×
This document is prepared for the Mace Group Office of Tax, Compliance & Procurement. Please enter the passkey shared with you to continue.
A structured response to the legislative shift now bearing on Tier 1 contractors — the Criminal Finances Act 2017, the Economic Crime & Corporate Transparency Act 2023, the Employment Rights Act 2025, the Finance Act 2026, and HMRC's evolving supply-chain due diligence guidance.
Five pieces of legislation now converge on Mace's labour supply chain. Three have already commenced. One commences mid-cycle. The standard is no longer "did you know" — it is "should you have known."
The Criminal Finances Act 2017 (CFA) has applied since September 2017 — yet most Tier 1 contractors still cannot evidence the "reasonable prevention procedures" defence in respect of their indirect labour. The Economic Crime & Corporate Transparency Act 2023 (ECCTA) extended the same logic to fraud on 1 September 2025, with senior-manager attribution under the new identification doctrine. The Fair Work Agency, established under the Employment Rights Act 2025, became operational on 7 April 2026, consolidating EAS, GLAA and (from April 2027) HMRC NMW enforcement into a single body. The Finance Act 2026 introduced joint and several liability for PAYE umbrella shortfalls, effective 6 April 2026 — first impacted payday 17 April 2026. HMRC's supply-chain due diligence guidance, long-standing but rarely tested at scale, has materially hardened.
Every one of these regimes turns on the same evidential question: what did Mace, as the principal, know — or what should it have known — about the people, structures and money flows in its labour chain.
A three-stage engagement:
An evidenced, defensible position — capable of withstanding scrutiny by HMRC, the Fair Work Agency, or a Crown Prosecutor — across the agency, umbrella, and PSC populations engaged on Mace projects. Demonstrable "reasonable prevention procedures" under both CFA s.45–46 and ECCTA s.199. A documented baseline against which improvements can be measured.
An independent, construction-specialist assurance regime, operated since 2018, currently embedded in the supply-chain governance of nine Tier 1 UK contractors.
Workforce Assured is currently embedded in the supply-chain governance, accreditation, or due-diligence programmes of:
Workforce Assured is owned and operated by Nutral Solutions Ltd, a construction-specialist neutral vendor managed service provider. Workforce Assured itself supplies no labour, holds no agency interest, and earns no margin from worker placement. This is a deliberate structural choice. It allows the assurance regime to function as a credible third-party determination — distinct from a self-attestation by an agency or in-house procurement function, and capable of supporting the reasonable-prevention-procedures defence in a way self-assessment cannot.
Workforce Assured does not advise on, draft, or sign off the underlying tax positions of the suppliers it assesses; that remains the supplier's own responsibility. Workforce Assured does not indemnify Mace against tax or employment liability — its role is to evidence the diligence on which any defence to those liabilities will turn. The boundary is deliberate, and the engagement should be understood with that boundary in clear sight.
Each statute below imposes a distinct corporate liability on Mace as principal. Each shares the same evidential threshold: actual or constructive knowledge of irregularity in the supply chain.
A Tier 1 contractor commits the UK facilitation offence (s. 45) where any associated person — including agencies, umbrellas, payroll providers, and labour-only sub-contractors — criminally facilitates tax evasion in connection with the contractor's business. The foreign equivalent (s. 46) follows the same logic across border. Liability is corporate and strict, mitigated only by demonstrable reasonable prevention procedures aligned to HMRC's six guiding principles.
Mace exposure: mini-umbrella fraud, disguised remuneration schemes, false self-employment under CIS, undeclared cash payments, and abusive intermediary chains all sit squarely within this offence — irrespective of whether Mace contracted with the offending entity directly.
ECCTA imports CFA-style strict liability into the wider fraud landscape. A large organisation commits an offence where an associated person commits a specified fraud offence intending to benefit (directly or indirectly) the organisation. The defence — again — is reasonable prevention procedures.
Compounding the position, s. 196 broadens corporate criminal attribution: the acts and intentions of senior managers (not only the directing mind) are now the company's own. A regional procurement director acting fraudulently — or recklessly — binds the corporate.
Mace exposure: false invoicing through tiered agencies, inflated headcount or hours claims, fraudulent CIS deductions retained at intermediary level, and ghost-worker scams all engage s. 199 where Mace stands to benefit.
The Fair Work Agency is now the single state enforcement body for agency worker rules, modern slavery indicators in labour markets, holiday pay, and (from April 2027) the National Minimum Wage. It inherits the GLAA's licensing reach into construction labour suppliers and the EAS's investigatory powers, and applies a unified case-management approach across all three.
Mace exposure: a single FWA inspection now triggers cross-checks against agency licensing, AWR rights, NMW compression in CIS rates, and modern slavery red flags simultaneously. Findings are shared inter-agency by design.
Where workers are supplied through a PAYE umbrella in the chain, joint and several liability for unpaid PAYE and NIC now sits with the agency or end-client (or, in the absence of an agency, the end-client directly). The provisions are CIS-exempt — but every PAYE umbrella worker on a Mace project is now a direct fiscal-recovery vector.
