Warning HMRC has powers to penalise contractors who make or receive payments connected to fraud. You can be held liable even if you did not directly commit fraud, but "knew or should have known" about it.

Organised criminal groups use the Construction Industry Scheme to extract tax that is never paid to HMRC. They create false supply chains, issue fake invoices, and disappear before HMRC can collect the tax. If your business is part of a fraudulent supply chain, you could face serious consequences.

This guide explains what these rules mean for your business and the practical steps you can take to protect yourself.

Under the Finance Act 2004 (as amended), HMRC has powers to tackle CIS fraud. If you make or receive a payment that you knew or should have known was connected to fraudulent tax evasion, HMRC can:

Cancel your Gross Payment Status immediately
Make you liable for the total unpaid tax in the supply chain
Charge you a penalty of 30% of the lost tax
Extend penalties to directors and other connected persons

These powers apply to both payments you make to subcontractors AND payments you receive from contractors above you in the chain.

CIS supply chain fraud penalties from April 2026

Penalties for contractors who knew or should have known about supply chain fraud, including 30% tax penalty, GPS cancellation, and joint liability for unpaid tax.

From 6 April 2026, HMRC has strengthened powers to tackle CIS supply chain fraud. If a business makes or receives a payment that it knew or should have known was connected to fraudulent evasion of tax, HMRC can take immediate action against the business, its directors, and other connected persons.

These measures target organised criminal groups (OCGs) who use contrived supply chains and false invoices to pass payments through multiple layers of subcontractors, extracting tax deductions and VAT that is never paid to HMRC.

Tax liability penalty: 30% of the lost tax
Who can be penalised: Business, directors, and other persons connected with the business
GPS cancellation: Immediate cancellation where HMRC believes business knew or should have known of fraud
GPS disqualification period: Minimum 5 years from date of cancellation
Unpaid tax recovery: Business can be made liable for total unpaid tax in the fraudulent supply chain
Effective date: 6 April 2026
Applies to payments: Both payments made and payments received connected to fraud

The "knew or should have known" test

HMRC will consider all circumstances relating to specific transactions to establish whether a business knew or should have known that payments were connected to fraud. This includes:

What due diligence checks were carried out
Whether those checks were suitable and designed to address identified risks
Whether warning signs were present that should have prompted further investigation
The business's knowledge of the industry and typical fraud patterns
Steps taken when concerns were identified

Joint and several liability

Under these new powers, HMRC can pursue the lost tax from any business in the supply chain that should have known about the fraud. This creates joint and several liability, meaning a legitimate contractor at the top of a chain can be held responsible for unpaid CIS deductions and VAT further down the chain.

Tackling Construction Industry Scheme fraud

The "knew or should have known" test

HMRC will assess whether you knew or should have known about fraud by examining your due diligence processes. They will consider:

What checks did you carry out before engaging each subcontractor?
Were those checks appropriate for the level of risk?
Were warning signs present that should have prompted further investigation?
What did you do when concerns arose?
Did you document your checks and decisions?

Due diligence is not optional. If you cannot show you took reasonable steps to check your supply chain, HMRC may conclude you "should have known" about fraud, even if you had no actual knowledge.

Who is most at risk

While all CIS contractors should implement due diligence, some situations carry higher risk:

Long supply chains - Multiple layers of subcontracting create more opportunities for fraud
Labour-only arrangements - Contracts with no materials element are commonly used in fraud schemes
New subcontractor relationships - You have less history to assess legitimacy
Unusually low prices - If rates are significantly below market, question how the subcontractor can afford it
Umbrella company structures - Complex employment structures can mask fraud
High-turnover subcontractors - Different companies providing the same workers week after week

Due diligence requirements

HMRC does not prescribe exactly what checks you must carry out. Instead, your due diligence must be proportionate to the risk. Higher-risk situations require more thorough checking.

The following checks form the foundation of a robust due diligence process:

CIS supply chain due diligence requirements

Due diligence steps contractors must take to demonstrate they did not know and could not have known about supply chain fraud, protecting against HMRC penalties.

To protect against the "knew or should have known" test, contractors must implement robust due diligence procedures for their subcontractor supply chains. HMRC does not specify exactly what checks businesses must undertake, but will assess whether the checks carried out were suitable and designed to address identified risks.

Due diligence must be proportionate to risk - higher-risk supply chains (long chains, labour-only arrangements, new relationships) require more thorough checking.

