Here’s a scenario that plays out more often than it should. A business owner signs a PEO agreement, hands over a stack of HR paperwork, and walks away feeling like the problem is solved. Six months later, a state leave law compliance issue surfaces. The PEO says it was the client’s responsibility to track. The client assumed the PEO was handling it. Nobody was handling it.
That’s not a vendor failure. That’s a structural misunderstanding of how HR control actually works inside a PEO arrangement.
The phrase “the PEO handles HR” is one of the most misleading framings in this space. HR responsibilities don’t transfer from your business to the PEO like handing off a relay baton. They stack. The PEO takes ownership of certain administrative functions, you retain operational authority over others, and a significant middle zone exists where both parties share responsibility in ways that are often poorly defined in the contract and almost never discussed during the sales process.
That middle zone is where compliance gaps live. It’s where penalties get issued, lawsuits get filed, and business owners discover that the indemnification clause they never read doesn’t cover the situation they’re in.
This guide is about understanding that layered structure clearly: what the PEO actually controls, what you keep, where the boundaries blur, and how to build an intentional framework before you sign anything.
HR Control Doesn’t Transfer — It Stacks
The foundation of every PEO relationship is co-employment. The PEO becomes the employer of record for specific purposes, most notably payroll tax administration and benefits sponsorship. The IRS recognizes certified PEOs under Section 3511 as the employer for federal employment tax purposes. That’s a meaningful designation, but it’s narrower than most business owners realize.
Being the employer of record for tax purposes doesn’t mean the PEO owns all employer responsibilities. It means the PEO owns that specific slice. Everything else gets sorted out through the Client Service Agreement, state law, and the practical realities of who’s actually managing people day to day. Understanding how a PEO works at a structural level is essential before evaluating any control allocation.
Think of it in three distinct control layers:
Administrative control: This is the PEO’s core domain. Payroll processing, tax filings, benefits enrollment, workers’ comp policy management, and regulatory reporting. These are the functions the PEO is built to handle and where their systems and expertise are strongest.
Operational control: This stays with you. Who gets hired, who gets fired, how performance is managed, what schedules look like, how your workplace culture operates. The PEO has no visibility into your day-to-day management decisions and, more importantly, no legal ownership of the consequences that flow from them.
Compliance control: This is where it gets complicated. Depending on the function, the jurisdiction, and what your CSA actually says, compliance responsibility can sit with the PEO, with you, or genuinely with both parties simultaneously. State wage and hour laws, leave management, ADA accommodations, and employment discrimination claims often create joint liability scenarios where the allocation isn’t clean.
Why does this matter financially? Because gaps in the control environment aren’t just operational inconveniences. They produce duplicated work when both parties think the other is handling something. They produce missed deadlines when neither party thinks they own a filing. And they produce unexpected liability when a compliance failure surfaces and the indemnification clause doesn’t apply the way you assumed it would.
The businesses that get burned by PEO arrangements almost always got burned in that third layer. Not because the PEO was incompetent at payroll, but because nobody ever clearly defined who owned compliance in the areas that actually matter.
Mapping the Layers: What the PEO Owns vs. What You Keep
Let’s get specific, because vague descriptions of “shared responsibility” don’t help anyone make decisions.
In a typical PEO arrangement, the PEO takes clear ownership of:
Payroll tax administration: Federal and state employer tax filings, W-2 issuance, and tax deposits. This is the cleanest handoff in the relationship.
Benefits plan administration: Enrollment processing, carrier communications, COBRA administration, and plan compliance for the benefits the PEO sponsors. Note: if you’re using benefits outside the PEO’s plan, that administration stays with you.
Workers’ compensation policy management: The PEO typically holds the master workers’ comp policy and manages claims through their carrier. The coverage structure matters here, and understanding what actually transfers in employer liability coverage is critical before assuming you’re fully protected.
Regulatory filings: EEO-1 reporting, ACA employer mandate filings for applicable large employers, and similar federal compliance filings that attach to the employer of record designation.
You typically retain clear ownership of:
Hiring and termination decisions: The PEO processes the paperwork, but the decision authority and legal exposure for employment actions stays with you. This is one of the most consequential ownership distinctions in the entire arrangement.
Workplace safety enforcement: OSHA treats the worksite employer, meaning you, as the responsible party for workplace safety compliance. The PEO may offer safety resources or training, but OSHA citations go to the entity controlling the worksite.
Employee scheduling and day-to-day management: Operational decisions that affect wage and hour compliance, including overtime eligibility and meal break compliance, sit with you because you’re the one making those decisions.
