Secure Act Guidance for Safe Harbor Retirement Plans

Employers now have more flexibility in adding or amending safe harbor 401(k) or 403(b) plans, thanks to the 2019 Setting Every Community Up for Retirement Enhancement (SECURE) Act and subsequent guidance from the Internal Revenue Service (IRS). These changes should increase access to the benefits that safe harbor plans offer, such as avoiding administrative costs and burdens of performing certain nondiscrimination tests and strengthening retirement readiness thanks to meaningful employer contributions.

We outline the most significant changes that the SECURE Act made to safe harbor plans. We also explain why plan sponsors should talk with their advisors now about amendments that they may need to make to their plan documents to comply with these SECURE Act changes.

Mid-year and Retroactive Adoption of Safe Harbor Plans

Before the new law, plan sponsors had to adopt safe harbor plans before the beginning of the plan year. Now, plan sponsors can retroactively convert a traditional 401(k) plan to a safe harbor plan that uses employer nonelective contributions.

This option is particularly helpful for plan sponsors that realize mid-year that their traditional plan might not pass nondiscrimination testing for contributions on behalf of highly and non-highly compensated employees. As a reminder, plans that fail nondiscrimination testing generally return a portion of highly compensated employees’ contributions to those employees, and the returned amounts are subject to income tax.

Plans now have until 31 days before the end of the current plan year to retroactively implement a safe harbor plan that makes employer nonelective contributions of at least 3% to all eligible employees. If plan sponsors miss this deadline, they can still retroactively implement a safe harbor plan until the last day of the following plan year, but at this point the minimum nonelective contribution increases to 4%.

Elimination of Annual Notice Requirements for Nonelective Safe Harbor Plans

Before the SECURE Act, plan sponsors needed to send participants annual notices outlining the safe harbor contributions. The IRS guidance clarified that plans that use nonelective contributions to satisfy the safe harbor requirement no longer need to send these annual notices. This change should help reduce administrative burdens for plan sponsors that use the nonelective contribution option. It is important to note, however, that safe harbor plans that use matching contributions must still send the annual notices.

Increased Auto-escalation Contribution Cap

Plan sponsors that automatically enroll participants into a safe harbor plan that uses a qualified automatic contribution arrangement (QACA) must default the employee’s contribution to at least 3% of the employee’s pay with an annual increase of 1% to at least 6%. The automatic escalation of the employee’s contribution previously was capped at a maximum of 10%, but the SECURE Act increased that limit to 15%. Plan sponsors can choose to stop the auto-escalation at an amount lower than 15%, however, as this increase is not a required change. This higher limit could be especially helpful in enhancing the retirement readiness of employees who tend to put their retirement savings on autopilot.


Start Conversations About Safe Harbor Plan Amendments Now

Plan sponsors that use safe harbor plans, or may consider adopting one retroactively, should start conversations with their third-party administrators and other relevant service providers about possible amendments to their plan documents. Many safe harbor amendments related to the SECURE Act are due by the end of the first plan year starting in 2022.

Although plans have until the last day of the next plan year to retroactively implement a safe harbor plan using employer nonelective contributions, doing so at least 31 days before the end of the current year will save one percentage point per employee (3% vs. 4%). So now is the time to start doing the necessary calculations to see whether your plan is in danger of not passing nondiscrimination testing.

Written by Beth Garner and Nicole Parnell. Copyright © 2021 BDO USA, LLP. All rights reserved.



DOL Issues Cybersecurity Guidance for Retirement Plans

On April 14, the Department of Labor (DOL) outlined a range of practices for combatting the growing threat of cybercrime to ERISA-covered retirement plans. This first-ever cybersecurity guidance issued by the DOL’s Employee Benefits Security Administration (EBSA) casts a wide net, addressing key issues affecting plan sponsors, fiduciaries, and record keepers, as well as plan participants and beneficiaries.

The DOL estimates that defined contribution and defined benefit retirement plans hold a combined $9.3 trillion in assets. These plans also store vast amounts of vital personal information online—information that could put participants and their assets at risk if a plan’s online systems were breached. In issuing this guidance, the DOL acknowledges the imminent risk posed by acts of cybercrime as well as the obligation of responsible plan fiduciaries, as set forth by ERISA, to help mitigate these risks.

