Beancount.io

SECURE 2.0 Mandatory Auto-Enrollment in 2026: A Compliance Playbook for New 401(k) and 403(b) Plans

Mike Thrift, 12 min read

If your company spun up a new 401(k) or 403(b) plan any time after December 29, 2022, the friendly reminder phase is officially over. The SECURE 2.0 Act's mandatory automatic enrollment rules took effect for plan years beginning after December 31, 2024, the IRS published proposed regulations under new Internal Revenue Code Section 414A in January 2025, and the plan document amendment deadline that ties it all together lands on December 31, 2026. Miss any piece of this (the 3% floor, the annual 1% escalation, the qualified default investment alternative, the participant notice) and the arrangement no longer qualifies under Section 401(k), with the correction costs and excise tax exposure that follow.

This guide walks through what every small and mid-size employer needs to have nailed down before the 2026 plan year, what to do about the exemption carve-outs, and how to keep your payroll and plan documents in sync without expensive surprises in 2027.

What Section 414A Actually Requires

Section 101 of the SECURE 2.0 Act added Section 414A to the Internal Revenue Code. The provision says any new 401(k) plan or 403(b) plan established after December 29, 2022 must include an Eligible Automatic Contribution Arrangement, or EACA. An EACA is a specific flavor of automatic enrollment defined under earlier IRC Section 414(w), and it carries a few non-negotiable design features that go beyond a simple opt-out checkbox on the enrollment form.

Here is what the law demands at a minimum:

  • Initial default deferral rate: Between 3% and 10% of compensation for the employee's first period of participation. Most plan sponsors choose 3% to minimize the participant nudge, but some go higher to accelerate retirement readiness.
  • Annual escalation: A mandatory 1 percentage point increase each plan year until the default rate reaches at least 10%. The plan may keep escalating past 10%, but the statute caps the default at 15%. The most common design escalates from 3% to 10% and stops there.
  • Uniform application: The default percentage must be a single uniform percentage applied to all eligible employees who fail to make an affirmative election. You cannot tier defaults by job title, department, or compensation level.
  • QDIA investment: In the absence of an affirmative investment election, default contributions must be invested in a qualified default investment alternative under DOL Regulation 2550.404c-5. Target-date funds, balanced funds, model portfolios, and professionally managed accounts all qualify when structured properly.
  • Permissible withdrawal window: Section 414(w) permits an EACA to let participants withdraw their default contributions, adjusted for gains and losses, by an election made within 90 days after the first default contribution; the distribution is ordinary income but is not subject to the 10% early-withdrawal penalty. Offering the election is a plan-design choice rather than a condition of EACA status, but if the plan offers it, the plan document and the annual notice must describe it explicitly.
  • Coverage of long-term part-time employees: The EACA must cover every eligible employee, including the LTPT employees that SECURE Act 1.0 and SECURE 2.0 phased in for elective deferral eligibility.

The proposed regulations issued January 10, 2025 would apply to plan years beginning at least six months after final regulations are published. Until then the statute itself still applies for plan years beginning after December 31, 2024, and sponsors must follow a reasonable, good-faith interpretation of it. Final regulations are widely expected in mid-2026, which means most plan sponsors should plan around the 2026 calendar plan year for a clean compliance posture.

Who Is Actually Exempt — and Who Just Thinks They Are

The exemption list is short and easy to misread. Section 414A applies to all new 401(k) and 403(b) plans unless the plan falls into one of five buckets:

Pre-Existing Plans

Any 401(k) or 403(b) plan that was established before December 29, 2022 is grandfathered out. "Established" means the plan was adopted and effective before that date. Simply restating a pre-existing plan onto a new pre-approved document, or merging it into another pre-existing plan, does not break the grandfather. Spinning off a brand-new plan after December 29, 2022 — even from the same controlled group — does trigger Section 414A.

Plans in Existence Less Than Three Years

A new business that adopts a 401(k) plan in its first year gets a three-year runway. The exemption applies while the employer (together with any predecessor employer) has been in existence for less than three years, so reorganizing into a new entity does not restart the clock. This protects bootstrapped startups from administrative burden during their fragile early stage.

Governmental Plans

Plans maintained by state and local governments are out, as are church plans and most plans of political subdivisions and agencies. The federal Thrift Savings Plan is also outside the scope.

SIMPLE 401(k) Plans

Plans that meet the SIMPLE 401(k) requirements under IRC Section 401(k)(11) are exempt. So are SIMPLE IRAs, which are not 401(k) plans in the first place.

Plans of Small Employers With 10 or Fewer Employees

If the employer normally employs 10 or fewer employees, the EACA mandate does not apply. The statute is phrased from the other direction: the requirement cannot apply earlier than one year after the close of the first taxable year in which the employer normally employed more than 10 employees. The headcount follows the same rules used for the COBRA small-employer exception under Treasury Regulation Section 54.4980B-2 Q&A-5: part-time employees count fractionally, and the test looks at typical business days in the preceding calendar year. Counting heads correctly matters, because a growing business can cross the threshold without noticing and is then on a fixed runway rather than an open-ended exemption.

The trap most sponsors fall into is assuming an exemption is permanent. The three-year new-business carve-out evaporates once the business passes its third anniversary. The small-employer exemption ends one year after the close of the first taxable year in which you normally employed more than 10 employees. Either way, the EACA must be in place for the first plan year that begins after the carve-out ends.

Bookkeeping and Payroll Integration: Where Most Plans Break

The compliance failure pattern is rarely a missing plan document — it is a payroll system that does not actually execute on what the plan document says. Accurate bookkeeping from the first pay period after the EACA takes effect prevents downstream nightmares with the IRS, the Department of Labor, and your own participants.

Three operational pieces deserve close attention:

Default deferral coding in payroll. Every new hire who reaches the plan's eligibility date must have the default deferral (3%, or higher if you so elected) coded automatically on their first paycheck, unless they have made an affirmative election. Most modern HRIS platforms (Gusto, Rippling, ADP Workforce Now, Paychex Flex, UKG, Workday) support this natively, but the toggle is rarely on by default. Audit your payroll system before the plan year starts to confirm the right deduction code is mapped to the right earning code and that the default fires on the eligibility date, not on the hire date.

Annual escalation execution. Once a participant is automatically enrolled, their deferral rate must rise 1 percentage point each plan year after the initial period, which runs through the end of the first plan year that begins after the first default contribution, until it reaches the plan's stopping point of at least 10%. This requires a recurring rule in payroll keyed to each participant's first default contribution date, not a manual journal entry or a blanket "add 1% every January". Get this wrong and you have a corrective contribution problem with earnings adjustments, both expensive and embarrassing.

Permissible withdrawal accounting. When a participant elects the 90-day permissible withdrawal, the plan pays out their default contributions adjusted for gains and losses, the distribution is ordinary income in the year received and exempt from the 10% early-withdrawal penalty under IRC Section 72(t), and any employer match attributable to the withdrawn amounts is forfeited. The participant gets a Form 1099-R with the appropriate distribution code. Your recordkeeper handles the mechanics, but the election is also treated as an election to stop deferring, so your payroll system needs to zero out the default deferral going forward and your accounting system needs to track the timing.

Plan sponsors that maintain clean, version-controlled records of every default enrollment, every notice delivery, every QDIA election, and every payroll deduction adjustment have a far easier time at the next IRS Employee Plans audit or DOL ERISA inquiry.

The 2026 Annual Notice and Disclosure Stack

Each employee covered by an EACA must receive a written notice that explains the automatic enrollment, the default contribution rate, the default investment, the right to elect a different rate or investment, and the right to take a permissible withdrawal. The timing rules:

  • New eligibility notice: Delivered when the employee first becomes eligible to participate.
  • Annual notice: Delivered 30 to 90 days before the start of each plan year, to every employee covered by the EACA.
  • Simplified notice for unenrolled employees: Under a SECURE 2.0 simplification, employees who have already received the full SPD and required disclosures but have not enrolled can receive an annual reminder notice instead of the full notice stack, as long as they get notice of their eligibility and any election deadlines.

For a January 1, 2026 plan year start, the annual notice must be delivered between October 3, 2025 and December 2, 2025. Electronic delivery is allowed, but only if one of the DOL electronic disclosure safe harbors is actually satisfied. Under the 2002 safe harbor, the employee either accesses email at work as an integral part of regular job duties or has affirmatively consented to electronic delivery and acknowledged the right to request paper. Under the 2020 notice-and-access safe harbor (29 CFR 2520.104b-31), the sponsor may post the notice on a website or send it by email after giving each covered employee an initial paper notice, and must honor any request to opt out to paper. Keep proof of delivery either way; the notice requirement is only as good as your ability to show the notice was furnished on time.
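The payroll logic described in the Bookkeeping and Payroll Integration section above (default coding, annual escalation with its statutory initial period, stopping deferrals after a permissible withdrawal election) and the notice window computed just above are easy to get subtly wrong, so here is an added reference model in Python. It is an illustration written for this article, not Beancount.io code and not any payroll vendor's implementation. It assumes a calendar plan year and integer percentage rates, and the employee roster at the bottom is constructed sample data. Use it to cross-check a payroll export, not as a substitute for your recordkeeper's calculations.

```python
"""Reference model of a Section 414A default-deferral schedule for payroll.

Added illustration for this article; not Beancount.io code and not any payroll
vendor's logic. Assumptions: a calendar plan year, integer percentage rates,
and the constructed employee roster at the bottom of the file.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class EacaDesign:
    initial_rate: int    # percent; Section 414A requires 3 to 10
    escalation_cap: int  # percent; escalation must reach at least 10 and may not pass 15

    def validate(self) -> None:
        """Reject plan designs that fall outside the statutory bounds."""
        if not 3 <= self.initial_rate <= 10:
            raise ValueError(f"initial default rate {self.initial_rate}% is outside 3%-10%")
        if not 10 <= self.escalation_cap <= 15:
            raise ValueError(f"escalation cap {self.escalation_cap}% is outside 10%-15%")


@dataclass
class Employee:
    name: str
    first_default_contribution: Optional[date]    # pay date of the first auto-deferral; None if not yet enrolled
    affirmative_rate: Optional[int] = None        # percent the employee elected; 0 means opted out
    withdrawal_elected_on: Optional[date] = None  # date of a permissible-withdrawal election, if any


def scheduled_default_rate(design: EacaDesign, first_contribution: date, plan_year: int) -> int:
    """Default rate for a plan year under the 414A schedule.

    The initial rate runs through the end of the first plan year that *begins
    after* the first default contribution, so a March 2026 enrollee stays at
    the initial rate for 2026 and 2027 and first escalates on January 1, 2028.
    """
    design.validate()
    initial_period_last_year = first_contribution.year + 1
    if plan_year <= initial_period_last_year:
        return design.initial_rate
    steps = plan_year - initial_period_last_year
    return min(design.initial_rate + steps, design.escalation_cap)


def withdrawal_window_open(first_contribution: date, election_date: date) -> bool:
    """A permissible withdrawal must be elected within 90 days of the first default contribution."""
    return 0 <= (election_date - first_contribution).days <= 90


def payroll_deferral_rate(design: EacaDesign, emp: Employee, pay_date: date) -> int:
    """Percentage to withhold on pay_date.

    Precedence: an affirmative election always wins; a permissible-withdrawal
    election stops default deferrals from that date forward; otherwise the
    default schedule applies, starting at the initial rate on the first default pay date.
    """
    if emp.affirmative_rate is not None:
        return emp.affirmative_rate
    if emp.withdrawal_elected_on is not None and pay_date >= emp.withdrawal_elected_on:
        return 0
    first = emp.first_default_contribution or pay_date
    return scheduled_default_rate(design, first, pay_date.year)


def annual_notice_window(plan_year_start: date) -> tuple[date, date]:
    """Safe-harbor delivery window for the annual EACA notice: 30 to 90 days before the plan year starts."""
    return plan_year_start - timedelta(days=90), plan_year_start - timedelta(days=30)


def audit_pay_run(design: EacaDesign, roster: list[Employee], pay_date: date) -> dict[str, int]:
    """Expected deferral rate per employee for one pay date; diff this against the payroll export."""
    return {emp.name: payroll_deferral_rate(design, emp, pay_date) for emp in roster}


# Constructed sample roster (hypothetical employees, not real data).
ROSTER = [
    Employee("alice", first_default_contribution=date(2026, 3, 15)),                        # never elected
    Employee("bob", first_default_contribution=date(2026, 1, 15), affirmative_rate=6),      # chose 6%
    Employee("carol", first_default_contribution=date(2026, 1, 15), affirmative_rate=0),    # opted out
    Employee("dave", first_default_contribution=date(2026, 2, 1),
             withdrawal_elected_on=date(2026, 4, 15)),                                       # took the 90-day withdrawal
]
DESIGN = EacaDesign(initial_rate=3, escalation_cap=10)

if __name__ == "__main__":
    print("2026 annual notice window:", annual_notice_window(date(2026, 1, 1)))
    for pay_date in (date(2026, 5, 1), date(2028, 1, 15)):
        print(pay_date, audit_pay_run(DESIGN, ROSTER, pay_date))
```

The initial-period rule is the part a blanket "add 1% every January" payroll rule misses: alice, first auto-enrolled in March 2026, stays at 3% through December 31, 2027 and moves to 4% on January 1, 2028, because the statute measures the initial period to the end of the first plan year that begins after her first default contribution. dave's withdrawal election zeroes his deferral from April 15, 2026 onward, and the `audit_pay_run` output is what you compare against the per-employee rates in the payroll export.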

The Plan Document Amendment Deadline

Operational compliance is required for the 2025 plan year and beyond. Plan document compliance — meaning the formal written plan must say what you are actually doing — has a later deadline.

Most plans must be amended to incorporate the SECURE 2.0 changes by December 31, 2026. For collectively bargained plans, the deadline extends to December 31, 2028. For most governmental plans, the deadline is December 31, 2029.

If you use a pre-approved plan document from a recordkeeper, the recordkeeper will typically push out a SECURE 2.0 amendment package for you to review and adopt. If you are on an individually designed document, your ERISA counsel needs to draft the amendment. Either way, the amendment needs to be signed and adopted before the December 31, 2026 cutoff to stay in the operational-compliance safe harbor that the IRS extended for SECURE 2.0 provisions.

The Penalty Side: What Happens If You Get This Wrong

A 401(k) arrangement that fails to satisfy Section 414A is not a qualified cash or deferred arrangement, and if the failure is not corrected the plan's qualified status under IRC Section 401(a) is at risk. The downstream consequences:

  • Loss of the employer deduction for contributions
  • Immediate taxation of vested participant account balances
  • Trust earnings become subject to current tax
  • Loss of the EACA's extended six-month window for corrective distributions of excess contributions, which shortens the deadline to 2½ months after the plan year and exposes the employer to the 10% excise tax under IRC Section 4979 on anything distributed late
  • IRS Voluntary Correction Program filing fees and corrective contributions to make participants whole

The IRS offers self-correction and voluntary correction programs through EPCRS (the Employee Plans Compliance Resolution System), but the corrective contribution for a missed deferral opportunity is not cheap: 0% of the missed deferral only when an automatic-enrollment failure is caught within 9½ months after the end of the plan year and the employee is notified promptly (the EPCRS safe harbor that SECURE 2.0 Section 350 made permanent), rising to 25% or 50% of the missed deferral for later corrections, plus 100% of any missed match, all adjusted for earnings. Across a workforce of fifty or a hundred employees over multiple plan years, that adds up fast.

Coordinating With the Rest of Your 2026 Compliance Calendar

Section 414A is one of several SECURE 2.0 provisions that take effect or are still rolling out in 2026:

  • Roth catch-up requirement for higher-paid participants (FICA wages above $145,000, indexed)
  • Higher catch-up contribution limits for participants ages 60 through 63, already in effect since 2025; confirm the indexed 2026 amount in your payroll limits table
  • Paper benefit statement requirement under SECURE 2.0 Section 338, requiring an annual paper benefit statement to defined contribution plan participants unless they affirmatively elect electronic
  • Long-term part-time employee eligibility rules continuing to expand

Building a unified plan-year calendar that maps every SECURE 2.0 deadline against your payroll cycles, your recordkeeper deliverables, your audit schedule (if you are a large plan filer), and your Form 5500 filing is the cleanest way to stay ahead of the moving parts.

A Practical Checklist for the Final Six Months Before Year-End

If you are an employer that sponsors a 401(k) or 403(b) plan established after December 29, 2022 and you do not qualify for an exemption, here is what to do between now and December 31, 2026:

  1. Confirm exemption status. Review the date the plan was established, the headcount under the COBRA test, and the date the business itself began operations.
  2. Audit the plan document. Does it currently include an EACA with the 3% floor, the 1% annual escalation, a stopping point between 10% and 15%, the QDIA election, and (if you offer it) the 90-day permissible withdrawal? If not, schedule the amendment now.
  3. Verify payroll system configuration. Default deferral code, escalation rules, withdrawal handling, and Form 1099-R generation must all be wired correctly.
  4. Issue the annual notice. Calendar 30 to 90 days before the 2027 plan year, and confirm electronic delivery compliance.
  5. Train HR and payroll staff. Newly hired employees need to understand the auto-enrollment design and their right to opt out or change the deferral.
  6. Document the QDIA selection process. Fiduciary committees should have meeting minutes showing the prudent process for selecting the default investment.
  7. Reconcile your Form 5500 reporting. Make sure your auditor (if applicable) understands the new compliance posture.

Keep Your Plan Records Organized and Audit-Ready

Sponsoring a retirement plan in 2026 is no longer just about choosing investments and matching contributions — it is about clean, defensible records that can withstand IRS and DOL scrutiny. Plain-text accounting puts every contribution, deduction, payroll deferral, and corrective entry in a transparent ledger that is version-controlled, AI-ready, and free from vendor lock-in. Beancount.io gives finance teams the audit trail they need without surrendering control to a black-box accounting platform. Get started for free and bring the same engineering discipline you apply to your retirement plan compliance to the rest of your books.