Your Complete Guide to 2026 Employee Benefit Plan Changes and Best Practices
January 9, 2026
As we move into 2026, employee benefit plan sponsors face a complex landscape of new regulatory requirements, evolving compliance standards, and heightened scrutiny from the Department of Labor. Whether you’re managing a defined contribution plan for 50 employees or 5,000, understanding these changes—and implementing strong operational practices—will help you avoid costly corrections while better serving your plan participants.
Let’s walk through the 2026 employee benefit plan changes to discover what you need to know and do this year.
Critical SECURE 2.0 Act Provisions Taking Effect in 2026
The SECURE 2.0 Act continues to reshape retirement plan administration, with several provisions becoming mandatory this year.
Mandatory Roth Catch-Up Contributions for High Earners
Starting January 1, 2026, employees age 50 or older who earned more than $150,000 in FICA wages during the previous year must make their catch-up contributions on a Roth (after-tax) basis. If your plan doesn’t currently offer Roth contributions, these employees won’t be able to make catch-up contributions at all.
The IRS has provided some flexibility through a “deemed Roth election,” which allows participants to opt out if they choose. While full regulatory compliance isn’t required until 2027, your plan must operate under a reasonable, good-faith interpretation throughout 2026.
Action steps for plan sponsors:
- Confirm your plan’s Roth functionality is operational
- Update payroll systems to track employees approaching the $150,000 threshold
- Coordinate with your recordkeeper to handle the transition smoothly
- Prepare clear participant communications explaining the new rules
Annual Paper Statement Requirements
Your defined contribution plan must now provide at least one paper benefit statement per year unless participants actively opt for electronic delivery. Defined benefit plans must provide paper statements once every three years under the same opt-out conditions. This requirement applies to plan years beginning after December 31, 2025.
Plan Amendment Deadline Approaching
All SECURE 2.0-related amendments must be formally adopted by December 31, 2026 (with later deadlines available for governmental and collectively bargained plans). Even though operational compliance has been required since January 1, 2026, your plan documents need to catch up by year-end.
2026 Contribution and Income Limits
The IRS released updated limits for retirement accounts in November 2025. Here are the key figures affecting your plan administration:
Defined Contribution Plans:
- Employee deferrals: $24,500 (up from $23,500)
- Maximum annual additions: $72,000
- Catch-up contributions (age 50+): $8,000
- Enhanced catch-up (age 60-63): $11,250
Key Compensation Thresholds:
- Annual compensation limit: $360,000
- Highly compensated employee threshold: $160,000
- Mandatory Roth catch-up wage threshold: $150,000
- Social Security taxable wage base: $184,500
These increases provide an opportunity to review your plan’s contribution structures and communicate the enhanced savings potential to your employees.
New Self-Correction Options for Plan Sponsors
In January 2025, the DOL introduced a significant change to the Voluntary Fiduciary Correction Program (VFCP) by adding a self-correction component (SCC). This program allows you to voluntarily correct certain ERISA violations without submitting a full VFCP application—potentially reducing both administrative burden and costs for minor errors.
What Qualifies for Self-Correction?
The SCC applies to two main categories of common fiduciary breaches:
Delinquent Participant Contributions and Loan Repayments
- Lost earnings from late deposits must not exceed $1,000
- Funds must be remitted within 180 days of withholding
- Neither the plan nor plan sponsor can be under an ongoing DOL/IRS investigation
Eligible Inadvertent Participant Loan Failures
- Applies to errors such as improper loan amounts, failure to withhold repayments, or loans exceeding plan limits
- The error must be self-correctable under IRS Employee Plans Compliance Resolution System (EPCRS) rules
To use the SCC, you’ll submit an electronic notice to the DOL through their online VFCP web tool and complete a penalty of perjury statement. For corrections involving delinquent contributions, you’ll compute lost earnings using the DOL’s online calculator and have your plan sponsor pay any penalties or fees.
Essential Practices for Employee Benefit Plan Operations in 2026
Beyond regulatory compliance, implementing strong operational practices will help you meet your fiduciary responsibilities while reducing risk.
Timely Remittance of Contributions
The DOL continues to emphasize the importance of prompt remittance of participant withholdings into the plan. While small plans (fewer than 100 participants) have a safe harbor of seven business days, large plans must remit contributions “as soon as administratively feasible”—which the DOL generally interprets as within a few business days. Failure to remit contributions timely may result in a prohibited transaction requiring correction and disclosure in your plan’s financial statements and Form 5500.
Service Organization Control (SOC) Reports
If you use a recordkeeper or custodian, they should provide an annual SOC 1 report that evaluates the effectiveness of their internal controls relevant to financial reporting. Your responsibility doesn’t end with receiving this report—you need to:
- Review the report to confirm relevant financial reporting controls are adequately designed and operating effectively
- Verify that you’ve implemented required “complementary user entity controls” described in the report
- Document your review process
Inadequate employer review of SOC 1 reports is one of the most common audit findings.
