be deferred in a 401(k) plan. Thus, a Solo-k plan established after the end of the 2020 Calendar Year would only allow employer profit sharing contributions, as any 401(k) deferrals may only be deducted from income earned in 2020. Deferrals deducted from income in 2021 would be reported on the 2021 tax return. There are some limited cases with Sole-proprietorships or Partnerships that may allow deferrals after the tax year, but for the most part, deferrals must be deducted from earned income in the year the deduction is taken.

Reporting Requirements (Form 5500) – If plan assets exceed $250,000 at the end of a plan year, the plan will be required to file a Form 5500-EZ, or Form 5500-SF until the plan is terminated and all assets are disbursed.  A one-participant 401(k) plan with fewer assets is exempt from the annual filing requirement. When determining the $250,000 threshold, all plans of the entity are considered; if you sponsor more than one plan, the filing requirement starts when the sum of the assets combined in all plans exceeds $250,000 at year-end.

Note: Failure to file Form 5500 when required can result in substantial penalties on audit.

Most Small Business Owners are familiar with a SEP IRA. Planning for retirement with a 401(k) plan can offer a great degree of flexibility. The basics start with a 401(k) plan; and adding a defined benefit pension plan can greatly increase the potential tax deduction available to a successful business owner. Whether you are adopting a plan for the first time, or have one that needs cleaning up, EJReynolds is here to help.

Defined Contribution Restatement Cycle 3 Has Arrived.

Qualified retirement plans—including profit sharing, money purchase, and 401(k) plans—receive special tax benefits by meeting requirements set forth by the IRS and Department of Labor. Many of these plans operate under a pre-approved plan document that is recertified by the IRS every six years. What were formerly called “Prototype Plans”, the IRS requires Pre-Approved Documents to be restated on a uniform six year cycle. A new six-year cycle, called Cycle 3, has begun. The restatement period runs from August 1, 2020 through July 31, 2022. The six-year restatement cycle helps to keep plans from becoming too burdened with separate interim “good faith” amendments that may have been added to the plan document over many years of operation. Restatement provides a great opportunity to implement discretionary changes in addition to updating your plan document with mandatory legislative updates. During restatement, our dedicated Plan Consultants can help evaluate potential enhancements and ways to optimize your retirement plan. Why Cycle 3? This is the third six-year cycle for which the IRS has issued opinion letters under the Pre-Approved Retirement Plan Program. Cycle 1 was the Economic Growth and Tax Relief Reconciliation Act (EGTRRA) restatement in 2010. Cycle 2 was the Pension Protection Act (PPA) restatement in 2016. Although this Cycle 3 restatement does not have an ornate title, it is equally important to maintain the qualification of the plan.

Since the announcement of the Cycle 3 Restatement period, Congress has enacted a number of new laws affecting tax qualified retirement plans, specifically the Setting Every Community Up for Retirement Enhancement (SECURE) Act and the Coronavirus, Aid, Relief and Economic Security (CARES) Act. In addition, the IRS has issued substantial guidance regarding the operation of qualified plans under these laws. Congress and IRS have generally permitted employers to comply with these new rules in operation without formally amending the underlying Plan document until some date after the law is effective. The Cycle 3 Restatement does not include these changes; however, the general consensus is that the plan must be amended to conform by the end of the first Plan Year beginning after December 31, 2021. If you are currently on our Pre-Approved Plan Document or if we restate your document during the Cycle 3 Restatement period, we will prepare the amendment for employer signature once we receive the required amendment language. If not, please forward a copy of the Cycle 3 Restatement and any subsequent amendments you obtain from your current provider as soon as they are received.

What Do I Need to Do? EJReynolds has acquired the Opinion Letters from the IRS on our Pre-Approved Documents for the Cycle 3 Restatement Period, and we are ready to begin the restatement process for our clients currently on our document. If you are not currently on our Pre-Approved Plan Document, contact your Plan Consultant to receive a quote on converting. We will be reaching out to you in the coming months and through 2021 to make the process of restating your plan documents as seamless as possible. Be on the lookout for updates. We will be sending you reminders and instructions to keep you current in future blogs on the EJReynolds, Inc. website to guide you through the restatement process.