CIS Changes from April 2026


What's Changed
The 2025 Autumn Budget introduced tougher compliance obligations for businesses purchasing construction services under the Construction
Industry Scheme (CIS) and granted HMRC enhanced powers to act on non‑compliance. Effective April 2026, these reforms add significant reporting complexity and
financial exposure across construction supply chains — including recruitment agencies operating within them.
The key update aligns CIS with the “knew or should have known” test already applied in VAT fraud cases. If HMRC can demonstrate that a business knew or should have known it was involved in a transaction linked to fraudulent tax evasion by a supplier — such as a CIS umbrella or subcontractor further down the chain — HMRC may:
Cancel the business’s gross payment status immediately, extending the re‑application period from one year to five years.
Hold the end‑user liable for the unpaid tax, even if the invoice (including tax) has already been settled.
Impose a penalty of 30% of the lost tax, chargeable to the business, its directors, or connected persons.
Why This Matters to Recruitment Agencies
Gross Payment Status allows eligible businesses to receive payments from contractors without deductions being made at source. If that status is withdrawn, CIS deductions will apply to every qualifying payment, creating an immediate and significant impact on cash flow. Under the updated rules, the loss of Gross Payment Status can last for up to five years, rather than the previous one-year period.
For recruitment agencies operating on tight margins, a five-year restriction is far more than an administrative issue—it can place considerable strain on working capital and, in some cases, threaten the long-term viability of the business.
When combined with the potential for joint liability on unpaid tax and penalties of up to 30%, which may extend to company directors in certain circumstances, the importance of robust compliance and thorough due diligence has never been greater. Taking proactive steps to assess payroll providers and maintain compliance is now a critical business priority rather than simply a matter of best practice.


Why This Has a Greater Impact on Recruitment Agencies
Gross Payment Status allows eligible businesses to receive payments from contractors without CIS deductions at source. If this status is lost, deductions apply to every qualifying payment, creating an immediate reduction in cash flow. Under the updated rules, the restriction can remain in place for up to five years, rather than the previous one-year period.
For recruitment agencies operating on tight margins, this is far more than an administrative issue. A prolonged loss of Gross Payment Status can significantly affect cash flow, limit business flexibility, and place considerable pressure on day-to-day operations.
When combined with potential joint liability for unpaid tax and penalties of up to 30% that may extend to company directors, the importance of carrying out thorough due diligence has never been greater. Proactive compliance is no longer simply best practice—it is an essential part of protecting your business.
What "should have known" looks like in practice
A subcontractor or umbrella with frequent, unexplained changes to bank account details
No VAT registration where the scale of activity would normally require one
Director histories with prior insolvencies, disqualifications, or links to other flagged entities
Onboarding checks done once at the start of a relationship and never revisited
A one-off check at onboarding won't meet the new standard. "Should have known" is a continuous test. HMRC will look at what a reasonably diligent business would have picked up over the life of the relationship, not just on day one.
What agencies should do now
Confirm, in writing, which party in the chain is legally responsible for carrying out right to work checks on each placement.
Check that any digital verification tool in use is on the Home Office's current certified IDSP list.
Build a diary system for repeat checks ahead of time-limited permission expiry dates.
Retain evidence of every check — not just the document copy, but who checked it, when, and how.
Refresh consultant training on the current codes of practice, including the eVisa transition.
Don't assume the client's check covers you. If you're the legal employer of the worker, their process is not your statutory excuse — build and evidence your own.
Paying the invoice in full no longer closes the risk. From April 2026, what an agency should have known matters as much as what it actually did.
This newsletter is for general information purposes only and does not constitute legal or tax advice. Agencies should seek advice from a qualified tax adviser on their specific supply chain arrangements ahead of the April 2026 changes.
HMRC warns against "Bills of Exchange" as a JSL workaround