Mace exposure: any PAYE umbrella default — mini-umbrella, phoenixed entity, or mere insolvency — converts to a Mace liability if no compliant agency stands between Mace and the umbrella.
HMRC's supply-chain due diligence guidance is not legislation — but it is the framework against which Mace's "should have known" position will be tested in any of the regimes above. It expects principal contractors to know who is in their chain, to check their compliance posture, and to act on adverse findings. The Managed Service Company legislation, the Off-payroll rules, and the CIS verification regime each layer additional specific tests.
Mace exposure: the absence of evidenced supplier checks is itself evidence of constructive knowledge. Procurement files that say nothing are louder than ones that say something difficult.
Across MTIC VAT (the Kittel line), the MSC legislation, modern slavery enforcement, and now the failure-to-prevent regimes, the same evidential test recurs: would a competent principal, with the information reasonably available to it, have identified the irregularity? The corollary is that a contemporaneous, structured due-diligence record is itself the defence. Workforce Assured exists to produce that record.
This proposal interprets "EFA 2025" in your brief as the Employment Rights Act 2025, which received Royal Assent in 2025 and established the Fair Work Agency in April 2026. If you intended a different statute, we will revise on notice.
The risk assessment in § 1 establishes where exposure lies. A procurement review establishes how Mace's existing controls perform against that exposure — and what is missing.
An eight-domain review covering the full life-cycle of a labour-supplier engagement:
| Ref | Domain | Evidence sought |
|---|---|---|
| 2.1.1 | Supplier onboarding gateway | Pre-qualification questionnaire, ownership and beneficial-owner checks, financial health screening, sanctions and PEP checks, bona-fides of payroll arrangements. |
| 2.1.2 | Tax status determination | IR35 SDS process and quality, CIS verification, VAT reverse-charge controls, evidence of off-payroll Chapter 10 ITEPA discipline. |
| 2.1.3 | PAYE umbrella governance | Approved umbrella list, KID issuance evidence, FA 2026 JSL exposure mapping, audit-trail to first impacted payday (17 Apr 2026). |
| 2.1.4 | Contractual architecture | Upper-tier MSA, lower-tier flow-down (PSC, CIS, PAYE umbrella), indemnity and step-in rights, cooperation clauses for HMRC and FWA inquiry. |
| 2.1.5 | Worker-level data integrity | Right-to-work, identity, qualifications and competence records, and the data-protection regime around them (post the Requidex sector-wide lessons of Q1 2026). |
| 2.1.6 | Time, attendance, pay | Working-time records, NMW compliance against the April 2026 threshold, holiday-pay calculation, evidence of timesheet reconciliation against billing. |
| 2.1.7 | Ongoing assurance cadence | Re-audit frequency, trigger-based review, supplier exit and remediation procedures, board-level reporting cadence. |
| 2.1.8 | Reasonable prevention procedures | Documented policy under CFA 2017 ss. 45–46 and ECCTA 2023 s. 199, evidenced training, risk assessment refresh cycle, escalation routes. |
Drawn from Workforce Assured engagements across Balfour Beatty, GRAHAM, P.J. Carey, John Sisk & Son, Skanska, Kier, Lendlease, Multiplex, and Sizewell C — patterns recurring with material frequency:
Tax-status interrogation is delegated to the supplier's own attestation. There is no independent verification of payroll model, umbrella relationships, or sub-tier population.
Principal contractors typically have visibility of their direct agency, partial visibility of the umbrella, and effectively none of the worker-level reality. The "should have known" test bites here.
Status determinations are produced at scale with insufficient role-by-role analysis — vulnerable to reasonable-care challenge under Chapter 10 ITEPA.
A static onboarding pack does not refresh against material change at the supplier — phoenixing, ownership change, payroll-model switch.
CFA-aligned policies are commonly drafted, but training, risk assessment refresh, and live escalation are absent. This is the single most common defence failure.
Sector-wide breach incidents in Q1 2026 evidenced indemnity exposure under standard MSA clauses where data flows through the chain were never documented.
A written findings report addressed to Mace's Office of Tax, Compliance & Procurement, comprising:
Three pathways are offered. They are not mutually exclusive — a typical engagement combines Option A across the supplier population with Option B for a critical-tier subset.
A ten-week structured engagement covering Stages 1 and 2 (risk assessment FOC; procurement review costed). Stage 3 mobilisation runs from Week 9 where elected. Step through each week below — or use the arrow keys.
Mandate confirmation, NDA execution, kick-off workshop with Mace Office of Tax, Compliance & Procurement. Stakeholder mapping and engagement-charter sign-off within five working days.
Stage 1 — the Risk Assessment — is offered free of charge and can be delivered within four weeks of Mace's instruction. It will give the Office of Tax, Compliance & Procurement a defensible baseline before the next reporting cycle, and a clear basis on which to scope Stage 2 and elect Stage 3.
We propose an introductory call within the next ten working days to confirm scope, agree the Mace-side single point of contact, and book the kick-off workshop.