PEO Compliance: The Complete Risk-and-Compliance Guide for PEO Buyers

PEO compliance breaks into nine domains. Each has distinct buyer-side responsibilities and PEO-side responsibilities under co-employment, defined in the Client Service Agreement (CSA).

1. Payroll tax compliance — FICA, FUTA, federal income tax withholding, state unemployment, and local taxes. With a CPEO, federal employment-tax liability transfers to the CPEO by statute.
2. Shared liability and indemnification — The CSA defines what each party indemnifies the other against. Termination, supervisory conduct, and wrongful-termination claims sit at the contested boundary.
3. Workers' comp and mod-rate exposure — Pool blending mechanics, master policy coverage, OSHA Forms 300/301 recordkeeping, return-to-work programs, and claims management.
4. Misclassification and wage-and-hour risk — Exempt/non-exempt classification, overtime authorization, off-the-clock work, 1099 vs W-2 distinctions, state-specific wage-and-hour overlay.
5. OSHA, safety, and industry compliance — 29 CFR 1926 for construction, 29 CFR 1910 for general industry, EPA Section 608, NFPA 70E, industry-specific licensing.
6. CPEO certification and tax protections — IRC §7705 sole-liability transfer for federal employment taxes, bonding requirements, wage-base continuity.
7. Contract audit and documentation failures — Auto-renewal clauses, termination notice periods, exit fees, data return obligations, audit-trail requirements.
8. Multi-state compliance — State payroll tax registration, paid-leave law tracking, state-specific ACA equivalents, multi-state wage-and-hour patchwork.
9. Federal contractor and union-specific compliance — Davis-Bacon, Service Contract Act, DCAA audits, FAR flow-downs, EEO-1, affirmative-action plans, CBA compliance.

Buyers evaluating PEOs should require evidence — not assurances — that each PEO they consider handles every domain relevant to their industry, headcount, and operational footprint.

The CSA defines the formal allocation, but a useful operational mental model:

The PEO is typically responsible for:

• Federal employment tax compliance (FICA, FUTA, federal income tax withholding deposits and filings) — with a CPEO, this liability fully transfers
• State and local payroll tax filings (varies by state and PEO)
• Workers' compensation policy holding and claims management
• Group benefits plan administration, ERISA fiduciary duties for the master plan, ACA reporting (Forms 1094/1095)
• EPLI policy (when PEO-provides) and employment practices claims handling
• HR compliance functions explicitly listed in the CSA (COBRA, EEO-1, FLSA classification support)

The client (you) typically remains responsible for:

• Hiring and termination decisions and the legal exposure those decisions create
• Supervisory conduct and any harassment or hostile workplace claims arising from supervisor behavior
• Workplace safety, OSHA compliance for the worksite, incident reporting
• Wage-and-hour decisions: exempt/non-exempt classification, overtime authorization
• Compliance with worksite-specific regulations (industry licensing, certifications, prevailing wage)
• Independent contractor classification (the PEO does not absorb misclassification risk on 1099s)

The contested middle zone usually involves cases where supervisory misconduct intersects with HR process — wrongful termination, retaliation, discrimination claims where the client made the decision but the PEO processed the paperwork. Both parties typically get named as defendants; the CSA's indemnification clauses drive cost allocation.

About 100 of the 700+ US PEOs hold CPEO (Certified Professional Employer Organization) status from the IRS under section 7705 of the Internal Revenue Code (enacted under the Small Business Efficiency Act of 2014).

For federal employment-tax purposes:

• Standard PEO: If the PEO fails to remit federal employment taxes, the IRS can pursue the client company for the unpaid taxes. The client remains liable even though the PEO physically held the money.
• CPEO: The CPEO is the sole liable party for federal employment taxes under §7705. If the CPEO fails to remit, the IRS pursues the CPEO — not the client. The client is "held harmless" by statute.

For wage-base continuity at mid-year transitions: standard PEOs reset the FICA wage base when employees move between separate employers, costing the client potentially $200K–$500K depending on workforce size. CPEOs preserve wage-base continuity because they remain the same legal employer regardless of client transitions.

For risk-conscious buyers, CPEO status is rarely worth giving up unless the cost differential is meaningful and the buyer is comfortable with federal-tax exposure. See: CPEO Guide and CPEO vs PEO.

