
ERISA Fiduciary Duties for 401(k) Plan Sponsors: Personal Liability and the 3(38) Investment Manager

16 min read
Mike Thrift
Marketing Manager

A small manufacturing company in Ohio with 38 employees offered a 401(k) plan as a recruiting tool. The founder never thought twice about the plan's investment menu — the broker his bank recommended picked the funds, and the founder signed where he was told. Six years later, a former employee sued. The complaint alleged the plan held retail share classes of mutual funds when cheaper institutional shares were available, that recordkeeping fees ran roughly double the market rate, and that nobody on the company side had benchmarked either in years. The case settled for $1.4 million. The founder's personal assets were on the table the whole way through.

That outcome was not unusual, and the rules that produced it apply to nearly every employer that sponsors a 401(k) — including yours, if you have one. The Employee Retirement Income Security Act (ERISA) of 1974 imposes a duty of loyalty and a duty of prudence on the people who run a retirement plan, and it backs those duties with personal liability. Most small business owners do not realize that the protection of the corporate veil simply does not extend to their role as a plan fiduciary. The Department of Labor, plaintiffs' attorneys, and the participants themselves can reach personal bank accounts, investment portfolios, and homes when a breach is established.

This guide walks through what a 401(k) fiduciary actually is, what the Supreme Court's Tibble v. Edison decision means for the ongoing duty to monitor a plan, and how shifting investment authority to a Section 3(38) investment manager can substantially reduce — but never eliminate — your personal exposure.

2026-05-11-erisa-fiduciary-duties-401k-plan-sponsors-personal-liability-tibble-edison-3-38-investment-manager-guide

Who Is a Fiduciary Under ERISA?

ERISA defines a fiduciary functionally, not by title. You are a fiduciary if you do any of the following with respect to a retirement plan:

  • Exercise discretionary authority or control over plan management
  • Exercise authority or control over plan assets
  • Provide investment advice for a fee
  • Have discretionary authority over plan administration

In a typical small business, that captures the company itself (named in the plan document), the CEO or owner who signs off on decisions, anyone serving on a retirement committee, and the HR or finance employee who picks the recordkeeper and signs the contracts. A non-discretionary clerk who follows orders from above is generally not a fiduciary; the people who make the choices are.

The label matters because ERISA Section 404(a) requires every fiduciary to:

  1. Act solely in the interest of plan participants and beneficiaries
  2. Act for the exclusive purpose of providing benefits and paying reasonable plan expenses
  3. Use the care, skill, prudence, and diligence that a prudent person familiar with such matters would use — the so-called "prudent expert" standard
  4. Diversify the plan's investments to minimize the risk of large losses
  5. Follow the terms of the plan document, to the extent consistent with ERISA

That third standard is the one that catches small employers off guard. The law does not measure prudence against what a typical small business owner would do. It measures it against what an expert plan sponsor — someone familiar with retirement plan investing — would do. A founder who never benchmarked recordkeeping fees because she did not know to is not excused. She is judged against someone who would have known.

Personal Liability Under Section 409

ERISA Section 409(a) is the provision that scares ERISA lawyers. If a fiduciary breaches one of the duties listed above, that fiduciary "shall be personally liable to make good to such plan any losses to the plan resulting from each such breach, and to restore to such plan any profits of such fiduciary which have been made through use of assets of the plan."

The corporate form does not shield you. Indemnification clauses in your employer handbook do not shield you. Even a release signed by a departing employee generally does not shield you, because the participants and the Department of Labor have independent rights to bring suit. The only practical defense is to demonstrate that you followed a prudent process — that you collected the information a prudent expert would collect, considered it, documented your reasoning, and made a defensible decision.

ERISA also gives the courts the power to remove a fiduciary, bar them from serving as a fiduciary on any ERISA plan for a period of years, and award attorneys' fees to the prevailing party. The Department of Labor can pursue civil penalties under Section 502(l) equal to 20 percent of the recovery in a settlement or judgment. Criminal penalties exist for willful violations of reporting and disclosure requirements.

The Tibble v. Edison Continuing Duty to Monitor

For decades, ERISA carried a six-year statute of repose that effectively immunized old plan decisions. If a plan sponsor picked a fund in 2005, participants who sued in 2014 were told they were too late.

The Supreme Court ended that in 2015. In Tibble v. Edison International, the Court held unanimously that selecting an investment is not a one-time event. A fiduciary has a continuing duty to monitor the investments in the plan and to remove imprudent ones, and a breach of that monitoring duty starts a fresh six-year clock each time it occurs. The case itself involved a utility that kept retail share classes of mutual funds in the plan when identical institutional share classes — same fund, same manager, lower fees — were available to a plan of Edison's size.

The practical consequence for small plan sponsors is profound. Every fund in your plan, every recordkeeping contract, every administrative fee is something you are presumed to be monitoring on an ongoing basis. If you cannot show a regular review process, plaintiffs can reach back to fees paid in any year and argue you breached your duty to remove or renegotiate. Courts have generally read the duty to monitor to require some form of periodic, documented review — often quarterly or at least annually — that compares the plan's holdings and fees against reasonable alternatives.

