Topic: LEGAL & LEGISLATIVE

OSHA may no longer view heat hazards in isolation, but as part of a more integrated approach to worker health and safety.

The Labor Department’s recent proposed joint employer rule is welcome news for the PEO industry. That being said, you’ve received similar welcome news every other time the DOL went through this same exercise in the past, only to see the helpful guidance unwound by a new administration. Watching the joint employer rule evolve is like watching a very slow and long tennis match with a volley returned every four years. But while we have the benefit of a helpful rule, PEOs should incorporate the guidance into their risk management strategy. Here’s a recap and a review of the four things all PEOs should know.

QUICK RECAP OF NEW JOINT EMPLOYER PROPOSAL

The DOL’s Wage and Hour Division released a proposal last month outlining a four-factor test to determine when two businesses are liable as joint employers under the FLSA, FMLA, and MSPA. With no single factor being dispositive, the test considers whether a business hires or fires the employee; supervises and controls their work schedule or conditions of employment to a substantial degree; determines their rate and method of payment; and maintains their employment records.

The proposal largely mirrors a 2020 Trump administration rule that was subsequently blocked by a court and later rescinded under Biden, though this version places greater emphasis on actual control over merely reserved control which is helpful for the PEO industry.

TOP 4 THINGS PEO LEADERS NEED TO KNOW

Here’s a review of the top four things PEO leaders need to know about this proposal.

The four-factor test plays well when it comes to how PEOs operate. Three of the four factors in the new test favor PEOs, as long as your service agreements, policies, and practices are managed in a way that aligns with the factors. For example, while PEOs need the right to hire and terminate from the standpoint of onboarding and offboarding worksite employees, they generally do not make the decision for the customer. Similarly, PEOs don’t supervise or control worksite employees to a substantial degree, or set their rate of pay, and it is important the PEO avoid the appearance of doing so.

The PEO’s role in these things, or lack thereof, must be made very clear in the service agreement. Your other written materials also must align with the contract on these items.

Marketing related documents can be particularly thorny when it comes to keeping these things in synch because, compared to a contract, they are so informal.

When trying to give a potential customer a brief list of helpful services provided by your PEO, it is very easy to accidentally give the impression the PEO is responsible for things it merely supports by offering tools or guidance to the customer. For example, your service agreement probably says that only the customer is responsible for deciding who is exempt from overtime, even though the PEO may provide guidance or tools for that subject. That is a very important provision. If the sales department’s marketing-oriented list of services includes a vague reference to “exempt / non-exempt status” that can work against what the service agreement is trying to do.

Make sure your legal team reviews any marketing materials to make sure they don’t inadvertently create exposure.

The “reserved control” wrinkle shouldn’t be overblown. The proposed rule departs from the 2020 Trump administration standard in one notable way: it treats the mere right to control (even if never exercised) as relevant to the joint employer analysis. This is the provision that drew the most attention when the rule dropped, and it’s worth understanding why it’s there.

The new approach in the rule is likely there to enhance the ability of the rule to survive a challenge in court and not to actually expand joint employer liability. The 2020 rule’s strict “actual control” standard was struck down in court, with the judge finding it conflicted with the FLSA. The new language hopefully fixes that problem, while practically speaking not significantly increasing the risk of joint liability. The proposed rule itself supports this directly, stating that actual control is “much more relevant” to the analysis than a mere reserved right.

Common PEO services are expressly insulated from the analysis. One of the most significant wins buried in the proposed rule is what it excludes. The DOL explicitly states that certain business practices, standing alone, do not make joint employer status more or less likely. That list reads like a PEO service menu:

• providing sample employee handbooks
• offering association health plans or association retirement plans
• providing health, safety, or legal compliance services
• supplying sample workplace policies like anti-harassment programs

The third bullet point is the most useful for PEOs since you often provide all of those services and adversaries often point to them as evidence of joint employer status. The two mentioning “sample” documents are not as helpful because PEOs may do more than just provide samples when they assist customers with things like employee handbooks. But the factors will be helpful in that they acknowledge the difference between providing resources and controlling policy. The association health plan factor is inapplicable.

State law remains the wildcard. The proposed rule would establish a uniform federal standard for DOL enforcement under the FLSA, FMLA, and MSPA, which is a welcome upgrade from the current patchwork of circuit-by-circuit tests. But it doesn’t preempt state law. California, New York, and several other states apply broader joint employer standards, and PEOs with worksite employees in those jurisdictions will need to continue navigating state-specific analysis.

SOME STEPS PEOS SHOULD TAKE NOW

• Review service agreements to ensure they align with the proposed rule.
• Audit marketing and website content to ensure it aligns with the way the service agreement describes the PEO’s responsibilities.
• Ensure legal counsel is familiar with the rule and how to use it in the PEO context, particularly in big-ticket cases like FLSA collective actions.
• Watch for the next version of the rule and adapt, again.

