Tag Archives: fiduciaries

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able both to show their timely investigation of reported or suspected HIPAA susceptibilities or violations and to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI;
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use;
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights into the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that their health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce fails to honor these arrangements or improperly accesses or uses health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Addressing Objections to a Second Look at a Reinsurance Recovery

Most ceding companies avail themselves of catastrophe reinsurance, a product that pays anywhere from 90 to 100% of aggregated event loss after the ceding company’s retention up to the limits obtained. Generally the retention is determined as some fraction of the company’s surplus and the exposure profile of the company from any one catastrophe. The ceding company wants that retention high enough to not merely be swapping dollars with the reinsurer for frequency events, but low enough that the “shock” of the sudden demand for cash to pay claims does not impair the company.

When a broker tells a ceding company what the rate-on-line is for a catastrophe treaty … (the rate for a limit of coverage) or the inverse of a payback period, that number is not assuming any reinstatement of limits occurring. The reinsurers have now worked it that the reinstatement premium will in effect accelerate the payback period and increase the actual rate-on-line by requiring 100% as to time in reinstatement calculations. This was not always the case; at one time the reinsurer only charged for the reinstatement limits at a pro rated factor of the time remaining on the treaty.

Catastrophe reinsurance is somewhat unique in that its limits must be reinstated, but reinstating those limits now generally comes at a price higher than the original limits costs. This is so because the reinstated limits are only good for the remainder of the treaty period, not for the entire annual contract period as were the original limits. For example, suppose a Texas ceding company had a catastrophe treaty for the period from Jan 1, 2012 to December 31, 2012 and a hurricane came through Houston on October 1, 2012, exhausting the cedant’s treaty limit. The cost to reinstate that entire limit is the same dollars as it was to initially secure the original limit, but the second limit is good only from October 1, 2012 to December 31, 2012. Thus, the limits costs are the same for a three-month period reinstatement as they were for a twelve-month original limit of the same amount.

Reinsurers may tell ceding companies at renewal time that they are renewing at the expiring rate, but what the ceding company must be aware of is that a reinsurer’s practice is not unlike the federal government saying it will not raise tax rates, but then taking away some deductions so that the net effect is to increase the tax owed. At renewal, the ceding company may find that because of some change in the treaty definitions initiated by the reinsurer, it will have to pay more for the treaty even though the “rate” stayed the same. The net effect may be that while the rate did not change, the measurement against that rate did change, making the actual treaty costs increase or coverage decrease.

Consider also that if the ceding company had been carrying its original limits equal to the one in one hundred year storm, and such limits were appropriate, the reinstatement limit is now being carried for a second one in one hundred year event occurring in the same year, but happening again in the next three months, a highly unlikely scenario. The reinsurer is actually making the ceding company reinstate the catastrophe limit at a higher cost for an event that is even less likely to occur … but never fear, the reinsurer will offer to sell the ceding company yet another product that will cover the reinstatement costs … a treaty now for a charge slightly below the reinstatement costs that will pay the reinstatement premiums for the catastrophe treaty so that the ceding company will have reinstatement limits available in the event a second one in one hundred year catastrophe strikes within the next three months. (A pre loss, pre pay option treaty so to speak, where the ceding company can prepay the reinstatements now at a discounted rate!)

One of the primary attributes making for sound rating analysis is the law of large numbers. That is, enough units are insured providing that sufficient losses are experienced in order to provide predictability to an event. By their very nature, catastrophes are generally unusual events as far as the individual ceding company is concerned. Regional ceding companies may experience an event that exceeds their retention only once every several years. Reinsurers thus, by and large, do not price catastrophe treaties for ceding companies on the individual cedant’s catastrophe experience.

Rates for catastrophe insurance are based on “cat models.” Cat models are used against the ceding company’s risk locations and dollars of exposure at those locations. That is, all other things being equal, having 5 billion dollars of insurance exposure along the coast where the models predict a hurricane will strike will cost the ceding company more to reinsure than 5 billion dollars of inland exposure, where the models show the effects of a hurricane are less intense.

During any catastrophe, claims are filed in multiples of what the ceding company may be used to dealing with on a normal basis, and the ceding company may be required to utilize the services of independent adjusters to augment their own claims personnel services. The combination of high volume, tyranny of the urgent, and utilization of temporary staff provides ample opportunity for mistakes in coding, reinsurance reinstatement premium calculations, and event identification.

