You Signed the Contract. You Own the Risk.
Most CFOs assume their TPA is watching out for the plan. They're not. Not legally.
A TPA performing administrative services for a self-insured plan isn't directly subject to ERISA's fiduciary standards. Their job is to process claims, manage networks, and handle paperwork. Watching out for your plan participants? That's your job.
As the U.S. Department of Labor makes clear, when you take steps to implement plan decisions, you become a fiduciary. The TPA doesn't absorb that exposure. You do.
And in 2025 and 2026, the stakes got a lot bigger.
Is Your TPA a Fiduciary Under ERISA?
Probably not. And that's the issue.
ERISA defines a fiduciary based on function, not title. If someone exercises discretionary authority over plan management or control over plan assets, they're a fiduciary. If they're just following instructions and processing paperwork, they're not.
Most TPAs structure their contracts to stay on the "just following instructions" side. Your Administrative Services Agreement likely says the TPA is acting in an administrative capacity only. No discretion. No fiduciary duty.
But what the contract says and what the TPA actually does can be two very different things.
When Does a TPA Cross the Fiduciary Line?
When they start making decisions, not just executing yours.
The Sixth Circuit's decision in Tiara Yachts, Inc. v. Blue Cross Blue Shield of Michigan (May 2025) drew a hard line. BCBSM was processing claims for a self-funded plan but exercised control over how claims were paid and retained a percentage of overpayment recoveries through its "Shared Savings Program." The court said that's fiduciary behavior, regardless of what the contract called it.
The key quote: "contractual duties and ERISA fiduciary status are not mutually exclusive." A TPA can't hide behind "we're just admins" when they're exercising real control over plan assets.
This creates a circuit split with the First Circuit's 2023 Mass. Laborers' v. BCBS Massachusetts decision, which went the other way. That split may push the issue to the Supreme Court.
For you, the practical question is simple. Is your TPA making benefit determinations? Exercising control over claims payment? Influencing how your plan dollars flow? If the answer is yes, their actual behavior, not the contract language, determines who's exposed.
If your TPA is using automated downcoding software on your claims without human review, that's the kind of discretionary action that blurs the line.
How Big Is the Litigation Risk?
Bigger than most mid-market employers realize.
There were 155 ERISA fiduciary class action lawsuits filed in 2025. A near-record. Twenty-two percent of them, 35 cases, involved health plans, according to Encore Fiduciary. That makes health plans the second-largest target behind retirement plans.
Average settlements exceeded $3 million. Over $1.3 billion has been paid out across 200-plus settlements in the past five years.
You don't have to be a Fortune 500 company to get sued. Plaintiffs are actively pursuing small- and mid-sized plans. One wave of lawsuits in late 2025 targeted employers for broker compensation that ran as high as 39.8% of premiums, roughly four times the industry norm.
The DOL isn't sitting still either. EBSA recovered $1.4 billion for workers and plans in FY 2025, closing 878 civil investigations. Sixty-three percent produced monetary results or corrective action. Their FY 2026 enforcement priorities include service provider oversight, cybersecurity at TPAs, and mental health parity compliance.
If your broker isn't disclosing compensation or your TPA isn't cooperating on audits, you're the one holding the liability. Not them.
What Does the CAA of 2026 Change?
Everything about disclosure. The Consolidated Appropriations Act of 2026, signed February 3, expands ERISA Section 408(b)(2) to cover all group health plan service providers. That means PBMs, TPAs, stop-loss insurers, brokers, and consultants must now disclose all direct and indirect compensation.
The key provisions:
- Full compensation disclosure. Every service provider must disclose what they're being paid, how, and by whom. Contracts entered into, extended, or renewed after February 3, 2026, must comply immediately.
- 100% rebate pass-through. PBMs must pass through all rebates, fees, and alternative discounts. Failure is a prohibited transaction. Your rebate guarantees need to reflect this.
- Audit rights. Plan fiduciaries can annually audit disclosed information. You pick the auditor. No restrictions on scope, location, or time period.
- Penalties. Up to $10,000 per day for PBM disclosure failures.
If a service agreement doesn't meet these requirements, it doesn't qualify as "reasonable" under 408(b)(2). That means the arrangement is automatically a prohibited transaction. Opaque compensation is no longer just bad practice. It's a legal violation.
The DOL also published a proposed rule on January 30, 2026, signaling it may expand these disclosure requirements beyond PBMs to TPAs and health insurers in medical claims administration.
Thirteen states have already passed their own TPA fiduciary laws, including Indiana's SB 3 (effective July 1, 2025), which requires TPAs and PBMs to owe fiduciary duties to plan sponsors. The federal and state walls are closing in from both sides.
The Benefits Blake Compliance Calendar tracks all 72 federal requirements, including the new CAA mandates and their staggered effective dates.
What Should You Look for in Your ASA?
Your Administrative Services Agreement is where this fight gets won or lost. Most ASAs are written to protect the TPA, not the plan. You need to know what yours actually says.
Here's what to examine:
- Fiduciary status. Does the TPA accept fiduciary status for any function? Benefit determinations? Claims appeals? If the document is silent, that silence is your answer. You're holding the bag.
- Compensation disclosure. Under the CAA of 2026, your TPA must disclose all compensation. Does your ASA require it? Is it specific enough to satisfy 408(b)(2)?
- Indemnification. What language runs in the TPA's favor? Does any run in yours? Most ASAs are one-sided here.
- Discretionary authority. What authority does the TPA hold over claims payment, provider network management, or benefit determinations? After Tiara Yachts, discretionary behavior creates fiduciary exposure whether the contract acknowledges it or not.
- Audit rights. Can you audit claims data and fee arrangements? How often? Can you pick the auditor? The CAA now gives you that right by statute, but your ASA should spell it out.
- Claims data ownership. If you can't access your own claims data, you can't fulfill your fiduciary duty to monitor your service providers.
- Cybersecurity standards. The DOL's top FY 2026 enforcement priority is TPA cybersecurity. Does your ASA require your TPA to meet specific data security standards?
A 3(16) fiduciary takes on named responsibility for plan administration. That's different from a TPA relationship. It's a legal commitment, not a service agreement. If you want someone else to own the administrative liability, you need that in writing.
What Should Self-Funded Employers Do Before Renewal?
The legal landscape shifted in 2025 and 2026. Your ASA may not reflect it yet.
- Read your ASA. Not a summary. The actual agreement. Look for where fiduciary responsibility lands and whether your TPA has accepted any of it in writing.
- Demand compensation disclosure. The CAA requires it for contracts renewed after February 3, 2026. If your TPA or broker hasn't provided it, ask why. If your broker is showing red flags, that's a fiduciary problem you own.
- Ask about discretionary authority. After Tiara Yachts, any TPA exercising discretion over your claims is creating fiduciary exposure. Ask your TPA directly whether they'll accept fiduciary status for benefit determinations. If they won't, you need to know that now.
- Run a 5500 audit check. The DOL closed 878 investigations in FY 2025. Know what triggers an audit and make sure your Form 5500 filing is clean.
- Call an ERISA attorney. Have them review your ASA, your PBM contract, and your pharmacy terms before renewal. The cost of a legal review is a fraction of a $3 million settlement.
- Audit your vendor stack. The more vendors touching your plan, the more disclosure obligations and oversight you carry. The Benefits Control System scores your current setup and shows where complexity is creating risk.
The TPA processes your claims. You own your plan. Those are two very different things. And the gap between them is exactly where lawsuits land.