From 06 April 2026, a new tax avoidance regime will come into force aimed squarely at the umbrella company market. Inserted as a new Chapter 11 into ITEPA 2003, the legislation is designed to address long-standing non-compliance in a sector that HMRC estimates costs the Exchequer around £1bn a year.
At its core, the legislation introduces Joint and Several Liability (JSL) for PAYE and Class 1 NICs where workers are paid via umbrella companies. The policy intent is simple: if tax is not paid to the tax authority, it will be automatically recoverable from someone higher up the labour supply chain – and there is no defence.
Since the IR35 reforms (off-payroll rules), “use an umbrella” has become the default answer for firms that cannot hire workers off-payroll (Outside IR35). That assumption no longer holds. Under the new rules, umbrellas are no longer a risk buffer; they are a potential source of systemic liability.
Mechanics of the new legislation
Relevant party
The legislation operates by identifying “relevant parties” in the supply chain. In most cases, the relevant party will be the recruitment agency that contracts directly with the end client for the supply of labour. Where there is no agency, the end client itself becomes the relevant party.
However, the legislation goes further. If the agency is “connected” with the umbrella company under the connected persons rules (section 993 of the Income Taxes Act 2007), the end client is also treated as a relevant party, even where the client has no direct contractual relationship with the umbrella.
Once an umbrella company pays the worker, JSL is triggered, and the group of all “relevant parties” is simultaneously on the hook until one of them pays the PAYE and NICs to HMRC.
Who is liable?
Liability under JSL is automatic and strict. If there is a failure to account for PAYE or NICs, the unpaid tax can be recovered in whole from any relevant party in the chain – HMRC has stated it will start with the agency or client. There is no statutory defence based on due diligence, audits, accreditations or intent.
The test is not whether reasonable checks were carried out. The only question that matters is whether the tax has been paid on time. If it has not, the liability sits with all relevant parties in the JSL group.
The operational mechanics create an uncontrollable exposure for the agency and the client if they choose to allow the umbrella to pay the tax monies rather than account for them themselves. Where tax monies are passed from the client or agency to the umbrella, the umbrella effectively acts as a tax postbox. If they do not pay, the tax is still owed, and HMRC will come after the agency first, and then, if connected, also the client. HMRC has confirmed that it is agnostic about which party pays the tax, provided it has been paid.
Risks for “the client” as a relevant party
Risk of being connected
For end clients, an uncomfortable feature of the legislation is the risk of connected-party transactions. If an agency and an umbrella are connected (section 993 Incomes Taxes Act 2007), the liability does not stop at the agency level. The client is also a “relevant party” and equally liable for the tax.
Connection is not limited to obvious shareholdings. It includes control through connected persons, groups acting together, shadow directors and indirect arrangements. In practice, many of the most problematic umbrella structures deliberately obscure these links through complex ownership structures, nominee arrangements, or offshore entities.
From a client perspective, this creates invisible exposure. It is practically impossible to rule out a connection with certainty. Clients do not have statutory powers to compel full disclosure of ownership, control arrangements or acting-together behaviours across an agency’s preferred umbrella list.
Even if a client is satisfied that no connection exists today, that conclusion is fragile. Ownership structures change, directors move, financing arrangements are put in place, and shadow influence emerges over time. A client could move from “not connected” to “connected” without any operational change on its part.
Connection is not a static risk; it can arise at any time, making the client jointly and severally liable for unpaid payroll taxes it neither calculated nor controlled.
Options for clients
Faced with this new risk profile, clients and agencies are reassessing their operating models. Broadly, there are three options.
Option 1: Due diligence (Does not work)
The first option is to allow agencies to use umbrellas, supported by audits, accreditations and contractual warranties. This approach carries the highest risk because due diligence is no defence, and the client is relying on third-party behaviour over which the client has no control. If an umbrella fails, the client or agency still pays.
Whilst working only with large, well-established umbrellas with strong balance sheets reduces risk, it does not remove liability. Umbrella insolvency, mismanagement or deliberate non-payment can occur. Trust is not a control mechanism, and under JSL, it offers no legal protection. From a governance and fiduciary perspective, relying on trust alone may be hard to justify.
As Osborne Clarke's 2026 Regulatory Outlook document puts clearly:
“Agencies (or in certain cases, client hirers) will be jointly and severally liable for any failure by an umbrella company to pay PAYE and National Insurance Contributions on payments to umbrella workers. There will be no statutory defence to liability, which means that compliance due diligence, relying on industry accreditations or payslip checking services will provide no defence to liability if an umbrella company fails to account to HMRC for any PAYE and/or NICs for any reason."
Option 2: Direct HMRC Payments
Many organisations are exploring models that retain control of PAYE remittance. This can include agency-run payroll or structures in which the tax is paid directly to HMRC by the client or agency, with only net wages flowing to the umbrella.
From a risk perspective, it is the only way to ensure that the question “has the tax been paid?” can always be answered affirmatively. The method neutralises the risk.
Option 3: Ban umbrellas
For some clients, particularly those with zero-risk supply chain policies, the simplest response will be prohibition, and may be seen as the safest option.
This may involve greater use of agency payroll or fixed-term employment contracts. While commercially disruptive, blanket bans are a predictable response to strict liability regimes where risk cannot be audited away.
Key points to take away
The introduction of umbrella JSL represents a fundamental shift in how labour supply chain risk is allocated. Umbrellas no longer act as a safe harbour for deemed employees or workers who cannot operate outside IR35.
“Use an umbrella” is no longer the answer it once was. In many cases, it may now be the riskiest option.
Clients and agencies must recognise that liability under the new rules is systemic and defence-free. Connection risk cannot be reliably excluded, and accreditations, audits and assurances do not change the outcome if tax is unpaid.
IR35 Shield Recommendation:
As a tax advisory, IR35 Shield cannot reasonably recommend that firms adopt an approach that introduces unnecessary and uncontrollable risk when there are no commercial reasons to do so, and most importantly, when alternative options are available.
Our view is that taking on tax risk is a commercial decision, and should be taken only where the taxpayer can be fully in control of the risk, which is not the case for the new umbrella rules.
We recommend that, where umbrellas are used and there is a group of relevant parties, option 2 is adopted. This means that the first relevant party in the list pays the tax directly to HMRC, passes net monies to the umbrella, so that when JSL is triggered, the liability is always zero because the tax has been paid.
If firms choose to rule out the use of umbrellas, we recommend they conduct active due diligence to secure their supply chain.