Workers' comp compliance is where PEO selection has the largest dollar impact for high-exposure industries. The core compliance components:

• NCCI class code accuracy — The PEO must classify your workforce correctly. Misclassification (e.g., a roofing worker coded as office clerical) is the most common source of audit findings.
• Experience modification factor handling — Standalone mod rates feed into pricing; PEO pool blending replaces your standalone mod with the PEO's blended pool mod. For high-mod operators (mod 1.20+), see PEO for high-mod-rate employers.
• OSHA recordkeeping — Forms 300, 301, and 300A. The PEO often handles recordkeeping infrastructure; you remain responsible for accurate worksite reporting.
• State-fund relationships — In monopolistic states (Ohio, Washington, Wyoming, North Dakota), workers' comp goes through state funds. PEO operational depth in those states varies.
• Return-to-work programs — Premium-tier PEOs maintain active RTW programs that materially reduce claim reserves; budget-tier providers often skip this.

Multi-state operations multiply compliance load disproportionately. Each new state typically adds:

• State payroll tax registration and ongoing filings
• State-specific paid sick leave laws (varies by state and locality)
• State unemployment insurance rates and bases
• State-specific minimum wage thresholds (often higher than federal)
• State-specific OSHA equivalents (Cal/OSHA, Oregon OSHA, etc.)
• State worker's comp requirements (private vs state fund)
• State ACA-equivalent reporting (California, Massachusetts, etc.)
• Final paycheck rules (timing varies dramatically by state)

PEO operational depth across all 50 states is uneven. ADP TotalSource, Insperity, and TriNet maintain registrations and operational teams in all 50 states. Mid-tier PEOs typically maintain 30–40 states with active filing capability and limited contractor relationships for the rest. Budget PEOs often deflect multi-state complexity back to the client. For multi-state buyers, see PEO for multi-state companies.

Applicable Large Employer (ALE) status — 50+ full-time-equivalent employees — triggers ACA reporting obligations: Forms 1094-C and 1095-C, employer mandate compliance, affordability calculations, and minimum value plan offerings.

Under co-employment with a PEO, the PEO typically:

• Issues 1095-C forms to employees (or aggregates with the client's reporting)
• Manages plan-design changes through the master plan
• Tracks affordability against safe-harbor benchmarks (rate of pay, federal poverty line, W-2)
• Handles plan-level ERISA filings (Form 5500, summary plan description distribution)

The client remains responsible for:

• Worksite headcount tracking and ALE-status determination
• Plan-affordability determinations for employees the PEO doesn't cover
• Coordination of any non-PEO benefit plans (e.g., supplemental coverage)

Misalignment between PEO ACA reporting and client recordkeeping is a common audit finding. Premium-tier PEOs offer dedicated ACA support; budget PEOs often outsource it to third-party administrators with less responsive support.

Compliance also lives in the contract itself. PEO contract audits surface these recurring issues:

• Auto-renewal clauses with 90+ day notice requirements (preventing graceful exit at renewal)
• Rate escalator caps that don't actually cap PEPM increases (only base admin fees)
• Hidden pass-through cost calculations that obscure true year-over-year increases
• Termination fees that aren't pro-rated (paying for the full contract period after exit)
• Data return obligations that don't guarantee timely employee data export
• EPLI policy scope that excludes pre-existing employment practices claims

For a structured audit framework: PEO Contract Risk Audit and our PEO contract negotiation guide.

Federal contractors face a compliance layer most commercial PEOs aren't built for: Davis-Bacon Act prevailing wages, Service Contract Act wage determinations, DCAA audit-ready accounting, FAR flow-down clauses, EEO-1 reporting, and affirmative-action plan obligations under OFCCP. See: PEO for Federal Contractors.

Union employers face a parallel complexity: CBA compliance under co-employment, multi-employer pension plan contributions, grievance handling protocols, union dues administration, and vacation/holiday fund handling. See: PEO for Union Employers.

Premium-tier PEOs maintain dedicated federal-contractor and union-employer practices. Mid-tier PEOs handle them on a case-by-case basis. Budget PEOs typically decline these accounts entirely.

Five questions surface real compliance depth in a PEO sales process:

1. "Show me a redacted ACA filing you've issued for a 100+ EE client this year." Real ACA depth means current-year filings, not pre-2020 examples.
2. "Walk me through the most recent compliance audit findings from one of your clients and how you supported them." If the PEO claims they've never had findings, they're either small or being economical with the truth.
3. "Which states do you maintain active payroll registration in, and which do you defer to a third-party agent?" The answer to the second part exposes operational depth.
4. "What's your protocol when a client receives an OSHA citation at a worksite?" The PEO should have a documented response playbook within 24 hours.
5. "How does your CSA allocate liability for a wrongful-termination claim where a supervisor took the action?" The answer should match the CSA language verbatim, not paraphrase.