Road-testing SECURE 2.0’s auto-enrollment mandate for new DC plans 

February 14, 2023

Some defined contribution (DC) plans will have to gear up for mandatory automatic enrollment under the SECURE 2.0 Act of 2022 (Div. T of Pub. L. No. 117-328). Unless an exception applies, 401(k) and 403(b) plans established after Dec. 28, 2022, must offer an "eligible automatic contribution arrangement” with automatic escalation and permissible withdrawal features starting with the 2025 plan year. This mandate also applies to employers adopting a multiple employer plan (MEP) after that date, even if the MEP was already established. Auto-enrolled employees’ contributions must be invested in a qualified default investment alternative (QDIA). This GRIST examines SECURE 2.0’s auto-enrollment mandate and its numerous exceptions and provides a road map of implementation questions ripe for agency guidance.

The retirement plan community has long recognized that many employees won’t participate in a DC plan if they have to affirmatively elect to contribute. Starting in 1998, a series of IRS rulings let plans automatically enroll eligible employees as long as they could opt out. But widespread adoption of automatic contribution arrangements didn’t shift into high gear until the Pension Protection Act of 2006 (Pub. L. No. 109-280) relieved fiduciaries from liability for default investments in QDIAs and introduced two designs:

• Eligible automatic contribution arrangement (EACA). An EACA applies a default contribution rate that is a uniform percentage of compensation. No minimum contribution percentage applies, and the contribution rate can automatically increase according to a uniform schedule based on the number of years since an employee’s initial enrollment. An EACA can also allow participants to withdraw default contributions within 30 to 90 days after the initial contribution. Each employee covered by the EACA must receive a notice when first eligible and then again 30 to 90 days before the beginning of each plan year. The notice must describe the level of default contributions, the right to opt out or elect a different contribution rate, the way contributions will be invested, and the ability to make permissible withdrawals (if applicable).
  
  
• Qualified automatic contribution arrangement (QACA). A QACA is a safe-harbor design that exempts a plan from the actual deferral percentage (ADP) nondiscrimination test and possibly the actual contribution percentage (ACP) test (depending on whether the plan provides nonsafe-harbor matching contributions or after-tax contributions). Eligible employees must be enrolled at a contribution rate of at least 3% but not more than 10% of compensation. The minimum contribution rate must increase by at least 1% per year until it reaches 6% of compensation (with up to 15% allowed). The employer must make either safe-harbor matching contributions — at least 100% of the first 1%, and 50% of the next 5% of compensation — or a 3% safe-harbor nonelective contribution. These safe-harbor contributions must be fully vested after two years of service. Notice requirements similar to those for EACAs also apply, with additional content required for QACAs that provide safe-harbor matching contributions. (The Setting Every Community Up for Retirement Enhancement Act of 2019 (Div. O. of Pub. L. No. 116-94) eliminated the additional content requirement for QACAs that provide safe-harbor nonelective contributions.)

Prior to SECURE 2.0, automatic contribution arrangements, EACAs and QACAs were optional: Plans could have any combination or none of these features. However, as Congress worked to pass comprehensive retirement legislation by the end of last year, several competing policy proposals signaled that SECURE 2.0 might steer a different course. The final SECURE 2.0 package included the auto-enrollment mandate from the House-passed Securing a Strong Retirement Act of 2022 (SSRA) (HR 2954). Beginning with the 2025 plan year, 401(k) and 403(b) plans subject to the mandate must offer an automatic enrollment feature that meets detailed requirements described below.

Plans subject to SECURE 2.0’s auto-enrollment mandate must offer an EACA with the following features, some of which resemble elements of QACAs:

• Withdrawal right. Plans must include the 30- to 90-day withdrawal feature that’s optional for other EACAs. Withdrawals are adjusted for earnings and taxable in the year distributed (unless the withdrawals are designated Roth contributions). However, the 10% early withdrawal penalty doesn’t apply.
  
  
• Initial contribution rate. Plans must automatically enroll employees at an initial rate of at least 3% but not more than 10% of compensation (the same initial contribution rate that applies to QACAs). Participants can opt out or elect a different contribution rate.
  
  
• Automatic escalation. An auto-enrolled participant’s contribution rate must automatically increase by 1% after each completed year of participation until the rate reaches at least 10% (but not more than 15%) of compensation. (IRS guidance could clarify whether increases exceeding 1% are allowed.) Participants can opt out of the automatic increase or elect a different contribution rate. These requirements differ slightly from those for QACAs. For example, the mandated EACA must continue to increase auto-enrolled participants’ contribution rates 1% per year until they reach 10%, even if the plan applies an initial contribution rate higher than the minimum 3%. In contrast, the minimum contribution rate under a QACA increases 1% per year until reaching 6%. This structural difference means a QACA that automatically enrolls participants at 4%, which is the minimum contribution rate for the second year of participation, wouldn’t have to increase to 5% until the third year. The act also says automatic increases must occur on the first day of every plan year, whereas increases under a QACA can occur on the anniversary of a participant’s auto-enrollment date.