The Litigation Wave Has Reached Small Plans

For years, the conventional wisdom was that excessive-fee suits targeted only mega-plans with billions in assets, where contingency-fee plaintiffs' firms could justify the cost of pursuing claims. That wisdom is obsolete. Plaintiffs' firms have built efficient templates and broadened the targets, and excessive-fee complaints now appear against plans with under $50 million in assets. Several have been filed against plans with fewer than 500 participants.

The complaints follow a pattern. The plaintiffs allege:

  • The plan paid recordkeeping fees that exceeded what a prudent fiduciary would have negotiated, often citing per-participant benchmarks of $30 to $50 per year for typical small plans
  • The investment menu included retail share classes when institutional or collective investment trust versions were available
  • Actively managed funds with high expense ratios were retained when cheaper index alternatives existed
  • The fiduciaries never solicited competitive bids from other recordkeepers
  • No documented monitoring or benchmarking process existed

Most of these cases settle in the seven figures. Settlement amounts have ranged from a few hundred thousand dollars for the smallest plans to more than ten million for mid-market plans. Insurance carriers, watching this trend, have raised fiduciary liability premiums and tightened underwriting questions about plan governance.

A Working Definition of Procedural Prudence

ERISA does not require that you pick the lowest-cost fund every time, or that the plan beat any particular benchmark. It requires that you follow a prudent process. The Department of Labor and federal courts evaluate that process based on documentation, not intent. Procedural prudence in practice looks like this:

A written investment policy statement (IPS). The IPS defines the plan's investment objectives, the categories of investments offered, the criteria for selecting and removing funds, the frequency of reviews, and the roles of each fiduciary and service provider. It is not legally required, but courts and the DOL treat a well-followed IPS as powerful evidence of prudence — and treat its absence, or its existence on paper but not in practice, as evidence of the opposite.

A retirement plan committee that meets regularly. Three to five members is typical for a small plan. The committee should meet at least annually, ideally quarterly, with formal minutes capturing what was reviewed, what was discussed, and what was decided. Minutes are the most important document the committee produces. If a fund underperformed for three years and the committee discussed removing it but elected to keep it for documented reasons, the committee is in a defensible position. If the committee never discussed it at all, the committee is exposed.

Periodic benchmarking of fees. This means soliciting quotes from at least three competing recordkeepers every few years, comparing the all-in cost of the current arrangement against published industry surveys, and asking the incumbent provider for a fee renegotiation when the comparison shows a gap. The DOL's Field Assistance Bulletin 2002-3 and subsequent guidance emphasize that fee reasonableness is judged against the services received — high fees can be reasonable if the services are correspondingly valuable, and low fees can be unreasonable if the services are inadequate. The point is the comparison itself, not the answer.

Documented investment monitoring. Each fund in the lineup is reviewed against the criteria in the IPS — usually three- and five-year performance against an appropriate benchmark, expense ratios against peer funds, manager tenure, and style consistency. Funds that fail criteria are placed on a watch list. Watch-list funds that fail to improve are removed. The watch list and removal decisions are documented in the minutes.

Compliance with Section 404(c). If the plan is participant-directed and meets the requirements of ERISA Section 404(c) and the related regulations, the plan fiduciaries are not liable for losses that result from a participant's investment selections among the plan's menu. The price of that safe harbor is providing participants with required disclosures, a broad range of investment alternatives, and the ability to give investment instructions at least quarterly. Section 404(c) does not protect the fiduciary from the underlying duty to select and monitor a prudent menu. It protects only the choices participants make within that menu.

How a 3(38) Investment Manager Shifts the Risk

ERISA Section 3(38) creates a special category of fiduciary called an "investment manager." Unlike most fiduciaries, an investment manager is a registered investment adviser, bank, or insurance company that accepts in writing the responsibility to exercise discretionary authority over the selection and monitoring of plan investments. When you hire one, the investment manager — not you — is the fiduciary for those decisions. Your remaining duty is to prudently select and monitor the investment manager itself.

That is a meaningful reduction in exposure. If a plaintiff alleges that a fund was imprudently retained, the lawsuit goes against the 3(38) investment manager, who has its own errors-and-omissions coverage, capital, and regulatory oversight. The plan sponsor's exposure is limited to whether it prudently chose the manager and monitored its performance. That is a much narrower question than whether each of fifteen fund choices was prudent on an ongoing basis.

Compare this with a Section 3(21) investment adviser, the more common arrangement. A 3(21) co-fiduciary recommends investments and shares fiduciary status with the plan sponsor, but the sponsor retains discretion and remains the primary fiduciary for the investment lineup. If the menu is found imprudent, both the adviser and the sponsor are exposed. The 3(21) arrangement helps with prudence — you have an expert in the room — but does not transfer the underlying liability.

A few things are worth knowing before you sign a 3(38) contract:

  • The investment manager must explicitly accept fiduciary status in writing. Many "advisers" market themselves as fiduciaries but reserve the actual discretionary authority for the sponsor in the fine print. Read the contract.
  • Selecting and monitoring the investment manager is itself a fiduciary act. You should document the search, compare candidates, and review the manager's performance at the committee level annually.
  • A 3(38) does not eliminate your duties around plan administration, recordkeeper selection, fee reasonableness, participant communications, or the plan document itself. Those remain on you.
  • Cost is typically a few basis points on plan assets, sometimes folded into a flat fee. For small plans, the math usually favors the arrangement once you factor in fiduciary liability insurance premiums and the time the committee would otherwise spend on investment due diligence.