Event identification is simply the realization that the loss may not be correctly identified to the named event covered. Not all policyholders may immediately turn in a claim, and a claim that is turned in months after the event may be miscoded and missed in reinsurance recovery. Additionally, not all reinsurance recovery is utilized because the cedant did not realize that certain subsequent events are covered.

For example, suppose a claim is paid and closed, and a recovery is made from the reinsurer for the event. Two years later the ceding company receives a suit alleging bad faith and deceptive practices and other allegations that the claim was mishandled. Many insurance companies will put their Errors and Omissions carrier on notice of the allegation being made. However, not all will notify the reinsurer of possible additional development under the treaty for the catastrophe under the ECO/XPL* portion of the cat treaty, which treaty has already been tapped. The ceding company will likely have a per claim retention under its Errors and Omissions policy, plus it is responsible for the stated limits of the policy it issued to the insured before its Errors and Omissions coverage kicks in, whereas the cat treaty retention has already been met, meaning the ECO/XPL coverage of the cat contract will essentially provide Errors and Omissions coverage sooner to the cedant.

Additionally, depending on the definition of net retained loss under the treaty, it is possible under given circumstances that the ceding company could collect twice for the same Errors and Omissions loss, once under the treaty’s ECO/XPL and if large enough, additionally under its Errors and Omissions policy. An argument by the reinsurer that a collection under the Errors and Omissions policy inures to the treaty should be challenged with a claim that then the premium of the Errors and Omissions policy must similarly reduce the measure (earned premium) against the rate the reinsurer is charging. In other words the reinsurer does not get the inuring benefit of the Errors and Omissions without a corresponding allowance for its costs to the cedant. However, the cedant may be better off arguing the definition of retained loss under the treaty than to argue for the inuring costs.

During the turmoil of a catastrophic event, it is entirely likely that other reinsurance treaties will be overlooked or receive lesser attention. Most per risk treaties have a single occurrence limit, so that the per risk treaty is not used for catastrophic events. However, in many instances the per risk treaty inures to the cat treaty, so that the costs of the per risk treaty reduce the measure against which the cat rate is multiplied. In other words the costs of the per risk treaty reduce the costs of the cat treaty, because technically, the per risk treaty is supposed to be used up to the measure of its occurrence limit before the cat treaty is utilized; the recovery paid by the per risk treaty reduces the catastrophe loss.

As well, premiums may be missed or double paid, inuring contracts overlooked, or checks directed to the wrong reinsurer. I have seen the case during a catastrophe where a premium payment check was directed to the wrong Lloyds Syndicate, and such Syndicate was either so disorganized or so unethical, that it did not return the misdirected funds until after a formal request was made by the ceding company for the return over a year later. You can’t tell me the Syndicate thought that it was entitled to the money or did not realize it was not in the ceding company’s program.

The reinsurers are not your “friends.” They are not in the business to watch out for the interests of the ceding company — reinsurers are in business to make money, just as ceding companies are in business to make money. In 2010, just the top five reinsurers wrote over 98 billion dollars in premiums.

In a brokered market, the intermediaries do not only work for the interests of the ceding companies — they are in many cases dual agents. The word “intermediary” means go between, and for purposes of finances, intermediaries are the agent of the reinsurer, as provided in a standard intermediary clause ever since the federal case of 673 F.2d 1301; The Matter of Pritchard & Baird, Inc., which held that for purposes of money transfer, the broker is the agent of the reinsurer. Money received by the intermediary from the ceding company is considered money to the reinsurer, but money received by the intermediary from the reinsurer is not considered money to the ceding company.

Even all these years after Pritchard and Baird, I have recently witnessed where an unscrupulous reinsurer told the ceding company that it must collect from the intermediary the refund funds portion representing the intermediary brokerage fees. I have also witnessed where this same ceding company signed and agreed to placement slip terms but some 9 months later when the contract wording was finally provided, changed the minimum premiums to equal the deposit premiums within the contract, successfully slipping this change by the cancer chemo patient general manager of the small ceding company and then arguing that it had no record of any change. Such behavior is inexcusable and would never have been caught without an independent reinsurance recovery review.

If reinsurers did things right, then the National Association of Insurance Commissioners would not have needed to adopt a rule requiring that final contract wordings must be signed within 9 months of the contract’s effective date to allow for accounting treatment as prospective, as opposed to retroactive, reinsurance.

