When you partner with a PEO, record retention becomes a shared responsibility—and that’s where things get complicated. Your PEO handles payroll, benefits administration, and compliance documentation, but you’re still on the hook if records go missing during an audit or lawsuit. The legal requirements aren’t suggestions; they’re mandates from the IRS, DOL, EEOC, OSHA, and state agencies, each with different retention periods and specific documentation standards.
Getting this wrong can mean fines, failed audits, or losing a wrongful termination case because you can’t produce the right paperwork. This guide breaks down the specific legal requirements you need to understand when working with a PEO, what your PEO should be handling versus what stays with you, and how to build a retention system that actually protects your business.
We’re not covering general HR filing tips here. This is specifically about the legal mandates that govern record retention in a co-employment relationship.
1. Federal Payroll and Tax Record Requirements (IRS Rules)
The Legal Mandate
The IRS requires 4-year retention for all employment tax records under Publication 15 (Circular E). This isn’t a guideline—it’s the minimum period you must keep payroll tax documentation available for audit. The clock starts from the date the tax becomes due or is paid, whichever is later.
In a PEO relationship, your provider typically files employment taxes under their EIN, but you remain jointly and severally liable if something goes wrong. That means if the IRS comes knocking, you need to be able to produce documentation even if your PEO relationship ended years ago. Understanding IRS certified PEO requirements and protections can help clarify your liability exposure.
What Must Be Retained
The specific documents covered under this requirement include W-4 forms showing withholding elections, payroll registers with gross wages and deductions, quarterly 941 filings, annual W-2 and W-3 forms, and records of any tax deposits made. You also need documentation of fringe benefits, tips reported by employees, and any adjustments or corrections filed.
Your PEO should maintain these records as part of their service, but the co-employment structure means you’re not off the hook if they fail to do so properly.
Implementation Steps
1. Request quarterly copies of all payroll tax filings your PEO submits on your behalf, including 941s and state equivalents.
2. Maintain your own archive of W-4 forms for all employees, even though your PEO processes them for withholding purposes.
3. Keep year-end documentation (W-2s, W-3s, and reconciliation reports) in a separate permanent file that survives any PEO relationship changes.
4. Document the date each tax payment was made or became due to establish the correct 4-year retention start date.
Pro Tips
Many PEOs will provide access to historical payroll data through their portal, but that access typically ends when your contract does. If you switch providers or bring payroll in-house, you may lose portal access entirely. Request downloadable copies of all tax records quarterly rather than waiting until you need them. Also, be aware that some states require longer retention periods than the federal 4-year minimum—California requires 4 years, but Texas requires 4 years for most records and 7 years for certain unemployment tax documentation.
2. FLSA Wage and Hour Documentation (DOL Mandates)
The Legal Mandate
The Department of Labor requires 3-year retention for payroll records under 29 CFR 516, with 2-year retention for supplementary records like time cards, schedules, and wage computation documentation. These requirements apply regardless of whether you use a PEO, and they’re frequently the focus of DOL audits following wage and hour complaints.
The distinction between 3-year and 2-year retention matters. Basic payroll records showing what you paid employees must be kept longer than the supporting documentation showing how you calculated those amounts. But in practice, you need both to defend against FLSA claims.
What Must Be Retained
Three-year records include employee names and Social Security numbers, addresses, birth dates for workers under 19, sex and occupation, time and day when workweek begins, hours worked each day and week, total daily or weekly straight-time earnings, regular hourly rate, total overtime earnings, additions or deductions from wages, total wages paid each period, and payment dates.
Two-year records include time cards, piecework tickets, wage rate tables, work schedules, and records showing additions to or deductions from wages. If you classify workers as exempt from overtime, you need documentation supporting that classification for the full retention period.
Implementation Steps
1. Confirm your PEO’s timekeeping system preserves records for the full 3-year period, including after employees terminate.
2. Maintain independent documentation of exempt employee classifications, including job descriptions and salary basis tests, separate from your PEO’s records.
3. Keep copies of any policy changes affecting overtime calculation, meal period practices, or rounding rules—these become critical if you face a class action claim.
4. Archive records showing how you communicated wage rates and overtime policies to employees, as these support your good faith defense in FLSA cases.
