PLANADVISER - Spring 2023 - 39

September, she learned her entire account balance had
been stolen.
In October 2021, Disberry requested a withdrawal
from her account, though knowing there was no balance,
the complaint says. Last April, Alight denied this request,
saying her balance could not be retrieved. Disberry brought
suit last July.
According to Disberry,
a number of red flags were
ignored. The fraudsters
contacted Alight in January
2020 and asked to change her
mailing and email addresses,
plus her phone number. Alight
mailed a personal identification
number to Disberry's
home in South Africa, which,
according to the complaint, the
fraudsters
likely
intercepted.
Once the thieves possessed the
PIN, they were able to change
her information to a different email address and phone
number, registered in South Africa. Alight never tried to
reach Disberry by email or phone during this process,
according to the complaint.
In February 2020, the fraudsters contacted Alight's service
center to change her login credentials, and permission was
granted. That March 9, they added information for a bank
account in Las Vegas, although the phone number and email
address remained South African. Shortly after, on March 17,
they changed Disberry's mailing address to one in Las Vegas.
Alight did send notices of these changes, but it used the new,
fraudulent contact information, so Disberry never saw them.
The fraudsters successfully withdrew the entire account
balance on March 20, 2020, approximately two months after
changing the contact information and 11 days after changing
the bank information. The funds were mailed to them as a
check that was cashed on March 27.
The 11-day window between the bank account change
and distribution is key. Disberry alleges that Alight maintained
a policy requiring itself to wait 14 days after a change
in account information before processing a distribution.
The three defendants in the case-also including the Bank
of New York Mellon Corp.-filed to dismiss. In December
2022, the judge dismissed the case for BNY Mellon on the
grounds that it merely cut the check and was not a fiduciary
for Disberry's savings. Colgate-Palmolive's motion to dismiss
was rejected because the company is the plan sponsor and
is required to monitor its service providers. Alight's motion
was also dismissed because it had discretion over whether to
execute the distribution and was therefore a fiduciary.
The Discussion
Cases of this kind are normally settled out of court, says
Kimberly Jones, an ERISA attorney and a partner in Faegre
Drinker Biddle and Reath LLP in Chicago. The plaintiffs are
highly sympathetic because they have lost their retirement
of funds, it is often in the defendants' interest to settle. But,
Boyko says, there is a " growing sense that, at some point,
there will be a fraud too big to be resolved that way. [This
case] is a skirmish before a bigger battle that everyone sees
on the horizon. "
Both Jones and Boyko agree that recordkeepers have to
follow their own policies. The standard of prudence that
has evolved from ERISA litigation is that of a " prudent
expert, " Boyko says, and if a recordkeeper maintains a
security policy, that means the company knew, or at least
thought, it was imprudent not to follow it.
Brian Edelman, CEO of FCI Cyber, a cybersecurity firm in
Bloomfield, New Jersey, says extra safeguards should be in
place when first making a distribution to a new destination,
such as a new bank account. He explains that a distribution
to a new bank account should be considered high-risk,
unlike a routine distribution to an existing account. He also
says, in this case a substantial amount of information was
changed within a short time frame, which would be a red
flag for him. Changing login credentials plus contact information
is especially dubious, since there is no logical relationship
between the two, he says.
Jones admits that the criminals in this case were " highly
sophisticated " and it is possible that, sometimes, nobody
is at fault. If the fiduciaries do everything right, but the
thieves do everything righter, can you justly hold the fiduciaries
responsible, tragic though the case may be for the
participant? In the absence of solid precedents, it is hard to
say, though this " good fiduciary, beaten by better criminals, "
is certainly not the narrative that Disberry advanced.
The SPARK [Society of Professional Asset Managers and
Recordkeepers] Institute's Best Practice Fraud Controls say
a recordkeeper should verify the identity of the participant
before changing login credentials and should notify participants
of account activity using the contact information it
has on file. -Paul Mulholland
savings through no fault of their own, she notes.
Most fraud of this sort has been handled privately,
Boyko says. The use of settlements means there are no
clear precedents to guide the case. However, cases such as
this draw attention to industry best practices, he says.
Since fraud typically involves a relatively small amount
" ... at some point, there will be
a fraud too big to be resolved
that way. [This case] is a skirmish
before a bigger battle that
everyone sees on the horizon. "
Participants | Spring 2023 | planadviser.com 39
http://www.planadviser.com
PLANADVISER - Spring 2023

Table of Contents for the Digital Edition of PLANADVISER - Spring 2023
