Some defined contribution (DC) plans will have to gear up for mandatory automatic enrollment under the SECURE 2.0 Act of 2022 (Div. T of Pub. L. No. 117-328). Unless an exception applies, 401(k) and 403(b) plans established after Dec. 28, 2022, must offer an "eligible automatic contribution arrangement” with automatic escalation and permissible withdrawal features starting with the 2025 plan year. This mandate also applies to employers adopting a multiple employer plan (MEP) after that date, even if the MEP was already established. Auto-enrolled employees’ contributions must be invested in a qualified default investment alternative (QDIA). This GRIST examines SECURE 2.0’s auto-enrollment mandate and its numerous exceptions and provides a road map of implementation questions ripe for agency guidance.
The retirement plan community has long recognized that many employees won’t participate in a DC plan if they have to affirmatively elect to contribute. Starting in 1998, a series of IRS rulings let plans automatically enroll eligible employees as long as they could opt out. But widespread adoption of automatic contribution arrangements didn’t shift into high gear until the Pension Protection Act of 2006 (Pub. L. No. 109-280) relieved fiduciaries from liability for default investments in QDIAs and introduced two designs:
Prior to SECURE 2.0, automatic contribution arrangements, EACAs and QACAs were optional: Plans could have any combination or none of these features. However, as Congress worked to pass comprehensive retirement legislation by the end of last year, several competing policy proposals signaled that SECURE 2.0 might steer a different course. The final SECURE 2.0 package included the auto-enrollment mandate from the House-passed Securing a Strong Retirement Act of 2022 (SSRA) (HR 2954). Beginning with the 2025 plan year, 401(k) and 403(b) plans subject to the mandate must offer an automatic enrollment feature that meets detailed requirements described below.
Plans subject to SECURE 2.0’s auto-enrollment mandate must offer an EACA with the following features, some of which resemble elements of QACAs:
SECURE 2.0 doesn’t mandate automatic re-enrollment of employees who opt out or elect a lower contribution rate. Employers could add a re-enrollment feature for such employees on an optional basis.
The act also doesn’t require plans to offer employer contributions. However, employers can make matching or nonelective contributions under any EACA. Sponsors that make employer contributions under the mandatory EACA can structure their contributions (and other plan design elements) to take advantage of the QACA or traditional nondiscrimination safe harbors.
Plans subject to the mandate must invest auto-enrolled participants’ contributions “in accordance with” the Department of Labor’s (DOL’s) QDIA regulation, unless the participant affirmatively elects a different investment alternative. The regulation relieves fiduciaries of liability for investment losses related to the default investment of a participant’s contributions in a QDIA. Participants must receive a notice when they become eligible and then 30 to 90 days before the beginning of each subsequent plan year.
Until now, compliance with the QDIA regulation has been voluntary for all plans, and some fiduciaries have continued to use non-QDIAs for default investments. However, compliance with the regulation apparently isn’t optional for plans subject to SECURE 2.0’s auto-enrollment mandate. Because the mandate is part of the Internal Revenue Code (IRC), QDIA compliance failures could jeopardize a plan’s qualification status. These failures currently result in a loss of fiduciary relief under ERISA but don’t otherwise affect a plan’s qualification under the IRC. IRS may need to issue guidance on how to correct these errors.
SECURE 2.0’s auto-enrollment provides exceptions for several categories of plans:
An employer can’t avoid the auto-enrollment mandate by adopting a MEP established before SECURE 2.0’s enactment. The employer would be viewed as adopting a new plan subject to the mandate, unless another exception applies: The exceptions for small employers and employers in existence less than three years also apply individually to each employer that participates in a MEP. However, the statute isn’t clear if an employer’s merger of a pre-existing plan into a MEP — or transition from one MEP to another or to an individually designed plan — would cause the plan to become subject to the mandate. IRS guidance confirming that such a plan maintains its exempt status would be helpful.
Sponsors of plans that are — or could later become — subject to SECURE 2.0’s auto-enrollment mandate may want to begin working with their recordkeeper and ERISA counsel to prepare for implementation. However, many implementation questions remain unanswered and will likely need to be addressed by agency guidance.
