Last November, the federal corporation charged with protecting Americans’ retirement funds issued an ominous public warning: the amount of pensions at risk inside failing companies had more than tripled during the recession.
The Pension Benefit Guaranty Corporation’s announcement signaled it might need tens of billions of new dollars to rescue traditional pensions paid by U.S. firms whose economic collapse left them unable to meet their retirement obligations to workers.
At the same time, however, the federally chartered corporation was receiving some bad news of its own: for the first time it was going to flunk an independent audit of the way it manages its finances.
On Nov. 12, 2009, PBGC’s outside audit firm and the corporation’s own internal watchdog jointly informed the federal body it was being cited for a “material weakness” in its internal financial controls, the accounting equivalent of an F grade.
“PBGC did not have effective internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations and its operations,” Inspector General Rebecca Anne Batts wrote in a letter that has escaped public attention despite their potential importance to taxpayers.
Americans may expect such adverse audit findings for corporate bad actors, but the finding is more unusual for a government agency, especially one charged with cleaning up failed companies’ messes and rescuing workers’ pensions.
A Center for Public Integrity review of hundreds of pages of memos, audits and internal reports shows the pension guaranty corporation has been unable to make several guarantees about its own work — in some cases directly misleading Congress and its inspector general into believing long-simmering problems were resolved.
Inspector General Rebecca Anne Batts“Providing false information to OIG or Congress can be a criminal violation,” an angry Sen. Charles Grassley of Iowa, the senior Republican on the Senate Finance Committee, warned in a letter March 31 that was provided to the Center. The letter chided the corporation for its “apparent dishonesty” in erroneously reporting it had implemented solutions to past problems.
Created in 1974, PBGC is essentially the government’s insurance program for retirees, protecting the pensions of approximately 44 million workers and retirees in more than 29,000 private defined benefit pension plans that promise a fixed monthly payment to retirees for life. When a covered company’s pension plan defaults, PBGC swoops in and protects workers’ retirements.
The corporation receives no tax dollars, and is funded instead by insurance premiums paid by pension plan operators, investments and assets it recovers from companies whose pension plans needed to be rescued.
A litany of problems
Getting its story straight with Congress is just one of PBGC’s problems.
Despite being the custodian of some of Americans’ most private data, PBGC suffers from such lax security that a contractor was able in 2008 to download the pension and Social Security numbers of 1,300 Americans to an unsecured electronic thumb drive that was then lost at an Ohio train station, according to documents and interviews.
The corporation also has been criticized for letting its contractors hire employees with inadequate experience or education, and has been cited repeatedly since 1997 for failing to create a unified financial management system to better safeguard its funds. It lacks the ability, for instance, to independently confirm the investment revenue figures reported by a contractor hired to engage in securities lending on its behalf, according to audit reports and interviews.
And its former chief executive was the subject of a year-long criminal investigation that ended in March with no criminal charges but a conclusion that his conduct raised “serious ethical concerns,” documents show.
“I am acutely aware that every dollar spent on a contractor who doesn’t provide the promised level of service or who doesn’t provide contract workers with the minimum qualifications needed to do the job is a dollar that is not available to pay the pension benefits of the workers that PBGC was created to protect,” Batts said in an interview.
Such systemic problems are equally concerning to lawmakers like Grassley and Democratic Sen. Herb Kohl of Wisconsin, the chairman of the Senate Aging Committee, particularly because the corporation’s own long-term financial outlook has worsened over the last few years.
Kohl, who is pressing for legislation to strengthen the PBGC’s oversight and governance, said the corporation’s “long-running problems …. should serve as a wake-up call to Congress.”
“Nearly one in six Americans relies on the PBGC to guarantee the pensions they’ve worked a lifetime for. The agency is far too important to let it operate without adequate oversight,” he said.
Working on fixes
In an interview with the Center, PBGC Acting Director Vincent Snowbarger said the corporation is taking steps to fix the problems that led to the adverse audit finding as well as the communication gaps that led his agency to provide erroneous information to Congress and its inspector general.
“Some of it is human error. Some of it is sheer sloppiness. And some of it is when an executive takes information from down below and doesn’t check its accuracy. All of it needs to, and will be, fixed,” Snowbarger said.
While fixing communication gaps should theoretically occur quickly, officials cautioned that addressing some of the systemic problems — like finishing a long-overdue unified financial management system or fortifying the agency’s information technology security — will take time, making it likely that PBGC will carry the stain of a material weakness finding on its audits for as many as three to five more years.
“What the IG has called to our attention are some things we can do better at,” Snowbarger said. “There also has to be the capacity within the organization to put all that in place. So we’re slowing down our implementation process on this. We’re trying to get more realistic about what we can get accomplished and when.”
PBGC officials said in the meantime the corporation is still able to perform its primary mission of making good on a growing number of pension obligations from companies that have collapsed.
“We’re not this rogue agency out there, about to fall off a cliff…. We have had no adverse results from this,” General Counsel Judith Starr said in an interview. “It’s all potential problems. We have to plug leaks so bad things don’t happen.”