Subcontractor verification: Verify CIS registration and UTR number with HMRC before first payment
VAT registration check: Verify VAT registration on HMRC VAT checker for VAT-registered subcontractors
Companies House check: Verify company is active and directors match those you are dealing with
Bank account matching: Ensure bank account details match the registered business name
Physical verification: Visit business premises and verify workforce exists and operates as described
Supply chain mapping: Know your full supply chain, especially beyond immediate subcontractors
Ongoing monitoring: Repeat checks periodically, not just at onboarding
Record keeping: Document all due diligence checks and retain records for at least 6 years

Key due diligence steps

Before engaging a new subcontractor:

Verify CIS registration with HMRC using their verification service
Check the subcontractor's UTR is valid and matches the business name
Confirm VAT registration status if they charge VAT
Search Companies House for company status, filing history, and directors
Verify business address is genuine (not a virtual office or residential property presenting as commercial)
Request and verify trade references from other contractors
Check insurance certificates (Employers' Liability, Public Liability)
Review their website and online presence for legitimacy

During the relationship:

Monitor for warning signs on every invoice and payment
Question unusual payment patterns or requests
Re-verify CIS status periodically (at least annually)
Investigate if subcontractor's workforce appears different from contract
Maintain clear audit trail of all payments and the work they relate to

For longer supply chains:

Map your complete supply chain beyond immediate subcontractors
Request Key Information Documents (KIDs) from labour providers
Ask direct questions about how labour is sourced and paid
Consider using GLAA-licensed labour providers for licensed sectors
Be especially cautious with umbrella company arrangements

Supply chain due diligence principles

Help with labour supply chain assurance (GfC12)

Step-by-step due diligence process

Follow this process for every new subcontractor, and repeat key checks periodically for existing relationships.

Step 1: Verify identity and registration

Before making any payment, confirm the subcontractor exists and is properly registered:

Request documentation - Ask for the subcontractor's UTR, National Insurance number (sole traders) or Company Registration Number (companies), and VAT registration number if applicable
Verify CIS registration - Use the CIS online service to verify the subcontractor with HMRC. Record the verification number and deduction rate
Check VAT registration - If the subcontractor charges VAT, verify their VAT number using HMRC's online VAT checker
Search Companies House - For limited companies, check: company is active, directors match people you are dealing with, registered address is genuine, filing history is up to date

Step 2: Verify physical presence

Fraud schemes often use "shell" companies with no real business operations:

Visit the business premises - Is there a genuine office or yard? Are workers present?
Check the registered address - Virtual offices or mail forwarding addresses are a warning sign
Verify the workforce exists - If they are providing labour, where do the workers come from?
Request references - Ask for contact details of other contractors they have worked for

Step 3: Understand the supply chain

Know who you are really dealing with:

Map your supply chain - Who does your subcontractor use? Are there further layers of subcontracting?
Ask direct questions - How do they source and pay their labour? Are workers employed directly or through intermediaries?
Request Key Information Documents - If using labour providers, ask for KIDs showing worker terms
Consider GLAA licensing - For gangmaster-regulated sectors, verify GLAA licence status

Step 4: Ongoing monitoring

Due diligence is not a one-time exercise. Monitor throughout the relationship:

Review every invoice - Does the work described match what was done? Are amounts reasonable?
Question unusual patterns - Sudden changes in pricing, payment requests to different accounts, or round-number invoices
Re-verify periodically - At least annually, re-run CIS verification and Companies House checks
Investigate concerns immediately - If something seems wrong, pause payments until resolved

Warning signs of fraud

HMRC has identified common patterns in CIS supply chain fraud. If you encounter these warning signs, investigate further before making or accepting payments.

CIS fraud warning signs

Red flags indicating potential CIS supply chain fraud, including missing UTRs, circular payment patterns, phoenix company indicators, and labour-only invoice anomalies.

HMRC has identified common patterns in CIS supply chain fraud. Contractors who ignore these warning signs may fail the "knew or should have known" test. If you identify these red flags, investigate further before making or receiving payments.

The presence of warning signs does not mean fraud is occurring, but requires additional scrutiny and documentation of your investigation.

Missing or invalid UTR: Subcontractor cannot provide UTR or HMRC cannot verify it
Unregistered status: Subcontractor refuses to register for CIS despite regular construction work
Mismatched details: Bank account name does not match business name or individual
No physical presence: Registered address is virtual office, mail forwarding, or cannot be verified
Newly incorporated: Company formed recently with no trading history but claims significant turnover
Labour-only with no substance: Invoices for labour only with no evidence of actual workforce
Phoenix patterns: Directors have multiple dissolved companies with same business pattern
Circular payments: Payments appear to loop back through related entities
Unusual margins: Prices significantly below market rate suggesting tax not being paid
Multiple UTRs: Individual appears to have multiple CIS registrations under different names

