Your board just checked off the big compliance boxes. You filed your Form 990. Your state registration is renewed. You're thinking: we're compliant. We're good.
Here's what most nonprofit leaders don't realize: the IRS and your state know about the 990 and registration. But there are a dozen other compliance obligations that nobody told you about when you incorporated — and the ones that cause real problems are the ones nobody talks about.
The good news: these gaps are incredibly common. And they're fixable. You're not running afoul of the law just because you didn't know these existed. But once you know, addressing them becomes your responsibility.
Let me walk you through what you're probably missing.
1. Charitable Solicitation Registration
This is the big one that catches nonprofits off guard.
Before you can legally ask for donations in most U.S. states, you need to register with that state's charitable solicitation regulator — usually the Attorney General's office. Not with the IRS. Not with your state's Secretary of State. With the AG, in a separate process, in each state where you solicit.
Over 40 states require charitable solicitation registration. Some require it only if you're not based in that state. Some have exemptions for small nonprofits or direct mail campaigns. The rules are inconsistent, which is exactly why nonprofits miss this.
What happens if you don't register? You'll start with a cease-and-desist letter. If you keep fundraising anyway, you face fines — sometimes substantial ones. In extreme cases, states have moved to revoke tax-exempt status. More commonly, you have to retroactively register, pay back fees, and explain yourself.
The fix: Determine every state where you've solicited donations (online, direct mail, events, grant proposals). Check each state's AG website for requirements. Register in the states that require it. Most registrations are straightforward — a form, a filing fee ($0 to $100 typically), and annual renewal. Some states ask for your governing documents and financials. Budget a few hours and $500–$1,000 annually if you solicit nationally.
This is one of the most common gaps we find in governance reviews, and it's also one of the easiest to fix. For a deeper dive on this specific obligation, see our complete guide to charitable solicitation registration.
2. State Annual Reports and Periodic Filings
Your nonprofit is incorporated in your state. That means your state's Secretary of State is tracking you. And most states require periodic filings — usually annual or biennial reports — separate from your federal 990.
Miss the deadline, and your corporate status gets administratively dissolved. You're no longer a legal entity. You can still operate, but if something goes wrong — a lawsuit, a contract dispute, a donor challenge — you have no legal standing. It's a disaster.
The worst part: you often don't realize it happened. Most states don't proactively notify you. You find out when you try to open a bank account or register for a grant and the bank says "your corporation doesn't exist."
Check your state's Secretary of State website for your filing obligations. Most require an annual or biennial report with basic information: board members, principal address, agent for service of process. Some states allow online filing. Set a calendar reminder for the deadline and add it to your board calendar.
Cost is usually $0 to $50 per filing. Time is 15 minutes once a year.
3. Employment Compliance
This one applies only if you have employees. But if you do, there are several obligations that small nonprofits frequently overlook.
You need payroll tax filings with the IRS (Form 941, quarterly). You need state payroll tax filings. You need unemployment insurance and likely workers' compensation insurance — both required in most states if you have even one employee. You need to verify employment eligibility (Form I-9) within three days of hire. Many states require labor law postings in your office.
Each of these is separately enforceable. Miss your unemployment insurance renewal and the state Labor Department sends a notice. Miss payroll tax filings and the IRS comes looking. These aren't small compliance gaps — they're regulatory violations with real consequences.
If this is new territory for you, hire a payroll service (ADP, Guidepoint, Rippling). They handle the filings, remittances, and compliance calendar for you. Cost runs $30-$80 per employee per month depending on frequency and complexity. For a first-time hire, it's money well spent.
4. Document Retention Policy
The IRS asks about this on the Form 990. "Does the organization have a written document retention and destruction policy?" Many nonprofits check "yes" and move on.
But do you actually have one?
A document retention policy is a written statement describing what documents your organization creates, stores, and keeps — and for how long. It covers board minutes, financial records, donor correspondence, employment files, contracts. The policy should explain who decides what gets destroyed and when.
Without this policy, you're at risk in an audit. You also have no clear guidance when someone asks "do we still have the 2021 board minutes?" The answer becomes informal and inconsistent.
