401(k) Compliance

Adherence to IRS and Department of Labor regulations governing employer-sponsored 401(k) retirement savings plans.

What Is 401(k) Compliance?

Key Takeaways

  • 401(k) compliance means meeting all IRS and Department of Labor rules for operating a retirement savings plan.
  • Over 70 million Americans actively participate in 401(k) plans, holding $7.7 trillion in combined assets (ICI, 2024).
  • Key requirements include non-discrimination testing, timely contribution deposits, Form 5500 filing, and fiduciary responsibilities.
  • Penalties for non-compliance range from $250/day for late filings to full plan disqualification in serious cases.
  • The SECURE 2.0 Act (2022) introduced major changes including auto-enrollment mandates and expanded catch-up contributions.

401(k) compliance covers every legal and regulatory obligation an employer must meet when sponsoring a 401(k) retirement savings plan. The rules come from two federal agencies: the Internal Revenue Service (IRS), which governs tax-qualified status and contribution limits, and the Department of Labor (DOL), which enforces fiduciary duties and participant protections. Getting compliance wrong isn't just an administrative headache. Penalties can be steep. The IRS can disqualify the entire plan, which means all tax-deferred employee contributions suddenly become taxable income. The DOL can impose civil penalties, and in cases of fiduciary breach, individual plan administrators can face personal liability. With over 70 million active participants and $7.7 trillion in plan assets (Investment Company Institute, 2024), 401(k) plans are the most common employer-sponsored retirement vehicle in the US. HR teams, payroll departments, and plan administrators share responsibility for keeping these plans compliant.

Why 401(k) compliance matters for HR

HR doesn't just enroll employees in the plan and move on. HR teams are typically responsible for timely enrollment of eligible employees, accurate deduction of contributions from payroll, communication of plan features and changes to participants, and coordination with the plan's third-party administrator (TPA) and recordkeeper. A single missed enrollment window or late contribution deposit can trigger a compliance violation. In the DOL's most recent enforcement data, late deposits of employee contributions were the most frequently cited violation in 401(k) audits.

Key regulatory bodies and laws

The IRS sets contribution limits, approves plan qualification, and enforces tax rules. The DOL enforces ERISA (Employee Retirement Income Security Act of 1974), which sets fiduciary standards, reporting requirements, and participant rights. The Pension Benefit Guaranty Corporation (PBGC) insures defined benefit pensions, not 401(k) plans, so it plays no direct role here. The SECURE Act (2019) and SECURE 2.0 Act (2022) made the biggest changes to 401(k) rules in decades, including mandatory auto-enrollment for plans established after December 29, 2022, effective for plan years beginning in 2025.

  • 70M+: Active 401(k) participants in the US (Investment Company Institute, 2024)
  • $7.7T: Total assets held in 401(k) plans as of 2024 (ICI)
  • $23,500: Employee elective deferral limit for 2025 (IRS Notice 2024-80)
  • $250/day: IRS penalty for a late Form 5500 (the DOL can assess a separate, larger daily penalty)

401(k) Contribution Limits [2025]

The IRS adjusts contribution limits annually based on cost-of-living calculations. Here are the current numbers for 2025, published in IRS Notice 2024-80.

Limit type | 2025 amount | 2024 amount | Notes
Employee elective deferral (402(g)) | $23,500 | $23,000 | Maximum an employee can contribute from their paycheck, pre-tax or Roth
Catch-up contribution (age 50+) | $7,500 | $7,500 | Additional amount for employees aged 50 and older
Super catch-up (ages 60-63) | $11,250 | N/A (new in 2025) | SECURE 2.0 provision allowing a higher catch-up for employees who are 60 to 63 at year end
Total annual addition (415(c) limit) | $70,000 | $69,000 | Combined employee + employer contributions per participant, excluding catch-ups
Highly compensated employee (HCE) threshold | $160,000 | $155,000 | HCE status for a year is based on the prior year's compensation measured against that prior year's threshold (2024 pay above $155,000 makes someone an HCE for 2025); 5%+ owners are HCEs regardless of pay
Key employee officer threshold | $230,000 | $220,000 | Officers paid above this amount are key employees for top-heavy testing

Non-Discrimination Testing Explained

Non-discrimination tests are the IRS's way of ensuring that 401(k) plans don't disproportionately benefit highly compensated employees (HCEs) at the expense of non-highly compensated employees (NHCEs). These tests are among the most technically complex aspects of 401(k) compliance, and failing them requires corrective action within strict deadlines.

ADP test (Actual Deferral Percentage)

The ADP test compares the average deferral rate of HCEs to the average deferral rate of NHCEs, counting every eligible employee (including those who defer nothing, at 0%). The permitted HCE average is the greater of two figures: 1.25 times the NHCE average, or the lesser of twice the NHCE average and the NHCE average plus 2 percentage points. In practice that means: if NHCEs average 2% or less, HCEs can average up to twice that amount; between 2% and 8%, up to 2 percentage points more; above 8%, up to 1.25 times the NHCE average. For example, if NHCEs average 4%, HCEs can average up to 6%. If HCEs average 7%, the plan fails the ADP test. The plan document specifies whether HCEs are measured against the current year's or the prior year's NHCE average.

ACP test (Actual Contribution Percentage)

The ACP test works the same way as the ADP test but looks at employer matching contributions and after-tax employee contributions instead of elective deferrals. The same percentage limits apply. Plans that offer generous matches to all employees regardless of level typically pass the ACP test without issues.
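The ADP and ACP limits are the same formula applied to two different fields (elective deferrals versus match plus after-tax contributions), so the following added example, which is not code from this article or from any recordkeeper, implements the full statutory test once and runs it over a constructed six-person census; the employee names and dollar figures are made up. It also carries the 1.25-times leg of the rule, which only changes the answer once the NHCE average exceeds 8%.

```python
"""ADP/ACP non-discrimination test, worked example.

Permitted HCE average (IRC 401(k)(3) for ADP, 401(m)(2) for ACP) is the
greater of:
  (a) 1.25 x the NHCE average, and
  (b) the lesser of 2 x the NHCE average and the NHCE average + 2 points.
Leg (b) is the two-branch rule most summaries quote; leg (a) only wins
when the NHCE average is above 8%.
"""
from dataclasses import dataclass


@dataclass
class Employee:
    name: str
    hce: bool               # highly compensated (prior-year compensation test)
    compensation: float     # plan compensation for the year
    deferral: float = 0.0   # elective deferrals (tested by ADP)
    match: float = 0.0      # employer match + after-tax (tested by ACP)


def permitted_hce_average(nhce_avg: float) -> float:
    """Maximum HCE average, in percent, for a given NHCE average in percent."""
    leg_a = 1.25 * nhce_avg
    leg_b = min(2.0 * nhce_avg, nhce_avg + 2.0)
    return max(leg_a, leg_b)


def group_average(employees, hce: bool, field: str) -> float:
    """Average contribution ratio (percent of compensation) for one group.

    Every eligible participant counts once; someone who contributes
    nothing is a 0% entry, which pulls the NHCE average down.
    """
    ratios = [getattr(e, field) * 100.0 / e.compensation
              for e in employees if e.hce == hce]
    return sum(ratios) / len(ratios) if ratios else 0.0


def run_test(employees, field: str) -> dict:
    """Run ADP (field='deferral') or ACP (field='match') on a census.

    Returns both averages, the HCE ceiling, the number of percentage
    points the HCE average must come down by, and pass/fail.
    """
    nhce_avg = group_average(employees, hce=False, field=field)
    hce_avg = group_average(employees, hce=True, field=field)
    limit = permitted_hce_average(nhce_avg)
    return {
        "nhce_avg": round(nhce_avg, 2),
        "hce_avg": round(hce_avg, 2),
        "hce_limit": round(limit, 2),
        "shortfall_points": round(max(0.0, hce_avg - limit), 2),
        "passed": hce_avg <= limit,
    }


# Constructed sample census (not real data). Match formula assumed:
# 100% of the first 3% deferred.
SAMPLE_CENSUS = [
    Employee("Ana", hce=False, compensation=50_000, deferral=3_000, match=1_500),
    Employee("Ben", hce=False, compensation=50_000, deferral=2_000, match=1_500),
    Employee("Cal", hce=False, compensation=50_000, deferral=1_000, match=1_000),
    Employee("Dee", hce=False, compensation=50_000, deferral=2_000, match=1_500),
    Employee("Eve", hce=True, compensation=200_000, deferral=16_000, match=6_000),
    Employee("Fay", hce=True, compensation=200_000, deferral=12_000, match=6_000),
]

if __name__ == "__main__":
    # NHCEs average 4% deferrals, HCEs 7%: ceiling is 6%, so ADP fails by 1 point.
    print("ADP:", run_test(SAMPLE_CENSUS, "deferral"))
    # Match ratios are 2.75% (NHCE) vs 3% (HCE): ceiling 4.75%, so ACP passes.
    print("ACP:", run_test(SAMPLE_CENSUS, "match"))
```

The sample reproduces the 4%/6%/7% case in the text: the ADP run reports a 1-point shortfall that has to be cured by refunds to HCEs or QNECs to NHCEs, while the ACP run passes because the uniform match keeps the two groups close. A real test also has to apply the plan's compensation definition, the current-year versus prior-year election, and any excluded classes, none of which this example models.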

Top-heavy testing

A plan is top-heavy if more than 60% of total account balances belong to "key employees" (officers with compensation above $230,000 in 2025, 5%+ owners, or 1%+ owners with compensation above $150,000). Top-heavy plans must provide a minimum contribution to all non-key employees who are employed at year end, typically 3% of compensation (or the highest rate contributed for any key employee, if lower), regardless of whether those employees defer their own money. This test protects rank-and-file employees from being shut out of meaningful retirement benefits.

Safe harbor plans: how to skip testing

Companies can avoid ADP and ACP testing entirely by adopting a safe harbor plan design. Safe harbor requires the employer to make one of three contribution types: a 3% non-elective contribution to all eligible employees (regardless of whether they contribute), a basic match (100% of the first 3% deferred, plus 50% of the next 2%), or an enhanced match (any formula at least as generous as the basic match). Safe harbor contributions must vest immediately. The trade-off is cost: the employer commits to a guaranteed contribution. But for companies that regularly fail non-discrimination tests or want administrative simplicity, safe harbor is usually worth it.

Fiduciary Duties and Responsibilities

Anyone who exercises discretion over a 401(k) plan's management, assets, or administration is considered a fiduciary under ERISA. That often includes HR directors, CFOs, plan committee members, and sometimes even individual managers who influence plan decisions. Fiduciary status comes with personal legal liability.

Core fiduciary obligations

ERISA requires fiduciaries to act solely in the interest of plan participants and beneficiaries (the "exclusive benefit" rule), exercise prudence (the "prudent expert" standard, not just the "reasonable person" standard), diversify plan investments to minimize the risk of large losses, and follow the plan documents unless doing so would violate ERISA. The prudent expert standard is higher than most people realize. Fiduciaries are held to the standard of someone with expertise in the subject matter, even if they personally lack that expertise. That's why most plan sponsors hire investment advisors and TPAs.

Personal liability for fiduciaries

Fiduciaries who breach their duties can be held personally liable for plan losses. This isn't hypothetical. In 2023, the DOL recovered $1.4 billion in enforcement actions related to employee benefit plans (DOL Annual Report). Common breaches include selecting high-fee investment options without proper due diligence, failing to monitor plan investments over time, using plan assets to benefit the company rather than participants, and not correcting known errors in plan administration. Separately, ERISA section 412 requires every person who handles plan funds to be covered by a fidelity bond of at least 10% of the funds they handle, with a $1,000 floor and a $500,000 cap ($1,000,000 for plans holding employer securities). That bond protects the plan against theft or fraud by the people handling its money; it is not fiduciary liability insurance, which covers fiduciaries against their own breaches, is optional, and is widely carried for exactly the personal-liability reason above.

Most Common 401(k) Compliance Violations

The DOL and IRS publish enforcement data showing the most frequent compliance failures. Knowing these helps HR teams focus audit preparation on the areas most likely to cause problems.

Late deposit of employee contributions

This is the number one violation cited in DOL audits. ERISA requires employee contributions (money deducted from paychecks) to be deposited into the plan trust as soon as they can reasonably be segregated from the employer's general assets. The DOL's safe harbor deadline is 7 business days after the payroll date for plans with fewer than 100 participants. For larger plans, the expectation is even faster, often 1 to 3 business days. Late deposits require correction through the DOL's Voluntary Fiduciary Correction Program (VFCP), which includes making the employee whole for lost earnings.

Failure to follow plan document terms

The plan document is the legal backbone of the 401(k). If it says employees are eligible after 90 days but HR enrolls them at 6 months, that's a compliance failure. If the document specifies a matching formula but payroll calculates a different amount, that's a failure too. Every operational decision must match what the plan document says. When discrepancies are found, they must be corrected through the IRS's Employee Plans Compliance Resolution System (EPCRS).

Missed eligibility and enrollment

Failing to enroll an eligible employee, or enrolling them late, is a common error, especially in companies with complex eligibility rules (waiting periods, hours thresholds, union exclusions). SECURE 2.0 complicates this further by requiring auto-enrollment for new plans established after December 29, 2022. Employees must be enrolled at a default deferral rate of at least 3% but no more than 10%, with annual escalation of 1% up to at least 10%.

Incorrect matching contributions

Matching contribution errors happen when payroll systems calculate the match incorrectly, often due to definition mismatches ("compensation" means different things in different plan documents) or timing issues with true-up calculations. Mid-year changes to compensation definitions or matching formulas also create errors if systems aren't updated promptly.

SECURE 2.0 Act: Key Changes for 401(k) Compliance

The SECURE 2.0 Act, signed in December 2022, made the most significant changes to retirement plan rules in decades. Many provisions phase in over several years. Here are the changes HR teams need to track.

Mandatory auto-enrollment (effective 2025)

New 401(k) plans established after December 29, 2022 must auto-enroll employees at a deferral rate between 3% and 10%, with automatic escalation of 1% per year up to at least 10% but no more than 15%. Existing plans are exempt. Small businesses with 10 or fewer employees, companies less than 3 years old, church plans, and government plans are also exempt.

Enhanced catch-up contributions (effective 2025)

Employees aged 60 to 63 can now contribute up to $11,250 as a catch-up contribution (up from $7,500 for other catch-up eligible employees). This "super catch-up" is indexed to inflation. Starting in 2026, employees whose prior-year FICA wages from the employer exceeded $145,000 (indexed for inflation) must make any catch-up contributions as Roth (after-tax) contributions; a plan that does not offer Roth deferrals cannot accept catch-ups from those employees at all.

Student loan matching (effective 2024)

Employers can now treat employee student loan payments as elective deferrals for matching purposes. If an employee can't afford to contribute to the 401(k) because they're paying off student loans, the employer can still provide a matching contribution based on the loan payments. This is optional, not required, but it's a meaningful benefit for attracting younger workers with student debt.

Emergency savings accounts (effective 2024)

Plans can now offer a separate emergency savings account linked to the 401(k), allowing non-highly compensated employees to save up to $2,500 in a Roth after-tax account. Withdrawals from this account are penalty-free and tax-free, giving employees a financial cushion without tapping retirement savings.

Annual 401(k) Compliance Checklist

Use this checklist to structure your annual compliance review. Most plan years end December 31, so the heaviest compliance workload falls in Q1 and Q2 of the following year.

  • Verify all eligible employees were offered enrollment and auto-enrolled if required
  • Confirm employee contributions were deposited within the safe harbor deadline (7 business days or fewer)
  • Run ADP, ACP, and top-heavy tests (or confirm safe harbor status eliminates the requirement)
  • Distribute annual participant notices: safe harbor notice, QDIA notice, fee disclosure (404a-5), and summary annual report
  • File Form 5500 by July 31 (or October 15 with extension) for calendar-year plans
  • Review and update the plan document for any legislative changes (SECURE 2.0 provisions phasing in)
  • Verify matching contributions were calculated correctly for all participants
  • Conduct fiduciary review of plan investments (fee benchmarking, fund performance, share class evaluation)
  • Review the ERISA fidelity bond to confirm it covers every person handling plan funds for at least 10% of funds handled (up to the $500,000 cap), and confirm whether fiduciary liability insurance is in place
  • Document all compliance activities for audit trail purposes

How to Fix 401(k) Compliance Errors

The IRS and DOL both offer formal correction programs because they recognize that operational errors are inevitable. The key is finding and fixing them quickly.

IRS Employee Plans Compliance Resolution System (EPCRS)

EPCRS has three tiers. Self-Correction Program (SCP) lets plans fix insignificant errors without filing with the IRS or paying fees. Voluntary Correction Program (VCP) requires a filing with the IRS and a fee (ranging from $350 to $3,500 depending on plan size) but provides a formal compliance statement. Audit Closing Agreement Program (Audit CAP) is used when the IRS finds errors during an audit and negotiates a correction and penalty. SCP is the most commonly used tier. Most operational errors (missed deferrals, incorrect matching, late enrollment) can be self-corrected if discovered and fixed within a reasonable period.

DOL Voluntary Fiduciary Correction Program (VFCP)

The VFCP covers fiduciary breaches, primarily late deposits of employee contributions. Employers must calculate lost earnings (using the DOL's online calculator), deposit the corrected amount plus earnings into participant accounts, and file an application with the DOL. The benefit of using VFCP is that the DOL issues a no-action letter, meaning they won't pursue further enforcement for the corrected violation.

When to involve legal counsel

Simple errors (a few late deposits, a missed enrollment corrected within the plan year) can usually be handled by the TPA. But if you discover systematic errors affecting many participants, if the error involves fiduciary breach or misuse of plan assets, or if you receive a DOL audit notice, bring in an ERISA attorney. The cost of legal advice is small compared to the potential penalties for mishandled corrections.

Frequently Asked Questions

What is the deadline for depositing employee 401(k) contributions?

The DOL requires deposits as soon as they can reasonably be segregated from the employer's general assets. The safe harbor deadline is 7 business days after the payroll date for small plans (fewer than 100 participants). Larger plans are expected to deposit within 1 to 3 business days. Many payroll providers can automate same-day or next-day deposits.

What happens if a company fails the ADP test?

Excess contributions must be refunded to HCEs within 2.5 months after the plan year ends (March 15 for calendar-year plans; 6 months for plans with an eligible automatic contribution arrangement) to avoid a 10% employer excise tax on the excess. The plan then has until the end of the following plan year (12 months) to complete the correction, either by refunding the excess to HCEs or by making Qualified Non-Elective Contributions (QNECs) to NHCEs to raise their average; a failure left uncorrected past that point is a qualification failure. Repeated failures suggest the company should consider a safe harbor design.

Do all employers need to file Form 5500?

Nearly every employer with a 401(k) plan must file a Form 5500 series return each year. Plans with 100 or more participants file the full Form 5500 and must attach an independent qualified public accountant's audit report. Small plans (fewer than 100 participants) generally file the simplified Form 5500-SF. The main exception is an owner-only plan (covering only the owner, or owners and their spouses) with total assets of $250,000 or less, which is exempt; above that threshold it files Form 5500-EZ. The deadline is the last day of the 7th month after the plan year ends (July 31 for calendar-year plans), with a 2.5-month extension available by filing Form 5558.

What is a safe harbor 401(k) plan?

A safe harbor plan automatically satisfies ADP and ACP non-discrimination tests by requiring the employer to make either a 3% non-elective contribution to all eligible employees or a specified matching contribution. The trade-off is guaranteed employer cost in exchange for administrative simplicity and the ability for HCEs to max out their contributions without testing restrictions.

Can a company lose its 401(k) plan tax-qualified status?

Yes. The IRS can disqualify a plan for significant or uncorrected compliance failures. Disqualification means all plan assets become taxable to participants, employer deductions for contributions are reversed, and the trust loses its tax-exempt status. In practice, the IRS prefers correction over disqualification and will typically offer a chance to fix errors through EPCRS before taking this step.

How does SECURE 2.0 affect existing 401(k) plans?

Most SECURE 2.0 provisions apply to existing plans, but only some are mandatory. Required changes include letting long-term part-time employees (500 or more hours in each of three consecutive years, reduced to two years for 2025) make elective deferrals, raising the required minimum distribution age to 73, and the Roth-only catch-up requirement for high earners (effective 2026). Roth employer contributions, the penalty-free $1,000 emergency withdrawal, student loan matching, and emergency savings accounts are optional provisions a plan may adopt but is not required to.
Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026