This article is designed to give general and timely information about the subjects covered. It is not intended as legal advice or assistance with individual problems. Readers should consult competent counsel of their own choosing about how the matters relate to their own affairs.

If employer contributions or pre-tax salary deferrals to Trump Accounts becomes a common benefit offering, PEOs are well-positioned to offer it to small businesses who otherwise do not have the bandwidth to administer it.

When your clients decide to expand into new markets, the excitement of growth often collides with a harsh reality: every jurisdiction brings its own maze of employment laws, tax codes, and regulatory requirements.

There’s quite a bit that PEOs need to know and understand about Nacha’s new fraud monitoring requirements including operational impacts and how to prepare before the March 20, 2026, effective date.

The ACH network is the financial backbone of payroll, taxes, benefits, and countless employer-related transactions processed by PEOs every day. As fraud grows more sophisticated, Nacha is implementing a broad set of risk management rule amendments that take effect March 20, 2026. These changes aim to strengthen fraud detection, improve visibility into ACH activity, and enhance the industry’s ability to recover funds when fraud occurs.

For PEOs, who sit at the center of employer payroll operations, these rules represent more than a compliance update. They introduce new expectations around monitoring, data visibility, and internal controls that require preparation well before the effective dates.

This article outlines what’s changing, why it matters, and what PEOs can do now to be ready.

WHY NACHA IS UPDATING ACH REQUIREMENTS

The ACH Network has experienced exponential growth in volume and speed, including same-day and near real-time payments. With that growth has come a parallel rise in:

• Business email compromise (BEC)
• Payroll impersonation and redirection
• Vendor fraud
• Account takeover schemes
• Fraudulent credit-push transactions

Historically, many instances of frauds weren’t detected until after funds had settled, making recovery extremely difficult. Nacha’s new rules focus on earlier detection, stronger monitoring obligations, and improved tools for identifying suspicious transactions before they’re processed.

3 KEY NACHA RULE CHANGES

1. Expanded Fraud Monitoring Requirements

Under the new rules, several ACH participants must implement risk-based fraud monitoring across all ACH entries—not only WEB debits or micro-entries.

Requirements impact:

• ODFIs, large Originators, TPSPs, and TPSs (6M+ ACH entries in 2023)
• RDFIs (10M+ incoming ACH receipts in 2023)

This marks a major shift: monitoring must now occur for all transactions regardless of SEC code or transaction type.

Annual reviews now become mandatory. All entities covered by the rule must review their monitoring processes at least annually, documenting updates and validating effectiveness. Annual fraud review requirements mean PEOs must treat ACH monitoring the same way they treat payroll accuracy: consistently, proactively, and with documentation.

PEO Impact: PEOs that originate payroll files or partner with third-party providers must ensure these monitoring capabilities exist—either internally or through their financial partners.

2. Updated Definition Of “False Pretenses”

Nacha expanded the definition of unauthorized transactions to include payments induced by: misrepresentation of identity, authority, and account ownership. This updated terminology more accurately covers modern fraud methods, including payroll redirection, vendor impersonation, BEC schemes, and account takeovers.

PEO Impact: Payroll departments are prime targets for impersonation-based fraud, especially those processing high volumes on behalf of multiple employers.

3. Standardized Company Entry Descriptions

Two new standardized entry descriptions will be required: payroll (for wage and compensation credits), and purchase (for e-commerce WEB debits).

These standardized labels increase transparency for receiving institutions, aiding fraud detection and funds-availability decisions.

PEO Impact: Standardized descriptors allow banks to better identify unusual payroll activity, such as unexpected frequency changes, which often signal payroll redirection attempts.

OPERATIONAL CHALLENGES PEOS MAY ENCOUNTER

While these changes strengthen the ACH ecosystem, they introduce several operational challenges that PEOs must prepare to address.

Comprehensive Fraud & Transaction Monitoring. PEOs will need visibility into a broader range of ACH activity, covering velocity spikes, duplicate entries, irregular transaction patterns, SEC code inconsistencies, and out-of-band payment attempts. This level of monitoring may require new tools or enhancements to existing processes.

AML/KYC-Related Expectations. Though Nacha does not regulate AML laws, its expectations now mirror several AML/KYC principles: account behavior monitoring, risk-based profiling, and suspicious pattern identification. PEOs may need to work more closely with financial institutions to align monitoring practices.

Detecting Batch-Level Discrepancies. Many fraud schemes hide within batch structures. PEOs will need to identify: mismatched totals, duplicate batches, unusual batch volumes, and missing entries. These issues must be flagged before processing—not after settlement.

Payroll Frequency Anomalies. Payroll fraud often begins with subtle deviations in established patterns. Nacha’s rules emphasize monitoring for percentage-based change in payroll volume, transaction count variances, and unexpected off-cycle or one-off payrolls. This is particularly important for PEOs managing multiple employer groups with varied pay cycles.

