SECURE 2.0 Section 101: Mandatory Auto-Enrollment for New 401(k) and 403(b) Plans (2026 Compliance Guide)

Mike Thrift · 11 min read

If you launched a new 401(k) or 403(b) plan after December 29, 2022, your payroll team is now on the hook for a compliance change most small employers still misunderstand. Starting with plan years beginning after December 31, 2024, those plans must automatically enroll every eligible employee at a default deferral rate of 3% to 10%, escalate that rate by one percentage point each year, and meet a stack of notice, withdrawal, and investment rules that traditional opt-in 401(k) plans never had to worry about.

The mandate sounds simple. The reality is a thicket of effective dates, exemptions, predecessor-employer rules, and remedial amendment deadlines. Get it wrong and you risk a plan disqualification that can vaporize the tax-deferred status of every dollar your employees have contributed. Get it right and you've ticked one of the biggest boxes on the SECURE 2.0 plan amendment checklist due December 31, 2026.

Here's what every plan sponsor, payroll provider, and finance lead needs to know to satisfy Section 101 cleanly in 2026 and beyond.

What Section 101 Actually Requires

SECURE 2.0 Act Section 101 amended the Internal Revenue Code by adding new Section 414A. The provision mandates that every "new" 401(k) cash-or-deferred arrangement and every new 403(b) plan must operate as an Eligible Automatic Contribution Arrangement (EACA).

An EACA has four moving parts:

  1. A uniform default deferral rate that applies to every employee who does not make an affirmative election.
  2. Automatic annual escalation of that rate.
  3. A qualified default investment alternative (QDIA) for contributions when the employee does not direct the investment.
  4. A statutory notice delivered before the first contribution and at least annually thereafter.

The plan must also offer a 90-day permissible withdrawal window so employees who never noticed the deduction can claw back contributions without the 10% early-withdrawal penalty.

The default deferral rate window

The plan must auto-enroll participants at a default rate of at least 3% but no more than 10% of eligible compensation. This is the initial rate during the first plan year an employee is auto-enrolled.

Starting with the first day of the second plan year after auto-enrollment, the rate must escalate by at least one percentage point each year until it reaches at least 10% but no more than 15%. A plan can choose to cap escalation anywhere within that 10%-15% band. Many sponsors land on 10% to keep payroll math simple; more aggressive savings-plan designs push to 12% or 15%.

The 90-day permissible withdrawal

This is the most-overlooked compliance lever. Any employee who is auto-enrolled may, within 90 days of their first default contribution, elect a permissible withdrawal of all amounts attributable to the auto-enrollment. The withdrawal is adjusted for gains and losses, included in gross income in the year received (unless designated Roth), and is not subject to the 10% additional tax on early distributions.

If your recordkeeper cannot administer this 90-day window correctly, the entire plan fails the EACA standard. Confirm in writing that your provider supports it before you sign up.

Which Plans Are Actually Subject to the Mandate

This is where many sponsors get tripped up. Section 414A applies only to plans established on or after December 29, 2022. Anything established before that date is grandfathered indefinitely. But "established" has a specific meaning that the IRS clarified in proposed regulations issued January 10, 2025.

"Established" means when the cash-or-deferred arrangement was first adopted

A plan is treated as established on the date its cash-or-deferred arrangement (the 401(k) or 403(b) feature) was initially adopted, regardless of when the broader retirement plan document was first put in place. A profit-sharing plan adopted in 2018 that later added a 401(k) feature in 2024 is treated as a new plan for Section 414A purposes.

Predecessor employer and merger rules

Plans assumed in a corporate transaction generally retain the establishment date of the original plan. If your acquired entity had a pre-2022 401(k) plan, that plan remains grandfathered even after the closing. But if you spin a new plan out of an existing plan after enactment, it is treated as new and subject to the mandate.

Multiple employer plans and pooled employer plans

For multiple employer plans (MEPs) and pooled employer plans (PEPs), the proposed regulations clarify that the Section 414A determination is made employer-by-employer, not at the plan level. A new employer joining a pre-enactment PEP is still subject to auto-enrollment for its own employees. Conversely, the new-business and small-employer exemptions can apply to a single participating employer within a MEP.

Multiemployer plans (the union-sponsored variety) are excluded entirely. A new employer joining a pre-existing multiemployer plan never triggers Section 414A.

The Four Exemptions Worth Memorizing

Even if your plan is technically "new," you may not have to implement auto-enrollment yet. Section 414A carves out four categories:

1. Small employers (10 or fewer employees)

If you "normally" employ 10 or fewer employees, the mandate does not apply. The headcount uses the same standard that determines small-employer exemption from COBRA continuation coverage: count common-law employees across the controlled group.

Once you exceed 10 employees, you get a runway. The plan must adopt auto-enrollment by the first plan year beginning at least 12 months after the close of the first tax year in which you normally employed more than 10 employees. In practice, that gives a fast-growing startup at least one full plan year to set up payroll integration and notices.

2. Businesses less than three years old

A plan sponsored by a business that has been in existence less than three years (including any predecessor employer) is exempt. The clock runs from the first day the employer existed, not from when it adopted the plan.

The plan must satisfy the mandate by the first plan year beginning after the employer's third anniversary. So a business incorporated in January 2024 that established a 401(k) in 2025 has until plan year 2028 to add auto-enrollment.

3. Governmental plans

State, county, municipal, and federal 401(a) and 403(b) plans are out of scope. School district 403(b) plans benefit here.

4. SIMPLE 401(k) plans and church plans

SIMPLE 401(k) plans operating under Code Section 401(k)(11) are exempt, as are non-electing church plans.

