Voluntary benefits have long occupied a quieter corner of the regulatory landscape. Compared to group health plans, they've faced relatively limited federal scrutiny, a dynamic that's starting to shift.
The Employee Benefits Security Administration (EBSA), the enforcement arm of the Department of Labor responsible for ERISA oversight, has updated its enforcement priorities for FY 2026 in ways that should get the attention of employers, brokers, and benefits administrators alike. According to NFP's January 2026 compliance update and analysis from Groom Law Group, as well as a subsequent NFP webinar on the topic, four areas are now squarely in EBSA's crosshairs: cybersecurity and data protection, mental health and substance use disorder benefits, surprise billing, and criminal misuse of employee contributions. Layered on top of those project-level priorities, EBSA also issued Field Assistance Bulletin 2026-01 in April 2026, which sets out broader enforcement principles, including a pointed focus on targeting individuals and entities acting in bad faith.
None of these are abstract concerns. Each one has direct implications for how group benefits are structured, administered, and overseen, including who bears responsibility when things go wrong.
Why Group Benefits Are Drawing More Attention
It's worth pausing on the "why" before diving into the specifics. Voluntary benefits, including supplemental coverages like critical illness, accident, hospital indemnity, disability, and life insurance, have grown significantly in prevalence over the past decade. Employers have leaned on them to round out total rewards packages without adding significant cost. Employees have embraced them as a way to address coverage gaps.
But growth brings scrutiny. As voluntary programs have expanded in scope and complexity, regulators have begun paying closer attention to how they're administered, how participant data is handled, and whether the parties involved are acting in the best interests of the people they serve. The 2026 enforcement priorities reflect that evolution, and EBSA, despite having roughly one investigator for every 17,500 plans nationwide, has proven adept at generating broad impact from targeted enforcement activity.
Cybersecurity and Data Protection: Participant Data Is a Compliance Asset
EBSA's focus on cybersecurity has steadily expanded over the past several years, and the 2026 priorities make clear that scrutiny is intensifying. The cybersecurity enforcement project aims to promote best practices for plans and service providers when it comes to protecting sensitive participant information, and investigators will be reviewing how plans and their vendors safeguard systems and data from cyber threats.
For group benefits, this matters in concrete ways. Enrollment platforms, eligibility systems, and carrier integrations all touch sensitive personal information: names, Social Security numbers, health status, dependent data, and financial details. If any link in that chain lacks appropriate safeguards, including access controls, encryption, audit logs, and incident response protocols, the plan sponsor is potentially exposed.
The practical implication for employers: understand how your benefits administrator and carriers handle participant data. Ask whether their systems produce timestamped audit trails. Ask about their incident response procedures. Ask whether they've undergone independent security assessments. "We use a third-party platform" is not a sufficient answer; plan sponsors retain oversight responsibility.
For brokers advising clients on group benefit programs, this is also an opportunity to differentiate. Recommending administrators whose technology infrastructure is built around data integrity and security isn't just good practice; it's the kind of guidance that holds up under scrutiny.
Mental Health and Substance Use Disorder Benefits: The Compliance Gap That Won't Close
Mental health parity has been federal law since 2008, reinforced significantly by the Consolidated Appropriations Act of 2021, and EBSA has made clear it intends to keep pushing on compliance. The 2026 priorities continue that trajectory, with a specific focus on ensuring plans and service providers are removing barriers to mental health and substance use disorder (MH/SUD) care, including unjustified treatment exclusions, inaccurate provider directories, unreasonable limits on care, and burdensome claims processes.
One important recent development adds nuance here. The 2024 MHPAEA regulations issued under the prior administration have been paused pending ongoing litigation, and the agencies have since indicated they will not defend those regulations in court. New regulations are expected by the end of 2026. However, the comparative analysis requirement remains fully in effect as a statutory obligation. Plans are still required to have a documented comparative analysis available for each nonquantitative treatment limitation (NQTL) that applies to MH/SUD benefits. That document can be requested by federal or state regulators, or by plan participants themselves, and it cannot be produced on short notice the first time someone asks for it.
The compliance angle here is technically demanding regardless of where the regulatory dust settles. The comparative analysis must demonstrate not just that NQTLs exist in parallel for medical and mental health benefits, but that they are designed and applied in a comparable way. Many employers have not completed this work, or have done so once without revisiting it as plan designs evolve. EBSA's continued focus means that gap is increasingly difficult to ignore.
Brokers and HR leaders should be asking: Has our plan completed an NQTL comparative analysis? Is it current? Does our network composition hold up to scrutiny? If those questions produce uncertainty, now is the time to address them, not when an EBSA investigator asks.