Meeting Annual Compliance Review Requirements. The required annual reviews will demand documentation, testing, and validation. PEOs must account for this increased workload without slowing down payroll operations.

HOW PEOS CAN PREPARE

The most successful organizations will treat ACH risk management as a strategic priority rather than an isolated compliance task. Here are a few steps PEOs can take now.

1. Reviewing ACH workflows end-to-end. Mapping every touchpoint reveals gaps and vulnerabilities.

2. Strengthening internal fraud awareness. Most fraud begins with social engineering; better training reduces risk.

3. Confirming provider readiness. Ensure banks or ACH processors are preparing for new 2026 monitoring requirements.

4. Implementing payroll pattern monitoring. Systems should detect both percentage-based and transaction-based anomalies.

5. Updating client communication processes. Employer contacts must understand red flags and verification expectations.

6. Treat 2025 as a “test year.” Conduct mock audits and practice annual reviews before the deadline.

Nacha’s 2026 rule changes represent one of the most significant updates to ACH risk management in years. For PEOs that manage payroll and payments at scale, these new requirements call for enhanced monitoring, stronger internal controls, better data visibility, and closer collaboration with financial partners.

By preparing early and strengthening fraud detection workflows now, PEOs can protect employers, employees, and payroll operations while stepping confidently into 2026 and beyond.

In May 2025, the Trump DOL announced it would no longer enforce a strict Biden-era rule that deemphasized any “core” factors and adopted a broad, multi-factor economic realities test.

At the start of 2025, only a dozen states had formal pay transparency mandates. By year-end, that number has more than doubled.

With the new $100,000 fee, the economics change dramatically. For smaller employers — many of whom partner with PEOs for HR and compliance — the barrier may now feel insurmountable.

PEOs need to stay on top of these decisions, as they impact guidance that they provide to their clients.

One provision that might be of benefit to PEOs as a potential service to offer their clients is the newly created savings accounts provided in the OBBB.

While the bill simplifies taxes in some areas, it also introduces new compliance requirements tied to workforce investments and tax credit eligibility.

In our tracking of regulatory changes affecting our clients across multiple jurisdictions, we’ve documented an average of at least 50 significant compliance updates annually — changes that can overwhelm even the most diligent business owners. One of the major selling points of a PEO for overworked administrators, in addition to payroll processing or benefits administration — is having experts who can help decipher the constant flow of regulatory changes and protect their business. As leaders in this space, we develop systematic approaches to turn regulatory complexity into competitive advantage.

As we move through 2025, regulations from the SECURE 2.0 Act taking effect provide the perfect case study to demonstrate effective compliance management in action. Below is an outline of how our PEO transforms complex regulatory requirements into streamlined client solutions through a practical framework which apply to any regulatory update.

UNDERSTANDING SECURE ACT 2.0: ENCOURAGING EMPLOYEES TO BUILD THEIR FINANCIAL FUTURES

One of the law’s main purposes is to increase employee participation in employer-sponsored retirement plans. For brevity, let’s examine one critical component: the mandatory auto-enrollment requirement for new plans. This provision requires any retirement plan created after December 29, 2022, to automatically enroll new employees at a contribution rate between 3% and 10%, effective January 1, 2025.

That single requirement generates numerous implementation questions. For PEOs supporting clients with standalone 401(k) plans, 403(b) plans, or clients participating in our MEP, this requirement creates both obligations and opportunities. Here’s how we’ve put our regulatory management plan into action.

STEP 1: ESTABLISHING MULTI-CHANNEL INFORMATION NETWORKS

When SECURE Act 2.0 passed in 2022, our leadership took note, but like most regulations, we recognized the timeline between ratification and implementation would be long. The auto enrollment rule’s proposed guidance wasn’t published by the IRS until January 14, 2025 — after the effective date — with the comment period ending March 17, 2025.

Rather than waiting for final guidance or relying on a single information source, we activated our multi-channel approach to gather information:

• Direct monitoring of IRS news releases and regulatory updates
• Active participation in law firm webinars and specialized newsletters
• Engagement with NAPEO regulatory updates
• Weekly consultations with our retirement partners
• Early testing of software platform updates and participation in implementation webinars

Leadership Insight: Each vendor is working in parallel on regulatory changes to update and produce their own solutions for businesses independent of the PEO. By working together with them, you can leverage those partnerships during their process to get customized materials created and assist in beta testing software, which creates stronger relationships with your vendors and better processes for your clients.

This diversified approach ensures we identify subtle interpretations and implementation challenges months before they impact our clients.