Then there’s the contested middle ground, and this is where your CSA needs to be read carefully:
Employee handbook enforcement: The PEO may provide a template or require certain policies, but enforcement is operational. If a manager ignores the harassment policy, that’s your exposure, not the PEO’s.
Leave management: FMLA administration is frequently a shared or ambiguous area. The PEO may handle the paperwork and tracking, but the decision to approve or deny leave, and the management of the employee during leave, involves operational judgment that sits with you. State-specific leave laws add another layer of complexity.
ACA compliance: Depending on your headcount and how the PEO structures its reporting, ACA compliance can involve shared obligations that require active coordination between both parties.
When you read your CSA, look for the specific language around indemnification and compliance responsibility. Building a clear PEO legal responsibility matrix can help you map these obligations before ambiguity becomes liability. Push for explicit language that names the responsible party for each high-risk function.
Where the Gaps Create Real Exposure
The control gaps that cause the most damage tend to cluster in predictable places. Understanding them before they surface is the entire point of this exercise.
State-specific leave law compliance is the most common failure point. Federal FMLA has a relatively clear framework. State leave laws, which now exist in a growing number of states and vary significantly in their requirements, often don’t map cleanly onto the PEO’s standard processes. If your PEO isn’t explicitly tracking and administering state-specific leave obligations in every state where you have employees, and your CSA doesn’t clearly assign that responsibility to them, you’re exposed.
Workplace safety violations are another area where businesses discover too late that the PEO arrangement didn’t cover what they thought it did. OSHA’s position is straightforward: the employer controlling the worksite is responsible for maintaining a safe workplace. A PEO’s workers’ comp policy doesn’t change that. If OSHA cites your business for a safety violation, the PEO’s involvement in your payroll doesn’t provide a defense. Understanding the full scope of PEO regulatory enforcement risks helps you anticipate where exposure actually lives.
Employee classification disputes get complicated by the co-employment structure itself. When a worker claims misclassification, whether as an independent contractor or in terms of exempt/non-exempt status, the question of who made the classification decision matters enormously. If you made the decision and the PEO processed it, the exposure is likely yours. If the PEO provided guidance that you relied on, you may have a contribution claim against them, but that’s litigation, not protection.
On the financial exposure side: most PEO indemnification clauses are written to protect the PEO from the consequences of your operational decisions. Read that sentence carefully. If a compliance failure flows from a decision within your operational control, including hiring, termination, scheduling, or workplace management, the PEO’s indemnification typically doesn’t apply. You absorb the penalty, the legal fees, and the settlement.
Multi-state operations compound all of this. Each state can treat the co-employment relationship differently for workers’ comp, unemployment insurance, and employment law purposes. A control allocation that works cleanly in one state may be legally insufficient in another. If you’re expanding into new states, the control matrix you built when you signed the PEO agreement needs to be revisited for every new jurisdiction.
Building an HR Control Matrix Before You Sign
The most practical thing you can do before entering or renewing a PEO agreement is build a control matrix. It doesn’t need to be elaborate. It needs to be explicit.
An HR control matrix is a document that maps every significant HR function to a responsible party: PEO, client, or shared. For shared items, it should include an escalation path, meaning who makes the final call when there’s a conflict or ambiguity. It should also note which functions are governed by specific CSA language and which are operating on informal assumptions.
Building it forces a useful discipline. You’ll quickly identify functions where you’ve been assuming the PEO owns something they don’t, and functions where the PEO has been assuming you’re handling something you haven’t prioritized. Reviewing the financial control considerations alongside your operational matrix ensures nothing falls through the cracks on either side.
During the PEO selection or renewal process, use the control matrix as a negotiation framework. Specifically, push for explicit language on:
Workers’ comp claims management: Who manages the claims process after an injury? Who communicates with the carrier? Who makes return-to-work decisions? These are operational questions with financial consequences.
Employment law compliance in your specific states: Ask the PEO directly which state-specific obligations they take ownership of and get it in writing. Generic statements about “compliance support” aren’t ownership assignments.
Termination procedures: What does the PEO’s role look like in a termination? Do they review the decision? Do they handle the paperwork? Do they provide any legal review? Clarity here reduces wrongful termination exposure.
On the internal side: a PEO doesn’t eliminate the need for internal HR oversight. It changes what that oversight focuses on. Without a PEO, your HR function is doing the administrative work. With a PEO, your HR function should be monitoring the layers: verifying that the PEO is executing their responsibilities correctly, managing the operational control functions you’ve retained, and watching for drift in the shared zones. A practical guide on using a PEO alongside your internal HR department can help you structure that oversight effectively.
