What Hasn’t Changed in a Changing Regulatory Environment

Despite shifting regulations, litigation trends, and legislative priorities, retirement plan committees can best manage fiduciary risk by maintaining a prudent process, by documenting decisions, and by keeping participants' interests at the center of every action.

For retirement plan committees, the last few years have brought no shortage of change: new legislation, regulatory proposals, court decisions, shifting enforcement priorities, and now a broader push toward deregulation.

Amid all this change, one message stood out during CAPTRUST’s recent fiduciary training webinar: While the regulatory landscape continues to evolve, the fundamentals of fiduciary responsibility remain the same.

As Retirement Learning Center Chief Operating Officer Jennifer Kiffmeyer explained, regardless of whether the issue involves ESG investing, alternative assets, cybersecurity, fiduciary advice regulations, or SECURE 2.0 implementation, plan sponsors should follow the same guiding principle: Maintain a prudent process and document it well.

Enforcement Remains Focused on Fundamentals

Federal priorities may shift, but regulators continue to focus on protecting plan participants and ensuring plans operate prudently.

Recent Department of Labor (DOL) enforcement results have remained relatively consistent, with approximately $1.4 billion returned to plans on behalf of participants in both 2024 and 2025.[1] Despite changing headlines, the agency continues to focus on familiar issues, including fiduciary oversight, late deposits of employee deferrals, excessive fees, and cybersecurity.

The DOL also receives significant input directly from participants. Last year alone, participants submitted more than 220,000 complaints through the agencyโ€™s online portal and telephone hotline. Those complaints can lead to investigations and, in some cases, full-scale audits.

For plan committees, these figures serve as reminders that compliance isnโ€™t just about satisfying regulators. Itโ€™s also about demonstrating a commitment to protecting participantsโ€™ interests.

Process and Documentation Matter

Regulators are generally less concerned with whether every decision turns out perfectly and more about how fiduciaries make those decisions.

When discussing fees, Kiffmeyer emphasized that regulators do not expect fiduciaries to choose the lowest-cost plan. Instead, they expect committees to understand the fees they pay, evaluate the services they receive, and determine whether those fees are reasonable.

As Kiffmeyer said, โ€œProcess is the key word these days. Is there a prudent process in place, and is it documented?โ€

That principle runs throughout todayโ€™s fiduciary landscape. Whether committees evaluate service providers, select investments, consider retirement income solutions, or address cybersecurity risks, regulators consistently look for evidence of a thoughtful, repeatable, and well-documented process.

Regulatory Changes Don’t Eliminate Fiduciary Responsibility

Recent regulatory developments have created uncertainty around fiduciary investment advice rules, ESG investing, and alternative investments. Regulators have withdrawn some rules, stopped enforcing others, and signaled plans to revisit or replace additional guidance in the coming months.

For plan sponsors, however, the core message remains largely unchanged.

As Kiffmeyer noted when discussing alternative investments, there is โ€œno issue in having alternative investments in DC [defined contribution] plans as long as, again, the plan sponsor and committee follow a prudent process in selecting those investments, making sure that they are there to serve the best interest of participants.โ€

That responsibility requires committees to establish clear criteria, define how they will evaluate investments in the planโ€™s investment policy statement. and document decisions in committee meeting notes.

The takeaway is this: changing regulations may influence what committees evaluate, but they do not change how fiduciaries should approach their responsibilities.

Cybersecurity Has Become a Core Governance Issue

Cybersecurity is receiving increased scrutiny. The DOL has identified it as an enforcement priority for 2026 and increasingly requests cybersecurity information during plan audits.

Importantly, regulators are looking beyond technical safeguards. They also want evidence of strong governance. Specifically, the DOL is asking plan sponsors to demonstrate how they evaluate service providersโ€™ cybersecurity practices.

As a result, committees should ask questions, reviewing provider controls, educate participants, and document those efforts. Once again, the focus comes back to the same fiduciary principle: prudent oversight backed by clear documentation.

The Bottom Line

Regulations will continue to change. Enforcement priorities will evolve. New legislation will emerge.

But as CAPTRUSTโ€™s Director of Retirement Plan Consulting Lisa Caito concluded, โ€œThe fundamentals remain the same. Strong governance, thoughtful documentation, and a proactive approach to fiduciary decision-making are your best tools for managing risk and driving better outcomes for participants.โ€

For plan sponsors, that may be the most important takeaway. Regardless of what changes in Washington, a well-documented, participant-focused process remains the foundation of effective fiduciary oversightโ€”and the strongest defense against risk.


[1] EBSA Restores $1.4 Billion to Employee Benefit Plans, Participants, and Beneficiaries | U.S. Department of Labor


Post Topics