The Death of Reasonable Care: A Whitepaper on the 2026 Strict Liability Shift
TL;DR for Busy Agency Owners
Don't have 12 minutes? Here's what you need to know:
The Problem (30 seconds)
- 6 April 2026: The law changes. "Strict liability" means if your umbrella doesn't pay their tax, you're liable - even if you did due diligence.
- No defences: Under the current rules, you could argue "we didn't know." That defence disappears.
- HMRC can look back 20 years: For deliberate fraud (which all MUC schemes are), the lookback period is 20 years under Regulation 80.
Your Exposure (30 seconds)
50 workers -> £400K – £1.9M Potential Liability.
500 workers -> £4M – £19M Potential Liability.
3,000 workers -> £24M – £112M Potential Liability.
Based on £16.50-£50/hour rates. Even 1% non-compliance = significant exposure.
What You Must Do (30 seconds)
Industry legal advisors recommend two layers of protection:
- Verify the Organisation: Forensically verify who employs the worker (directors, ownership, locations, supply chain patterns)
- Verify the Taxes: Confirm taxes are calculated correctly, disclosed via RTI, and paid to HMRC
The key insight: Services like SafeRec handle Layer 2 (tax verification). But who forensically verifies the organisations before you send money? That's Layer 1, and that's where Diligens comes in.
Short on time?
Book a 15-minute call. We'll explain exactly how strict liability affects your specific supply chain and what you can do before April 2026.
Book a Call
Executive Summary
For the last two decades, the United Kingdom’s recruitment and temporary labour market has operated under a social and legal contract based on the principle of "Reasonable Care."
This principle held that if a recruitment agency, acting as the "Deemed Employer", performed standard due diligence on its supply chain partners, it would be insulated from the tax liabilities incurred by those partners. If an agency checked VAT certificates, verified directorships, and secured indemnities, they could reasonably argue they were innocent parties in the event of upstream fraud.
This fundamentally changes on 6 April 2026.
With the enactment of the Finance Bill 2026, specifically the introduction of Section 61Y to the Income Tax (Earnings and Pensions) Act 2003 (ITEPA), the Treasury is fundamentally altering the risk profile of the sector. We are transitioning from a fault-based liability model to a Strict Liability model.
This whitepaper provides a forensic analysis of the new legislation. We dissect the specific mechanisms of debt transfer, the retrospective power of Regulation 80, and why the "Gap Analysis" between the Promoter and the Payslip is now the single greatest threat to your agency's solvency.
The Legislative Mechanism (Section 61Y)
To understand the magnitude of the threat, one must look beyond the headlines and into the statute itself. The government’s frustration with the "Whac-A-Mole" nature of Mini-Umbrella Company (MUC) fraud has led to the drafting of powers that are deliberately broad and notoriously difficult to defend against.
The End of "Knowingly Facilitating"
Previously, under the Criminal Finances Act 2017 (CFA), the burden of proof lay heavily on HMRC. To successfully prosecute an agency or transfer debt, they often had to demonstrate that the agency "knowingly facilitated" tax evasion or failed to prevent it. While strict, it left room for a defence: "We didn't know."
Section 61Y removes this defence.
The draft legislation introduces a mandatory transfer of PAYE liability. It does not stipulate that the agency must be complicit in the fraud. It creates a hierarchy of debt recovery that functions as follows:
- The Primary Default: An umbrella company (or "purported" umbrella) fails to account for PAYE/NICs.
- The Trigger Event: The umbrella is dissolved, liquidated, or fails to pay within a specified window (often 30 days).
- The Transfer: The liability moves automatically up the supply chain to the "Relevant Party."
In 90% of supply chain structures, the "Relevant Party" is the recruitment agency that engaged the umbrella.
The Binary Nature of Liability
The text of Section 61Y is binary. It states:
"(2) Each relevant party... is, along with the umbrella company, jointly and severally liable to pay any amount payable, in accordance with the PAYE provisions, by the umbrella company in relation to a qualifying umbrella company payment."
Note the absence of qualifying language. It does not say "Each relevant party who acted negligently." It simply says "Each relevant party."
This is the definition of Strict Liability. In legal terms, the mental state (mens rea) of the agency is irrelevant. You do not need to be guilty of fraud to be liable for the bill. You simply need to be in the chain.
Purported Umbrellas (Section 61Z1)
A common counter-argument from compliance officers is: "We will just stop using Umbrella Companies and only engage with Payroll Bureaus or Fiduciary Platforms."
HMRC has anticipated this semantic evasion. The legislation introduces a catch-all definition under Section 61Z1 known as the "Purported Umbrella Company."
This clause is designed to stop fraudsters from rebranding their schemes to escape the "Umbrella" label. It applies a "Duck Test" to the supply chain:
"(b) it is reasonable to suppose that one or more participants in the arrangements... would assume that the purported umbrella company is the employer of that individual."
"Substance Over Form"
This clause allows HMRC to ignore the contractual label you place on a relationship and look at the commercial reality.
- If you engage a "Fintech Payment Platform" to pay your workers... It is an Umbrella.
- If you engage a "Professional EOR Service"... It is an Umbrella.
- If you engage a "Management Consultancy" that happens to supply 500 nurses... It is an Umbrella.
This is critical because MUC fraud relies heavily on SIC Code misclassification. Thousands of shell companies register under SIC 70229 (Management Consultancy) to avoid scrutiny and abuse the VAT Flat Rate Scheme.
Under Section 61Z1, your contract saying "This is a B2B Consultancy Agreement" is worthless if the commercial reality is the supply of labour. The Strict Liability still applies.
Are you relying on labels?
Diligens ignores the contract label and analyses the raw data. We spot 'Purported Umbrellas' hiding under consultancy SIC codes.
Audit Your Labels
A 20-Year Risk Horizon (Regulation 80)
Perhaps the most terrifying aspect of this legislative shift is not the future liability, but the interaction between the new debt transfer rules and the existing Regulation 80 of the Income Tax (PAYE) Regulations 2003.
When HMRC determines that tax has been underpaid, they issue a formal "Regulation 80 Determination." This establishes the debt. The crucial question for any CFO is: "How far back can they look?"
The answer depends entirely on the behaviour that caused the loss.
The Two Windows of Risk
- Careless Behaviour (6 Years): If the loss was due to a mistake, a clerical error, or negligence, HMRC can look back 6 years.
- Deliberate Behaviour (20 Years): If the loss was brought about deliberately, the limitation period extends to 20 years.
Why MUCs are Always "Deliberate"
This is the trap. Mini-Umbrella Company fraud is not an accident. It is a highly sophisticated, engineered crime involving:
- Contrived Disaggregation: Splitting a workforce to abuse the Employment Allowance.
- Falsified Identities: Using "Mule" directors or hijacked IDs.
- Algorithmic Incorporation: Batch-registering companies.
Because the underlying act is Fraud (Deliberate Behaviour), the 20-year window applies.
The Retrospective Headache: Even though the Strict Liability rules come into force in 2026, they interact with debts established under Regulation 80. If HMRC investigates a supply chain in 2027 and finds a fraud ring that operated in 2023, they can issue a determination for the 2023 debt.
Because the MUC has dissolved, that debt sits homeless. Under the new Joint & Several Liability provisions, HMRC will look for the nearest solvent entity. That is you.
Failures of "Static" Due Diligence
If the law has changed, why hasn't the compliance process?
Most recruitment agencies still rely on what we call Static Due Diligence. This involves collecting a "Pack" of documents at the point of onboarding:
- Certificate of Incorporation.
- VAT Certificate.
- Proof of Bank Account.
- Director ID.
Once these documents are filed, the supplier is marked "Green" (Compliant).
Promoter Paradox
The fatal flaw in this process is that it audits the Brand, not the Taxpayer.
In a typical MUC scheme, the fraudster operates a two-tier structure:
- The Promoter (The Face): A legitimate-looking UK company with a nice website, a sales team, and valid insurance. This is who you sign the contract with. This is who you audit.
- The MUCs (The Engine): A network of 5,000 micro-companies that actually employ the workers. These companies have no assets, offshore directors, and exist for less than 18 months.
The Disconnect: You send your gross funds to the Promoter. The Promoter funnels the cash to the MUCs. The MUCs pay the workers but steal the tax.
When HMRC invokes Section 61Y, they are chasing the PAYE debt of the MUCs. If you only audited the Promoter, you have effectively audited a ghost. You have zero visibility on the entities creating the liability that you are about to inherit.
Elphysic
To understand how the courts will interpret these new rules, we must look at the landmark case of Elphysic Limited & Ors v HMRC.
This Upper Tribunal case serves as the judicial blueprint for the 2026 legislation. The court was asked to rule on a VAT abuse scheme involving "Contrived Disaggregation"—the exact mechanism used in MUC fraud.
The taxpayers argued that the entities were independent and compliant with the letter of the law. The court disagreed, ruling that the structure had no commercial justification other than tax avoidance.
Key Takeaways for 2026:
- Ignorance is Irrelevant: The court did not care whether the participants "knew" the intricate details of the tax law. They looked at the outcome.
- Piercing the Veil: The court was willing to look through the corporate structure to identify the "controlling mind" and the economic reality.
- The "Litter" Concept: The judgement highlighted the statistical impossibility of multiple independent companies sharing identical incorporation dates, addresses, and directors without being part of a coordinated scheme.
Elphysic proves that the judiciary is already aligned with the Treasury's aggressive stance. The "We didn't know" defence was effectively dead on arrival in the courtroom; the Finance Bill 2026 just buries the body.
Strategic Response for CFOs
Given this existential threat, the role of the Agency CFO must evolve from Financial Controller to Forensic Risk Manager.
We recommend a three-pillar strategy to prepare for April 2026.
Pillar 1: The "Look-Through" Clause
Review all commercial contracts with intermediaries. You must mandate a "Look-Through" clause that grants you the right to audit not just the intermediary, but the entire downstream supply chain.
- Action: If a supplier refuses to provide the Company Registration Numbers (CRNs) of the entities paying the workers, terminate the relationship immediately. They are hiding a Section 61Y liability.
Pillar 2: The "Velocity" Check
Static checks are useless against dynamic fraud. You must implement Continuous Monitoring.
- Action: Monitor your supply chain for "Director Flips." If a UK director resigns within 90 days of onboarding and is replaced by an offshore national, this is a prelude to a "Deliberate" default.
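The 90-day "Director Flip" rule above, together with the "Litter" signal from the Elphysic section (companies sharing an incorporation date and address), as an added example that is not part of the original whitepaper or any vendor's product. The record layout, the placeholder CRNs and the "XX" non-UK residence code are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

def co(crn, inc, addr, onboarded, officers):
    return {"crn": crn, "incorporated": inc, "address": addr,
            "onboarded": onboarded, "officers": officers}

# Constructed sample data: placeholder CRNs, names and addresses, not real entities.
# Officer tuple: (name, country of residence, appointed, resigned or None).
COMPANIES = [
    co("CRN-0001", date(2025, 3, 3), "Unit 4, Example Road", date(2025, 6, 1),
       [("Director A", "GB", date(2025, 3, 3), date(2025, 7, 10)),
        ("Director B", "XX", date(2025, 7, 12), None)]),
    co("CRN-0002", date(2024, 1, 15), "12 Sample Street", date(2025, 1, 10),
       [("Director C", "GB", date(2024, 1, 15), date(2025, 8, 1)),
        ("Director D", "XX", date(2025, 8, 2), None)]),   # resignation outside window
    co("CRN-0003", date(2024, 5, 20), "9 Placeholder Lane", date(2025, 2, 1),
       [("Director E", "GB", date(2024, 5, 20), date(2025, 3, 1)),
        ("Director F", "GB", date(2025, 3, 1), None)]),   # UK replacement
    co("CRN-0004", date(2025, 3, 3), "unit 4,  example road", date(2025, 6, 1),
       [("Director G", "GB", date(2025, 3, 3), None)]),
    co("CRN-0005", date(2025, 3, 3), "UNIT 4, EXAMPLE ROAD", date(2025, 6, 1),
       [("Director H", "GB", date(2025, 3, 3), None)]),
]

def director_flip(company, window_days=90):
    """True if a UK director resigned within the window after onboarding
    and a non-UK director was appointed in their place."""
    start = company["onboarded"]
    deadline = start + timedelta(days=window_days)
    for _, residence, _, resigned in company["officers"]:
        if residence != "GB" or resigned is None or not start <= resigned <= deadline:
            continue
        # Assumption: "replaced" = a non-UK appointment dated on/after the resignation.
        if any(r != "GB" and appointed >= resigned
               for _, r, appointed, _ in company["officers"]):
            return True
    return False

def litter_clusters(companies, min_size=3):
    """Group CRNs by (incorporation date, normalised address); keep large groups."""
    groups = defaultdict(list)
    for c in companies:
        key = (c["incorporated"], " ".join(c["address"].lower().split()))
        groups[key].append(c["crn"])
    return [sorted(crns) for crns in groups.values() if len(crns) >= min_size]

def review(companies):
    return {"director_flips": [c["crn"] for c in companies if director_flip(c)],
            "litters": litter_clusters(companies)}
```

Running `review(COMPANIES)` flags only CRN-0001 as a flip and reports CRN-0001, CRN-0004 and CRN-0005 as one cluster; re-running it on each refresh of officer data is what makes the check continuous rather than static.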
Pillar 3: The "Solvency" Reserve
Recognise that despite your best efforts, some liability may crystallise.
- Action: Sophisticated agencies are beginning to hold "Risk Reserves" or seeking specific insurance products to cover JSL. However, insurers will demand evidence of "Forensic Assurance" (not just standard due diligence) before writing this risk.
What Industry Experts Say
The shift to strict liability has been the subject of extensive industry discussion. Legal advisors and compliance specialists have been clear: the old approach is dead.
"Due diligence is imperative, but it's no longer enough. This is strict liability. There's no defence to the liability based on due diligence conducted."
The emphasis has shifted from "checking paperwork" to "verifying reality."
"Sampling is not sufficient anymore — it has to be across every single worker. You cannot create transparency around how much tax should be paid without auditing every single pay slip."
The industry consensus is clear: agencies need two types of protection working together.
The 2-Layer Protection Framework
Layer 2 — Tax verification services (like SafeRec) verify that taxes are calculated correctly and paid to HMRC. They audit the payslips, check RTI submissions, and confirm money reaches the tax authority. This is essential.
Layer 1 — Organisation verification services (like Diligens) verify who is making those payments. We forensically audit the organisations themselves — their directors, their history, their ownership structures, their locations, and their patterns within your supply chain.
Neither service alone provides complete protection under strict liability. If you only verify taxes, you might be paying a network of 500 shell companies. If you only verify entities, you don't know if they're actually paying the tax.
Complete protection requires both layers.
Conclusion
The transition to Strict Liability is not merely a regulatory update; it is a fundamental restructuring of the commercial reality of the recruitment sector.
For twenty years, agencies have outsourced their tax risk to Umbrella companies. From April 2026, that risk is being returned to sender. The "Filing Cabinet" approach to compliance—collecting PDFs and ticking boxes—is no longer a shield. It is a paper tiger.
To survive the Death of Reasonable Care, you do not need more documents. You need data. You need the ability to see through the "Promoter Paradox" and identify the forensic signals of fraud before the liability attaches to your balance sheet.
Diligens is the architecture of that survival.
Get Peace of Mind
Don't wait for 2026. Upload your supply chain for a confidential forensic audit. We identify the Section 61Y risks sitting in your ledger today.
Book Your Forensic Audit