It’s absurd to think that this type of rule should be necessary in the first place. The 9-month rule, which really comes out of Part 23 of SSAP 62, requires that the reinsurance contract be finalized — reduced to written form and signed within 9 months after commencement of the policy period. In effect the reinsurers being remiss in generating a timely reinsurance contract punishes the ceding company. The National Association of Insurance Commissioners also found it necessary to adopt the so-called 90-day rule. This rule requires the US ceding companies to take a penalty to surplus in an amount equal to 20% of reinsurance recoverables on paid losses 90 days past due. The rule also requires a 20% penalty to surplus for all recoverables due from so-called “slow payers.”

In effect reinsurers have been so remiss in generating timely contracts and paying bills in a timely manner that the National Association of Insurance Commissioners had to create rules to prod them into doing the right thing by punishing the ceding company if they don’t.

It also never ceases to amaze me the attitude of ceding companies in their thrill of receiving a 25% ceding commission from the reinsurer in a proportional treaty for business that costs the ceding company 33% to generate. Or how the reinsurer now “did them a favor” by allowing a 27% ceding commission in the renewal. Or how that so called quota share treaty that the reinsurer is supposedly a “partner” in has a catastrophe cap included for the benefit of the reinsurer. If this represents what it is like to partner and be the “friend” of ceding companies, then the plaintiff’s bar should certainly also be considered a friend of ceding companies.

Reinsurance intermediaries are required to be licensed in most states. Penalties are imposed on unlicensed intermediaries. In some states, led by New York through its Rule & Regulation 98, reinsurance intermediaries must have written authorization from a reinsured before procuring reinsurance for the reinsured. The reinsurance intermediary must provide the reinsured with written proof that a reinsurer has agreed to assume the risk. The reinsurance intermediary also must inquire into the financial condition of the reinsurer and disclose its findings to the reinsured and disclose every material fact that is known regarding the reinsured to the reinsurer.

Record keeping requirements also exist, mandating that the reinsurance intermediary keep a complete record of the reinsurance transaction for at least 10 years after the expiration of the reinsurance contract. Reinsurance intermediaries under these regulations are now responsible as fiduciaries for funds received as reinsurance intermediaries. Funds on reinsurance contracts must be kept in separate, identifiable accounts and may not be commingled with the reinsurance intermediaries’ own funds.

Most of the time the intermediary’s sales pitch to the ceding company emphasizes how it has a great relationship with the reinsurers, the inference being that such a relationship will ultimately provide for a better price for the ceding company in the negotiation process, as if the reinsurer will do a “favor” for the intermediary which will directly benefit the ceding company. Such fairy tale thinking is best left to children’s books and not in the board rooms of ceding companies. The truth is the intermediary is more dependent for its success on the relationship it has with the reinsurer than it is on the ceding company, and the intermediary is not about to alienate the reinsurer for the sake of a ceding company.

In the brokered market, the ceding company typically has no say in the treaty terms. What most small to medium ceding companies fail to realize is that just as an insurance policy that it issues is subject to being a contract of adhesion by virtue of the legal maxim of contra proferentem, so too is the reinsurance treaty to the reinsurer.

The Latin phrase “contra proferentem” is a standard in contract law, which provides that if a clause in a contract appears to be ambiguous, it should be interpreted against the interests of the person who insisted that the clause be included. In other words, if you speak ambiguously in a contract, your words can literally be used against you. This is designed to discourage people from including ambiguous or vague wording in contracts because it would run against their interests. This is a decisive advantage for many ceding companies in what are often ambiguously defined treaties produced by reinsurers.

All too often the ceding company simply falls in line with what the reinsurer says is the proper interpretation of the treaty language. Whether such complicity is reflective of the incorrect notion that the reinsurer is their “friend” and operates in its best interests or just ignorance, the fact is that ceding companies are often not fully utilizing the product for which they have dearly paid.

The services offered by such entities as Boomerang Recoveries, LLC provide for the ceding company a second look at the treaties it purchased and how it structured its recoveries from its various treaties. Every “touch point” along the recovery process provides for possible missed opportunity. An expressed reluctance by a ceding company to have its recoveries reviewed by an independent reinsurance professional represents misplaced loyalties. The loyalty of a ceding company is to its policyholders or its stockholders, not to its reinsurers.

Good faith and fair dealing owed by a ceding company to the reinsurer does not include foregoing rightful reinsurance recoveries or agreeing with every position of the reinsurer. In this day of increased litigation for Errors and Omissions and Directors and Officers issues, ceding companies should be more concerned with demonstrating their due diligence and exhibiting fiduciary responsiveness by trying to recover every dollar that they are entitled to receive under the treaty contracts, than in worrying about what reinsurers may think about an independent review of its reinsurance recovery process.