Added Snowbarger, a former Kansas congressman who joined the corporation during the Bush administration: “We have been inundated by new participants and our primary responsibility is to make sure those people get paid… We’ve been sort of swamped from the intake process and that’s where resources naturally would go.”
Starr said senior executives agree that problems have “been going on long enough. We’ve been trying to fix this and we need to be much more comprehensive in our approach.”
The corporation is also facing a variety of more basic financial challenges. At the end of the Bush administration, PBGC sought to change its investment strategy, switching away from secure bonds and toward more risky Wall Street investments that offered the potential for higher returns in good economic times.
The Obama administration, however, put the plan on hold before it could be fully implemented, asking the corporation’s next chief executive, Joshua Gotbaum, to “prudently rebalance” its investment portfolio. Gotbaum’s nomination, though, has been pending for months.
When the recession struck, the corporation’s long-term financial position worsened in large part because the number of faltering U.S. companies with pensions that might need to be rescued ballooned.
PBGC reported in November that its deficit — the gap between its current assets and its future obligations — grew from $11.2 billion in fiscal 2008 to $21.9 billion in fiscal 2009, reversing several years of progress.
Meanwhile, the corporation reported its potential obligations to cover future pension losses from financially troubled companies more than tripled from $47 billion at the end of fiscal 2008 to about $168 billion at the end of last year.
Among the companies whose pensions PBGC have recently been forced to assume are the electronics retailer Circuit City, the IndyMac Bank, and the Lehman Brothers investment firm.
And General Motors’ and Chrysler’s continued losses leave their massive pension plans hanging in the balance, potentially adding $42 billion in auto industry retirement obligations to PBGC’s burden if they went under, the Government Accountability Office reported April 6. The automakers reported last month their condition is improving, but losses continue to accumulate.
To ensure its own health, PBGC undergoes two audits each year. One determines if its books accurately reflect its financial state and the second reviews whether it has adequate internal controls over its finances to ensure it complies with laws and regulations and spends its money wisely.
PBGC passed the first audit at the end 2009 with an unqualified or clean finding, the 17th straight year it has done so. But Batts and the outside auditor flunked the corporation on its internal controls, citing three serious deficiencies that they said amounted to a corporation-wide material weakness.
Batts’ auditors specifically cited the corporation’s failure to safeguard its sensitive data, and alleged it falsely claimed it had fixed problems. The auditors concluded that the problems not only left Americans’ personal data vulnerable to loss but also “impacted strategic decisions” the corporation made on how to spend its resources.
The Sarbanes-Oxley law passed after the Enron scandal required all public companies to conduct regular audits on their internal controls, seeing it as an essential safeguard for investors.
But the government does not require such an audit of all of its own agencies, leaving it instead for each agency to decide. Some address internal controls with a separate audit, and others evaluate internal controls as part of their financial statements. A handful, like the Department of Veterans Affairs, Treasury Department, and Agriculture Department, currently have at least one material weakness finding concerning internal controls.
PBGC, with its billions in assets and investments, conducts a formal internal controls audit each year. And after years of warning of problems that went unresolved, the auditing firm hired by inspector general Batts decided to cite the agency with its first material weakness.
“Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts,” the auditors said in explaining the significance of their negative finding.
George Mason University professor Anthony B. Sanders, a financial accountability expert who has testified before Congress, said the PBGC’s inability to pass its own internal controls audit raises the question, “How can we rely on this corporation to successfully audit these failing pensions? It tells us they may not be up to the task.”
A bigger concern, Sanders said, is that politicians are not trying to address the inevitability of PBGC eventually being unable to meet its obligations. “We have to first be rethinking our whole approach to pension benefits because clearly that model is broken and cannot be sustained,” he said.
Snowbarger said PBGC faces no short-term cash flow problems, in part because the corporation has assumed cash and other assets from a large number of failed companies whose pension plans have been taken over. But those assets will run out over time, and lawmakers will be forced to decide whether the government assumes those liabilities.
The options for closing the gap are limited. Congress could raise the premium costs for companies who buy the pension insurance to close the gap, but it would likely cause an outcry from companies. It could increase the investment returns on the corporation’s current assets, but that would open it up to additional risks. It could change the entire approach and cover only a pro-rata share of defaulted pensions, or lawmakers could simply use tax dollars to close the gap when the corporation’s current assets run out.
“Right now, the way we are structured, we don’t have the full faith and credit of the U.S. government behind us,” Snowbarger said. “That is something Congress will one day have to wrestle with.”
Batts, who was hired two years ago as an independent watchdog by the PBGC’s board of directors, has been an unrelenting siren about the state of the corporation’s affairs. PBGC, her office’s memos show, was warned for years before November’s audit about weaknesses in its procurement processes, its internal controls over its accounting practices, and information technology security.
In fact, the IG disclosed in a letter April 26 to Congress that 201 proposed solutions to problems identified as far back as the late 1990s still have not been implemented. The culture in certain key departments, Batts said, simply allowed bad practices to be swept under the rug or to fester until they manifested themselves into more dramatic failures.
For instance, IG reports dating several years back warned PBGC that it lacked a comprehensive and secure information technology platform, a red flag for a corporation trusted with protecting Social Security numbers, personal account balances, and proprietary actuarial data from pension funds.
