Beancount.io LogoBeancount.io

State Auto-IRA Mandates in 2026: CalSavers, Illinois Secure Choice, and OregonSaves Compliance Guide

14 min readMike ThriftMike Thrift
State Auto-IRA Mandates in 2026: CalSavers, Illinois Secure Choice, and OregonSaves Compliance Guide

A two-person bakery in Sacramento, a four-person law firm in Chicago, and a seven-person landscaping crew in Portland now share something in common with Fortune 500 employers: a state retirement mandate with real teeth. Twenty-two states have either launched or scheduled auto-IRA-style programs for private-sector workers, and as of 2026, the headcount thresholds in the largest of those states have dropped to one employee. The notices arrive in plain envelopes from a state treasurer's office. The penalties — up to $750 per employee in California, $750 per employee in Illinois over two years, and escalating five-figure totals in Oregon — are assessed without an audit and without a court hearing. Most of the small employers who get hit didn't know the program existed.

This guide walks through how state-mandated auto-IRA programs actually work, which states require what, who has to register, how the payroll deduction mechanics function, and the specific compliance traps that small business owners and their bookkeepers should plan for in 2026.

What a State-Mandated Auto-IRA Actually Is

A state auto-IRA is a public retirement savings program that requires private-sector employers to either (a) offer their own qualified retirement plan (a 401(k), SIMPLE IRA, SEP IRA, pension, or 403(b)) or (b) "facilitate" the state program by enrolling employees, deducting contributions from payroll, and remitting them to a state-contracted IRA administrator. The state owns the program. A state retirement board contracts with a private recordkeeper and custodian. Employees own their accounts. The employer does not contribute, does not select investments, does not give advice, and does not pay program fees.

If that sounds familiar, it is essentially the payroll-deduction IRA framework the IRS has long permitted, scaled up to mandatory coverage at the state level and paired with automatic enrollment by default.

Three architectural choices make these programs distinctive:

  • The default account is a Roth IRA. Contributions are after-tax and subject to the standard Roth IRA annual contribution limits ($7,000 for 2026, $8,000 if age 50 or older). Employees can usually switch to a Traditional IRA election if they prefer pre-tax treatment.
  • Auto-enrollment with a default contribution rate. Most states default new enrollees to a 3% or 5% deferral, with automatic escalation of 1 percentage point per year up to a cap (often 8% or 10%). California, for example, defaults to 5% and escalates to 8%.
  • Employee opt-out at any time. Employees can change their contribution rate, switch investment options, or stop contributing entirely at any time through the state portal. The employer's job is not to talk them out of it or into it — only to process the deduction the employee selects.

The crucial point for owners: the employer has no fiduciary role. There is no plan document, no Form 5500, no ERISA exposure, no nondiscrimination testing, and no employer matching. It is administrative facilitation only.

The State-by-State Map for 2026

As of early 2026, the auto-IRA states with active or imminent enforcement are California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Minnesota, Nevada, New Jersey, New York, Oregon, Rhode Island, Vermont, Virginia, and Washington. The exact program names differ — CalSavers, Colorado SecureSavings, MyCTSavings, Delaware EARNS, Hawaii Retirement Savings, Illinois Secure Choice, MaineSaves, MarylandSaves, Minnesota Secure Choice, Nevada Employee Savings Trust, RetireReady NJ, New York State Secure Choice, OregonSaves, RISavers, VermontSaves, RetirePath Virginia, Washington Saves — but the underlying mechanics are nearly identical.

The headcount thresholds, however, are wildly different. Here are the four that small businesses outside their borders may still need to worry about because of multi-state employees:

CalSavers (California)

The mandate now reaches employers with one or more California-based employees. Originally tiered by size (100+, then 50+, then 5+), the program expanded to the one-employee threshold for newly-reporting employers in 2024. A business that newly reports having at least one California employee in 2026 must register or certify an exemption with CalSavers within 90 days of crossing the threshold, and in any case by December 31, 2026 if reporting for the calendar year.

Penalty structure: $250 per eligible employee at 90 days of non-compliance, an additional $500 per eligible employee at 180 days, and an additional $500 per eligible employee can be assessed annually thereafter. The cumulative ceiling — frequently cited at $750 per employee — is the standard first-year exposure for a covered employer that ignores both the initial and the final notice.

Illinois Secure Choice

Covered employers are those with five or more Illinois employees in every quarter of the prior calendar year and at least two years in business. Illinois has rolled the mandate down to the five-employee tier and is operating a 2026 program-manager transition with a soft launch window. Employer fees: zero. Employer contributions: prohibited.

Penalty structure: $250 per employee for the first calendar year of non-compliance and $500 per employee for any subsequent year. The Illinois Department of Revenue handles the enforcement notices, which is procedurally significant — the notices arrive on letterhead small businesses already take seriously.

