A civil penalty notice is rarely just an HR problem
A civil penalty notice for illegal working is not an administrative inconvenience. It is a serious compliance event with immediate financial exposure, reputational sensitivity, and wider commercial implications for the business. The Home Office can impose a civil penalty if up to £60,000 per illegal worker, and where it considers that an employer knew, or had reasonable cause to believe, that a person did not have the right to work, criminal liability may also arise. The official guidance also confirms that an employer served with a civil penalty notice has 28 days to respond.
For many businesses, the most dangerous misconception is that this is simply an HR issue. It is not. A civil penalty notice can affect sponsor compliance, licensing, lender and investor confidence, procurement, insurance, governance and the wider perception of the business in the market. Home Office reporting shows that during 2025, 2,438 civil penalties were issued to employers, representing more than £130 million in exposure.
The businesses most exposed are rarely those acting with overt bad faith. More often, the problem is inconsistency of process. A manager relied on the wrong document. A follow up check was not diarised. A share code was not verified properly. A screenshot was stored instead of the prescribed evidence. A third-party recruiter was assumed to have dealt with the issue. It is precisely in these routine operational failures that exposure arises.
The real legal question: can the employer prove a statutory excuse
The central legal concept is not whether the business asked to see a passport. It is whether the employer established a statutory excuse. The Home Office employer guidance states that statutory excuse is the employer’s protection against liability for a civil penalty, but only where the prescribed form of right to work check was carried out correctly before employment begins and the evidence was retained in the required manner.
That protection only arises where the employer has followed one of the permitted routes properly, namely a manual check, an online check, or in limited eligible cases a digital verification service check. The guidance further requires employers to retain evidence securely for the duration of employment and for 2 years afterwards, and to be able to produce it if requested. It also makes clear that the employer remains responsible for compliance event where others are involved in recruitment or onboarding.
That is why many employers are caught off guard. They believe that some form of checking took place. The Home Office’s position is often that what occurred was not the prescribed check, was carried out too late, or was not evidenced sufficiently to create a statutory excuse.
What the notice means and why timing matters
A civil penalty notice is not usually the first sign of difficulty, but it is the point at which the Home Office has crystallised its position. In many cases, an employer first receives a referral notice indicating that liability is under consideration. If the Home Office concludes that illegal working occurred and that the employer cannot rely on a statutory excuse, a civil penalty notice may follow. The guidance states that the employer then has 28 days to respond.
That 28 day period is not merely administrative. It is the window in which the business must establish what happened, preserve evidence, analyse whether a statutory excuse can genuinely be demonstrated, assess whether an objection is viable and manage wider risk across the organisation. The Code of Practice also explains that the civil penalty regime sits alongside mitigation concepts such as active cooperation and provides for faster payment arrangements in some circumstances. Passive delay is therefore dangerous. The first response often determines the quality of the evidential record that exists thereafter and can materially affect both the penalty position and the business’s wider compliance narrative.
Where employers most often go wrong
The most common failures are technical rather than dramatic. Employers often conduct the check after employment has already started, rely on copies sent casually by email or messaging apps, fail to record the date of the check, miss repeat checks for time limited permission, or assume that a recruiter or adviser has completed the necessary process. The Home Office guidance is explicit that the employer must be able to prove that the correct prescribed check was carried out in the correct way.
A further recurring weakness concerns digital status. The Home Office guidance confirms that for many individuals the correct process is now digital and must be undertaken through the official online service. Informal screenshots or unsupported assertions from the worker are not a substitute for the prescribed online check.
This matters more, not less, in the current eVisa environment. Employers that have not updated internal processes to reflect the digital framework are increasingly exposed, even if their older paper-based habits once appeared sufficient.
The first 72 hours after receipt
When a civil penalty notice arrives, the business should respond with discipline rather than alarm. One senior person should coordinate the response, and evidence should be centralised immediately. Site level managers should not be allowed to improvise explanations or reconstruct records informally. The matter should be treated as a controlled compliance issue from the outset.
The business should gather the recruitment file, onboarding records, right to work evidence retained at the time, online check records, share code records, notes identifying who carried out the checks, dated copies, repeat check diary records, agency correspondence, and internal communications relevant to the worker’s engagement and continued employment. The Home Office guidance is clear that the right evidence must not only exist but be capable of being produced.
A precise chronology should then be established showing when the individual was offered work, when they started, what right to work check was undertaken, by whom, what evidence was retained, whether the person held time limited permission and whether any repeat check should have been performed. This is the foundation of any serious legal analysis.
At the same time, the employer should assess whether the issue is isolated or systemic. A case where no compliant check occurred is very different from one where a compliant check may have occurred, but records are fragmented. A single error is also different from a wider control failure across multiple sites or teams. Those distinctions matter for objection strategy, mitigation, and future regulatory exposure.