Think of it this way: if the ceding company obtained some tax advice on a return it had filed which showed that, by refiling, it would be refunded $1,000,000 on the taxes it paid to Uncle Sam, would the officers of that company argue that filing an 1120X (Corporate Amended Tax Return) is a bad idea because it might look like an admission that the company had not taken every deduction to which it was entitled when the return was originally filed, or because the IRS might think poorly of the company? That would be absurd, but so too are the arguments that recasting and review of past reinsurance recoveries is a bad idea.

As we have seen:

  1. Every touch point in the recovery process carries the potential to miss a recovery … it’s just human nature to make more mistakes at the time of crisis than otherwise.
  2. Catastrophe treaties are not priced for individual company experience, but by models, so that additional recoveries will not directly impact the future rate charged the ceding company.
  3. Reinsurers are not in business to be your friend. Ceding companies pay sufficient premiums to collect all that they are entitled to collect under the treaty.
  4. Reinsurers will not tell ceding companies when a mistake is made or that it owes a ceding company more money.
  5. Intermediaries do not make a commission and are not paid to assure that the ceding company appropriately and fully utilizes the treaties that are placed.
  6. Reinsurance treaties are esoteric and a ceding company cannot rely on an intermediary to watch out for its best interests or interpret contracts in its favor.
  7. Increasing Directors and Officers exposures demand that officers and managers demonstrate their due diligence and the fulfilling of fiduciary duties. Even if no additional funds are shown as recoverable after a review, the effort is demonstrative of duties fulfilled.
  8. Intermediaries are dual agents and primarily “sell” their services to ceding companies by emphasizing the great relationship they have with reinsurers. Ceding companies need to understand that great reinsurer relationships do not mean better terms for ceding companies or that the intermediary is willing to sacrifice that relationship for the sake of the ceding company. Indeed, intermediary relationships with reinsurers are an extension of and built upon their loyalty to those reinsurers, not the ceding companies.
  9. Reinsurance treaties follow the legal maxim that ambiguities are construed against the drafter of the contract. Ceding companies need a truly independent expert that is not tied to the reinsurer, as is the intermediary, to argue for them and review recoveries on their behalf.

Cronyism has no place in today’s economy. Insurance managers are not reinsurance recovery experts, and utilizing the services of independent reinsurance recovery experts should be thought of as no different than utilizing the services of legal or tax experts to maximize the financial position of the ceding company. The deference ordinarily given to a reinsurer by a ceding company is substantially more than it would ever give to, say, an insurer that carried its fleet auto coverage or its Directors and Officers coverage. Ceding companies should stop thinking of reinsurance as some sort of friendship pact and start considering it as they would any other insurance protection they purchased for their financial stability.

* Excess of policy limits, extra contractual obligations

Risks Plan Sponsors And Fiduciaries Face When Employee Benefit Responsibilities Are Mishandled

A $27 million plus settlement announced by the Department of Labor on July 7 shows the big liability that employer, union or association plan sponsors and their fiduciaries risk by failing to take appropriate steps when deciding who will serve as fiduciaries or other plan sponsors or setting the compensation paid by the plan for those services.

The settlement announced last week against the National Rural Electric Cooperative Association (NRECA), like the $1.2 million plus judgment obtained by Labor Department litigators against the California fruit and nut company, Western Mixers Inc., and its owners and management in late May, shows the significant risks that employer, union and association health plan sponsors and fiduciaries run from mishandling employee benefit responsibilities.

Companies And Fiduciaries Often Face Significant, Under-Recognized Fiduciary Exposures
Employee benefit plan vendor selection and compensation arrangements made by employer or union, association or other employee benefit plan sponsors, fiduciaries and service providers are coming under increasing scrutiny by the Employee Benefits Security Administration (EBSA). While the Employee Retirement Income Security Act of 1974 (ERISA) technically grants plan sponsors and fiduciaries wide latitude to make these choices, the exercise of these powers comes with great responsibility (see these three additional articles: Plan Sponsors. Their Owners & Management & Others Risk Personal Liability If Others Defraud Plans or Mismanage Employee Benefit Plan Responsibilities, New Rules Give Employee Benefit Plan Fiduciaries & Investment Advisors New Investment Advice Options, and DOL Proposes To Expand Investment Related Services Giving Rise to ERISA Fiduciary Status As Investment Fiduciary).