Identity and registration red flags

Subcontractor is reluctant to provide UTR or National Insurance number
HMRC verification shows "unverified" or "not matched" status
VAT registration cannot be confirmed through HMRC VAT checker
Company director names do not match individuals you are dealing with
Business contact details change frequently without explanation
Subcontractor requests payments to different bank accounts or third parties

Payment and invoicing red flags

Labour-only invoices with no workforce evidence - Claims for labour but you never see workers on site
Round number invoices - Invoices for exact amounts like "10,000" with no breakdown
No materials component - Every invoice is 100% labour when work clearly requires materials
Circular payment flows - Money appears to return to the payer through intermediaries
Pressure for quick payment - Urgent requests to pay before normal verification
Cash payment requests - Requests for cash rather than bank transfers
Discounted rates - Prices significantly below market rate (could indicate tax not being paid)

Phoenix company indicators

Directors have previously been involved with companies that were dissolved with unpaid tax
Company is dissolved and replaced with similar company, same people, different name
Pattern of companies lasting 12-18 months then disappearing
History of Companies House late filing or strike-off notices
Company address is shared with many other companies (possible fraud networks)

Supply chain structure red flags

Long supply chains - Multiple layers of subcontracting for simple work
Opaque structures - Difficulty identifying who actually employs the workers
Umbrella company proliferation - Workers split across many small umbrella companies
Mini umbrella company patterns - High volume of small companies claiming Employment Allowance
Offshore elements - Payments routed through non-UK entities for UK work
Rapid subcontractor turnover - Different companies providing same labour week to week

What to do if you identify warning signs

Document everything - Record what you found and when
Investigate further - Ask questions and request additional evidence
Do not make payment - Pause until concerns are resolved
Seek professional advice - Consult your accountant or solicitor
Consider reporting - Report suspected fraud to HMRC
Terminate relationship - If concerns cannot be resolved, end the arrangement

If you proceed despite warning signs without adequate investigation, HMRC may determine you "should have known" about fraud and hold you liable for penalties and unpaid tax.

Check for signs of payroll company fraud

Mini umbrella company fraud

Report tax fraud or avoidance to HMRC

Documenting your due diligence

Your records are evidence that you took reasonable steps to check your supply chain. If HMRC investigates, documented due diligence can demonstrate you did not "know or should have known" about fraud.

What to record

For each subcontractor, maintain a due diligence file containing:

Identity verification - Copies of documents provided (UTR, VAT certificate, insurance certificates)
HMRC verification results - Verification number, date, and deduction rate confirmed
Companies House search - Screenshot or printout showing company status and directors
VAT verification - Result from HMRC VAT checker
Bank account details - Confirmation that account matches business name
Physical verification notes - Record of any site visits or premises checks
References - Contact details of referees and notes from conversations
Ongoing monitoring notes - Record of any concerns and how they were resolved
Decision records - If you identified a warning sign, record what you investigated and why you proceeded (or did not proceed)

How long to keep records

Retain due diligence records for at least 6 years from the date of the last payment to that subcontractor. HMRC can investigate historical payments, so having records protects you even after the relationship ends.

Format of records

Records can be paper or electronic. If electronic, ensure they are backed up and you can produce them if requested. Consider using a consistent folder structure and checklist template for each subcontractor.

What to do if you identify concerns

Do not make or accept the payment - Pause until you have investigated
Document what you found - Record the concern, when you identified it, and what it relates to
Ask questions - Request explanation and additional evidence from the subcontractor
Seek professional advice - Consult your accountant or solicitor before proceeding
Consider reporting - If you suspect fraud, report to HMRC through their fraud hotline
Terminate if concerns remain - If you cannot satisfy yourself that the arrangement is legitimate, end the relationship

Proceeding despite unresolved concerns is dangerous. If fraud is later discovered, HMRC will question why you continued to deal with the subcontractor despite warning signs.

Building due diligence into your processes

Before engaging any new subcontractor

Make due diligence part of your standard onboarding process:

Create a checklist of required checks and documents
Assign responsibility for completing checks before first payment
Use a standard subcontractor application form requesting all necessary information
Do not add subcontractors to your payment system until checks are complete

For existing subcontractors

Review your current supply chain against the due diligence requirements:

Identify subcontractors you have not fully checked
Prioritise higher-risk relationships (long chains, labour-only, new)
Complete retrospective checks as soon as possible
Set calendar reminders for annual re-verification

Training your team

If multiple people in your business deal with subcontractors:

Ensure everyone understands the warning signs of fraud
Create clear escalation procedures for concerns
Make it clear that reporting concerns is expected and protected
Review due diligence practices regularly

CONSTRUCTION & PROPERTY Requirement

The construction industry is particularly targeted by organised fraud due to:

Complex supply chains with multiple tiers of subcontracting
High-value contracts with significant labour components
Cash-intensive operations in some segments
Transient workforce making verification harder

HMRC's CIS fraud powers are specifically designed for construction. Main contractors are increasingly requiring enhanced due diligence from their supply chain as a contractual requirement.