The financial and reputational exposure
A civil penalty notice can have a far longer tail than many employers expect. The immediate issue may be the fine, but the wider consequences can extend to sponsor licence risk, licensing scrutiny, insurer questions, lender or investor concern, procurement sensitivity, and internal governance pressure.
The public record risk is also real. The Home Office states that employer details may be published by Immigration Enforcement, and the official quarterly illegal working penalties report identifies certain employers in accordance with the relevant publication criteria after objection and appeal stages have been exhausted.
In some sectors, particularly hospitality, retail and leisure, illegal working issues may also appear in wider public materials such as licensing records and committee papers, increasing discoverability beyond the Home Office regime itself. The consequence is that the issue is rarely confined to the penalty alone.
When the Home Office decision can be challenged
A civil penalty notice can be challenges, but not every case should be challenged in the same way. The official guidance states that the notice will explain how to object and what the employer must do within the applicable response window.
A serious objection is usually based on one or more of the following propositions: that the employer did establish a statutory excuse and can evidence it properly, that the Home Office misunderstood the worker’s immigration position or work conditions, that they employer has been misidentified, that the liability analysis is legally or factually flawed, or that substantial mitigation points and remedial steps should be put forward with precision.
What should be avoided is superficial objection based on general assertions of good faith. Good faith without documentary discipline is rarely enough. A strong response requires close analysis of the worker’s immigration status, the correct check route, the retained evidence, the work performed, the timing of employment commencement and the internal systems in place at the relevant time.
Why even sophisticated businesses get this wrong
Right to work compliance appears simple at headline level and exacting in execution. Most employers know they are meant to check a person’s right to work. Far fewer understand the operational significance of the prescribed route, the difference between outline and manual checks, the requirement for dated retention, the role of the Employer Checking Service, the limits of delegated checking and the need for follow up checks in time limited cases.
That is why otherwise capable businesses can still drift into non-compliance. The weakness is often not the policy on paper but the inconsistency of implementation. One office follows the process carefully. Another improvises. One manager store dated evidence properly. Another relies on a screenshot. One HR team diarises repeat checks. Another assumes the visa looked acceptable. Exposure emerges from these inconsistencies rather than from any single dramatic failure.
What a strong legal and compliance response looks like
A strong response is calm, technically accurate and commercially aware. It does not simply assert that the business takes compliance seriously. It proves what was done, when it was done, by whom, and why it satisfied the prescribed framework, or if it does not, what has been done immediately to remediate and prevent repetition.
It should demonstrate a clear understanding of the right to work architecture, identify whether a statutory excuse can genuinely be maintained, isolate whether the issue is individual or systemic and, where appropriate, present an objection or mitigation case that is legally coherent and evidence led.
It should also be paired with real internal remediation: a standardised right to work operating procedure, consistent digital storage of evidence, clear responsibility lines, manager training, and a repeat check diary for time limited permissions. Those measures will not erase past error, but they can materially reduce future exposure and improve the credibility of the employer’s position.
From enforcement issue to board level risk
By the time a civil penalty notice arrives, the issue is no longer simply recruitment compliance. It is risk management. Handled well, the notice can become the catalyst for building a more defensible and audit ready compliance structure. Handled poorly, it can become the start of repeat problems, wider enforcement vulnerability, and commercial damage.
The strongest businesses respond by doing 2 things at once. They defend the immediate position rigorously, and they strengthen the system that allowed the issue to arise. That is the point at which a discrete enforcement problem becomes a board level governance issue.
Frequently Asked Questions
How much can the Home Office fine an employer for illegal working?
The Home Office states that employers may face a civil penalty of up to £60,000 per illegal worker.
How long does an employer have to respond to a civil penalty notice?
The official guidance states that an employer has 28 days to respond once a civil penalty notice is issued.
What is a statutory excuse?
It is the employer’s legal protection against liability for a civil penalty, but only where the prescribed right to work check was carried out correctly before employment began and the evidence was retained properly.
Can a recruitment agency’s checks protect the employer automatically?
No. The Home Office guidance makes clear that the employer remains responsible for compliance, save within the limited permitted framework for digital verification services in eligible cases.
Can a business be named publicly?
Yes. The Home Office states that details may be published, and official quarterly reports identify certain employers in accordance with the relevant publication criteria.
Taking control of the risk
A civil penalty notice should not be treated as a routine HR issue or a penalty to be absorbed and forgotten. It requires immediate legal analysis; careful evidence review and a broader assessment of the business’s compliance architecture. The objective is not only to address the present notice, but to protect the business against wider regulatory, commercial, and reputational consequences while ensuring the same vulnerability does not arise again.
The right questions is not simply whether a penalty can be challenged. It is whether the business can demonstrate a statutory excuse, protect its wider commercial position and emerge with a stronger compliance infrastructure than it had before. That is the difference between reacting to enforcement and taking control of it.