For a sole-employee 401(k) or a very small plan where the owner is the only participant, the calculus is different. There is no participant to sue you. Prohibited-transaction risk is still real, but the litigation profile is much lower.

The Prohibited Transaction Rules

Even with a 3(38), every plan fiduciary must steer clear of the prohibited transactions in ERISA Section 406. These rules are absolute in form — there is no prudence defense — though the DOL has issued exemptions for common arrangements.

Section 406(a) prohibits transactions between the plan and a "party in interest," including the employer, owners of the employer, fiduciaries, service providers, and certain family members and entities. The forbidden transactions include sales, leases, lending, furnishing goods or services, and transferring plan assets to a party in interest. Section 408(b)(2) provides an exemption for reasonable contracts for necessary services at reasonable compensation — which is what allows the plan to pay a recordkeeper, a 3(38), an auditor, and so on.

Section 406(b) covers fiduciary self-dealing. A fiduciary cannot deal with plan assets in their own interest, act on both sides of a transaction involving the plan, or receive consideration from a third party in connection with a plan transaction. The classic small-business trap is the owner who has the plan invest in real estate the owner controls, or who borrows from the plan, or whose spouse provides services to the plan for compensation. These are almost always prohibited and trigger excise taxes under Internal Revenue Code Section 4975 in addition to ERISA penalties.

The Required Fidelity Bond and the Optional Fiduciary Insurance

ERISA Section 412 requires every person who handles plan funds to be covered by a fidelity bond — a form of insurance that protects the plan from losses caused by fraud or dishonesty. The bond must equal at least 10 percent of the funds handled, with a $1,000 minimum and a $500,000 maximum per plan in most cases. The bond protects the plan, not you. If you steal from the plan, the bond pays the plan and the insurer pursues you.

What protects you is fiduciary liability insurance, which is optional under Section 410 and which most plans should carry. Fiduciary insurance covers legal defense costs and judgments arising from breach-of-duty claims. For a small plan, annual premiums often run a few thousand dollars and can vary based on whether the plan uses a 3(38), has a written IPS, and has a documented committee process. A plan that demonstrates good governance pays less. The insurance never covers intentional fraud, theft from the plan, or known prohibited transactions.

The bond and the insurance are sometimes confused. They are different products with different protections, and a prudent plan sponsor carries both.

A Practical Checklist for Small Plan Sponsors

Set aside an afternoon and verify each of the following. If the answer is no, that item is on your fix list.

  • The plan has a current, signed plan document and summary plan description (SPD).
  • You have a written investment policy statement that reflects how the plan is actually managed.
  • A retirement committee exists, has named members, and meets at least annually with documented minutes.
  • You have benchmarked recordkeeping and administrative fees within the last three years against at least three competitors.
  • You have benchmarked the investment menu within the last year — share classes, expense ratios, and performance against peer funds and indices.
  • The plan complies with Section 404(c), including timely participant disclosures and a QDIA for participants who do not affirmatively elect.
  • The plan carries a current ERISA fidelity bond meeting Section 412 requirements.
  • The plan or company carries fiduciary liability insurance with adequate limits.
  • You have evaluated whether a 3(38) investment manager makes sense for your plan.
  • You have Form 5500 filings up to date and any required audit completed by a qualified independent auditor.
  • You file required participant notices: safe harbor notice (if applicable), QDIA notice, fee disclosure under 404a-5, and others.
  • You have documented your decision-making — not just outcomes, but the process and reasoning behind each material choice.

If you find gaps, fix them in order of risk. Documented monitoring, an active committee, and a defensible fee-benchmarking exercise are usually the highest-leverage items.

How Fiduciary Risk Connects to Bookkeeping

Plan-level fiduciary compliance and the company's bookkeeping are tied together more closely than most owners realize. The plan's annual Form 5500 filing pulls directly from payroll data and the plan trust accounting. Late or missed employee deferrals — money withheld from paychecks but not deposited to the plan within the DOL's seven-business-day safe harbor for small plans — are themselves prohibited transactions. They show up on Form 5500 and trigger required corrections, lost-earnings calculations, and DOL scrutiny. Clean, current books that reconcile payroll registers with plan contribution records make those problems visible early, when they are inexpensive to fix, rather than during an audit when they are not.

Keep Your Records Audit-Ready

Running a 401(k) plan is one of the clearest examples of how detailed, well-kept financial records protect a small business owner. Whether you are documenting fiduciary decisions, reconciling plan contributions against payroll, or producing the data your TPA needs for Form 5500, a transparent ledger makes the work straightforward and the defense easier. Beancount.io offers plain-text accounting that is transparent, version-controlled, and AI-ready — every entry timestamped, every change traceable, every report reproducible. Get started for free and see why developers and finance professionals are switching to plain-text accounting.