If you have a single HR generalist, their job inside a PEO arrangement isn’t data entry. It’s control environment management. That’s a different skill set, and it’s worth making sure whoever fills that role understands the distinction.
When the Layered Model Becomes the Wrong Fit
There are situations where the layered control environment stops being a manageable operational reality and starts being a structural liability.
The warning signs are usually gradual. Repeated compliance surprises, where issues surface that neither party anticipated or owned. Conflicting guidance from PEO account reps versus your internal managers, creating confusion about which direction employees should follow. Employees who aren’t sure who to report HR issues to, which creates both morale problems and legal exposure. Conducting periodic PEO internal audits can surface these misalignments before they escalate into real problems.
Any one of these is a signal that the control environment needs attention. All of them together suggest the model itself may need reconsideration.
Some business situations genuinely don’t fit the PEO layered model well:
Complex regulatory environments: Businesses in heavily regulated industries, or operating under specific federal contractor requirements, may find that the PEO’s standard compliance framework doesn’t accommodate their specific obligations. The control fragmentation creates more risk than the administrative efficiency offloads.
Unionized workforces: Co-employment adds complexity to collective bargaining relationships that most PEOs aren’t structured to navigate. The employer of record designation can create ambiguity about bargaining unit membership and negotiating authority.
Rapid multi-state expansion: If you’re adding states faster than you can update your control matrix and verify the PEO’s coverage in each jurisdiction, you’re accumulating compliance exposure with each new location.
The honest question to ask is this: if managing the control matrix requires as much internal HR infrastructure as operating without a PEO, has the cost-benefit equation shifted? Running a thorough cost accounting comparison of internal HR vs PEO expenses can clarify whether the arrangement still delivers net value. The PEO model makes sense when it genuinely offloads administrative burden and provides compliance infrastructure you couldn’t build cost-effectively on your own. When the overhead of managing the layers consumes that value, it’s worth doing the math on alternatives.
Making the Layers Work for You, Not Against You
A layered control environment isn’t inherently problematic. It’s the operational reality of co-employment, and plenty of businesses manage it well. The ones that do share a common habit: they treat the control matrix as a living document, not a one-time exercise.
A practical quarterly review looks like this:
1. Pull your control matrix and compare it against what’s actually happening operationally. Look for drift, places where responsibilities have informally shifted without updating the agreement or internal processes.
2. Check for any new state or federal compliance requirements that have taken effect since your last review. Assign ownership explicitly for each new obligation.
3. Reconcile any compliance gaps or near-misses from the previous quarter. If something almost fell through the cracks, update the matrix to make ownership explicit before it happens again.
4. Confirm that your internal HR function and your PEO account team are aligned on shared-zone items. Misalignment in shared zones is where most problems originate.
One point worth emphasizing on the comparison side: not all PEOs structure their control layers the same way. Some providers take on broader compliance ownership as part of their service model. Others push more responsibility back to the client and price accordingly. Neither approach is inherently better, but the difference matters enormously for how you structure your internal operations and what you’re actually paying for.
This is one of the most important dimensions to evaluate when comparing PEO providers, and it’s one of the least visible in standard sales presentations. A provider who takes on more compliance ownership may carry a higher price point that’s entirely justified when you factor in the internal overhead you’re not carrying. A provider who prices lower but pushes compliance responsibility back to you may cost more in practice once you account for the internal resources required to manage those layers.
The core takeaway is straightforward: the layered HR control environment is the defining operational reality of working with a PEO. It’s not a flaw in the model. It’s the model. The businesses that get value from it are the ones that understand exactly where each layer sits and actively manage the boundaries. The ones that treat it as a set-and-forget arrangement are the ones who find out the hard way what they actually owned.
The Bottom Line on Ownership
The PEO relationship is a partnership in the truest sense, meaning both parties carry real responsibilities and real exposure. The administrative efficiency is genuine. The compliance infrastructure the PEO provides is valuable. But none of that eliminates your need to understand exactly what you’ve retained, what they’ve taken on, and where the agreement is silent.
Build your control matrix before you select a provider. Use it as a comparison tool during the evaluation process, because how different PEOs structure their service responsibilities is one of the most consequential differences between them. And revisit it quarterly, because operational drift is real and the gaps it creates don’t wait for a convenient time to surface.
If you’re approaching a renewal without having done this analysis, that’s the first thing to fix. Don’t auto-renew. Make an informed, confident decision. PEO Metrics provides side-by-side comparisons of how different providers structure their service responsibilities, pricing, and contract terms, so you can see exactly what you’re buying before you sign.