This is a governance gap that's genuinely easy to fix. A basic policy takes an hour to draft and a board vote to adopt. It doesn't need to be elaborate — just clear and documented.
5. Conflict of Interest Policy Enforcement
Most established nonprofits have a conflict of interest policy. The problem: having one isn't the same as using one.
The IRS expects you to have a written policy, but more importantly, it expects you to enforce it. That means: annual disclosure forms signed by all board members and officers. Documented recusal when conflicts arise. Board review of any transactions with interested parties (like board members' businesses or relatives). Minutes that reflect this discussion.
Many boards have the policy gathering dust in a folder. They don't distribute disclosure forms. They don't document conflicts. If a questionable transaction happens, there's no record of discussion or how the board approved it.
During a compliance review, this becomes a red flag. It suggests governance isn't actually happening — you just have the paperwork.
Enforce it: send conflict of interest disclosure forms to all board members and officers annually. Have them signed and filed. Document any conflicts of interest in board minutes. If a decision involves an interested party, make sure the minutes show that they recused themselves or how the board handled it.
This takes an hour or two per year and sends a powerful message that governance is real at your organization.
6. Board Meeting Minutes
The 990 asks: "Did the organization have general operating policies that address conflicts of interest, document retention, and the process for determining the compensation of the chief executive?" It also asks whether board meetings are documented.
Many small boards meet informally. They discuss decisions over coffee or on Zoom. No one takes minutes. Everything is just... understood.
This is both a compliance problem and a governance problem. Without minutes, there's no record of who decided what, when, or why. If a donor or board member later questions a decision, you have nothing to defend it with. If the IRS asks about a transaction, you can't explain the board's reasoning. If someone sues, you have no documentation of your fiduciary duty.
Minutes don't need to be elaborate. They should note who was present, what was discussed, what decisions were made, and who voted for or against them. They should note any conflicts of interest and how they were handled. They should be approved at the next meeting and stored securely.
Assign someone (often the board secretary) to take minutes. Keep them simple. File them in a central location. Done.
7. Public Disclosure of Your 990
Your Form 990 is a public document. The IRS requires you to make it available to anyone who requests it, free of charge, within 30 days.
Most nonprofits don't know this obligation exists. They file the 990 with the IRS and assume it's private.
The simplest way to satisfy this requirement: upload your 990 to Candid (formerly GuideStar). Candid is free, widely used, and publicly accessible. Your 990 is then available to anyone searching your organization. This satisfies the IRS requirement without extra work on your part.
If you haven't posted your 990 yet, do it this week. It takes 15 minutes and prevents future compliance issues.
8. Lobbying and Political Activity Limitations
501(c)(3) organizations face strict limits on political activity. You cannot endorse or oppose candidates. You cannot contribute to political campaigns. You face limits on lobbying — the rules vary based on whether you've made a 501(h) election, but you cannot have lobbying as a substantial part of your activities.
The boundaries can be blurry, especially around election season. Is an issue forum "lobbying"? Is education about a policy "political activity"? Many nonprofits inadvertently cross the line without realizing it.
Understand the limits. If your work touches policy or elections, consult an attorney to make sure you're compliant. The IRS can impose excise taxes or, in extreme cases, revoke your tax-exempt status.
This one genuinely needs legal guidance if you're in a gray area. Don't guess.
9. Unrelated Business Income Tax (UBIT)
Nonprofits can make money. But if you generate revenue from activities not related to your mission, you may owe Unrelated Business Income Tax (UBIT) on it.
For example: a youth nonprofit that runs a summer camp (mission-related) could also offer after-school childcare on the side (not directly mission-related). That childcare revenue might be subject to UBIT.
The exceptions are many, and the analysis is fact-specific. But many nonprofits don't even think about it. They just assume all their revenue is tax-exempt. Then they get audited and discover they owe back taxes.
If you generate revenue beyond your primary mission, consult a nonprofit tax accountant. They can determine whether UBIT applies and, if it does, file the required Form 990-T.
10. Directors and Officers Insurance
This one isn't legally required in most cases, but it's a serious gap if something goes wrong.
Directors and Officers (D&O) insurance protects your board members and staff from personal liability if the organization is sued. It also covers the organization's legal defense costs. For nonprofits, it typically costs $400–$1,500 annually depending on your budget and risk profile.
