For all the talk of consolidated plan administration in the 403(b) world in the wake of the IRS's new regulations, there's a real monster lurking in the bushes which isn't getting much attention: the state law privacy rules which apply to individually owned 403(b) annuity contracts and custodial accounts in non-ERISA plans.

Privacy doesn't appear to be an issue for ERISA plans, because of ERISA's likely preemption of state privacy rules; or where the employer owns the contract or custodial agreement; or where Gramm Leach Bliley may be implicated. It doesn't even appear to be much of a problem under the rules requiring information sharing agreements because those rules only apply upon the transfer of a 403(b) account when presumably, the plan participant will agree to the release of data.  And it shouldn't even be much of a problem on newly issued individual contracts, as long as vendors build consent into application forms.

But what of that large block of individually owned 403(b) contracts over which the employer has no authority, and the plan participant is unwilling to grant consent? It can be a real wrench thrown in the gearhouse of consolidated administration.