Combined exemptions matter. A two-year-old startup with eight employees qualifies under both the small-employer and the new-business rule. You don't lose the exemption until you fail every applicable test. Watch the cliff carefully: if you cross 11 employees on the same day your business turns three years old, the calendar starts.

The EACA Notice: Form, Timing, and Failure Modes

Every employee covered by the EACA must receive a written notice that covers:

  • The level of default contributions and a statement that the employee can opt out or elect a different rate
  • How contributions will be invested in the absence of an affirmative election (the QDIA)
  • The 90-day permissible withdrawal feature
  • The plan year escalation schedule

Timing rules

Deliver the notice before the employee is first eligible (so they have a meaningful chance to opt out before payroll deducts a dollar), and again 30 to 90 days before the start of each subsequent plan year for as long as the employee remains auto-enrolled.

You do not need to send the annual notice to participants who have opted out, although best practice is to send it anyway since enrollment status can change.

What goes wrong in practice

The most common failures are timing-based. A new hire onboards Friday, payroll runs Monday, and the notice arrives Tuesday after the first deduction. That's a fail. Build an HR/payroll handshake that withholds eligibility until the notice is delivered and acknowledged.

The second-most-common failure is investment direction. If the recordkeeper defaults contributions into a money-market fund instead of a QDIA-compliant target-date fund or balanced fund, the plan loses ERISA Section 404(c)(5) protection and the sponsor inherits investment fiduciary liability for those balances.

Compliance Timeline: What to Do When

| Date | Action |
|------|--------|
| Plan years beginning on or after Jan 1, 2025 | Section 414A in effect for non-exempt plans |
| By plan-year start | EACA design, payroll integration, recordkeeper coordination, QDIA selection |
| Before first eligible payroll | Initial EACA notice to every newly eligible employee |
| 30-90 days before each plan year | Annual EACA notice |
| December 31, 2026 | Plan amendment deadline for SECURE 2.0 provisions (most non-collectively-bargained plans) |
| December 31, 2028 | Amendment deadline for collectively bargained plans |
| December 31, 2029 | Amendment deadline for governmental plans |

Operational compliance must precede the formal plan amendment. The IRS expects you to administer the plan as if amended starting in 2025, and then document that operation in a written amendment by 2026. Operating one way and amending another is a recipe for a determination-letter problem.

Cost, Cash Flow, and Bookkeeping Implications

For employers, Section 414A creates three lines of expense and one line of benefit:

Expenses:

  • Higher matching contributions. Auto-enrollment routinely drives participation rates from roughly 60% to 90%+. If your plan matches contributions dollar-for-dollar up to 4%, expect your match expense to climb correspondingly.
  • Recordkeeping fees. EACAs require notice generation, opt-out tracking, escalation processing, and 90-day withdrawal administration. Many recordkeepers charge a per-participant uptick.
  • Payroll software upgrades. Smaller payroll providers may charge to add escalation logic and notice delivery.

Benefit:

  • The Section 45E small-employer pension plan startup credit has been substantially expanded under SECURE 2.0 and includes a $500 per year auto-enrollment credit for three years for employers with up to 100 employees that add an EACA. Stack this against the contribution match credit and the administrative cost credit, and many small employers see their first three years of plan costs largely offset by the credit.

Track contributions and matches at the account level

Once auto-enrollment is in place, your payroll register and your trial balance need to reconcile every pay period. Misposted employee deferrals create a fiduciary breach the moment they leave the employer's general operating account and miss the trust deposit deadline. Bookkeeping at account-level granularity—each employee's deferral, each employer match dollar, each true-up entry at year end—prevents the kind of timing discrepancy that triggers a DOL Voluntary Fiduciary Correction Program filing.

Common Mistakes to Avoid

Across the proposed regulations and early-adopter case studies, the same five mistakes show up over and over:

  1. Assuming your existing plan is grandfathered without checking. Merging two plans, terminating and re-establishing a CODA, or spinning off a subsidiary all create potential "new plan" exposure.
  2. Setting the default rate at 2%. Some payroll systems default lower for cash-flow management; this fails the 3% floor and disqualifies the EACA.
  3. Missing the 1% annual escalation. Auto-enrollment without escalation does not satisfy Section 414A. Make sure your recordkeeper actually increases the rate annually.
  4. Defaulting to a money market or stable value fund. Outside the very narrow 120-day QDIA short-term default rule, money market funds are not QDIAs. Use a target-date fund, balanced fund, or managed account.
  5. Failing the 90-day permissible withdrawal logistics. Some providers force a hardship-style application or charge a withdrawal fee. Both jeopardize EACA status.

Practical Setup Checklist for 2026

Use this list before your next plan year begins:

  • Confirm in writing with your recordkeeper that the plan operates as an EACA, including escalation and 90-day withdrawals
  • Set the default deferral rate (3%-10%) and write the escalation schedule (1%/year to at least 10%)
  • Designate a QDIA that meets DOL standards (target-date fund family, balanced fund, or managed account)
  • Draft and deliver the EACA notice to all new hires; build a payroll workflow that gates the first paycheck on notice delivery
  • Calendar the annual notice 30-90 days before each plan year
  • Document the small-employer or new-business exemption status if applicable, with annual reassessment
  • Coordinate with your accountant to claim the Section 45E auto-enrollment credit on Form 8881
  • Calendar the plan amendment deadline of December 31, 2026

Keep Your Plan Records Audit-Ready

Auto-enrollment compliance hinges on documentation: who was notified, when, at what rate, with what investment direction, and which opt-outs occurred. Beancount.io offers plain-text accounting that gives plan sponsors and their finance teams complete transparency into payroll deferrals, employer matches, and trust deposits—no black boxes, no vendor lock-in, and every entry version-controlled for the next plan audit. Get started for free and see why developers and finance professionals are switching to plain-text accounting.