STEP 2: BREAKING DOWN DEPARTMENTAL SILOS

Auto-enrollment impacts multiple departments across our organization. Rather than allowing this knowledge to remain siloed, we established biweekly leadership meetings where our leaders share updates with representatives from:

• Implementation Team (for setting up new clients)
• HR Business Partners (who field client questions)
• Payroll Department (for coordination with onboarding)
• HRIS Team (for platform configuration)
• Business Development (for prospect client conversations)

Each department representative determines what information impacts their operations and distributes it to team members accordingly. For example, our business development team now confidently explains to prospects how rolling their existing 401K plan into our MEP won’t trigger the auto-enrollment requirement because it isn’t considered a new plan — a key selling point for our 401K solution that addresses a common concern.

STEP 3: CRAFTING STRATEGIC CLIENT COMMUNICATIONS

With our internal knowledge base established, we developed a tiered communication approach that delivers the right information to the right clients at the right time.

Tier 1: General Awareness (all clients): Brief overview of Secure Act 2.0 changes for 2025, clear guidance on determining if compliance is required, timeline of implementation with key decision points, and introduction to our retirement plan partners.

Tier 2: Preparation Guidelines (clients subject to requirements): Detailed implementation steps with timeline indicators, employee notification templates and communication strategies, and training materials for client administrators.

Tier 3: Implementation Support (clients actively adding the requirement): Direct communication with our TPA, FuturePlan, to verify eligibility and plan language, verification process for plan document changes and approval, step-by-step setup of auto enrollment in PrismHR and Vestwell, weekly quality checks with Vestwell to verify enrollment functionality, payroll system validation to ensure accurate implementation, and direct access to assistance for employees requesting to opt out.

Case Study: One of our new clients, running two schools in the middle of 2024, required a plan update to meet the auto enrollment requirement. They continue to be impressed with our knowledge and expertise while assisting them through a tricky mid-year move of their payroll and retirement plan.They have also praised our foresight as our partner worked with them on their new plan document which included the auto-enrollment for 2025, therefore, eliminating the need for an amendment and providing ample time for employee communications. The system change was completed flawlessly resulting in an informed and happy client.

Each communication tier provides precisely the right amount of information without overwhelming clients. We’ve been particularly careful to exclude our clients with fewer than 10 employees from unnecessary communications, as they’re exempt from these requirements.

STEP 4: BUILDING A DYNAMIC KNOWLEDGE REPOSITORY

We recognize that auto enrollment information will be needed repeatedly as the system evolves and as new clients onboard. We’ve created a dedicated section in our knowledge base with:

• Recorded training webinars for internal staff
• Client-facing FAQs and educational materials
• Step-by-step implementation guides
• Technical documentation for platform integration
• Legal updates and interpretations from counsel
• Case studies of complex situations and solutions

This repository allows our Implementation team to educate new clients consistently, our marketing team to highlight our expertise in content creation, and our service team to quickly access information when client circumstances change, such as when a client adds their 11th employee.

STEP 5: CLEARLY DEFINING SERVICE BOUNDARIES

Perhaps most importantly, we’ve clearly defined what aspects of compliance we handle as the PEO and what remains the client’s responsibility. We don’t typically provide extensive assistance with plans outside our MEP beyond taking deductions, but we do send out general educational materials to those clients. Our standard client service agreement defines our HR support to include guidance and counseling on regulations, not legal advice.

This clarity prevents our well-meaning specialists from inadvertently taking on client risks while still providing excellent service. It also creates transparent expectations that build trust with clients.

RESULTS: TRANSFORMING COMPLEXITY INTO COMPETITIVE ADVANTAGE

By following these best practices, we’ve transformed what could have been a confusing regulatory change into a smooth transition for both our organization and our clients. The results speak for themselves as we have increased our MEP portfolio in the last two years by 21% and 26% respectively, tying our clients tighter into our model. Our business development team now actively uses our retirement plan expertise as a selling point with prospects concerned about maintaining compliance.

LOOKING FORWARD: APPLYING THIS FRAMEWORK TO OTHER 2025 CHANGES

The framework we’ve established for auto enrollment demonstrates our template for addressing other significant 2025 compliance developments, including new state paid family medical leave programs, expanded pay transparency requirements, and evolving minimum wage and overtime regulations.

By applying these same five steps consistently, we’ve positioned our PEO as a true compliance partner for our clients rather than just a service provider, creating a meaningful competitive advantage in the marketplace.

Albert Einstein once said “Strive not to be a success, but rather to be of value.” I believe that we can be successful by providing value to our clients. As the regulatory environment grows increasingly complex, PEOs that excel in compliance management will be those that create order from chaos, transforming what could be administrative burdens into strategic advantages. The most successful PEOs won’t just help clients avoid problems — they’ll use regulatory expertise to help clients thrive in complexity. I’m committed to ensuring our organization leads this evolution, setting new standards for what clients should expect from their PEO partnership.