Summary: Your due diligence checklist

Use this checklist for every new subcontractor and review periodically for existing relationships:

Verify CIS registration with HMRC

Use the CIS online service to verify the subcontractor. Record the verification number and deduction rate. Re-verify if no payments for over 2 tax years.
Check VAT registration if applicable

If the subcontractor charges VAT, verify their VAT number using HMRC's online checker. Mismatched or invalid VAT numbers are a warning sign.
Search Companies House for limited companies

Confirm the company is active, directors match your contacts, the registered address is genuine, and filing history is up to date.
Verify bank account matches business name

Ensure the bank account you are paying matches the registered business name. Payment requests to different accounts or third parties are a red flag.
Check physical presence

For significant relationships, visit the business premises. Is there a genuine office or yard? Does the workforce exist as described?
Request and check references

Ask for details of other contractors they have worked for. Contact references to verify the relationship.
Map your supply chain

Understand who your subcontractor uses. Are there multiple layers? How is labour sourced and paid?
Document everything

Maintain a due diligence file for each subcontractor. Record all checks, results, and any concerns investigated.
Monitor ongoing relationships

Review invoices for unusual patterns. Re-verify at least annually. Investigate any concerns immediately.
Act on warning signs

If you identify red flags, pause payments and investigate. Document your investigation. Seek professional advice if needed.

What happens if you are investigated

If HMRC suspects you were involved in a fraudulent supply chain, they will examine your due diligence processes. Having documented evidence of thorough checks is your best defence.

HMRC will consider:

What checks did you actually carry out? (They will want evidence)
Were the checks proportionate to the risk?
Did you identify any warning signs?
If you identified concerns, what did you do about them?
Is there evidence you deliberately ignored red flags?

If HMRC concludes you "knew or should have known" about fraud, the consequences are severe: 30% penalties, potential GPS cancellation for 5 years, and liability for unpaid tax across the supply chain.

Getting help

If you are unsure whether your due diligence processes are adequate, or if you have concerns about your current supply chain:

Talk to your accountant - They can review your processes and suggest improvements
Consult a solicitor - For complex situations or if you suspect fraud in your supply chain
Contact your trade association - Many provide guidance and templates for supply chain due diligence
Report suspected fraud to HMRC - Reporting known fraud protects you and the industry

Related guides

Register as a CIS contractor - Setting up as a contractor and understanding your obligations
Verify a subcontractor's CIS status - How to verify subcontractors with HMRC
Submit your CIS monthly return - Filing requirements and deadlines
Apply for Gross Payment Status - How to get GPS and the compliance tests you must pass
Warning signs of CIS fraud in your supply chain - Detailed guide to red flags

Business Context Testing

Content Graph

Guvnor

Protecting your business from CIS supply chain fraud

The "knew or should have known" test

Who is most at risk

Due diligence requirements

Step-by-step due diligence process

Step 1: Verify identity and registration

Step 2: Verify physical presence

Step 3: Understand the supply chain

Step 4: Ongoing monitoring

Warning signs of fraud

Documenting your due diligence

What to record

How long to keep records

Format of records

What to do if you identify concerns

Building due diligence into your processes

Before engaging any new subcontractor

For existing subcontractors

Training your team

Construction sector specific requirements

Summary: Your due diligence checklist

Verify CIS registration with HMRC

Check VAT registration if applicable

Search Companies House for limited companies

Verify bank account matches business name

Check physical presence

Request and check references

Map your supply chain

Document everything

Monitor ongoing relationships

Act on warning signs

What happens if you are investigated

Getting help

Related guides

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

The "knew or should have known" test

Who is most at risk

Due diligence requirements

Step-by-step due diligence process

Step 1: Verify identity and registration

Step 2: Verify physical presence

Step 3: Understand the supply chain

Step 4: Ongoing monitoring

Warning signs of fraud

Documenting your due diligence

What to record

How long to keep records

Format of records

What to do if you identify concerns

Building due diligence into your processes

Before engaging any new subcontractor

For existing subcontractors

Training your team

Construction sector specific requirements

Summary: Your due diligence checklist

Verify CIS registration with HMRC

Check VAT registration if applicable

Search Companies House for limited companies

Verify bank account matches business name

Check physical presence

Request and check references

Map your supply chain

Document everything

Monitor ongoing relationships

Act on warning signs

What happens if you are investigated

Getting help

Related guides

Related guides in General Compliance

Business Context Testing

Content Graph