Associations, employer and other plan sponsors, and other entities and individuals who in name or in function possess or exercise discretionary responsibility or authority over the selection of plan fiduciaries, administrative or investment service providers or other services to the plan or the establishment of their compensation generally must make those decisions in accordance with the fiduciary responsibility and prohibited transaction rules of the Employee Retirement Income Security Act. Among other things, these rules generally require that fiduciaries exercising discretion over these and other plan matters:

  • Must act prudently for the exclusive benefit of plan participants and beneficiaries;
  • Must not involve the plan or its assets in any arrangement that is listed as a prohibited transaction under ERISA § 406; and
  • Must not act for the benefit of themselves or any third party.

Although often misunderstood by companies and their management, these responsibilities generally attach whenever a company or individual is either named as a fiduciary or in fact possesses or exercises discretionary responsibility or authority over plan investments, assets, administration or other fiduciary matters, including but not limited to the selection of fiduciaries and service providers, investments or expenditures of funds or other discretionary matters.

Since the earliest days of the Employee Retirement Income Security Act, the Employee Benefits Security Administration as well as private plaintiffs have aggressively enforced these and other fiduciary responsibility rules. In recent years, the Employee Benefits Security Administration has taken further steps to tighten and enforce these protections such as the new fee disclosure rules recently implemented by the Employee Benefits Security Administration and other fiduciary guidance (see, for example, Western Mixers & Officers Ordered To Pay $1.2M+ For Improperly Using Benefit Plan Funds For Company Operations, Other ERISA Violations. See also Plan Administrator Faces Civil & Criminal Prosecution For Allegedly Making Prohibited $3.2 Million Real Estate Investment and Tough Times Are No Excuse For ERISA Shortcuts).

As illustrated by the NRECA Settlement and the Western Mixers, Inc. judgment, plan sponsors or fiduciaries that violate these rules risk personal liability to the plans for the greater of profits realized or losses sustained by the plan, plus attorneys’ fees and costs, as well as exposure to an EBSA-assessed ERISA civil penalty equal to 20% of the amount of the fiduciary breach.

$27+ Million NRECA Settlement
According to a July 5, 2012 announcement, the National Rural Electric Cooperative Association will restore $27,272,727 to three association-sponsored employee benefit plans covered by the Employee Retirement Income Security Act to settle U.S. Department of Labor Employee Benefits Security Administration charges that the association violated the Employee Retirement Income Security Act by selecting itself as a service provider to the plans, determining its own compensation and making payments to itself that exceeded the National Rural Electric Cooperative Association’s direct expenses in providing services to the employee benefit plans.

Following an investigation, the Employee Benefits Security Administration accused the National Rural Electric Cooperative Association of violating the Employee Retirement Income Security Act by selecting itself to act as the administrator of various association employee benefit plans and arranging for the National Rural Electric Cooperative Association to receive unreasonable compensation for these services which the National Rural Electric Cooperative Association set without the use of independent parties to prudently verify the appropriateness of the selection or compensation arrangements. The Employee Benefits Security Administration said these arrangements violated the self-dealing and other fiduciary responsibility requirements of the Employee Retirement Income Security Act.

Headquartered in Arlington, the National Rural Electric Cooperative Association is a nonprofit trade association for electric power cooperatives. The sponsored plans are open to members of the trade association as well as the association’s employees. As of 2010, the latest information available, the National Rural Electric Cooperative Association 401(k) Plan had 68,970 participants, the National Rural Electric Cooperative Association Retirement Security Plan had 64,286 participants and the National Rural Electric Cooperative Association Group Benefits Plan had 73,644 participants.

Under the terms of the agreement, the National Rural Electric Cooperative Association will not provide administrative services to the National Rural Electric Cooperative Association Retirement Security Plan, the National Rural Electric Cooperative Association 401(k) Plan and the National Rural Electric Cooperative Association Group Benefits Plan without entering into a written contract or agreement with the plans that must be approved by an independent fiduciary. The independent fiduciary must determine whether the use of the National Rural Electric Cooperative Association to provide administrative services to the plans is prudent and reasonable, determine the categories of direct expenses that the National Rural Electric Cooperative Association may charge to the plans and the methods of calculating those expenses, and monitor the National Rural Electric Cooperative Association’s compliance with certain terms of the agreement.