Cybersecurity Controls
Retirement plans hold over $45 trillion in assets and maintain participants’ personal data, making them attractive targets for cybercriminals. The DOL recommends that your cybersecurity program include:
- Regular cybersecurity awareness training for staff
- Clear roles and responsibilities regarding encryption of sensitive data
- Internal or third-party audits of your cybersecurity systems
- Business continuity and incident response programs
- Review of third-party service provider security controls
- Regular, documented reviews of users with administrative access to key IT systems (recordkeeper/custodian websites, payroll providers, and HRIS systems)
Investment Benchmarking and Fee Reviews
Fee reasonableness continues to be a focal point in plan litigation. You should conduct regular benchmarking studies—either internally or through an investment advisor—to assess investment performance and fees over various time frames.
Fee disclosures from all covered service providers must be provided to plan participants annually. Review these disclosures to determine whether fees incurred by the plan are reasonable, and document these discussions in committee meeting minutes.
Managing Missing Participants
When plan participants change jobs, many leave their retirement accounts behind, creating a growing number of participants who can’t be located. The DOL has issued guidance on best practices for locating missing participants, including:
- Sending certified mail to last known addresses
- Contacting designated beneficiaries or emergency contacts
- Using online search engines and public record databases
- Attempting contact via email, telephone, or social media
Regardless of which methods you use, document your attempts to locate missing participants as part of your fiduciary responsibility.
Monitoring Defaulted Loans
If your plan offers participant loans, you’re responsible for setting up loan repayments within the payroll system and verifying that payments are made timely according to the loan’s amortization schedule. You should regularly review your outstanding loan listing, watching for terminated employees and loans in default or approaching default status. If loan payments stop, notify the participant of the missed payment, cure period deadlines, and tax consequences if the loan goes into default.
Service Provider and Payroll Provider Changes
If you’re considering changing recordkeepers, third-party administrators, or payroll providers, maintain complete records of all plan-related information before terminating your current provider. This includes plan documents, adoption agreements, trustee agreements, service provider agreements, annual participant statements, eligibility files, trust statements, payroll records, and census files.
For payroll changes specifically, verify that the new provider understands your plan’s compensation definition, match formula, and loan repayment processes—and confirm how year-to-date accumulators will transfer if the change occurs mid-year.
Insurance Considerations
Three types of insurance can help you mitigate risks associated with offering and operating retirement plans:
ERISA Bonds
Required by the DOL, these bonds protect your retirement plan from theft or embezzlement by people handling plan assets. Coverage must equal 10% of plan assets or $500,000, whichever is less (or $1 million for employee stock ownership plans).
Fiduciary Liability Insurance
Covers plan committee members, company executives, and plan trustees should any liability result from fiduciary acts of operating and monitoring the plan. This protection may help you attract individuals willing to serve on your plan committee.
Cyber Liability Insurance
Helps protect retirement plans from risks associated with data breaches or cyberattacks, which have become a heightened concern as more plan and employee data is maintained and transmitted digitally.
The Evolving Landscape of Alternative Investments
While not directly related to immediate compliance requirements, it’s worth noting that alternative investments—including private equity, venture capital, private credit, real estate, and cryptocurrency—are gaining attention in qualified retirement plans. An August 2025 White House executive order specifically cited the “potential growth and diversification opportunities associated with private investments” and directed the DOL to reexamine guidance related to alternative investments under ERISA.
These investments offer potential for higher returns and enhanced portfolio diversification, but they come with specific challenges including higher fees, illiquidity, limited transparency, and wide dispersion of manager returns. If you’re considering alternative investments for your plan, working with advisors who have substantial experience in this area is particularly valuable.
Take Action Now to Strengthen Your Plan
These changes and best practices represent more than a compliance checklist—they’re opportunities to strengthen your retirement plan administration, better serve your participants, and meet your fiduciary responsibilities with confidence.
Key deadlines to remember for 2026:
- January 1, 2026: Operational compliance with mandatory Roth catch-up contributions required
- March 15, 2026: Deadline for correcting failed compliance tests for 2025 calendar-year plans
- December 31, 2026: Deadline to adopt formal SECURE 2.0 plan amendments
At BPM, we’ve provided employee benefit plan audit, tax compliance, and consulting services for decades. Our team stays current on evolving legislation and can provide guidance tailored to your organization’s specific needs. Whether you need help implementing SECURE 2.0 provisions, addressing audit findings, evaluating your current service providers, or strengthening your operational procedures, we’re here to help.
Contact BPM today to discuss how these 2026 changes affect your employee benefit plans and to develop a proactive compliance strategy that protects both your organization and your plan participants.
Ryan Davis
Partner, Assurance
Ryan has over 15 years of public accounting experience, serving both public and private companies in a variety of industries. …