OregonSaves

Oregon was the first state to launch, in 2017, and now reaches all private-sector employers regardless of size. Headcount-based deadlines were rolled out in waves; new employers without a qualified plan must register within three months of hiring their first Oregon employee. Penalties of $100 per employee per year apply, capped at $5,000 per employer per year.

Smaller Mandates and Late Movers

Maine, Maryland, Virginia, Colorado, Connecticut, New Jersey, and others have phased mandates that generally hit at five or 25 employees, with 2026 deadlines for the smaller tiers in several states. Hawaii and Minnesota launched their programs in 2026 with multi-year phase-in schedules. Vermont and Hawaii are scheduled to move to a tiered penalty ($10/$20/$75 per employee depending on enforcement window) over 2025–2026.

For multi-state employers, the rule of thumb is straightforward: if you have a W-2 employee with a work address in one of these states and you do not sponsor a qualified retirement plan, assume you are covered and verify.

What Counts as "Sponsoring a Qualified Plan" — The Exemption That Owners Miss

The cleanest way to avoid the mandate is to sponsor your own qualified plan. The plans that qualify as exemptions in most state programs are:

  • 401(k) plans (traditional, safe-harbor, solo, or SECURE 2.0-eligible starter 401(k))
  • 403(b) plans
  • 408(k) SEP-IRAs
  • 408(p) SIMPLE IRAs
  • Defined benefit and money purchase pension plans
  • Profit-sharing plans
  • Multiple employer plans (MEPs) and pooled employer plans (PEPs)

A payroll-deduction IRA that you set up yourself without auto-enrollment is not an exemption in most states, even though it is technically an IRA. The state programs are specifically targeting employer-sponsored qualified plans. If you offer a 401(k) but exclude a class of workers (say, part-timers) from eligibility, those excluded workers may still be subject to the state mandate. Read the program's eligibility definition before assuming your existing plan covers everyone.

Self-certifying the exemption is not automatic. Most programs require an employer to log into the state portal and affirmatively claim the exemption. Skip that step and a non-compliance notice will arrive even if you actually do sponsor a 401(k).

The Payroll Deduction Mechanics

Once you register, the operational workflow is mechanical:

  1. Upload your employee roster. Name, date of birth, Social Security number, work address, and contact information for each eligible employee. Most states define eligible employees as W-2 employees aged 18+ working in the state for any duration.
  2. Send the employee notification packet. The state mails (and emails) a welcome notice with disclosures, default contribution rate, investment lineup, and the opt-out form. By regulation, this happens during a 30-day window before automatic enrollment begins.
  3. Wait out the 30-day opt-out window. Employees who do nothing are auto-enrolled at the default rate. Employees who actively choose a different rate or opt out have their preferences applied. Employees can change their mind at any time.
  4. Begin payroll deductions. Each pay period, you withhold the per-employee contribution from after-tax wages, then submit a single contribution file plus an ACH debit to the state's recordkeeper. Most modern payroll platforms — Gusto, Justworks, Rippling, Paychex, ADP RUN, OnPay, and the like — have native CalSavers / Illinois Secure Choice / OregonSaves integrations that automate the file submission.
  5. Update the roster as people come and go. New hires must be added within 30 days. Departures should be marked promptly to stop deductions. Forgetting to remove a former employee won't trigger erroneous deductions (no wages, no deduction), but it muddles your roster and may invite a state inquiry.

That is the full job. There is no investment menu to construct, no fiduciary disclosure to write, no Form 5500 to file, no nondiscrimination test to pass.

The Compliance Traps That Generate Penalty Notices

The state portals are surprisingly self-service, and the penalty letters generally don't arrive because an employer botched the payroll file. They arrive because:

Trap 1: The "I Don't Have a Mailing Address Anymore" Problem

Many notices go to the legal address of record with the state's employment agency. If your business moved, the LLC's registered agent is stale, or you operate as a sole proprietor out of a residence you sold, the certified mail may never reach you. The 90-day clock keeps running. The first time you hear about CalSavers may be the $250-per-employee final notice.

Trap 2: The "We Have a 401(k), We're Fine" Problem

You sponsor a 401(k) but never logged into the state portal to declare the exemption. Or you sponsor a plan that has a one-year service waiting period, and you have a worker who completed five months and is therefore not yet eligible — a state program will likely classify that worker as eligible for the auto-IRA. Reconcile your plan's eligibility rules against the state program's eligibility definition before relying on the exemption.

Trap 3: The 1099 vs. W-2 Edge Case

State auto-IRAs cover W-2 employees. If you misclassify a worker as a 1099 contractor and the state's labor or revenue agency later reclassifies them — under California AB 5 or its progeny in other states — you may also retroactively owe auto-IRA penalties for failing to enroll them.

Trap 4: Multi-State Employees in Hybrid Roles

A remote employee splits time between Oregon and Washington. Which state's mandate applies? Generally the work location reported for state unemployment insurance purposes governs. If your payroll provider sources the employee to one state, you can usually rely on that — but document the rationale.

