Smart Controls: A Financial Institution Disables Admin Accounts After 30 Days of Inactivity

I once had the experience of working with a financial representative to pay employees’ retirement contributions, along with my employer’s matching funds, into employees’ retirement accounts. The representative informed me that my administrative account would be disabled if I did not log in within the next 30 days. Each time I log in, the 30-day countdown starts over.

The representative explained that his financial institution wants to give employers and their representatives (e.g., financial controllers or CFOs) an incentive to deposit employee funds in a timely manner. The IRS requires companies to contribute the employees’ retirement funds within 30 days after the month in which the employees would have been eligible to receive the funds in cash. Thus, for example, any employee contributions withheld during August from employees’ paychecks must be deposited into their accounts by September 30th. To comply with regulations, the controller or CFO must log in at least every 30 days and make the deposits, so the financial institution’s policy is a handy reminder.

I also reasoned that financial departments have turnover, and one controller or CFO could replace another and assume the duty of depositing employee and matching employer funds into retirement accounts. Part of the controller/CFO function (in conjunction with IT) is to ensure that the departing controller or CFO’s access to administrative accounts and information systems is disabled (or passwords changed, as the case may be) in a timely manner. However, in organizations with lax controls, sometimes no one thinks to disable the previous controller or CFO’s access during the transition. The financial institution I worked with had thought of a solution for one piece of this problem by simply disabling any account that no one has logged into for 30 days. The accounts are personalized for the employee who logs in and deposits the funds, so if a new controller or CFO takes over the responsibility, that new person would create a distinct account instead of using the account of the departing employee. Unless the departing employee made a habit of logging in, the account would be disabled after 30 days, and the company would no longer face the risk that the departing employee could later gain access to sensitive financial information and functions.
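The control described above is simple enough to reproduce in a stale-account audit: keep the most recent login per account (every login resets the clock, and an account that has never been used counts from its creation date), and flag any account whose last activity is more than 30 days old. The script below is an added example, not code from the financial institution in the post; the account names, creation dates, login events and the `AS_OF` reference date are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Policy from the post: an account is disabled once 30 days pass with no login.
INACTIVITY_LIMIT = timedelta(days=30)

# Constructed sample data (not real records): when each administrative
# account was created, and a few login events for them.
ACCOUNTS = {
    "controller.alice": datetime(2023, 6, 1),
    "cfo.bob": datetime(2023, 5, 15),
    "controller.carol": datetime(2023, 9, 1),
}

LOGIN_EVENTS = [
    ("controller.alice", datetime(2023, 8, 28, 9, 12)),
    ("cfo.bob", datetime(2023, 7, 3, 14, 5)),
    ("cfo.bob", datetime(2023, 7, 30, 10, 0)),
    ("controller.alice", datetime(2023, 9, 25, 16, 40)),
]

# Constructed "current" date for the audit run.
AS_OF = datetime(2023, 10, 1)


def last_activity(accounts, events):
    """Most recent login per account.

    Accounts with no login at all fall back to their creation date, so the
    countdown for a never-used account starts the day it was provisioned.
    """
    latest = dict(accounts)
    for user, ts in events:
        if user in latest and ts > latest[user]:
            latest[user] = ts
    return latest


def accounts_to_disable(accounts, events, now, limit=INACTIVITY_LIMIT):
    """Accounts whose countdown has expired as of `now`.

    Because each login resets the clock, only the latest timestamp matters;
    an account exactly at the limit is still within policy and is kept.
    """
    latest = last_activity(accounts, events)
    return sorted(user for user, ts in latest.items() if now - ts > limit)


def days_remaining(accounts, events, now, limit=INACTIVITY_LIMIT):
    """Whole days left before each account would be disabled (negative when
    the account is already past the limit)."""
    latest = last_activity(accounts, events)
    return {user: (ts + limit - now).days for user, ts in latest.items()}


if __name__ == "__main__":
    for user, days in sorted(days_remaining(ACCOUNTS, LOGIN_EVENTS, AS_OF).items()):
        state = "DISABLE" if days < 0 else f"{days} day(s) left"
        print(f"{user:20s} {state}")
```

Run as a script, the report marks `cfo.bob` for disabling (last login July 30th, well past the limit), shows `controller.alice` with 24 days left, and shows `controller.carol` at 0 days: her account was created exactly 30 days before the audit date and has never been used, so it is disabled on the next run unless someone logs in. That never-used case is the one a departing-employee transition tends to produce, and it is worth checking that an audit treats it the same way the institution's policy does.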