Automatic re-enrollment and employer contributions remain optional

SECURE 2.0 doesn’t mandate automatic re-enrollment of employees who opt out or elect a lower contribution rate. Employers could add a re-enrollment feature for such employees on an optional basis.

The act also doesn’t require plans to offer employer contributions. However, employers can make matching or nonelective contributions under any EACA. Sponsors that make employer contributions under the mandatory EACA can structure their contributions (and other plan design elements) to take advantage of the QACA or traditional nondiscrimination safe harbors.

Plans subject to the mandate must invest auto-enrolled participants’ contributions “in accordance with” the Department of Labor’s (DOL’s) QDIA regulation, unless the participant affirmatively elects a different investment alternative. The regulation relieves fiduciaries of liability for investment losses related to the default investment of a participant’s contributions in a QDIA. Participants must receive a notice when they become eligible and then 30 to 90 days before the beginning of each subsequent plan year.

Until now, compliance with the QDIA regulation has been voluntary for all plans, and some fiduciaries have continued to use non-QDIAs for default investments. However, compliance with the regulation apparently isn’t optional for plans subject to SECURE 2.0’s auto-enrollment mandate. Because the mandate is part of the Internal Revenue Code (IRC), QDIA compliance failures could jeopardize a plan’s qualification status. These failures currently result in a loss of fiduciary relief under ERISA but don’t otherwise affect a plan’s qualification under the IRC. IRS may need to issue guidance on how to correct these errors.

SECURE 2.0’s auto-enrollment provides exceptions for several categories of plans:

• Plans established before SECURE 2.0. A broad exception applies to all 401(k) and 403(b) plans “established” before Dec. 29, 2022 (SECURE 2.0’s enactment date). The act doesn’t define this term, which raises questions for employers that were already on track for adopting new plans for 2023. Would a plan be treated as established if the sponsor adopted the plan before SECURE 2.0’s enactment, even if the plan wasn’t yet effective? The act also doesn’t address how this exception will apply in corporate transactions, including whether a plan spun off after Dec. 28, 2022, from an exempt plan would maintain its exempt status or be treated as a new plan. IRS guidance would be helpful.
  
  
• Governmental, church and SIMPLE plans. All governmental plans, church plans and savings incentive match plans for employees of small employers (SIMPLE plans) are exempt from the auto-enrollment mandate, even if established after SECURE 2.0’s enactment.
  
  
• Small businesses. The auto-enrollment mandate doesn’t apply to a 401(k) or 403(b) plan sponsored by an employer that “normally” employs 10 or fewer employees. The act doesn’t define how this is determined — for example, whether any employees are excluded for this purpose or if the IRC’s controlled-group rules for related employers apply. The mandate couldn’t apply to a plan earlier than one year after the close of the first taxable year the employer fails to meet the exception. Without clarifying agency guidance, this could pose challenges for sponsors whose tax years and plan years aren’t aligned because IRS rules currently don’t allow plans to add an EACA during the plan year. For example, if a sponsor with a calendar-year tax year and July 1–June 30 plan year first exceeds this threshold for the 2025 tax year, the plan apparently would have to offer a compliant auto-enrollment feature starting Jan. 1, 2027, which would be the middle of the plan year. The statute doesn’t appear to provide a mechanism for a nonexempt employer that later falls below the threshold to claim the exemption and eliminate the plan’s auto-enrollment feature.
  
  
• New businesses. A 401(k) or 403(b) plan sponsored by an employer in business less than three years (taking into account any predecessor employer) is exempt from the auto-enrollment mandate. Unlike the exception for small businesses, the act doesn’t specify the timing for a plan’s implementation of the required EACA once the employer ceases to qualify for the exemption. IRS guidance is needed.

An employer can’t avoid the auto-enrollment mandate by adopting a MEP established before SECURE 2.0’s enactment. The employer would be viewed as adopting a new plan subject to the mandate, unless another exception applies: The exceptions for small employers and employers in existence less than three years also apply individually to each employer that participates in a MEP. However, the statute isn’t clear if an employer’s merger of a pre-existing plan into a MEP — or transition from one MEP to another or to an individually designed plan — would cause the plan to become subject to the mandate. IRS guidance confirming that such a plan maintains its exempt status would be helpful.