Without it, if a director is personally sued, they're defending themselves on their own dime. Even if they win, legal costs can be devastating. With D&O insurance, the insurer covers defense costs and judgments.
Many nonprofits skip this because they think "we're a small nonprofit — who would sue us?" But accidents happen. Employment disputes happen. Donors sometimes sue. Having insurance means your directors can make decisions confidently, knowing they're protected.
Add this to your insurance review alongside general liability coverage.
Governance Review
If you're reading this list and checking off gaps, a Governance Review covers all of these areas and more. You get a comprehensive assessment with a prioritized action plan — so you know exactly what to address and in what order.
How to Close These Gaps
You have three options:
Option 1: Self-audit. Walk through this list yourself. Check off each obligation. Note the ones you haven't addressed. Create a prioritized action plan. This works if you have the time and confidence to research each requirement.
Option 2: Fix specific gaps as they arise. When you identify a gap, address it individually. Our Governance Remediation service covers specific fixes — from charitable solicitation registration to policy creation to employment documentation. We charge à la carte ($150–$500 per item depending on complexity) so you only pay for what you need.
Option 3: Comprehensive assessment. If you want a professional to review all of these at once, our Governance Review service covers nonprofit compliance and governance health end-to-end. We identify gaps, provide a prioritized action plan, and point you to next steps. It's $1,000 and typically takes 2-3 weeks.
If you discover issues that require legal guidance — like lobbying limits, tax status questions, or contract disputes — those go to an attorney. We identify the gaps; a lawyer handles the legal compliance questions.
The compliance obligations that cause real problems aren't the ones everyone knows about. They're the ones nobody told you existed. And they're not a sign that your organization is mismanaged — they're just knowledge gaps that almost every nonprofit encounters.
You're not alone. Most nonprofits have missed several of these. The ones that thrive are the ones that close the gaps intentionally.
If you'd like to review your organization's compliance and governance health, schedule a conversation. Or if you have questions about a specific obligation, we offer advisory calls at $125/hour.
The gaps are fixable. Let's get them fixed.
Frequently Asked Questions
What happens if a nonprofit loses its tax-exempt status?
If the IRS revokes your 501(c)(3) status — usually for failing to file Form 990 for three consecutive years — donations to your organization are no longer tax-deductible, you may owe back taxes on income, and you'll need to reapply for exemption. Reinstatement requires filing all missed returns and paying any penalties. Prevention is far easier than remediation.
How often should a nonprofit review its compliance?
At minimum, annually. Many organizations tie their compliance review to their fiscal year-end or Form 990 preparation. A thorough review covers federal filings, state registrations and renewals, charitable solicitation registrations, employment compliance, governance policy enforcement, and board documentation. Creating a compliance calendar makes this manageable.
What is the penalty for not filing Form 990?
The IRS imposes a penalty of $20 per day for each day the return is late (up to the lesser of $10,000 or 5% of the organization's gross receipts). For organizations with annual gross receipts over $1 million, the penalty increases to $100 per day, up to $50,000. After three consecutive years of non-filing, the IRS automatically revokes tax-exempt status.
Does my nonprofit need a document retention policy?
Yes. The IRS asks about this on the Form 990, and having one is considered a governance best practice. The policy should specify how long different types of documents are kept (financial records, board minutes, employment files, contracts) and how they're eventually destroyed. It protects the organization during audits and legal disputes.
Is D&O insurance required for nonprofits?
It's not legally required in most states, but it's strongly recommended. Directors and Officers insurance protects board members from personal liability in lawsuits — covering legal defense costs and any judgments. It typically costs $400–$1,500 annually and is increasingly expected by funders and board members as a condition of service.
Related Resources
Many of these compliance gaps trace back to governance practices. If your board isn't providing adequate oversight, how to know if your board is functioning properly covers the warning signs. For new board members who want to understand their compliance responsibilities, what every new board member should know covers fiduciary duties and financial oversight. And for the specific requirements around charitable solicitation registration, we have a comprehensive guide with state-by-state details. For state-specific compliance requirements, check your state guide.