Labour supply chain assurance has moved from a useful operating practice to a single line of evidence that two UK regulatory regimes now ask for together. From April 2026, the Joint and Several Liability regime under ITEPA Chapter 11 puts end-hirers and recruitment agencies on the same line as the umbrella for unpaid PAYE and NICs. In parallel, the Bank of England, PRA and FCA’s third-party oversight policy statements PS16/24 and PS7/26 raise the bar on how UK financial services firms evidence what their material and critical third parties are actually doing.
Read together, both regimes ask one question of the financial services end-hirer: Can you evidence, at any moment, who supplies labour into your business, on what terms, against which controls, with what assurance pattern. The OPRaaS Virtual Compliance Director (OPRaaS VCD) sits exactly on that question, because labour supply chain assurance is the single operating layer that produces evidence usable for both an FCA third-party file and an HMRC JSL enquiry.
What labour supply chain assurance means in practice for financial services end-hirers
Labour supply chain assurance, as OPRaaS practises it, is a continuously refreshed evidence record across every tier of the contingent-labour estate. It maps the contracted parties, the umbrellas and PEOs they introduce, the worker groupings underneath, the controls that should be in place at each tier, and the actual evidence that those controls are working. The output is not a periodic report. It is a live file that is ready for inspection on any working day.
For a UK bank, insurer or asset manager, this evidence file does double duty. It is what HMRC will ask for if a Joint and Several Liability question arises around an umbrella in the PSL. It is also the labour-related portion of the third-party file that the firm’s operational resilience function maintains under the FCA, PRA and Bank of England’s expectations.
The Bank of England, PRA and FCA third-party regime, in plain terms
The starting point is the joint policy statement PS16/24 Operational resilience: Critical third parties to the UK financial sector, published by the Bank of England, PRA and FCA in November 2024. PS16/24 introduces a dedicated regime for third parties designated as critical to the UK financial sector. It complements, rather than replaces, each firm’s own responsibility for resilience and third-party risk management.
The newer March 2026 policy statement PS7/26 Operational resilience: Operational incident and third-party reporting tightens the operational incident reporting expectations and adds a separate requirement to maintain, and on request submit, a register of material third-party arrangements. The reporting timeline is short. The detail required is granular. The lifecycle covered is from onboarding through to exit. Background to the regime is in the Bank of England’s November 2023 joint announcement with the PRA and the FCA.
What this means in practice for a financial services end-hirer is that the third-party file is no longer a procurement artefact. It is a live regulatory record. It must show due diligence at onboarding, the controls in place during the life of the arrangement, the assurance pattern that surfaces issues, the operational incidents that have been reported and how, and a defensible exit path.
How April 2026 JSL changes the labour supply chain ask at the same moment
Joint and Several Liability under ITEPA Chapter 11 lands on the end-hirer and the recruitment agency the moment an umbrella in their supply chain underpays PAYE or NICs from 6 April 2026. There is no statutory defence after the fact. The defence is in the evidence held before the underpayment, which has to show that the labour supply chain was mapped, that umbrellas were assessed against UK law tests rather than accreditation alone, that payslips and payroll evidence were sampled, and that any issue surfaced led to a documented remedial action.
For a financial services firm, this is the same evidence pattern PS16/24 and PS7/26 expect on the wider third-party side. The end-hirer’s procurement team and the firm’s operational resilience team are looking at the same file from two different doors.
Where the OPRaaS Virtual Compliance Director fits as a single answer to both
OPRaaS, On-Pay-Roll-as-a-Service, is a systemised governance and workforce management partner for organisations that rely on temporary, contractor and contingent labour. Through OPRaaS’s Virtual Compliance Director solutions we embed senior governance leadership into your business without the cost of a full-time director, building audit-ready controls across JSL, IR35, CIS, GLAA, modern slavery and HMRC labour supply chain expectations.
The OPRaaS VCD platform is accessed 24/7 and runs the OPRaaS LSCA 2.0 methodology across our Map, Train, Audit and Evidence framework. Output is a continuously refreshed evidence file rather than a periodic report. That is the file an FCA examiner and an HMRC officer will both ask for, and it is the file that a board paper draws on when the question is whether a labour line of the cost base is under control.
Five outcomes a financial services end-hirer should expect this year from OPRaaS LSCA 2.0:
- A mapped labour supply chain. Every agency, sub-agency, PEO, umbrella and worker grouping recorded with the controls expected at each tier, ready to surface inside the firm’s third-party register under PS7/26.
- An umbrella PSL assessed under UK law tests. Control, personal service, mutuality, financial risk and integration, supported by payslip and remittance sampling rather than reliance on accreditation alone.
- A retained governance function. The OPRaaS Virtual Compliance Director as a named, retained capability for end-hirers, recruitment agencies, umbrella companies and managed service providers (MSPs).
- An audit-ready evidence pack. Continuously refreshed evidence usable inside an FCA third-party file, an HMRC JSL enquiry or a public-sector framework audit.
- A defensible exit path. A documented remediation and supplier-exit pattern that satisfies both the FCA’s exit-strategy expectation and HMRC’s interest in remedial action when an umbrella underpays.
What this means for the next twelve months for financial services end-hirers
The phrase that fits this moment is consolidation, not duplication. Banks, insurers and asset managers, and the recruitment agencies serving them, will spend 2026 reconciling third-party files, labour supply chain files and procurement files that have historically lived in different places. The end state is one evidence record across labour and non-labour third parties, refreshed continuously, owned at board level.
Compliance is your asset. Evidenced, every day. The asset is the evidence file, and across 2026 the file an FCA examiner and an HMRC officer ask for is the same file.
OPRaaS Limited (On-Pay-Roll-as-a-Service) is approved on the UK Government Commercial Agency (formerly Crown Commercial Service) frameworks including RM6310 Audit & Assurance Services (Lots 2 & 4), RM6219 Learning & Training Services DPS and RM6237 Learning & Training Services DPS. Your next step, as both regimes settle in, is a thirty-minute scoping call to see how the OPRaaS VCD platform consolidates labour supply chain assurance into one operating layer that serves both the FCA file and the JSL file.
Compliance is your asset. Evidenced, every day.
Drawing on the Bank of England, PRA and FCA policy statements PS16/24 (November 2024) and PS7/26 (March 2026) on operational resilience, critical third parties and third-party reporting, alongside the April 2026 Joint and Several Liability regime under ITEPA Chapter 11.
Talk to OPRaaS about your supply chain.
Use the contact form in the sidebar, or email info@opraas.co.uk.
This article is provided for informational purposes only and is not intended as legal, tax, employment, accounting or regulatory advice. Compliance obligations vary by organisation, sector and supply chain. Readers should seek their own professional advice before acting on any of the points raised. Images are illustrative only. Third-party trademarks and brand names remain the property of their respective owners. Errors can occur; if you spot one, please report it to info@opraas.co.uk.