Pro Tips
FLSA claims have a 2-year statute of limitations for unintentional violations and 3 years for willful violations. That’s why the DOL requires 3-year retention—so records exist for the full potential claims period. If you’re ever unsure whether an employee was properly classified as exempt, keep those records longer than the minimum. Misclassification cases often surface years after the employment relationship ends, and the burden of proof is on you to show the exemption was legitimate. Knowing how to reconcile PEO payroll with your accounting records helps ensure your documentation stays accurate.
3. EEOC and Anti-Discrimination Record Requirements
The Legal Mandate
Under 29 CFR 1602, employers must retain personnel records for at least 1 year from the date of the record’s creation or the personnel action involved, whichever is later. This includes hiring records, promotion decisions, demotions, transfers, layoffs, terminations, and compensation changes. For employers with 15 or more employees, this requirement is absolute.
But here’s the trap: if an employee files a discrimination charge with the EEOC, you must preserve all relevant records until the case is resolved—even if that takes years. The 1-year minimum becomes indefinite retention the moment a charge is filed.
What Must Be Retained
The requirement covers applications and resumes (even for positions not filled), interview notes and evaluation forms, job postings and descriptions, promotion and transfer records, performance evaluations, disciplinary documentation, compensation decisions and salary history, benefit enrollment records, and termination documentation including exit interviews.
In a PEO relationship, some of these records live with your provider (payroll and benefits data), while others typically remain with you (interview notes, performance reviews, disciplinary files). That split creates risk during EEOC investigations if you can’t quickly produce a complete picture of the employment relationship. Understanding your legal obligations as a PEO client helps you track what stays with you.
Implementation Steps
1. Create a litigation hold process that triggers when any employee files an EEOC charge, immediately preserving all records related to that employee and similarly situated workers.
2. Maintain your own personnel files separate from your PEO’s records, especially for documentation related to hiring decisions, performance management, and termination reasoning.
3. Keep applicant flow data and hiring records for at least 1 year even for positions you didn’t fill—these become critical if you face a pattern-or-practice discrimination claim.
4. Document the business justification for any adverse employment action at the time it occurs, not retroactively when a charge is filed.
Pro Tips
EEOC charges can be filed up to 300 days after an alleged discriminatory act in states with their own fair employment agencies, or 180 days in states without. That means your 1-year retention requirement needs to account for the delayed filing period. Also, if you’re subject to affirmative action requirements as a federal contractor, you have additional recordkeeping obligations under OFCCP regulations—2 years for most personnel records and 3 years for compensation data. Your PEO won’t typically handle OFCCP compliance, so those records are entirely your responsibility.
4. ERISA and Benefits Plan Documentation
The Legal Mandate
ERISA Section 107 requires 6-year retention for plan documents, summary plan descriptions, annual reports (Form 5500), and supporting financial records. For participant-specific records—enrollment forms, beneficiary designations, claims, and distribution documentation—the 6-year period runs from the date the participant’s benefits cease, not from the plan year.
This gets complicated with PEOs because you’re typically enrolled in your PEO’s master health plan rather than sponsoring your own. That structure shifts some ERISA responsibilities to the PEO as plan sponsor, but it doesn’t eliminate your obligations entirely.
What Must Be Retained
Required documentation includes the full plan document and all amendments, summary plan descriptions and summaries of material modifications, Form 5500 filings with all schedules and attachments, trust agreements and insurance contracts, participant enrollment and beneficiary designation forms, claims and appeals documentation, COBRA notices and election forms, and HIPAA privacy notices and authorizations.
If you offer a 401(k) through your PEO, you also need participant loan documentation, hardship withdrawal records, and distribution forms retained for 6 years after the participant’s account is fully distributed. Proper tracking and accounting for benefits expenses under your PEO arrangement supports this documentation requirement.
Implementation Steps
1. Request annual copies of the master plan documents your employees are enrolled in through your PEO, along with the Form 5500 filings that cover your participating group.
2. Maintain your own file of all employee enrollment elections, beneficiary designations, and COBRA documentation—your PEO may have copies, but these are critical for defending benefits claims.
3. Keep a separate archive of HIPAA authorizations and privacy notices, as these have specific retention requirements that intersect with ERISA.
4. Document any benefits communications you provide to employees beyond what the PEO distributes, as these can create enforceable plan terms even if they’re not in the formal plan document.