The agreement also provides that during a 60-month period following the implementation date, the National Rural Electric Cooperative Association shall discount the amount of permissible direct expenses for which it seeks reimbursement from all three plans in the amount of $22,727,272. The balance of the settlement payment, $4,545,455, already has been paid directly to the National Rural Electric Cooperative Association 401(k) Plan. In addition to the amounts returned to the plans, the National Rural Electric Cooperative Association will pay $2,727,276 in civil penalties.

“This settlement sends a clear message to plan fiduciaries that they cannot profit from selecting themselves to provide services to plans,” said Phyllis Borzi, assistant secretary of labor for employee benefits security in announcing the settlement.

Western Mixers $1.2+ Million Judgment
In May, the Department of Labor got a judgment against a California fruit and nut supplier, Western Mixers Inc., its owners and certain officers for failing to properly handle their company’s retirement, health and other employee benefit plans’ moneys and other responsibilities. Under the judgment entered in Solis v. Frank L. Rudy et al. and Western Mixers Inc. Money Purchase Pension Plan, Western Mixers Inc., its owners and officers will pay a total of $1,287,901 to the company’s pension plan, plus a 20 percent penalty to the Department of Labor.

Following an investigation by the Labor Department’s Employee Benefits Security Administration, the Labor Department charged that Western Mixers Inc. and two officers who served as trustees of the plan failed to make approximately $952,511 in mandatory employer contributions for the benefit of participants and beneficiaries. Investigators also found that the same two officers as well as the company’s chief financial officer made $565,000 in unauthorized withdrawals from the plan accounts, commingling those funds in the company’s general accounts and using them for the benefit of the business.

Labor Department officials sued the company and the officers for violation of the fiduciary responsibility rules of the Employee Retirement Income Security Act. The Employee Retirement Income Security Act generally requires that plan trustees and other plan fiduciaries carry out duties with respect to an employee benefit plan’s assets prudently for the exclusive benefit of participants.

Pursuant to the consent judgment, the company and its officers admitted to violation of the Employee Retirement Income Security Act. During the course of the investigation leading up to the lawsuit, the company previously repaid to the plan $485,000 of the total funds identified as missing by the Labor Department. According to an announcement of the U.S. Department of Labor on May 14, 2012, Midwest Mixers Inc.’s officers agreed to repay $802,901 to participants’ accounts within 10 days of the judgment.

In addition to repaying the missing funds with interest, defendants also must pay a penalty equal to 20 percent of the recovered amount. The court also has appointed an independent fiduciary to terminate the plan and to collect, marshal, pay out and administer plan assets. Frank L. Rudy and David H. Bolstad, owners of the company, are removed as plan trustees and fiduciaries. Together with Robert J. Fischer, Western Mixers, Inc.’s chief financial officer, they are permanently enjoined and restrained from violating the Employee Retirement Income Security Act and from serving as fiduciary or service providers to any ERISA-covered plan in the future.

Despite these well-documented fiduciary exposures and a well-established pattern of enforcement by the Labor Department and private plaintiffs, many companies and their business leaders fail to appreciate the responsibilities and liabilities associated with the establishment and administration of employee benefit plans.

Frequently, employer and other employee benefit plan sponsors fail adequately to follow or document their administration of appropriate procedures to be in a position to demonstrate their fulfillment of these requirements when selecting plan fiduciaries and service providers, determining the compensation paid for their services, overseeing the performance of these parties, or engaging in other dealings with respect to plan design or administration.

In other instances, businesses and their leaders do not realize that the functional definition that the Employee Retirement Income Security Act uses to determine fiduciary status means that individuals participating in discretionary decisions relating to the employee benefit plan, as well as the plan sponsor, may bear liability under many commonly occurring situations if appropriate care is not exercised to protect participants or beneficiaries in these plans.

For this reason, businesses and associations providing employee benefits to employees or dependents, as well as members of management participating in, or having responsibility to oversee or influence decisions concerning the establishment, maintenance, funding, and administration of their organization’s employee benefit programs need a clear understanding of their responsibilities with respect to such programs, the steps that they should take to demonstrate their fulfillment of these responsibilities, and their other options for preventing or mitigating their otherwise applicable fiduciary risks.

In light of the significant liability risks, employer, association and other employee benefit plan sponsors and their management, plan fiduciaries, service providers and consultants should exercise care when selecting plan fiduciaries and service providers, establishing their compensation and making other related arrangements.

To minimize fiduciary exposures, parties participating in these activities should seek the advice of competent legal counsel concerning their potential fiduciary status and responsibilities relating to these activities and take appropriate steps to minimize potential exposures.