SECURE 2.0 doesn’t indicate whether the mandated EACA must cover all eligible employees. IRS regulations provide that an EACA isn’t required to cover all eligible employees. Some sponsors have limited their EACAs to employees who become newly eligible after the arrangement is effective, excluding employees with earlier eligibility dates — even those without affirmative elections. (However, a nonsafe-harbor EACA must cover all eligible employees to take advantage of an extended six-month period — instead of the typical 2-1/2 months — after plan year-end to correct ADP and ACP testing failures.)
New plans established after SECURE 2.0’s enactment but before the 2025 plan year — as well as plans sponsored by new or small employers that lose their exemption after the 2025 plan year — would already have eligible employees prior to implementing the mandated EACA. IRS guidance clarifying whether such employees must be covered by the EACA would be helpful. If these employees must be covered, the guidance should also address whether such employees’ affirmative elections could remain in place, as permitted for QACAs.
For plan years beginning after Dec. 31, 2024, SECURE 2.0 requires 401(k) and 403(b) plans to allow part-time workers to participate after completing two consecutive years with at least 500 hours of service. The act’s auto-enrollment provision doesn’t suggest that these long-term part-time workers can be excluded under the mandated EACA. Future IRS guidance may clarify how these SECURE 2.0 provisions interact.
One reason employers may choose not to offer an automatic contribution arrangement is the potential for elective deferral failures. In 2015, IRS added a temporary safe harbor for self-correcting elective deferral failures to the agency’s Employee Plans Compliance Resolution System (EPCRS), but that safe-harbor was set to expire at the end of this year. As a result, employers would have had to revert to the historic self-correction, which could require the employer to make a qualified nonelective contribution (QNEC) to make up for the lost deferral opportunity, as well as pay missed matching contributions.
SECURE 2.0 made the self-correction safe harbor permanent for plan years after Dec. 31, 2023. Plans will continue to have 9-1/2 months after plan year-end to self-correct reasonable errors in administering auto-enrollment and auto-escalation features. A much shorter correction window applies if an employee notifies the sponsor about the error. Employers that timely self-correct wouldn’t have to make a QNEC for the lost deferral opportunity but must pay any matching contributions participants would have received had the error not occurred (adjusted for earnings). This correction is available for both current and former employees. The act directs Treasury to issue implementing regulations, but sponsors can rely on a good-faith interpretation in the interim.
The plan amendment deadline for all of SECURE 2.0’s changes is the end of the first plan year beginning on or after Jan. 1, 2025 (2027 for collectively bargained plans). This deadline applies to sponsors implementing mandated auto-enrollment provisions before the amendment deadline.
For sponsors of existing plans that must first implement mandated auto-enrollment after the amendment deadline — such as new or small employers that lose their exemption — the timing for plan amendments isn’t clear. Because these employers must amend their plans to comply with the mandate, the amendment seems best characterized as required rather than discretionary. The deadline to adopt required amendments is usually tied to IRS’s annual Required Amendments List. This list generally includes statutory and administrative changes that first apply to all affected plans on an effective date set by the statute or guidance. However, required amendments to plans that lose their SECURE 2.0 auto-enrollment exemption don’t fit this rubric because the employer’s circumstances — not the statutory or regulatory effective date — will determine when the mandate first applies to the plan. IRS guidance is needed.
Employees covered by the EACA must receive the required notice within a reasonable period before the arrangement is effective, even if the amendment is adopted later. Plans subject to SECURE 2.0’s auto-enrollment mandate beginning Jan. 1, 2025, will have to provide the first required notice between Oct. 3 and Dec. 2, 2024, even if sponsors take advantage of the extended amendment deadline.
SECURE 2.0 directs the DOL and Treasury to issue regulations allowing consolidation of required auto-enrollment, safe harbor, and QDIA notices by Dec. 29, 2024. However, as noted above, this date is after the date nonexempt plans would have to provide their first notices in advance of the 2025 plan year. (IRS previously released a sample notice for a QACA that permits EACA withdrawals, which also incorporates DOL’s notice requirements for QDIAs.)