Pro Tips
ERISA litigation often surfaces years after employment ends, particularly for disability claims or retirement benefit disputes. The 6-year retention requirement is a minimum—many attorneys recommend indefinite retention for plan documents and participant records involving ongoing benefits. Also, if you ever switch PEOs or bring benefits administration in-house, you need complete participant records to ensure continuity. Losing enrollment data during a transition can create gaps in coverage that expose you to liability. Request a full data export before you terminate any PEO relationship.
5. OSHA Safety and Workers’ Comp Records
The Legal Mandate
OSHA requires 5-year retention for injury and illness logs (Form 300, 300A, and 301) under 29 CFR 1904.33. But for employee exposure records and medical surveillance documentation, the retention period jumps to 30 years under 29 CFR 1910.1020. That’s not a typo—three decades of retention for certain safety and health records.
Workers’ compensation claim documentation has state-varying requirements, but most states require retention for the life of the claim plus several years. Since some occupational injuries and illnesses have long latency periods, that can mean indefinite retention in practice.
What Must Be Retained
Five-year records include OSHA 300 logs of work-related injuries and illnesses, annual summaries (300A forms), and incident reports (301 forms). You must also keep records of any OSHA inspections, citations, and abatement documentation for 5 years from the citation date.
Thirty-year records include employee exposure records for toxic substances or harmful physical agents, medical surveillance records and test results, material safety data sheets (now Safety Data Sheets under GHS), and industrial hygiene monitoring results. Workers’ comp records that must be retained include first reports of injury, claim forms, medical documentation, return-to-work records, and settlement agreements. Understanding how to track and verify workers’ comp accounting through your PEO helps maintain accurate records.
Implementation Steps
1. Clarify with your PEO whether they maintain OSHA logs on your behalf or if you’re responsible for recordkeeping—this varies by PEO contract structure.
2. Maintain your own copies of all workplace injury reports and workers’ comp claims, even if your PEO handles the claims administration.
3. Create a separate long-term archive for any exposure monitoring or medical surveillance records, as these have the 30-year retention requirement that outlasts most PEO relationships.
4. Document your safety training programs and keep attendance records, as these become relevant in OSHA citation defense and workers’ comp litigation.
Pro Tips
The 30-year retention requirement for exposure records applies even if you don’t think your employees are exposed to hazardous substances. OSHA’s definition of “exposure” is broad and includes noise, ergonomic stressors, and biological agents. If you’re ever unsure, retain the records. Also, if an employee requests access to their exposure or medical records, you must provide them within 15 days—so you need to know where these records are and be able to retrieve them quickly. That’s difficult if they’re buried in your former PEO’s archives.
6. I-9 Employment Eligibility Verification
The Legal Mandate
Under 8 CFR 274a.2, employers must retain I-9 forms for 3 years from the date of hire or 1 year after termination, whichever is later. This creates a sliding retention window that varies by employee tenure. Someone who works for you for 5 years requires I-9 retention for 6 years total (5 years employed plus 1 year after termination), while someone who works for 6 months requires 3 years of retention (3 years from hire).
I-9 compliance is a frequent audit target for Immigration and Customs Enforcement (ICE), and the penalties for missing or improperly completed forms are substantial. In a PEO relationship, the question of who maintains I-9s and who’s liable for compliance violations isn’t always clear.
What Must Be Retained
You must keep the completed I-9 form (all three sections), copies of the documents the employee presented to establish identity and work authorization, and any receipts for documents in transit. If you use E-Verify, you must also retain the E-Verify case results and any tentative nonconfirmation documentation.
The I-9 must be retained in its original form—electronic storage is permitted, but only if the system prevents unauthorized alterations and can produce legible copies for inspection. Many PEO platforms offer I-9 management, but you need to verify their system meets federal electronic storage requirements. Reviewing PEO audit trail requirements helps ensure your provider tracks documentation properly.
Implementation Steps
1. Determine whether your PEO contract makes them responsible for I-9 completion and storage, or if you retain that obligation—this varies significantly by provider.
2. If your PEO handles I-9s, request quarterly audits of their system to ensure forms are being completed correctly and retained for the proper periods.
3. Maintain a separate backup of all I-9 documentation outside your PEO’s system, particularly if you have high turnover or operate in industries with frequent ICE audits.
