State and local governmental plans, which are excluded from ERISA, are subject to idiosyncratic legal requirements, including specific investment restrictions. These plans are also not immune to the political winds blowing in their state. Nowhere is this more apparent than in recent developments out of the States of Texas and Maine with respect to fossil fuel divestment. Investment managers of any governmental plan, especially those that take environmental, social and governance (ESG) factors into account, should pay close attention to these developments. Private equity and other fund managers, for the reasons stated below, should also take note.
On June 14, 2021, Texas Governor Greg Abbott signed into law SB 13. This new law, which goes into effect on September 1, 2021, generally prohibits state governmental entities, including the Employees Retirement System of Texas and the Teacher Retirement System of Texas, from directly or indirectly holding the securities of a publicly-traded financial services, banking or investment company that “boycotts” companies that (i) explore, produce, utilize, transport, sell or manufacture fossil fuel-based energy and (ii) do not “commit or pledge to meet environmental standards beyond applicable federal and state law….” The concept of “boycott” is not limited to divestment; rather, it picks up activity that is designed to inflict economic harm on the energy company. The exercise of certain shareholder rights could possibly amount to a “boycott” of a company.
The law also generally prohibits governmental entities from contracting with a service provider unless the contract provides a written verification from the service provider that it does not boycott energy companies and will not boycott energy companies during the term of the contract. This applies to contracts entered into on or after September 1, 2021.
Fiduciaries of these Texas governmental plans remain subject to countervailing fiduciary duties under Texas law, including the Texas Constitution. The new law crucially allows for breathing space between these core fiduciary duties and the state’s interest in protecting significant portions of its economy.
The law provides that these governmental entities are not required to divest from any holdings in “actively or passively managed investment funds or private equity funds.” However, the governmental entities are required to submit letters to the managers of these funds requesting that they remove from the portfolio financial companies that the state comptroller has designated as boycotting energy companies. The Texas governmental entities will alternatively request that the managers “create a similar actively or passively managed fund with indirect holdings devoid of listed financial companies.” Investment managers should be on the lookout for these letters starting this coming Fall.
Meanwhile, in Maine, the House of Representatives recently passed a bill that calls for the divestment of fossil fuel companies by the Maine Public Employees Retirement System (Maine PERS) and other permanent state funds by 2026. As with Texas, the law is sensitive to the overriding fiduciary duties that apply to the management of these assets. An official for Maine PERS recently testified that, “[p]ermanently striking broad portions of the financial market is incompatible with earning optimal returns for member retirements, will not change corporate behavior, and may not advance the social goals sought because investments are rarely one dimensional.”
Governmental plans invested in separate accounts or commingled funds managed by an investment manager have always posed risks to that manager, as these plans are subject to their own fiduciary duties and investment restrictions. Though the state laws applicable to governmental plans may contain ERISA-like language, we caution investment managers against relying on ERISA or DOL guidance as a failsafe way to manage governmental plan assets. As evidenced by the disparate approaches the States of Texas and Maine have taken, investment managers should pay close attention to the specific rules applicable to these plans to avoid running afoul of state law. With the calls for fossil fuel divestment growing louder in some quarters, and as other ESG issues come to the fore, careful due diligence on the part of investment managers is essential.
Please contact George Michael Gerstein to discuss these matters or other due diligence issues related to governmental plans.
ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The U.S. Department of Labor (DOL) has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a “plan asset.” Plan sponsors and service providers should brace themselves.
Just this past February, the U.S. Government Accountability Office (GAO) issued a report that highlighted the practice of, and risks related to, sharing personally identifiable information (e.g., a participant’s social security number, date of birth and username/password) (PII), and “plan asset data” (e.g., retirement account and bank account numbers) within the plan ecosystem. The plan sponsor’s own IT infrastructure may be vulnerable to attack or misuse. Where the plan sponsor outsources plan administrative responsibilities to a service provider, such as recordkeepers, third-party administrators and custodians, participant PII and plan asset data could be exploited if the service provider is hacked or lacks appropriate internal controls.
The report specifically noted that cybersecurity risk comes in many different flavors and from many different sources. The risk could, for example, be in the form of malware, ransomware, privilege abuse, data exfiltration and account takeover. The source of the risk could come from criminal syndicates, hackers and even an organization’s own employees.