What's Changed
In 2026/27, Bills of Exchange are being promoted as a way for umbrella companies and recruitment agencies to circumvent the Joint & Several Liability (JSL) rules introduced on 6 April 2026.
Originally governed by the Bills of Exchange Act 1882, these instruments function as formalised IOUs. Promoters now claim they can be used to settle PAYE liabilities outside conventional banking channels and to avoid deemed‑employer status under the new umbrella legislation.
However, HMRC’s 13 May 2026 alert makes its position clear: it does not recognise Bills of Exchange or similar “private instruments” as valid payment of tax liabilities.
How the schemes are marketed
⚠️ References to obscure, historic legislation to lend false credibility
⚠️ Claims that mainstream accountants and banks "don't understand" the process
⚠️ Offers to manage the whole process, including drawing up affidavits and dealing with HMRC directly
⚠️ Claims the instrument has been "approved by King's Counsel"
The knowledge point
Before this year's rulings and warnings, participants might have argued they misunderstood the risks, or relied on assurances from promoters. That argument is fast disappearing.
"These arrangements do not remove risk from recruitment agencies; they transfer it and concentrate it. Following the High Court's decision, it will be increasingly difficult for agencies to argue the risks were not apparent."Employment lawyer commentary, C2E Law
Continued participation after such clear public warnings raises difficult questions around deliberate behaviour, governance failures, and whether reasonable due diligence was carried out before entering into, or continuing with, the arrangement.
What agencies should do now
Review any current or proposed use of Bills of Exchange or similar "private instruments" in connection with HMRC liabilities
Brief directors and finance teams on the HMRC alert and the Halifax RLFC ruling.
Carry out, and document, enhanced due diligence on umbrella companies and other supply chain partners, particularly on how PAYE is actually being paid.
Treat any claim that a scheme "avoids" the new JSL legislation as a red flag. HMRC has expressly rejected this.
Seek independent professional advice before engaging with any arrangement claiming to reduce or eliminate tax liabilities through unconventional means.
Employment businesses should ensure they are working with a reputable, accredited umbrella company, and should carry out their own extensive due diligence, rather than relying solely on assurances from the umbrella or promoter.
Businesses being offered these arrangements are, in effect, being sold magic beans. HMRC has made its position clear: anyone who continues to use them does so at their own risk.
This newsletter is for general information purposes only and does not constitute legal or tax advice. Businesses concerned about existing arrangements, or approached by promoters of similar schemes, should seek advice from a qualified professional without delay.
Where the risk actually lands
f an umbrella relies on a Bill of Exchange, no valid payment has been made; the underlying PAYE liability remains outstanding. Under Chapter 11 ITEPA, where PAYE isn't properly operated in the supply chain, an agency can be treated as the deemed employer. HMRC typically pursues the most solvent party in the chain, usually the agency.


HMRC has expressly rejected the KC-endorsement claim.
A KC constructing a defence says nothing about whether it would succeed. There is no arrangement so unlawful that a lawyer couldn't attempt to defend it.
The Employment Rights Act 2025:
what agencies need to do now


The ERA 2025 signals a material shift in operational obligations, risk allocation, enforcement exposure, and contractual frameworks for the recruitment sector. Below is what's changing, why it matters, and what to put in motion this quarter.


01 — ENFORCEMENT
A new enforcement environment: the Fair Work Agency
Agencies and employment businesses fall directly within the enforcement scope of the new Fair Work Agency (FWA), expected to be established in April 2026. It will enforce the Employment Agencies Act 1973 and the 2003 Conduct Regulations, alongside wider labour market law — a move toward proactive, consolidated enforcement and sharper inspection readiness.
02 — CONTRACTS
Update your contracts now
Guaranteed hours offers, a two-week initial information duty, reasonable shift notice, and cancellation compensation are coming — with commencement expected in 2027 following 2026 consultation. Contract suites should be refreshed now, with placeholders for thresholds still to be set.
Supply chain split: hirers offer guaranteed hours; agencies pay cancellation compensation, with recoupment routes back to hirers.
Pre-existing arrangements: a two-month window from 18 Dec 2025 to review and preserve recoupment terms already in place.
Action: freeze or tightly control amendments to existing recoupment arrangements while this review is underway.
03 — SHIFT RISK
Protect yourself operationally on shift cancellations
New rights to reasonable notice and compensation for cancelled, moved, or curtailed shifts are coming, with short-notice parameters set by regulation. Compensation is payable up to a worker's original remuneration and is taxable as employment income — pricing and margin models with hirers should be adjusted accordingly.
Build playbooks now: who issues notices, how communications are documented, and how costs are shared and recovered.
04 — RECORDS
Strengthen compliance and record keeping
The FWA can require attendance, answers, and documents, and enter premises to inspect records. Map, retain, and be ready to produce evidence of shift offers, notices, cancellations, and compensation calculations.
Working Time annual leave and pay records now carry six-year retention expectations.
Notices for exceptions or withdrawals within the guaranteed hours framework must be retained for audit.
05 — CLIENT RELATIONSHIPS
Manage client relationships to mitigate risk
Review master services agreements and call-off terms to address responsibility splits, cancellation and curtailment decision rights, evidence sharing, and indemnities aligned to Schedule A1. Build in service credits or indemnities where hirers fail to relay required worker notices on time.
06 — TRIBUNAL EXPOSURE
Prepare for tribunal exposure and longer limitation
Time limits extend to six months for certain claims, with dedicated remedies for failures to offer guaranteed hours, provide information, give notice, or pay compensation. Automatic unfair dismissal protection without a qualifying period applies in relevant circumstances, and tribunals may add financial penalties for aggravating conduct.
07 — DATA & INVESTIGATIONS
Data sharing and investigations readiness
Disclosures to the FWA are permitted without breaching confidentiality, subject to data protection obligations. Update governance policies and client terms to allow lawful information sharing during investigations while keeping proper safeguards in place.




