
Manual Right to Work Checks Are Not Safe. They Are Just Unchallenged.
There is a version of compliance that looks exactly like the real thing from the outside. The file exists. The photocopy is in it. Someone initialled the bottom. The date is recorded. Everything appears to be in order.
And then an inspector arrives, or a civil penalty notice lands on a director's desk, and the organisation discovers that appearing to be in order and actually being in order are two entirely different things.
Manual right to work checks are the single most common source of that gap. Not because people are careless. Because nobody told them the rules had changed, the landscape had shifted, and what passed for a solid process three years ago no longer holds up in 2026.
The myth, stated plainly
Here is what a significant number of UK employers currently believe: manual right to work checks are a legitimate, broadly applicable, equally safe alternative to digital or online verification. They have always done it this way. Nobody has ever questioned it. Therefore it must be fine.
That is the myth. And it is one worth dismantling carefully, because the consequences of leaving it intact are serious.
Manual checks have not been abolished. There are specific, defined circumstances in which they remain the correct prescribed method, and I will come to those. But the idea that they are a safe default choice for a modern UK workforce, that they provide the same protection as the prescribed digital and online routes, and that an employer running them broadly across most of their hires has a sound compliance position, is not accurate. It has simply not been tested yet for most of the organisations still doing it.
What changed, and when
The right to work checking framework has shifted fundamentally over the past three years, and the changes stack on top of each other in a way that has left many employers in a position they do not know they are in.
From January 2026, physical Biometric Residence Permits are legacy documents. Non-British and non-Irish workers can no longer use a physical BRP card to prove their right to work. The correct route is a share code, generated by the individual through the Home Office online service, checked by the employer at the official GOV.UK service. If your team accepted a physical BRP card for any hire after that date, the statutory excuse on that hire does not exist. We covered the full detail of the BRP phase-out and what it means for employers in this post, which is worth reading if you have not already.
For EU nationals with settled or pre-settled status under the EU Settlement Scheme, the position has been clear for some time. The correct method is the online share code check. A manual inspection of a European passport for someone whose immigration status is held digitally provides no statutory excuse. None. The document may be genuine, the person may have every right to work, and the check still counts for nothing in law because the wrong method was used.
For British and Irish citizens, where manual checks remain technically permissible, the risk profile in 2026 is so fundamentally different to what it was even two years ago that choosing a manual check over a certified digital verification route is a decision that needs deliberate justification, not habit.
Our detailed comparison of manual versus digital identity checks in employment screening sets out the practical differences clearly if you want to look at the two approaches side by side.
The document fraud problem that changes everything
This is the conversation most employers are not having, and it is the one that matters most.
AI-generated document fraud is not an emerging threat on the horizon. It is active, it is widespread, and it is specifically designed to exploit the gap between what a human eye can detect in a manual check and what is actually being presented.
Research published this year demonstrated that a convincing digital replica of a genuine British passport can be produced in under five minutes using generative AI tools that are freely and publicly accessible. Not by an organised criminal network. Not by a specialist with technical skills and expensive equipment. By anyone who decides to do it.
The result does not look like a forgery. It looks like a passport. The photograph is of the person handing it to your team member because the person creating the forgery put their photograph in it. The machine-readable zone appears correct. The security features appear to be present. What it does not have is the depth, the embedded data and the cryptographic integrity of a genuine document, but none of that is visible to the human eye during a manual check.
A certified digital verification service, by contrast, analyses the document at a level that goes entirely beyond visual inspection. It interrogates metadata, cross-references data points, checks for manipulation at a pixel level, and produces a verifiable audit trail. That is not a marginal improvement on a manual check. It is a categorically different level of protection.
We wrote about the wider AI document fraud landscape and what it means for employment screening in this post. The picture it paints is not comfortable reading, but it is the reality your process needs to be built around.
Where the statutory excuse actually sits
Let me be precise about this, because it matters more than anything else in this piece.
The statutory excuse is your legal protection. It is the defence that stands between your organisation and a civil penalty of up to £60,000 per worker found to be working without the right to do so. You earn it by following the prescribed process correctly for that individual's specific nationality and immigration status. You lose it the moment you use the wrong method, even if the document you examined was entirely genuine, even if the person in front of you had every right to work, and even if you acted in complete good faith.
The Home Office does not assess your intentions. It assesses your method. And if the method was wrong for that individual's circumstances, the excuse does not exist.
This is where the comfortable assumption of "we've always done it this way and nothing has ever gone wrong" becomes genuinely dangerous. Nothing going wrong is not evidence that the process is sound. It is evidence that the process has not been scrutinised yet. Those are not the same thing, and every employer that is the target of a Home Office inspection is about to discover that distinction the hard way. Our post on civil penalties and how they happen to employers who believed they were compliant is the clearest explanation of exactly this pattern that we have written.
Where manual checks still belong
To be clear about what I am and am not saying.
Manual checks remain the correct and required route in specific circumstances. Where a British or Irish citizen does not hold a valid current passport or passport card, a certified digital verification check is not available to them, and a manual check of original acceptable documents from the Home Office Lists is the prescribed method. Where the Employer Checking Service is involved, the process follows a different route entirely. And no employer is permitted to treat individuals less favourably because they cannot or do not wish to use a digital check.
These are real and important circumstances. The point is that they are defined and specific, not a broad permission for organisations to run manual checks as their default process across a mixed UK workforce in 2026.
And even within those specific circumstances, the standard required is not a quick visual inspection. It is a thorough examination of original documents, in person or via live video link, with a signed and dated copy retained in the correct format, held for the duration of employment and two years beyond. If your process falls short of that standard in any of those elements, the check does not give you what you think it gives you.
The audit question
Here is what I would ask any HR Director, Compliance Manager or Business Owner reading this.
If you audited your right to work files for the last twelve months today, could you confirm with complete confidence that every check used the correct prescribed method for that individual's specific nationality and immigration status? That no EU national was checked via a manual passport inspection when a share code was the required route? That no BRP card was accepted after January 2026? That every manual check carried out on a British or Irish citizen was documented to the standard the Home Office guidance actually requires?
If the honest answer is not a clear yes, the process has gaps. And the time to find those gaps is before an inspection finds them for you.
Our post on where right to work processes typically break down is a useful place to start if you want to work through that audit yourself.
The organisations that will face penalties in the next twelve months are not, for the most part, organisations that ignored right to work compliance. They are organisations that believed their process was sound because it had always worked before. That is what unchallenged looks like. And unchallenged is not the same as safe.
Working with Vetting Hub
Vetting Hub is a subscription-based consultancy and specialist training platform founded by Graham and Vivianne Johnson. We spent twenty years running National Vetting Solutions, processing hundreds of thousands of vetting files across security, healthcare, financial services and government. We built Vetting Hub because the knowledge that protects organisations from exactly this kind of exposure should not be locked inside a specialist firm. It should be directly available to the people who need it.
A Vetting Hub subscription gives your organisation the knowledge to understand right to work and employment screening compliance in full, the tools to implement that knowledge through practical frameworks, templates and decision guides, and direct access to Graham and me whenever a specific question needs an experienced answer. It is an ongoing relationship, not a one-off course, because the regulatory landscape that shapes your compliance obligations does not stand still.
If you would like to understand what that looks like for your organisation, or if you have an immediate compliance question that needs a straight answer from someone who has been doing this work for two decades, you can find out more at www.vettinghub.co.uk