A security breach
So it came as no surprise to insiders when the infamous flash drive with sensitive pension data was lost.
A supervisor and employee for a PBGC contractor stored unauthorized pension account data and Social Security numbers for 1,300 Americans on the above thumb drive, which was found on the floor of a Cleveland, Ohio, commuter train station with no encryption or password protection.
A Transportation Security Administration employee was heading home from work in 2008 when he spotted a computer thumb drive lying in the parking lot of a Cleveland, Ohio, commuter train station. The worker popped the thumb drive into a computer, and discovered it had Social Security numbers, account details from PBGC-protected pensions, and actuarial data from other private pension plans.
“Not exactly the sort of stuff you want lying on the ground of a public train station,” Batts said.
The worker managed to get the thumb drive back to the PBGC. Batts said she ultimately concluded that a supervisor and employee for a PBGC contractor downloaded unauthorized pension account data and Social Security numbers for 1,300 Americans. The information was stored on a flash drive with no encryption or password protection, leaving it totally exposed when it fell out in the train station lot. “These actions violated PBGC’s policy to protect sensitive information,” Batts concluded.
After the episode, Batts pressed PBGC anew to finally address its information security weaknesses.
The corporation reported back a few months later that it had implemented 45 of the 65 recommended security enhancements. And to address the case of the flash drive, PBGC reported both to Congress and the IG that it went to the offending contractor’s facility, provided additional security training, emphasized the need for greater care in handling sensitive data, and took other steps to ensure there would be no repeat.
The action plan sounded great — until Batts’ team went to check the fixes. She found they did not exist, according to documents and interviews.
“PBGC fabricated this follow-up action,” Grassley concluded in a March 31 letter to the corporation. “Other than providing routine annual security training, PBGC took no trips to the contractor’s facility, provided no additional IT security training, and to date has not ensured the contractor is adequately securing” sensitive data. Batts ultimately concluded that PGBC failed to implement any of the 65 “common security controls” it had promised.
Recent changes in the corporation’s information technology leadership have resulted in some progress in creating a more efficient, more secure technology system, according to both Snowbarger and Batts. PBGC’s former chief information officer left the corporation in November.
But the pattern of claiming fixes that didn’t occur has persisted. After Batts’ office raised concerns about two actuarial contracts with a Canadian firm that ballooned to $15 million in costs, corporation officials promised they had made changes to ensure the corporation could verify it got the services it paid for. The corporation even stated in writing that the corrective actions were “approved,” “in place,” and “effective,” according to Grassley’s letter.
Not true, Batts found, when she went back to check. In fact, there were a total of 17 fixes for procurement problems stemming from four separate audits that were inaccurately reported to be implemented. None of the corrective actions to make contracting safer had actually been taken, according to Batts and Grassley.
In an April 14 letter to Grassley, Snowbarger acknowledged a “number of shortcomings” and communication breakdowns but insisted that “any implication that PBGC employees have been fraudulent or dishonest in their dealings with Congress or the OIG is unwarranted.” Instead, Snowbarger said, the misinformation sent to Congress “involved failures of communication and/or good faith errors.”
A controversial former CEO
Sensitivities about PBGC’s procurement practices are also high in the aftermath of former chief executive Charles Millard’s tenure in 2007-09. Batts said Millard was the subject of a criminal investigation conducted by her office and the U.S. Attorney in Manhattan. Her office last month advised Congress that Millard would not face criminal charges.
But the IG concluded that the former PBGC boss had ignored staff warnings and intervened in 2008 in the evaluation of major Wall Street firms, including Goldman Sachs Group Inc., JP Morgan Chase & Co., and BlackRock Inc., as they were bidding for contracts to invest or manage $2.5 billion of the corporation’s money. The probe found the CEO later sought personal job search help from an executive at one firm that had just won a PBGC contract to manage hundreds of millions of dollars in investments. Millard “had inappropriate contacts with bidders … and took actions incompatible with his role,” investigators concluded. The investigation ultimately located 29 e-mails between a senior Goldman Sachs executive and Millard involving the director’s request to assist him in his search for employment.
Millard did not reply to multiple e-mail messages seeking comment on the investigation. His attorney, Stan Brand, did not immediately respond to a phone message seeking comment.
Meanwhile, the audit documents discuss numerous other problems. For instance the IG concluded the corporation lacked written rules “from the highest level down” to govern the risks associated with securities lending it performs as part of its investment strategy. PBGC “is unable to independently calculate” the revenues its main contractor claims it is generating from the strategy, the internal watchdog warned.
PBGC said a new investment policy it is drafting will provide written guidance on ensuring the accuracy of securities lending figures.
UPDATE — 5/3/10: After this story was published, Charles Millard’s attorney, Stan Brand, issued a statement saying that he and his client were “delighted to learn from news reports that I.G. Rebecca Batts concluded her investigation in March, and that Mr. Millard will not face charges of any kind.” As for Batts’ findings regarding Millard’s conduct at PBGC, Brand noted that the I.G. did “not identify a single rule or law that was violated during [Millard’s] tenure at the agency or at any time.”