Need the paperwork to match the plan?
Get in touch for template clauses for hirer contracts, a worker terms addendum, or a shift-cancellation SOP aligned to the ERA 2025 framework.
Royal Assent
18 Dec 2025
Fair Work Agency live
April 2026 (expected)
Zero/low hours regime
2027 (anticipated)
IR35: where the agency's risk actually sits


What the rules actually require
Since 6 April 2021, medium and large private-sector clients have been responsible for deciding whether an engagement falls inside or outside IR35, and for issuing a Status Determination Statement (SDS) to every party in the labour supply chain. Public sector clients have carried this duty since 2017.
Where the engagement is inside IR35, the fee-payer — usually the agency, or an umbrella company further down the chain — must operate PAYE and National Insurance on payments to the worker's intermediary, as if the worker were an employee.
The rules are deliberately designed so liability can move. If the client fails to take reasonable care in reaching its determination, or fails to pass the SDS down the chain, liability can sit with the client. But once an agency has received a valid SDS, responsibility for acting on it correctly — and for deducting the right tax — sits with the agency.
Reasonable Care — What It Really Means
Clients must exercise reasonable care when making a status determination. What qualifies as reasonable care isn’t fixed — it depends on how complex the engagement is and how robust the decision‑making process appears.
"A determination made without considering the individual's actual working arrangements — or one changed at the last minute close to contract renewal, without a documented reason — is difficult to defend as reasonable care if HMRC ever asks the question."
For agencies, the real exposure lies less in whether the client’s call was correct and more in whether there’s a clear, documented process for collecting, verifying, and acting on the SDS for every engagement.
Paper terms don't override working practice. If a contract says "outside IR35" but the day-to-day reality looks like employment — fixed hours, supervision, no real substitution — HMRC will look at what actually happens, not what the contract says.
Practices worth a second look
⚠️ Blanket "inside IR35" determinations applied across a role or contract type, without individual assessment
⚠️Relying solely on HMRC's CEST tool output, without considering factors like mutuality of obligation that CEST doesn't fully capture
⚠️No SDS on file for an engagement, or an SDS that was never actually passed down the chain by the client
⚠️ Contract paperwork that doesn't reflect how the engagement actually operates day to day
What agencies should do now
Confirm there's a valid, dated Status Determination Statement on file for every current inside-IR35 engagement.
Build and document a process for the statutory client-led status disagreement route, so disputes don't stall.
Review the umbrella and payroll chain behind every placement — who is the fee-payer, and can you evidence it.
Audit contract templates against actual working practices, not just against the CEST output.
Train consultants to flag status changes, scope creep, or blanket determinations before they become a liability.


The fee-payer carries the deduction risk, and the fee-payer is very often the agency. A documented process beats a confident assumption every time.
This newsletter is for general information purposes only and does not constitute legal or tax advice. Some figures and dates may have moved on since publication — agencies should confirm current requirements with HMRC guidance or a qualified adviser before relying on this summary.
Right to work checks: who actually carries the penalty


What the law actually require
Under the Immigration, Asylum and Nationality Act 2006, employing someone without the right to work in the UK can lead to a civil penalty. Carrying out a compliant right to work check before employment starts gives the employer a statutory excuse against that penalty — provided the check was done correctly.
Civil penalties were significantly increased from 13 February 2024: up to £45,000 per illegal worker for a first breach, and up to £60,000 for repeat breaches — a substantial rise from the previous framework.
There are three routes to a compliant check: a manual document check, a digital check via a Home Office-certified Identity Service Provider (IDSP) for British and Irish citizens, and the Home Office online right to work checking service (using a share code) for those with digital immigration status.


Where the penalty actually lands
In a temp labour supply chain, it isn't always obvious who is legally the "employer" for right to work purposes — and that's exactly where gaps open up. The penalty falls on whoever employs the individual, which depends on the actual contractual chain, not on who happened to run the check.
Practices worth a second look
⚠️ Accepting an expired Biometric Residence Permit at face value, without checking current status online
⚠️ Using a digital ID verification app or service that isn't on the Home Office's certified IDSP list
⚠️ No diary system for repeat checks on workers with time-limited permission before it expires
⚠️ Relying on a client or umbrella's word that "the check's been done" without seeing the evidence
A share code isn't optional for digital status holders. A physical document alone no longer establishes the statutory excuse for someone with an eVisa — the online check has to actually be carried out and the output retained.
The evidence point
The statutory excuse depends on being able to show the check was done properly at the time — not on being able to say, after the fact, that the person turned out to be eligible to work.
"A copy of a document with no record of who checked it, when, or against what verification service, is a weak position to be in if the Home Office ever asks the question. The excuse is built on process, not on hindsight."
For agencies working through umbrellas or in multi-party chains, the practical priority is making sure it's contractually and operationally clear who is running the check, and that the paper trail proving it actually exists.
What agencies should do now
Confirm, in writing, which party in the chain is legally responsible for carrying out right to work checks on each placement.
Check that any digital verification tool in use is on the Home Office's current certified IDSP list.
Build a diary system for repeat checks ahead of time-limited permission expiry dates.
Retain evidence of every check — not just the document copy, but who checked it, when, and how.
Refresh consultant training on the current codes of practice, including the eVisa transition.

A £60,000 penalty per worker concentrates the mind. The statutory excuse is only as good as the process and paperwork behind it.
This newsletter is for general information purposes only and does not constitute legal or immigration advice. Penalty figures, certified provider lists, and transition dates can change — agencies should confirm current requirements with Home Office guidance or a qualified adviser before relying on this summary.