Sponsors of plans that are — or could later become — subject to SECURE 2.0’s auto-enrollment mandate may want to begin working with their recordkeeper and ERISA counsel to prepare for implementation. However, many implementation questions remain unanswered and will likely need to be addressed by agency guidance.

SECURE 2.0 doesn’t indicate whether the mandated EACA must cover all eligible employees. IRS regulations provide that an EACA isn’t required to cover all eligible employees. Some sponsors have limited their EACAs to employees who become newly eligible after the arrangement is effective, excluding employees with earlier eligibility dates — even those without affirmative elections. (However, a nonsafe-harbor EACA must cover all eligible employees to take advantage of an extended six-month period — instead of the typical 2-1/2 months — after plan year-end to correct ADP and ACP testing failures.)

New plans established after SECURE 2.0’s enactment but before the 2025 plan year — as well as plans sponsored by new or small employers that lose their exemption after the 2025 plan year — would already have eligible employees prior to implementing the mandated EACA. IRS guidance clarifying whether such employees must be covered by the EACA would be helpful. If these employees must be covered, the guidance should also address whether such employees’ affirmative elections could remain in place, as permitted for QACAs.

For plan years beginning after Dec. 31, 2024, SECURE 2.0 requires 401(k) and 403(b) plans to allow part-time workers to participate after completing two consecutive years with at least 500 hours of service. The act’s auto-enrollment provision doesn’t suggest that these long-term part-time workers can be excluded under the mandated EACA. Future IRS guidance may clarify how these SECURE 2.0 provisions interact.

One reason employers may choose not to offer an automatic contribution arrangement is the potential for elective deferral failures. In 2015, IRS added a temporary safe harbor for self-correcting elective deferral failures to the agency’s Employee Plans Compliance Resolution System (EPCRS), but that safe-harbor was set to expire at the end of this year. As a result, employers would have had to revert to the historic self-correction, which could require the employer to make a qualified nonelective contribution (QNEC) to make up for the lost deferral opportunity, as well as pay missed matching contributions.

SECURE 2.0 made the self-correction safe harbor permanent for plan years after Dec. 31, 2023. Plans will continue to have 9-1/2 months after plan year-end to self-correct reasonable errors in administering auto-enrollment and auto-escalation features. A much shorter correction window applies if an employee notifies the sponsor about the error. Employers that timely self-correct wouldn’t have to make a QNEC for the lost deferral opportunity but must pay any matching contributions participants would have received had the error not occurred (adjusted for earnings). This correction is available for both current and former employees. The act directs Treasury to issue implementing regulations, but sponsors can rely on a good-faith interpretation in the interim.

The plan amendment deadline for all of SECURE 2.0’s changes is the end of the first plan year beginning on or after Jan. 1, 2025 (2027 for collectively bargained plans). This deadline applies to sponsors implementing mandated auto-enrollment provisions before the amendment deadline.

For sponsors of existing plans that must first implement mandated auto-enrollment after the amendment deadline — such as new or small employers that lose their exemption — the timing for plan amendments isn’t clear. Because these employers must amend their plans to comply with the mandate, the amendment seems best characterized as required rather than discretionary. The deadline to adopt required amendments is usually tied to IRS’s annual Required Amendments List. This list generally includes statutory and administrative changes that first apply to all affected plans on an effective date set by the statute or guidance. However, required amendments to plans that lose their SECURE 2.0 auto-enrollment exemption don’t fit this rubric because the employer’s circumstances — not the statutory or regulatory effective date — will determine when the mandate first applies to the plan. IRS guidance is needed.

Employees covered by the EACA must receive the required notice within a reasonable period before the arrangement is effective, even if the amendment is adopted later. Plans subject to SECURE 2.0’s auto-enrollment mandate beginning Jan. 1, 2025, will have to provide the first required notice between Oct. 3 and Dec. 2, 2024, even if sponsors take advantage of the extended amendment deadline.

SECURE 2.0 directs the DOL and Treasury to issue regulations allowing consolidation of required auto-enrollment, safe harbor, and QDIA notices by Dec. 29, 2024. However, as noted above, this date is after the date nonexempt plans would have to provide their first notices in advance of the 2025 plan year. (IRS previously released a sample notice for a QACA that permits EACA withdrawals, which also incorporates DOL’s notice requirements for QDIAs.)

• Pub. L. No. 117-328, the SECURE 2.0 Act of 2022 (Congress, Dec. 29, 2022)
• Summary of the SECURE 2.0 Act of 2022 (Senate Finance Committee, Dec. 20, 2022)

• User’s guide to SECURE 2.0 (regularly updated)
• Alert: SECURE 2.0 retirement reforms set to become law (Dec. 20, 2022)