Thus, the GAO report warned, “[t]he sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.” Poor risk controls can lead to the leaking of usernames, passwords and social security numbers, which can lead to the unauthorized access of participant accounts, and, ultimately, the illicit draining of a participant’s retirement savings. The misappropriation of participant PII or plan assets by virtue of a cybersecurity attack may not be expressly addressed in ERISA, but its effect on a participant may indeed result in “the great personal tragedy” Congress sought to prevent in enacting ERISA.[1]
The GAO ultimately made two recommendations: (1) the DOL should formally state whether cybersecurity for ERISA-covered retirement plans is a plan fiduciary responsibility under ERISA; and (2) the DOL should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks to plans and the relevant service providers.
A mere two months later, the DOL issued a series of cybersecurity tips and best practices for plan sponsors, service providers and participants. Specifically:
- Tips for Hiring a Service Provider, to “[h]elp plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.”
- Cybersecurity Program Best Practices, to “[a]ssist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.”
- Online Security Tips, to “[o]ffer plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.”
Useful as the tips and practices may be, the big reveal is that the DOL indicated that ERISA’s duty of prudence encompasses “an obligation to ensure proper mitigation of cybersecurity risks.” This means that a responsible plan fiduciary, when determining whether to hire and retain a service provider, should consider the service provider’s cybersecurity risk controls, and should document such consideration as part of its overall evaluation of the service provider.
The upshot of the DOL’s April 2021 cybersecurity tips and best practices is that it puts employers on notice both that the DOL takes this seriously and that plaintiffs could attempt to use this new guidance as a basis for fiduciary duty breach claims. Moreover, service providers can expect detailed questions on cybersecurity in RFPs and RFIs. Plan sponsors will seek more transparency, whereas service providers may be reluctant to divulge too much about their cybersecurity defenses, to guard against inadvertently offering up the keys to the castle. The balance between the two will become market practice.
The DOL is ramping up enforcement in this area. Plan sponsors should also gird for class-action lawsuits with allegations of breaches of ERISA’s duty of prudence when participant PII or plan asset data is misused. For these reasons, employers and plan service providers should carefully consider the DOL guidance.
A related string of litigation also poses a risk to plan sponsors and service providers. These suits argue that participant PII and plan asset data constitute “plan assets,” and that using such data for marketing purposes amounts to a breach of fiduciary duties. Some of these suits have targeted both the plan’s sponsor and recordkeeper. So far, the courts have rejected these claims.
In one case,[2] plaintiffs brought an action against the plan sponsor and recordkeeper alleging that participant data (e.g., names, contact info, investment history, etc.) constituted “plan assets,” and, therefore, the recordkeeper’s purported sharing of this information with affiliates to cross-sell non-plan retail financial products to participants amounted to violations of ERISA. In granting the recordkeeper’s motion to dismiss, the court ruled that “participant data does not meet the statutory definition of ‘plan assets’….”
In a similar case,[3] plaintiffs brought suit against the plan administrator alleging, inter alia, breach of fiduciary duty over the plan’s recordkeeper’s access to participant information (e.g., investment choice, account size, etc.) and use of that data to market products to the participants. In granting the motion to dismiss, the court stated, “[p]laintiffs cite no case in which a court has held that such information is a plan asset for purposes of ERISA….[t]his Court does not intend to be the first.” Moreover, the court rejected the argument that “releasing confidential information or allowing someone to use confidential information constitutes a breach of fiduciary duty under ERISA.”
Cybersecurity is quickly becoming an important risk area for ERISA plan sponsors. Failure to protect participant PII and plan asset data against privilege abuse, account takeovers and other threats to a participant’s information and account raises the specter of DOL enforcement action and litigation. Service providers should anticipate a greater focus on their cybersecurity measures by plan sponsors and expect that such measures could be an important basis for being hired and retained as a plan service provider. Both employers and plan service providers should also consider whether they are complying with other applicable privacy laws (to the extent such laws are not preempted by ERISA).
[1] Nachman Corp. v. PBGC, 446 U.S. 359, 374, 100 S. Ct. 1723, 1733, 64 L. Ed. 2d 354, 366 (1980).
[2] Harmon v. Shell Oil Co., No. 3:20-cv-00021, 2021 BL 126207 (S.D. Tex. Mar. 30, 2021).
[3] Divane v. Northwestern Univ., No. 16 C 8157, 2018 BL 186065 (N.D. Ill. May 25, 2018), aff’d, 953 F.3d 980 (7th Cir. 2020).
