There is a sentence that should be on every CFO's desk this week: there is no safe harbour.
From 6 April 2026, Joint and Several Liability (JSL) rules will fundamentally change how tax liabilities flow through contractor supply chains. If an umbrella company fails to pay the correct PAYE or National Insurance, HMRC can recover those amounts from relevant parties in the labour supply chain — typically the recruitment agency that contracts with the client, and if that party is absent or not UK-resident, the end-client may be pursued.
This is not a hypothetical risk. HMRC estimates that umbrella company non-compliance costs the Exchequer hundreds of millions annually, including GBP 500m lost to disguised remuneration schemes in 2022-23 alone. The new rules are designed to recover GBP 2.8 billion over the next four years.
The question for finance, HR, and procurement leaders is not whether this affects you. It is whether you know where your exposure sits.
How JSL Actually Works
The mechanics are straightforward, even if the implications are not.
Under the new Chapter 11 of ITEPA 2003, when a worker is supplied via an umbrella company:
If the umbrella fails to pay correct PAYE/NICs, HMRC can pursue the debt
First in line is the recruitment agency (if one exists in the chain)
If there is no agency, or they cannot pay, liability transfers to the end-client
The critical detail: there is no "reasonable care" defence. Unlike some compliance frameworks, the JSL rules do not reward good behaviour with protection. When asked about due diligence, HMRC's response was unequivocal: "In the event of non-compliance by the umbrella company, the agency or end client engaging the umbrella company remains jointly and severally liable in all cases."
You can check every accreditation. Review every process. Audit every quarter. If that umbrella fails, the liability can still transfer to you.
Why Due Diligence Is Not Enough
This creates an uncomfortable reality for finance leaders.
We are used to the idea that doing the right thing provides protection. Proper processes, documented checks, reasonable care - these typically demonstrate good faith and limit exposure.
Not here. Not under these rules.
Due diligence reduces probability. It helps you choose compliant umbrella companies more often. But it does not eliminate the liability transfer mechanism. The central question HMRC asks is simple: "Has the tax been paid?" Not whether you performed due diligence. Not whether you believed everything was in order. Just: has the tax been paid?
This changes the risk calculation entirely.
The practical response is not to abandon due diligence - it still matters. But it is to recognise that due diligence is risk management, not risk elimination.
The Visibility Problem
Here is where many organisations discover a more fundamental gap.
Before you can assess your JSL exposure, you need to answer a deceptively simple question: how many workers in your organisation are paid through umbrella companies?
Most finance leaders I speak with cannot answer this confidently. The reality is that contractor arrangements are often scattered across:
Procurement systems tracking supplier relationships
HR systems flagging non-employee workers
Line manager relationships that bypass formal processes entirely
Services contracts where labour is buried within broader supplier agreements
The gap between perceived headcount and actual headcount is the gap where risk lives.
A CFO might estimate 50 contractors. Procurement shows 120 supplier relationships involving labour. HR flags 80 non-employee workers. Line managers, when surveyed, identify another 35 individuals they consider "their contractors" who appear in neither system.
This is not unusual. It is the norm.
You cannot manage JSL exposure you cannot see. The compliance challenge of April starts with the visibility challenge of today.
Your Supply Chain Goes Deeper Than You Think
There is another layer to this problem.
Most organisations can identify their direct suppliers. Some can distinguish which suppliers provide labour rather than just goods or services. Very few can identify their suppliers' suppliers - the second and third-tier relationships where workers actually sit.
Consider a typical supply chain:
Your organisation engages a consultancy to deliver a project
That consultancy uses subcontractors to supplement capacity
Those subcontractors may be paid through umbrella companies
You never directly engaged the umbrella - but under JSL, the liability can still reach you
This is how many labour supply chains actually operate. Consultancies subcontracting. Managed service providers using umbrella companies. Professional services firms engaging freelancers through intermediaries. Layers upon layers.
The worker you never knew existed creates a liability you never saw coming.
What Finance Leaders Should Do Now
April 2026 is weeks away. Perfect systems are not achievable in that timeframe. But meaningful progress is.
1. Map Your Umbrella Exposure
Start with the question: where do umbrella-paid workers enter your organisation?
Review recruitment agency relationships
Examine services contracts with labour components
Survey line managers about informal contractor arrangements
Check procurement for any supplier categorised as "staffing" or "workforce"
The goal is not perfection. It is establishing a baseline understanding of where umbrella arrangements exist.
2. Assess Concentration Risk
Once you know where umbrella exposure sits, assess concentration:
Are multiple workers flowing through a single umbrella?
Is significant spend concentrated with one recruitment agency using a particular umbrella?
What would the impact be if that umbrella failed?
Concentration amplifies risk. Diversification - across compliant providers - reduces it.
3. Review Supplier Relationships
For second and third-tier exposure:
Include supply chain labour clauses in services contracts
Require visibility into how suppliers engage subcontractors
Ask suppliers directly about their use of umbrella companies
You may not achieve full visibility immediately. But you can start asking the right questions.
4. Prepare for the Timeline
Key dates to note:
6 April 2026: JSL rules commence
Any payments made on or after 6 April 2026 where a worker is supplied via an umbrella company fall within the JSL regime — so organisations need to be prepared for the first pay runs that occur after that date
2027: Separate umbrella company regulation expected under the Fair Work Agency
This means any work paid for on or after 6 April falls within scope, regardless of when the work was performed. Organisations should ensure their processes are ready before that date.
Key Takeaways
There is no safe harbour - due diligence reduces probability but does not eliminate liability transfer under JSL rules
HMRC can pursue any relevant party - typically the agency, or if absent/non-UK-resident, the end-client may be pursued
The visibility gap is the primary challenge - you cannot manage exposure you cannot see
Supply chains go deeper than direct relationships - second and third-tier arrangements create exposure you may not be aware of
April 2026 is weeks away - the time for mapping exposure is now, not after the rules are active
What This Means for Your Organisation
The organisations best positioned for JSL are not those with perfect processes. They are those with clear visibility into their contractor workforce - who is working, through what structures, and where the exposure sits.
If you cannot confidently answer "how many umbrella-paid workers do we have?", the first step is not compliance process design. It is establishing that baseline visibility.
The compliance gap starts with the visibility gap. Address the visibility gap first.
