When Platform Compliance Becomes Client Risk: What the March I-9 Update Means for People Tech

Great people tech needs powerful compliance infrastructure — and federal guidance issued in March made that case more concrete than it's ever been.

By Symmetry, Apr 2026

On March 16, 2026, U.S. Immigration and Customs Enforcement updated its Form I-9 Inspection fact sheet, reclassifying more than ten categories of common errors from technical violations into substantive ones. Substantive violations carry inflation-adjusted fines of $288 to $2,861 per form and, unlike technical violations, are not eligible for the statutory ten-business-day cure period. The update effectively supersedes key provisions of the 1997 Virtue Memorandum that had governed I-9 enforcement for nearly three decades.

For payroll platforms, HR tech providers, onboarding products, and embedded payroll providers, the implication is bigger than most teams have caught yet. Design choices that used to be a quality difference are now a liability difference, and the liability sits with the client.

Here's what changed, why it matters more for the platforms employers run on than for the employers themselves, and the architectural read every product leader should be making right now.

What changed: three I-9 compliance shifts that matter

The updated guidance introduced three changes that, taken together, raise the compliance bar for any platform touching the hire-to-paycheck workflow.

1. Errors that used to be correctable are now immediate fines.

The technical-versus-substantive distinction has been around for decades. Substantive violations — errors that directly relate to whether an employee is authorized to work — have always carried fines. Technical violations — administrative or clerical mistakes — have always been correctable within ten business days of a Notice of Technical or Procedural Failures (NTPF).

What changed is that more than ten categories of error moved from the technical column to the substantive column. The cure window still exists for what remains classified as technical, but a longer list of common mistakes now bypasses it entirely.

The reclassified items read like a list of issues any modern onboarding platform should already be enforcing at the data layer:

  • Missing date of birth in Section 1
  • Missing date of hire in Section 2
  • Failure to date Section 1 or Section 2
  • Missing employer title in Section 2
  • Missing rehire date in Supplement B
  • Certain preparer/translator certification errors
  • Missing USCIS or Alien Number in Section 1
  • Failure to check the alternative procedure box when remote inspection was used
  • Failure to be an active E-Verify participant when relying on the remote alternative procedure

There's also a meaningful change to a longstanding compliance shortcut: under the prior guidance, an employer who failed to record a List A, B, or C document detail in Section 2 could often cure the omission by referencing a retained document copy. Under the March update, missing or incorrect Section 2 document data is a substantive violation regardless of whether copies were retained.

If a platform allows any of these gaps to slip through, the employer running on it now owns the exposure with no opportunity to fix it after the fact.

2. Electronic system failures are now substantive violations.

This is the part most platforms haven't fully internalized. The guidance is explicit: failures to meet the standards in 8 C.F.R. § 274a.2(e)–(i) — which cover electronic completion, retention, security, reproduction, e-signatures, and audit trails — are treated as substantive violations against the employer.

In practical terms, that means a platform that:

  • Allows backdating or improper post-completion edits
  • Fails to maintain a compliant audit trail of every change
  • Doesn't capture e-signatures that meet federal standards
  • Doesn't track corrections with full traceability
  • Cannot reliably store and reproduce records on inspection

…isn't just feature-limited. Every one of those gaps is a legal violation that lands on the employer.

3. Internal audits are now an expectation, not a best practice.

The guidance presumes employers are continuously monitoring their own compliance. Companies that aren't are presumed exposed.

For platforms, this raises a question worth taking seriously: does your product give clients the visibility to run those audits, or does it abstract compliance away in a way that leaves them blind?

Why I-9 matters more for platforms than for employers

Most coverage of the update is aimed at employers. The harder, more interesting read is what it means for the platforms employers run on.

For most companies, the path to I-9 compliance runs through software they didn't build. Those platforms make architectural decisions on the employer's behalf every day: what fields are required, what corrections get tracked, how signatures are captured, what gets logged, what doesn't.

Until this update, the gap between "good enough" and "fully compliant" was a quality difference. Now it's a liability difference — and the liability sits with the client.

That puts platforms in a new spot. Compliance behavior used to be a feature you could ship in v1 and harden over time. It's now a load-bearing part of every client's legal posture from day one.

The same dynamic shows up across the people tech stack. We've made the same point about local payroll tax and about wage compliance. I-9 is now the third regulatory lever in 18 months that has shifted from "feature you ship" to "infrastructure you depend on."

Compliance included vs. compliance built-on

There's a difference between a platform that includes compliance and a platform built on top of compliance infrastructure. From the outside, both can look the same. Under inspection, they don't behave the same way.

A platform that includes compliance treats it as a workflow: a set of forms, a set of fields, a set of reminders. Compliance is what users do inside the product.

A platform built on compliance infrastructure treats it as enforcement. Required fields are required because the system won't accept the form without them. Audit trails exist because every action is logged at the data layer. Signatures meet federal standards because the signature capture is purpose-built for that regulatory regime. Corrections are tracked because the system can't not track them.

The difference shows up exactly where the new guidance points: in whether the system itself enforces the rules, or whether it relies on users to get them right. The framing the guidance uses — that platform behavior is an extension of employer behavior — only resolves cleanly if the platform is doing the enforcing. Otherwise the platform's flexibility becomes the client's risk.

This is the case for treating compliance as a layer underneath your product, not a checkbox inside it. It's also the architectural choice that lets your team focus on what they actually want to build.

What compliance infrastructure looks like in practice for I-9

The joint guidance on electronic Form I-9 software, published by DOJ and DHS, is unusually specific about what compliant systems do. It's a useful checklist for any platform evaluating its own posture or a vendor's.

A compliant I-9 system:

  • Enforces sequencing — Section 1 before Section 2
  • Surfaces the current Form I-9 version with the full Lists of Acceptable Documents in published order
  • Allows employees to leave optional fields blank where rules permit, without forcing data
  • Supports single-name employees, optional middle initials, and acceptable receipts
  • Captures the full employer certification, including title, name, business name, and physical address
  • Uniquely identifies every user who accesses, corrects, or changes a Form I-9
  • Records every change in a comprehensive audit trail
  • Generates Form I-9 summary files on demand for inspecting agencies
  • Produces compliant electronic signatures for both employees and employers
  • Does not auto-populate Section 1 from external data sources
  • Does not allow administrators to complete or modify Section 1 on the employee's behalf
  • Does not auto-correct, predict text, or post-date entries
  • Supports E-Verify via web services in compliance with the Interface Control Agreement
  • Supports the alternative remote inspection procedure with proper checkbox capture
  • Supports delayed E-Verify case creation when rules require it (pending SSN, certain receipts)

A platform that ships fewer of these isn't just feature-limited. Each missing item is a compliance gap that lands on the client.
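What "enforced at the data layer" can look like for a few of the checklist items and for the electronic-system failures listed under item 2, as an added example (not Symmetry's or WorkBright's code, and not taken from the DOJ/DHS guidance). The class, field names and user ids are hypothetical, and the SHA-256 hash chain is one assumed way to make the audit trail tamper-evident.

```python
import hashlib, json
from datetime import datetime, timezone

# Required fields are reclassified items named on the page; field names are hypothetical.
REQUIRED = {"section1": {"date_of_birth"}, "section2": {"date_of_hire", "employer_title"}}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class I9Record:  # hypothetical data-layer model: the rules live here, not in the UI
    def __init__(self, employee_id):
        self.employee_id = employee_id
        self.sections = {}  # section name -> field values
        self.audit = []     # append-only, hash-chained entries

    def _log(self, user_id, action, detail):
        entry = {"user": user_id, "action": action, "detail": detail,
                 "at": datetime.now(timezone.utc).isoformat(),  # set here, never by caller
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def complete(self, section, user_id, fields):
        if section in self.sections:
            raise ValueError("already completed; changes must go through correct()")
        if section == "section1" and user_id != self.employee_id:
            raise PermissionError("only the employee may complete Section 1")
        if section == "section2" and "section1" not in self.sections:
            raise ValueError("Section 1 must be completed before Section 2")
        missing = sorted(f for f in REQUIRED[section] if not fields.get(f))
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        self.sections[section] = dict(fields)
        self._log(user_id, f"complete:{section}", sorted(fields))

    def correct(self, section, user_id, field, value):
        if section == "section1" and user_id != self.employee_id:
            raise PermissionError("only the employee may change Section 1")
        old = self.sections[section].get(field)
        self.sections[section][field] = value
        self._log(user_id, f"correct:{section}", {"field": field, "old": old, "new": value})

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Because each entry's hash covers the previous entry's hash, editing or deleting any earlier audit entry makes `audit_intact()` return `False`.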

The practical question for compliance product leaders

If you build people tech, the question worth sitting with is this:

If a client of mine received a Notice of Inspection tomorrow, would my platform's design choices help or hurt their defense?

The cleanest answer is the one where the system enforces compliance at the data layer, not the user-discipline layer. Where audit trails exist by default. Where signatures, corrections, and version control are infrastructure-grade, not workflow features.

That's the architecture that lets platforms keep building remarkable products without watching every regulatory shift turn into a roadmap detour. We love building the boring stuff so our clients can build what they love — and the March update is a useful reminder that the line between "boring" and "load-bearing" has moved.

How Symmetry I-9 fits

Symmetry I-9, powered by our partnership with WorkBright, is built explicitly for this architecture. It's an embeddable, API-driven I-9 verification product designed for people tech platforms that need their I-9 capability to behave like infrastructure: enforcing the rules at the system level, capturing the audit trail by default, supporting remote verification with geofenced co-presence metadata, and integrating with E-Verify via the compliant web services path.

For platforms that have built their own I-9 module, or rely on a bundled tool that wasn't designed with 8 C.F.R. § 274a.2 as a first-class requirement, the March update is a good moment to re-examine the architecture. The bar is no longer "compliant on paper." It's "defensible under inspection."

That's a higher bar. It's also the right one — and it's the bar that lets the platforms building the future of work focus on what they do best.

For more on how leading providers are approaching I-9 compliance at scale, see our guide on Automating Form I-9 Verification for HR Tech, Payroll, and Onboarding Providers.


What changed in the March 2026 federal I-9 guidance?

On March 16, 2026, ICE updated its Form I-9 Inspection fact sheet, reclassifying more than ten categories of common errors from technical violations into substantive violations. Substantive violations carry inflation-adjusted fines of $288 to $2,861 per form and are not eligible for the ten-business-day cure period that applies to technical violations. The update also clarified that failures of an electronic I-9 system — including audit trail, e-signature, and retention gaps under 8 C.F.R. § 274a.2 — are treated as substantive employer violations. The change effectively supersedes key provisions of the 1997 Virtue Memorandum that had governed I-9 enforcement for nearly three decades.

Which I-9 errors became substantive violations?

Reclassified items include missing date of birth in Section 1, missing date of hire in Section 2, failure to date either section, missing employer title, missing rehire date in Supplement B, missing USCIS or Alien Number in Section 1, certain preparer/translator certification errors, and failure to check the alternative procedure box when remote inspection was used. The update also eliminated the prior shortcut that allowed retained document copies to cure missing or incorrect Section 2 document data.

Why does this update matter more for payroll and HR tech platforms than for employers?

Most employers handle I-9 through software they didn't build. The new guidance treats failures of that software as employer violations — which means platform design choices now sit directly on the client's compliance posture. A platform that doesn't enforce required fields, capture audit trails, or block backdating is creating substantive violations for every client running on it.

What does a compliant electronic I-9 system actually need to do?

The DOJ/DHS joint guidance lays it out: enforce Section 1-before-Section 2 sequencing, capture compliant e-signatures, maintain a complete audit trail, identify every user uniquely, support correction tracking, generate summary files on demand, support remote alternative procedures, and integrate with E-Verify via the compliant web services path. A full checklist appears earlier in this article.

How does Symmetry I-9 address these requirements?

Symmetry I-9, powered by our partnership with WorkBright, is an embeddable, API-first I-9 product purpose-built for the requirements in 8 C.F.R. § 274a.2. It enforces sequencing and required fields at the data layer, maintains a comprehensive audit trail, captures compliant electronic signatures, supports remote Section 2 verification with geofenced co-presence metadata, and integrates with E-Verify via the compliant web services path. Learn more about Symmetry I-9.
