State unclaimed property (UP) laws govern customer assets in a company’s possession or custody, as well as a company’s obligations that remain unsatisfied for a statutory dormancy period (usually up to five years). Common examples of unclaimed property include uncashed vendor and payroll checks, failed ACH or direct deposits, dormant bank and shareholder or investment accounts, unredeemed prepaid cards, aged customer credit balances and, more recently, virtual currency.
As the property-owner’s state has first claim to the property (rather than the state where it was found or where the holder is based), a company could have annual reporting and remittance obligations in up to 50 states, Washington, D.C., and U.S. territories. Companies do not need any physical presence or material revenue in a given state to be subject to its UP laws.
State UP risk management challenges have multiplied in the past decade and may grow even further as states look to UP profits to balance budgets and boost revenues. Risk professionals must understand these regulatory regimes and associated compliance obligations, and work to meet regulatory challenges. Specifically, companies must address the two facets of risk management when implementing UP policies and procedures: 1) the state-facing risk of failures to report UP promptly; and 2) the owner-facing risk of premature escheatment of UP, particularly with investment assets.
State UP regimes and current regulatory and enforcement dynamics will impact every business that holds another party’s property or funds, or bears financial obligations to other parties. To best manage UP risk, these are the four most significant challenges and the steps risk professionals can take now to address them:
1. Optimizing UP Compliance Programs
Because a company may have compliance obligations in multiple states and the laws change quickly, a company’s UP compliance program must be nimble. Many companies outsource the reporting function to third parties. This may be expensive, but can boost timely reporting. However, the risk to customers is not necessarily erased by remitting dormant or unclaimed assets to a state custodian. If you hold customer securities or other investment assets, the states will liquidate those that are remitted to them as UP, meaning that the owner will be denied the benefit of their market position in the asset, such as if market value increases post-liquidation.
Unhappy owners will likely seek the value differential from your company if they can demonstrate that the remittance of their assets was erroneous in any sense, such as the company ignoring owner contact or activity, reporting the property too soon or too late, or not sending a pre-remittance “due diligence” letter to the owner’s correct address. Aggrieved customers are increasingly raising their concerns with other state agencies, including the state attorney general’s office, or are filing federal False Claims Act complaints to contest the allegedly erroneous reporting and seek treble damages. Finally, escheatment of customer assets could also have tax consequences for the owner, such as when IRA or HSA balances are escheated. To manage these risks:
- Engage in proactive multistate monitoring of proposed and enacted changes in the legislative regime
- Ensure operational resilience in meeting compliance obligations, including pandemic and remote working disruptions such as changing filing deadlines
- Monitor federal agency changes that will impact performance of compliance duties, for example, recent U.S. Postal Service mailing suspensions to foreign addresses
2. Cybersecurity and Data Privacy Risks
States frequently delegate their audit function to third-party firms. When they do so, those firms will request vast amounts of data on the audited company’s customers, transactional counterparties, employees and shareholders. In light of general concerns with cybersecurity and data privacy, a third-party UP examination is subject to many risk management requirements specific to laws bearing on the safekeeping and nondisclosure of non-public personal information (NPPI) and personal health information (PHI). Providing auditors with more data than truly necessary may expose a holder to:
- Regulatory scrutiny, which would arguably not fall under federal or state privacy law audit exemptions
- Significant and unnecessary security risks from financial data being stolen or being subjected to unauthorized access arising from a contract auditor’s inadequate security practices
- Potential regulatory scrutiny from non-audit states by enabling the auditor to examine data for states and entities outside the audit’s scope
The first way to manage these risks is by using nondisclosure agreements with the audit firm and potentially the auditing state, which may mitigate certain concerns about potential (or inevitable) breaches. However, these intersecting regulatory regimes and the undeniable risk of data breaches impacting a company’s customers, employees and shareholders should prompt you to ask whether the company would still agree to provide certain types of data to an audit firm, even if relevant laws permit certain disclosures. These questions take on added urgency because audit firms use a number of databases outside the scope of your books and records to establish presumptions such as whether property owners are dead (the Social Security Administration’s Death Master File) or no longer located where your business records indicate (the U.S. Postal Service’s National Change of Address and AccuZIP databases).
The second approach is data redaction and removal. The simplest tactic is nonprovision or redaction of data for owners located in non-audit states, per your books and records. However, the complexity of these determinations escalates rapidly in a live audit environment where audit firms are advising their client states to threaten or even issue punitively scoped subpoenas in response to objections to data requests.
3. M&A and Anti-Fraud Restriction Risks
Clients are now scrutinizing transaction and accounting models through an unclaimed property lens. Anti-money laundering (AML) and know your customer (KYC) regulatory regimes are top of mind not only for financial services companies but also any business with payments. Questions of fraud and other financial crime frequently result in restraints on accounts—both in placing such restraints so the customer cannot engage in account activity, and in determining the proper timing to review and potentially lift such restraints. When accounts remain in a permanent restricted “limbo,” analysis of account dormancy for UP purposes can become complex and subject to dispute. Companies should establish UP-informed policies and procedures for application and removal of AML, KYC or other fraud-related restraints on customer accounts or funds.
Mergers and acquisitions are another area of embedded risk. In a stock deal, the purchaser of a company assumes any pre-existing successor liability, including unreported UP in the target’s possession or on its books. Avoid M&A financial impacts such as:
- Adjustments to purchase price and establishment of UP-specific reserves based on shoddy compliance and financial statement reserves or disclosures, which will be picked up in the course of deal due diligence
- Assessment of UP liability in previously acquired assets and entities, in connection with UP audits and voluntary disclosure agreement processes
- Determination of whether the target derives material revenue from breakage on unredeemed prepaid cards or other customer liabilities
4. Expanding Enforcement Authority
State unclaimed property audits carry potentially significant dollar assessments, and mandatory interest (California and other states impose a 12% annual rate) and penalties can equal the assessed liability if a company failed to report high-value property for many years.
Yet this is not the only UP issue for out-of-compliance companies. State agencies besides the treasurer’s office or others with direct authority to administer and enforce UP laws are now getting involved. For example, the number of state attorneys general investigations and initiated inquiries—separate from UP regulator audits—has dramatically increased in recent years. Further, private enforcement efforts are focusing on UP as employees and private third-party whistleblowers allege that companies have knowingly defrauded states by failing to escheat property that is subject to a state’s unclaimed property laws.