Recruitment Agency Compliance 2026: Umbrella Liability, ICO Rules and the Employment Rights Act
120 recruitment agencies entered liquidation in the last six months. On 6 April 2026, joint and several liability for umbrella company tax failures went live: if an umbrella in your supply chain does not pay PAYE or NICs, HMRC can come to you for the full amount. On 31 March 2026, the ICO published a report finding that most AI recruitment tools in the UK are non-compliant with data protection law. And the Employment Rights Act is reshaping unfair dismissal, zero-hours contracts, and day-one rights across every placement you make. This guide covers what your recruitment software needs to handle now.
Speak to us about recruitment software · +44 7494 618 651 · Mon to Fri, 9am to 6pm
120
Recruitment businesses entered liquidation in the last six months
6 Apr
Joint and several liability for umbrella company PAYE/NICs went live
29 May
ICO consultation on automated recruitment decisions closes
Umbrella Company Liability: What Changed on 6 April 2026
The Finance Act introduced a new Chapter 11 of Part 2 ITEPA 2003, creating joint and several liability for PAYE income tax and Class 1 National Insurance contributions where an umbrella company sits in the supply chain. The operative date was 6 April 2026. A parallel secondary legislation creates equivalent liability for NICs.
What This Means in Practice
If a worker is supplied via an umbrella company and there is a UK recruitment agency in the chain, the agency is the party HMRC will pursue for any PAYE and NIC shortfall. If there is no agency in the chain, the end client takes on that liability instead. The liability is for the full amount of unpaid tax and NICs, not just a proportional share.
This is not theoretical. The FCSA (Freelancer and Contractor Services Association) warned that agencies must act before 6 April. The REC issued guidance confirming that agencies using umbrella companies need to verify compliance as part of their standard supply chain management.
This is a tax compliance measure, not full regulation. The April 2026 change creates the liability. A separate regulatory regime for umbrella companies is still pencilled in for 2027. Until that regime exists, the burden of verifying umbrella company compliance sits entirely with the agency. Your systems need to support that verification.
What Your Software Needs to Handle
Umbrella company register. A record of every umbrella company in your supply chain, including their PAYE registration, FCSA or Professional Passport accreditation status, and last verification date
Due diligence workflows. Before placing a worker through an umbrella, your system should flag whether the umbrella has been verified. If verification is expired or missing, the placement should be blocked or flagged for manual review
Payslip monitoring. The FCSA recommends checking that workers are receiving compliant payslips showing gross pay, PAYE deductions, NIC deductions, and net pay. Your system should log that payslip checks have been performed
Audit trail. If HMRC pursues your agency for an umbrella company's tax shortfall, your defence rests on demonstrating that you took reasonable steps to verify compliance. Every check, every verification, every flag needs to be timestamped and retrievable
No major recruitment CRM (Bullhorn, Vincere, JobAdder, Firefish) has announced a dedicated umbrella compliance module, because this liability is new. Most agencies are managing it through spreadsheets, manual checks, or bolted-on processes outside their CRM. That is a compliance risk in itself: if the evidence of your due diligence does not live in your system of record, it is harder to produce under HMRC scrutiny. For a comparison of the main CRM platforms, see our CRM vs ATS guide.
The ICO and Automated Recruitment Decisions
On 31 March 2026, the ICO published a report on automated decision-making in recruitment, drawing on engagement with more than 30 employers and audits of AI recruitment tool providers. The findings were stark: most organisations using automated recruitment tools are not meeting their data protection obligations.
What the ICO Found
The central problem: employers believe they are using "decision support" tools (where AI makes recommendations and a human decides) when in practice those tools are making fully automated decisions with no meaningful human involvement. A recruiter who rubber-stamps every AI recommendation without independent assessment is not providing meaningful human oversight.
Under UK GDPR Article 22, solely automated decisions that produce legal or similarly significant effects on individuals are restricted. Rejecting a candidate from a hiring process is a "similarly significant effect." If your ATS auto-rejects candidates based on keyword scoring, CV parsing, or algorithmic ranking without genuine human review at the decision point, you may be in breach.
The Three ICO Expectations
Proactive bias monitoring. Test AI recruitment tools regularly for biased outputs. Ask developers about their own bias testing when procuring tools. Consider monthly bias reviews.
Transparency. Tell candidates if automated decision-making is being used. Explain how it works. This is a legal obligation under UK GDPR Articles 13 and 14, not a best-practice recommendation.
Right to challenge. Tell candidates how to exercise their right to request human review of an automated decision. Ensure there is a functioning process to carry out that review.
The ICO consultation on draft automated decision-making guidance is open until 29 May 2026. Final guidance will follow. The ICO also wrote directly to 16 named organisations likely to be using ADM in hiring, and those organisations have committed to acting on the recommendations.
47% of UK job seekers have now had an AI interview. The scale of automated recruitment is already massive. The regulatory framework is catching up. Agencies that provide AI screening tools to clients, or that use them internally, need to assess whether those tools meet the ICO's three expectations before the final guidance lands.