Surprise Billing: No Surprises Act Enforcement Moves to Center Stage
Surprise billing is a key addition to EBSA's 2026 enforcement project list, and it signals that the DOL views No Surprises Act (NSA) compliance as an ongoing obligation, not a one-time implementation exercise. The NSA protects participants from unexpected out-of-network medical bills for certain services, including emergency care and nonemergency services provided by out-of-network providers at in-network facilities. For those protected services, participant cost-sharing is capped at in-network levels.
According to NFP's webinar, one area EBSA intends to examine closely is whether plans are correctly applying the "prudent layperson standard" when identifying covered emergency services. Under this standard, the determination of whether a condition qualifies as an emergency is made from the perspective of a reasonable person with average medical knowledge, not a clinician reviewing a final diagnosis code. This matters practically: a participant who presents to an emergency room with chest pain that turns out to be non-cardiac may still be entitled to NSA protections based on how the situation appeared at the time.
EBSA's enforcement focus here also operates at two levels. Plan sponsors are expected to ensure that required surprise billing notices are posted on publicly accessible websites, and that participants are assessed in-network cost-sharing for NSA-protected services. More broadly, EBSA has indicated it may use individual plan investigations as a gateway to reviewing how TPAs are processing NSA-protected claims across multiple clients, meaning a compliance gap at the administrator level could have consequences well beyond a single plan.
For employers, this is a prompt to verify that their TPAs are adjudicating NSA-protected claims correctly, and that participant-facing notices are current and accessible. For brokers, it's a reminder that No Surprises Act compliance is not solely a carrier or TPA responsibility; oversight sits with the plan sponsor.
Bad Faith and Criminal Misuse of Contributions: Two Tracks, One Message
The final enforcement priority operates on two related tracks, and together they send the clearest signal of where EBSA's conduct-based enforcement is headed.
The first is EBSA's Contributory Plans Criminal Project. As Groom Law Group notes, EBSA has sharpened its focus on egregious misconduct involving contributory benefit plans, including embezzlement and fraud. In practice, this means employers who divert employee payroll contributions (funds withheld from employee paychecks for premiums or benefits) for personal use or to cover business expenses instead of forwarding them to the carrier or TPA. Under ERISA, participant contributions are plan assets the moment they are withheld. Using them for any other purpose isn't a paperwork violation; it's a criminal matter.
The second track is set out in Field Assistance Bulletin 2026-01, issued by EBSA in April 2026. The FAB establishes broader enforcement principles, with the highest civil enforcement priority placed on what EBSA describes as breaches of the duty of loyalty. That means targeting individuals and entities who, acting in bad faith, improperly administer plan benefits or misappropriate plan assets, including conduct designed to enrich themselves or pursue goals unrelated to participants' best interests. The FAB also signals that EBSA will not pursue cases that merely second-guess good-faith fiduciary judgment calls, but will apply heightened focus where direct evidence of disloyalty or self-dealing exists.
Taken together, these two tracks broaden the lens beyond plan sponsors. Administrators, brokers, and service providers who touch plan assets or participant benefits can find themselves in scope if their conduct raises loyalty questions.
The best protection here is what it's always been: clean administration, transparent processes, and a paper trail that demonstrates decisions were made in participants' interests.
What Employers and Brokers Should Be Doing Now
The 2026 enforcement priorities aren't cause for alarm; they're cause for preparation. For most well-administered group benefit programs, the fundamentals already align with what EBSA is looking for. But "fundamentally sound" and "audit-ready" aren't always the same thing.
A few practical starting points: Review how participant data flows through your enrollment and eligibility systems, and confirm that your administrator can demonstrate appropriate safeguards. If you haven't completed a mental health parity comparative analysis, put it on the compliance calendar and revisit it any time your plan design changes. Verify that your TPA is correctly processing No Surprises Act claims and that required participant notices are posted and current. And take a clear-eyed look at how employee contributions are handled; the timing and accuracy of those remittances matter under ERISA.
At PPI Benefit Solutions, compliance infrastructure is part of how we're built, not a feature we bolt on. Our rules-based eligibility platform produces a timestamped audit trail on every transaction. We support annual Form 5500 filings for coverages we administer. And we keep brokers and employers informed through regular federal and state regulatory updates, so you're not learning about shifts like these after the fact.
Regulatory scrutiny of group benefits is growing. The employers and brokers best positioned to navigate it are the ones who treat compliance not as a checkbox, but as an ongoing discipline.