Governmental plans largely operate at the behest of their respective state legislatures. It is, therefore, unsurprising that state governmental plans will take disparate approaches to ESG. Interestingly, various plans have pushed back against new legislation that requires a certain action be taken, as is the case with Maine. Further complicating the analysis are state constitutional provisions that impose broad fiduciary duties, similar to those in ERISA.
Legislation is afoot that would amend ERISA to expressly permit fiduciaries to account for environmental, social and governance (ESG) factors as part of their fiduciary duties. The proposed legislation, the Financial Factors in Selecting Retirement Plan Investments Act, was introduced by Senator Tina Smith (D-MN). It expressly permits, but does not compel, fiduciaries to “consider” ESG and similar factors when selecting investments or strategies on behalf of an ERISA-covered retirement plan. The legislation also permits fiduciaries to consider “collateral” factors “as tie-breakers when competing investments can reasonably be expected to serve the plan’s economic interest equally well with respect to expected return and risk over the appropriate time horizon.” Under either scenario, the fiduciary need not “maintain any greater documentation, substantiation, or other justification” when considering the ESG or similar factors. Notably, the bill provides that an investment selected based on ESG or similar factors (including such factors used as a tie-breaker) may be a permissible default investment option (a “qualified default investment alternative” (QDIA)) for a plan that uses a default investment option as part of its menu. Lastly, the US Department of Labor’s (DOL) 2020 Financial Factors rule would cease to have force or effect upon the enactment of the legislation.
Meanwhile, President Joe Biden just issued an Executive Order on Climate-Related Financial Risk, in which he directed the DOL to consider proposing by September 2021 a rule that would suspend, revise or rescind the Financial Factors and proxy voting rules promulgated under the Trump Administration. The Executive Order further directed the DOL to consider taking any other action under ERISA “to protect the life savings and pensions of United States workers and families from the threats of climate-related financial risk.”
Should the legislation pass, it could provide fiduciaries limited additional comfort that the incorporation of ESG factors in their investment decision-making complies with ERISA’s fiduciary duties. The trend is toward incorporating ESG factors into an investment process for their effect on investment performance, and existing guidance, including the Financial Factors rule, should already provide fiduciaries enough of a roadmap to do so in accordance with ERISA. The legislation also seeks to dial back the documentation requirements of the Financial Factors rule, which may indeed ease some of the angst over foot faults and the resulting liability exposure. Though the DOL removed all references to “ESG” in the final Financial Factors rule, some argued the rule’s aggressive proposal, coupled with the Trump Administration’s overall stance on climate change, was designed to curb ERISA fiduciaries’ appetite for ESG. Yet, carefully documenting important decisions is already a well-established requirement and technique used by fiduciaries to mitigate their fiduciary duty risk.
It is a big deal that, with a rescission of the Financial Factors rule, fiduciaries would seemingly no longer have to comb through a fund’s prospectus and marketing materials for references to non-pecuniary factors, nor would the fiduciary need to scrutinize a fund manager’s use of screens or ratings. These requirements obviously present legal risk to a fiduciary and, therefore, may deter some fiduciaries from considering ESG products. But they also may serve as useful guideposts for fiduciaries trying to avoid selecting a greenwashed fund. An unintended consequence of the legislation could be that stripping out specific actions a fiduciary must take to navigate the intricate ESG landscape perhaps deters more plan sponsors from adding ESG to their plans than if the guideposts (and associated legal risks) remained.
It is also a big deal that the proposed legislation would allow a fund, which incorporates ESG factors for non-investment performance reasons, to serve as QDIA. The Financial Factors rule outright prohibited such a result. This change will likely give some plan sponsors comfort in selecting an ESG-themed QDIA that does not base ESG decisions on risk and return criteria, for example. However, the zealous litigation routinely brought against defined contribution plan sponsors over the selection of investment options has largely resulted in playing it safe. Plan sponsors know they will be second-guessed. This change, therefore, is unlikely to dramatically increase the adoption of ESG by ERISA plans, which continue to lag other institutional investors on that score.
The Executive Order is worth watching. The DOL may opt to impose affirmative obligations on fiduciaries to mitigate climate change risk to the plan. The imposition of any such obligation will likely be litigated.
In sum, ESG is and will remain entirely relevant to ERISA fiduciaries. Under ERISA and existing guidance, fiduciaries may take ESG factors into account when investing plan assets or selecting investment options for a plan lineup. With ESG top of mind for the current Congress and White House, ERISA fiduciaries should continue to evaluate whether taking ESG into account is prudent under the circumstances.