Trap 5: PEOs and Co-Employment

If you use a professional employer organization, the question of which entity is the "employer" for state auto-IRA purposes turns on the state's regulations. Some states view the worksite employer as the obligor; others let the PEO sponsor a master plan that covers all client employees and treat that as the exemption. Confirm in writing which model applies before assuming your PEO handled it.

What This Costs Owners (and What It Doesn't)

The honest accounting for a small employer choosing between the state program and a private 401(k) looks like this:

  • State auto-IRA total employer cost: zero in program fees, plus the payroll-deduction processing time. With modern payroll software the marginal cost is minutes per payroll cycle.
  • SIMPLE IRA: roughly $0–$25 per participant per year in custodian fees, plus a mandatory 2% non-elective or 3% match employer contribution.
  • Safe harbor 401(k): typically $500–$2,000 in setup costs, $1,000–$3,000 per year in recordkeeping and TPA fees for a small plan, plus a 3% non-elective or roughly 4% match employer contribution. Modern providers (Guideline, Human Interest, Vestwell, ForUsAll, Betterment at Work, Carry, Penelope) have driven these costs down considerably.
  • SECURE 2.0 Starter 401(k): designed precisely for this market, with auto-enrollment, no nondiscrimination testing, and reduced administrative burden. Contribution limits are lower than a regular 401(k) but higher than an IRA, and the SECURE 2.0 startup tax credit can cover up to 100% of the plan's startup costs for the first three years.

Many small employers crunch the numbers and conclude that the SECURE 2.0 startup credit ($500 to $5,000 per year for the first three years) and the per-employee contribution credit make a real 401(k) cheaper than they expected, especially if owners want to defer more than the IRA limit. Others — particularly tip-heavy or seasonal businesses with high turnover — find the state program is functionally free and not worth replacing.

Booking the Mechanics Cleanly

From an accounting standpoint, state auto-IRA contributions touch four moving pieces:

  • Gross wages stay where they are. Auto-IRA contributions are after-tax (Roth), so they do not reduce taxable wages reported on the W-2 in box 1.
  • A liability account for "Auto-IRA contributions payable" accumulates the amount withheld each pay period from employees' net pay. Reconcile this account to zero each cycle as the ACH debit clears.
  • No employer expense entry. Unlike a 401(k) match, there is no payroll-tax savings on the employee deferral and no employer contribution expense. The deduction is purely a flow-through from net pay to the state recordkeeper.
  • W-2 reporting: the Roth auto-IRA contribution is not reported in box 12. There is no plan code analogous to AA or BB because this is not an employer-sponsored plan. Some payroll providers include a memo line for the year-end total as a courtesy; that is informational only.

Cleanly tracking the liability account each pay period is what surfaces the small but recurring reconciliation errors — a missed contribution, a duplicate ACH, an employee whose deferral change was applied late. The pattern is the same as any other payroll-deduction liability: clear the balance to zero, every time, and investigate exceptions while the trail is fresh.

A Practical Compliance Checklist for 2026

If you operate in any auto-IRA state, run through this in the next 30 days:

  1. Confirm your headcount tier and deadline. Visit your state program's employer portal, search by your EIN, and read the on-screen status. The portals know whether you have been issued an access code and what your status is.
  2. Decide between the state program and a private plan. If you want any employer contribution, any meaningful deferral above the IRA limit, or any retirement benefit you can use as a hiring tool, run the numbers on a SECURE 2.0 Starter 401(k) or a SIMPLE IRA. Otherwise, register for the state program.
  3. If exempt, claim the exemption. Don't assume the state will figure it out. Log in and certify.
  4. Verify your registered mailing address and email with your state's secretary of state and your business registration. Penalty notices follow that address.
  5. Wire up your payroll software. Most modern providers have a built-in integration that handles roster sync, deduction calculation, and ACH submission automatically. If yours doesn't, get a workaround in place before your first payroll under the program.
  6. Document your enrollment and notification dates in a single spreadsheet or your bookkeeping system. If a state ever sends a non-compliance notice, the contemporaneous record is your defense.
  7. Reconcile the auto-IRA liability account every pay period. This is where reconciliation discipline pays for itself — it catches problems while they are still cheap to fix.

Keep Your Books Audit-Ready Year-Round

State auto-IRA mandates are one more compliance layer on top of payroll taxes, unemployment insurance, workers' compensation, and the local business license — and like all of them, the cost of getting it wrong is multiplied by the number of employees and the number of pay periods. The owners who navigate these mandates cleanly are the ones whose books already show, with precision, who is on payroll, what was deducted, and where each dollar landed. Beancount.io provides plain-text accounting that gives you complete transparency and version-controlled history over every payroll liability, contribution, and reconciliation — no black boxes, no vendor lock-in. Get started for free and see why developers, finance professionals, and small business owners are switching to plain-text accounting.