The forthcoming umbrella tax legislation introduces a structural shift in how tax risk is allocated across the labour supply chain, exposing a dangerous misunderstanding taking hold among otherwise diligent firms: what can best be described as the Due-Diligence Illusion - the belief that better checks can neutralise an outcome-based tax liability.
From 06 April 2026, the introduction of joint and several liability (JSL) for PAYE and National Insurance will hard-wire tax risk into labour supply chains in a way that no amount of checking, accreditation, or contractual drafting can neutralise. The problem is that risk sits in places it cannot be audited away.
At the heart of the issue are six structural fault lines.
- Upward Liability Transfer
- Strict Liability Without Defence
- Rolling Exposure Risk
- Cross-Contagion Risk
- Invisible Connections
- Loss of Payment Control
Each of these fault lines represents a point at which due diligence and traditional governance tools fail, not because they are poorly applied, but because they were never designed for outcome-based liability.
Fault Line: Upward Liability Transfer
Under the new rules, tax liability no longer rests primarily with the party that causes the failure. It flows upward, towards the party with the deepest pockets - typically the recruitment agency, and in some cases the end client. If tax does not reach the Exchequer, it can be recovered from whichever party is most able to pay.
Careful supplier selection no longer avoids exposure.
Fault Line: Strict Liability Without Defence
JSL operates on a strict liability basis, with no statutory defence. It does not matter whether checks were performed, audits were passed, or accreditations or certifications were relied upon.
Under JSL, these activities may demonstrate good governance, but they have no legal effect on liability. This is the precise point at which due diligence ceases to function as a risk control and becomes, at best, descriptive.
Fault Line: Rolling Exposure Risk
A significant risk lies in understanding the mechanics of real-time payroll.
Umbrella workers are often paid weekly. PAYE and NICs, however, are typically remitted to HMRC weeks later, on the 22nd of the following month. This creates a permanent rolling window of exposure in which workers have been paid, liability has crystallised, but tax has not yet reached HMRC. At no point does aggregate liability return to zero. JSL exposure exists continuously, in real time, while funds sit outside the firm's or agencies' control. No amount of due diligence can close a liability window that never shuts, because the exposure exists before any review can take place.
If an umbrella fails for any reason, at any point in the cycle, unpaid tax crystallises instantly elsewhere in the chain.
Fault Line: Cross-Contagion Risk
Where multiple agencies use the same umbrella, PAYE/NICs are effectively pooled once held by the umbrella. If one agency defaults or is given credit and fails, the umbrella can collapse. JSL is then triggered, and the non-defaulting agency, still solvent, is pursued and pays the same tax again.
The cross-contagion risk is beyond the agency's control and cannot be mitigated through due diligence. An agency can do everything "right" and still inherit another party's failure. This is the Due-Diligence Illusion at its clearest: compliance without control offers no protection.
Fault Line: Invisible Connections
The legislation introduces the concept of "connected" parties, under which liability can bypass the agency and land directly on the end client if the agency below it is connected to the umbrella.
Connections can occur where there are shadow directors, shared controllers, informal financial dependence, or historic relationships, and can manifest at any time. Connections can occur through the lineal descendants of either company party. This creates a class of risk that is both material and unknowable.
Firms would have to conduct extensive real-time checks and verify those arising from relationships they could not reasonably discover.
It is a due diligence requirement that cannot be satisfied in practice.
Fault Line: Loss of payment control
The final fault line is the kernel of the problem.
When a firm delegates tax payments to an umbrella company, it gives up control over the funds but retains liability.
Due diligence tools can assess behaviour, but they are no substitute for ultimate control. Under JSL, delegating payment creates an unnecessary and entirely avoidable risk.
The "Due-Diligence Illusion"
Due diligence is effective in regimes where demonstrating reasonable care can mitigate liability. Joint and Several Liability is not such a regime. It is outcome-based: the only question is whether tax has been paid. Due diligence is not worthless, but under JSL, it has no bearing on liability and therefore cannot mitigate the risk it is now being asked to manage.
The persistence of the due diligence mindset is understandable. Following consultation, the prevailing expectation across the market was a regime in which agencies could avert risk through mandated due diligence procedures, and significant investment was made on that basis.
Had that route been chosen, audits, accreditations, certifications, and enhanced checks would have been the appropriate and proportionate response.
The Government did not adopt that approach, having concluded that due diligence and accreditation frameworks were insufficient to address systemic non-compliance in the umbrella market. Instead, they decided to place responsibility for PAYE/NICs squarely on agencies.
Joint and Several Liability was subsequently introduced. Whatever its original intent, its practical effect is to increase exposure for agencies and end clients while removing any meaningful defensive role for due diligence.
As a result, parts of the market continue to promote due diligence as the solution, mainly because existing commercial and compliance models depend on it. This reflects a category error: applying a fault-based control mechanism to an outcome-based liability regime.
Where liability is absolute, and no defence exists, rational firms do not seek better evidence; they seek to remove exposure altogether. Under JSL, due diligence may inform decisions, but it cannot neutralise liability. Continuing to treat it as a solution is to mistake the appearance of control for control itself, which is the essence of the Due-Diligence Illusion.