What Your Software Needs to Handle
Decision logging. For every candidate rejection or progression decision, record whether the decision was made by a human, by an AI tool, or by a human acting on an AI recommendation. If the decision was AI-assisted, record what the AI recommended and what the human decided independently
Transparency records. Log that each candidate was informed about the use of automated decision-making at the point of application or at first contact. Your system should generate or trigger this disclosure automatically
Human review workflow. When a candidate requests human review of an automated decision, your system needs to route that request to a qualified reviewer, record the review outcome, and communicate the result. This cannot be an ad-hoc email thread
Bias audit trail. If you use AI screening tools, log when bias testing was last performed, what was tested, and what the results were. The ICO expects this as standard practice
Speak to us about recruitment software · +44 7494 618 651 · Mon to Fri, 9am to 6pm
The Employment Rights Act: What Is Changing for Agencies
The Employment Rights Act 2025 received Royal Assent on 18 December 2025. Changes are being phased in across 2026 and 2027. Several provisions directly affect how recruitment agencies operate.
Already Live (April 2026)
Fair Work Agency launched 7 April 2026. A single enforcement body consolidating three existing bodies, chaired by Matthew Taylor. This is the regulator that will police agency compliance
Day-one Statutory Sick Pay. No earnings threshold, no three-day waiting period. Every temporary worker placed through your agency qualifies from their first day of work
Day-one paternity and parental leave. Candidates placed through your agency have these rights immediately
Coming January 2027
Unfair dismissal at six months (not two years). The qualifying period drops from two years to six months. Compensation caps are being abolished entirely. Anyone hired from July 2026 onwards will gain protection when this kicks in. For agencies, this means placement quality and screening become more important: a bad placement that leads to dismissal within the first year now carries much higher legal risk for the client
Zero-hours contract reforms. Workers on zero-hours or low-hours contracts must be offered guaranteed hours based on patterns worked over a 12-week reference period. This applies to agency workers too. Your system needs to track hours worked per assignment and calculate when a guaranteed-hours offer is triggered
Shift cancellation compensation. Employers (and agencies placing workers) may need to compensate staff for short-notice shift cancellations. Your system needs to record shift schedules, cancellations, and notice periods
The definition of "employment agencies" is expanding. The Employment Rights Act brings umbrella companies under the definition of employment agencies for the first time. A live government consultation ("Make Work Pay: Modernising the Agency Work Regulatory Framework") is shaping these rules. When the final regulations land, your compliance obligations will be broader than they are today.
120 Agencies Went Bust: What the Survivors Are Doing Differently
The insolvency rate in recruitment is the highest since 2008. 120 agencies entered liquidation in six months. Even Hays, one of the largest UK recruiters, saw operating profits halve from £105.1 million to £45.6 million. The pressures are structural: employer NICs rising to 15%, a tech-sector hiring slowdown, pandemic-era BBLS debt repayments coming due, and now the umbrella liability shift adding compliance cost.
The agencies surviving are the ones that have reduced their cost-per-placement through automation, tightened their compliance processes to avoid regulatory penalties, and maintained margin discipline through accurate scoping and pricing. All three of these depend on software that works.
Compliance Area
Status
What Your System Must Do
Umbrella PAYE/NIC liability
Live (6 Apr 2026)
Umbrella register, due diligence workflow, payslip monitoring, audit trail
ICO automated decisions
Consultation closes 29 May 2026
Decision logging, transparency records, human review workflow, bias audit
Day-one SSP
Live (6 Apr 2026)
SSP calculation from first day, no earnings threshold
Fair Work Agency
Live (7 Apr 2026)
Consolidated compliance records accessible for enforcement review
Unfair dismissal at 6 months
January 2027
Placement tracking, probation period management, screening documentation
Zero-hours guaranteed hours
January 2027
12-week reference period tracking, guaranteed-hours offer generation
When Bespoke Software Makes Sense
For agencies using a major CRM like Bullhorn or Vincere with a clean, standard workflow (perm placements, no umbrella supply chain, no AI screening), the existing platforms will likely adapt as new features roll out. For agencies that need to move faster than their CRM vendor, bespoke makes sense in specific scenarios.
Agencies with significant umbrella supply chains. If you place workers through multiple umbrella companies and need a compliance verification workflow integrated into your CRM (not a separate spreadsheet), a bespoke module can connect your placement workflow to umbrella due diligence, payslip monitoring, and audit logging in a single system. No major CRM offers this natively
Agencies using AI screening that need ICO compliance now. If your ATS uses automated screening (keyword scoring, CV parsing, video interview analysis) and you need to demonstrate decision logging, transparency disclosures, and human review workflows before the ICO's final guidance lands, building those capabilities into your system now is faster than waiting for your ATS vendor to update
Agencies managing both permanent and temporary placements. The Employment Rights Act affects temp placements differently from perm placements (day-one SSP, zero-hours reforms, shift cancellation rules). A system that tracks these obligations per assignment type, calculates SSP eligibility automatically, and flags guaranteed-hours triggers based on actual hours worked, removes manual compliance overhead that scales with placement volume
Agencies that have outgrown their CRM but cannot afford downtime. For agencies considering a move from Bullhorn or Vincere (we have covered alternatives in our Bullhorn alternatives and Vincere alternatives guides), a bespoke system built around your actual workflow, with compliance built in from day one, avoids the compromises that come with adapting another off-the-shelf platform
The compliance landscape for recruitment agencies has shifted fundamentally in 2026. The umbrella liability is new. The ICO expectations are new. The Employment Rights Act changes are phased but accelerating. The same Act is hitting other labour-intensive sectors equally hard (see our guide to the Employment Rights Act for cleaning companies for how day-one SSP and zero-hours reforms affect multi-site shift operations). Agencies that treat these as separate, manual processes will spend more time on compliance admin than on placing candidates. Agencies that build compliance into their software stack will spend less.