What Retirement Policies Should Your 401(k) Plan Have in Place?


Having clear policies and procedures for 401(k) plans helps employees involved in plan administration do their jobs more efficiently by mapping out steps to take when various situations arise. The Department of Labor (DOL) recommends that retirement plans maintain some of these policies; while not required by law, they are helpful in the event of a DOL audit or participant litigation.

Often, a plan sponsor can obtain these policies and/or procedures from their various vendors or financial advisors. But for some of these policies, such as the cybersecurity policy, they may have to reach out to qualified legal counsel for assistance. So which policies should a plan consider having, and what do they entail?

Cybersecurity Policy 

Most businesses now depend on computers and mobile devices as part of their daily operations, which means it is essential that they are used in an appropriate, safe, and secure manner. It is important to have a cybersecurity policy that sets out clear rules on the acceptable use of company computers and devices to keep information secure. The DOL released its cybersecurity guidance in April 2021, and compliance will become a focus of DOL plan audits going forward. During an audit, the DOL now asks plan sponsors to provide “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan.”

The following is what the DOL expects a plan's cybersecurity policy to cover: 

  • Access controls and identity management for online systems,
  • The processes for responding to a cybersecurity breach,
  • Diligence process for assessing service provider information security protocols,
  • Cybersecurity awareness training, and
  • Encryption of sensitive information while stored or in transit.

Investment Policy 

Plan litigation in the past several years has escalated and cases claiming breaches of fiduciary duties related to unreasonable fees and underperformance of investments available in 401(k) plans are common.  This has increased the need for a 401(k) plan's investment committee to have clear procedures for selecting plan investment alternatives and monitoring those choices (including fees) to help avoid, or defend against, claims that the plan's investment choices were not in the best interest of the participants. 

It is prudent to include the following: 

  • Criteria to consider when first selecting a fund,
  • Criteria to consider when deciding to replace a fund,
  • Procedures for identifying a qualified default investment alternative,
  • Process for monitoring investment fund and investment service provider costs, and
  • How to handle proxy voting.

Loan Policy 

Unless plan loans meet the requirements under ERISA and the IRS code, each plan loan would be a prohibited transaction, which is a serious issue for a qualified plan. Not all 401(k) plan documents include the ERISA and IRS requirements for loans, which is why a separate loan policy is sometimes needed. The loan policy then becomes a part of the "plan rules" from a legal perspective.

Loan policies are detailed and comprehensive, and should cover the following items: 

  • Loan eligibility,
  • Loan fees,
  • Minimum and maximum loan amounts,
  • Loan sources,
  • Number of permitted loans,
  • What events would cause the loan to default,
  • Refinancing option, if any, and
  • Suspension rules. 

Missing Participant and Uncashed Check Policy

Missing participants in a retirement plan have become more of an issue due to COVID and massive increases in employees changing careers. The DOL considers it a "red flag" if a plan has a significant number of missing participants. That is why it is important to have a policy and procedure in place for locating missing participants and handling uncashed checks.

This policy should include the following: 

  • Procedures to prevent missing participants, such as a requirement that certain documents (such as all SPDs and SMMs) include a statement reminding participants to inform the plan of any changes in their contact information,
  • Steps the plan will take to locate missing participants,
  • Documented policy on how the plan sponsor will audit participant census information and correct data errors,
  • Instructions on how to record and track uncashed checks,
  • Procedures for reissuing stale uncashed checks, and
  • When a lost participant's benefit will be forfeited and, if the participant is found later, restored to them.

Many recordkeepers will have processes and procedures in place that a plan sponsor can use to form their missing participant policy. 

QDRO Policy 

As much as we would not want any participant to go through a divorce, it happens.  Every 401(k) plan is required to establish written procedures for administering distributions under a qualified domestic relations order (QDRO) as well as determining whether a domestic relations order meets the definition of a “QDRO” under ERISA. The processes and procedures must be used by the plan administrator to administer any QDROs from the plan.  We recommend providing a copy of the QDRO process and procedures to the participant and alternate payees before they submit a domestic relations order so they will know exactly what they need to include in the QDRO. 

QDRO procedures should include: 

  • A list of documents related to the plan that may be helpful in the drafting of a QDRO (for example, SPD, plan document, model QDROs),
  • Estimated timing by the plan administrator for making QDRO determinations,
  • What the administrator will do to preserve retirement assets while making a QDRO determination,
  • How and when plan assets will be segregated for the participant and alternate payee, and
  • The processes for appealing the plan administrator's determination as to whether an order is a QDRO.

The above policies should be updated as guidance is published by the DOL and IRS.  The policies should be used to administer the plan and guide the committee in making decisions concerning the plan.  They will also help establish the legitimacy of retirement committee actions by ensuring the application of rules and ensuring that decisions are made in an objective, fair, and consistent manner.  Finally, they help document that the people making plan decisions are held accountable for any decisions made.


Leisha Gosling has worked for over 30 years in the field of Defined Contribution Plan Administration. She graduated from University of Louisville with a Bachelor of Science in Business Management and from Sullivan University with a Master’s degree in Business Administration. Leisha joined RMS as a New Business Consultant in 2020. Her areas of expertise include qualified retirement plan administration and consulting, plan document underwriting, and compliance. She focuses the majority of her time at RMS on new client implementation and onboarding as well as marketing and new business initiatives. She also performs special research projects. Leisha has been awarded the designations of Qualified 401(k) Administrator and Qualified 401(k) Consultant from the American Society of Pension Professionals & Actuaries and Certified Employee Benefits Specialist from the International Foundation of Employee Benefit Plans.