4. Calculate the retention deadline for each employee at the time of hire and termination, and set calendar reminders to purge expired I-9s—retaining forms beyond the required period creates unnecessary exposure in audits.
Pro Tips
ICE audits typically request I-9s for all current employees plus any terminated employees still within the retention window. If you can’t produce a form, the penalty is the same whether it never existed or you just can’t find it. That’s why independent backup copies matter, especially if you’ve switched PEOs or brought HR in-house. Also, if you discover errors on historical I-9 forms, you can correct them—but only if they’re still within the retention period. Once you’ve purged a form, you can’t recreate it, even if you later realize it was incomplete.
7. State-Specific Requirements That Override Federal Minimums
The Legal Mandate
When state and federal record retention requirements conflict, you must follow whichever is more stringent. That typically means longer retention periods, broader categories of covered records, or more specific documentation requirements. For multi-state employers, you need to track the strictest applicable requirement across all locations where you have employees.
California, for example, requires 4-year retention for wage statements and personnel records under Labor Code Section 226. New York requires 6-year retention for payroll records. Illinois requires 5-year retention for sexual harassment training documentation. These state-specific requirements don’t replace federal mandates—they layer on top of them.
What Must Be Retained
State requirements vary widely, but common areas where state law exceeds federal minimums include payroll and wage records (California requires 4 years vs. 3 years federal), personnel files and performance reviews (some states require 5+ years), workplace safety and training records (varies by state and industry), unemployment insurance records (often 7+ years), and state-specific notices and postings documentation.
Some states also have unique requirements that don’t exist at the federal level. Massachusetts requires 3-year retention for job advertisements and postings. Colorado requires retention of all employment-related communications, including emails and text messages, for the duration of employment plus 2 years. If you operate across multiple states, a PEO specializing in multi-state compliance can help navigate these variations.
Implementation Steps
1. Create a matrix of retention requirements for every state where you have employees, identifying which state has the longest requirement for each record category.
2. Apply the longest state requirement to all employees across all locations to simplify compliance—don’t try to maintain different retention schedules by state unless you have sophisticated document management systems.
3. Review state requirements annually, as legislatures frequently extend retention periods or add new categories of required documentation.
4. Ensure your PEO’s record retention policy meets the requirements of your strictest state—many PEOs apply a single national standard that may not cover state-specific extensions.
Pro Tips
Remote work has complicated state-specific compliance significantly. If you have employees working remotely in states where you don’t have a physical presence, you may be subject to those states’ record retention requirements even though you don’t consider yourself to have operations there. This is particularly tricky with PEOs, since the co-employment structure can create nexus in states you wouldn’t otherwise be connected to. Also, some states impose retention requirements as part of specific employment laws—California’s Private Attorneys General Act (PAGA), for example, effectively requires indefinite retention of wage and hour records for any period that could be subject to a claim.
Putting It All Together
Record retention in a PEO relationship isn’t about trusting your provider to handle everything. It’s about understanding exactly what they’re required to keep, what you need independent copies of, and how you’ll access records if you ever leave the relationship.
Start by requesting your PEO’s written record retention policy and comparing it against the federal and state requirements outlined here. Look for gaps. If your PEO only retains payroll records for 3 years but you operate in California, you have a 4-year exposure. If they purge I-9s immediately after the retention period expires but you face ICE audits, you need backup copies.
Negotiate contract language that guarantees record access and specifies data portability terms. What format will you receive records in if you terminate the relationship? How long after termination can you request historical data? What’s the fee structure for records requests? These questions matter most when you’re in the middle of an audit or lawsuit and discover your former PEO has purged records you still needed.
Build your own shadow archive of critical documents. You don’t need to duplicate everything your PEO maintains, but you should have independent copies of anything you’d need for litigation defense or regulatory audits. That includes termination documentation, discrimination complaints, workplace injury reports, benefit plan documents, and I-9s. The goal isn’t redundancy for its own sake—it’s ensuring that no matter what happens with your PEO relationship, you can produce the documentation that protects your business.
Before you sign that PEO renewal, make sure you’re not leaving money on the table. Many businesses unknowingly overpay because of bundled fees, hidden administrative markups, and contracts designed to limit flexibility. We give you a clear, side-by-side breakdown of pricing, services, and contract terms, so you can see exactly what you’re paying for and choose the option that truly fits your business. Don’t auto-renew. Make an informed, confident decision.