Three Types of Guidance Issued

The DOL’s guidance is presented in three separate documents, each targeting a different audience. These best practices and tips are offered as recommendations for safeguarding the assets and personal information of plan participants while helping to reduce the risk of fraud and loss.

Tips for Hiring a Service Provider

This document aims to help plan sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers that follow strong cybersecurity practices. Specific recommendations include scrutinizing the service provider’s information security standards, practices, policies, and audit results; evaluating its track record in the industry, including whether the provider has experienced any past security breaches and how it responded; inquiring about any potential insurance policies the service provider may hold that cover cybersecurity breaches; and reviewing contracts to ensure that they include provisions for compliance with cybersecurity and information security standards.

Cybersecurity Program Best Practices

This document offers 12 best practices that address the needs of record keepers and other service providers responsible for managing plan-related IT systems and data, as well as the needs of plan fiduciaries who are responsible for hiring such vendors. The recommended practices include having a formal, well-documented cybersecurity program; conducting annual risk assessments; holding periodic cybersecurity awareness training sessions; and implementing and maintaining strong technical controls in keeping with industry best practices.

Online Security Tips

While this tip sheet targets plan participants and beneficiaries, the information is also important for plan sponsors to know and potentially integrate into employee education programs focused on online safety. These tips include encouraging users to regularly monitor their accounts online; creating strong passwords; using multi-factor authentication; being aware of (and knowing the signs of) phishing attacks; and keeping antivirus applications and all system software up to date.

Building on Past DOL Guidance

Although the DOL noted that this guidance was an important “first step” in safeguarding retirement benefits and personal information, it also builds on earlier EBSA guidance that addressed electronic recordkeeping systems and controls for protecting the personal information of plan participants. In this way, the current guidance may serve as a call to action to plan sponsors, fiduciaries and participants to review and update any established cybersecurity practices and protocols or to create a cybersecurity program using these recommendations.


Keep Strengthening Your Controls

While there is no way to eliminate the risk of cybercrime entirely, plan sponsors who understand and take steps to incorporate the DOL’s guidance into their cybersecurity protocols will be on a more solid path to safeguarding their plan assets and participants’ vital information.

The DOL guidance should be viewed as guidance or recommendations rather than a set of minimum requirements or as regulations. These recommendations underscore the importance of constantly evaluating, testing, and improving your cybersecurity protocols amid a rapidly evolving threat landscape.

Your representative can help you assess your current cyber risk profile.

Copyright © 2021 BDO USA, LLP. All rights reserved.

Templeton & Company Receives Peer Review PASS Rating

West Palm Beach, Fla. – December 14, 2016 – Templeton & Company, LLP has successfully completed a rigorous peer review of its accounting and auditing practice. The reviewer concluded the firm complies with the stringent quality control standards set by the American Institute of Certified Public Accountants (AICPA), the national organization for Certified Public Accountants in the United States.

The peer review of Templeton & Company was performed by a team of licensed, independent CPAs who qualified under the program’s requirements for service as a reviewer. The objective of the peer review is to determine whether a CPA firm has suitable quality control policies and procedures and is complying with them.

Its unmodified report indicates Templeton & Company measures up to the accounting profession’s high standards of quality and professionalism.

For more than 25 years, Templeton & Company has been dedicated to providing the highest quality audit, tax and consulting services to its clients. The firm employs more than 60 professionals and has expanded to three South Florida office locations.

The AICPA is the national professional organization of CPAs with more than 412,000 members in public practice, industry, government and education. AICPA members are committed to the highest standards of quality, independence, and ethics in their practice. In its continuing efforts to serve the public interest, the organization sets audit standards, upholds the profession’s code of conduct, provides continuing professional education, administers peer review programs, and prepares and grades the Uniform CPA Examination.

About Templeton & Company

Founded in 1990, Templeton & Company, LLP is a professional services firm providing comprehensive business solutions to help its clients discover and realize their vision for success. Located in Fort Lauderdale, West Palm Beach, and Wellington, Fla., the firm provides consulting services to businesses in multiple industries with a focus on audit, tax, technology, accounting, succession strategy, and business valuations. Templeton & Company is also an independent member of the BDO Alliance USA, a national network of leading CPA firms. For more information about Templeton, its people, services, experience, and alliances, visit