HMRC Can Now Fine You Personally 30% and Ban You as a Director for Your Subbies' CIS Mistakes
HMRC Can Now Fine You Personally 30% and Ban You as a Director for Your Subbies' CIS Mistakes
Since 6 April 2026, the Finance Act 2026 has given HMRC sweeping new powers to hold construction directors personally liable for Construction Industry Scheme (CIS) fraud in their supply chains — even when they didn't commit the fraud themselves. If HMRC decides you "knew or should have known" about CIS non-compliance by a subcontractor, you face a personal financial penalty of up to 30% of the tax loss, plus potential revocation of your Gross Payment Status (GPS) for five years. This guide explains exactly what changed, who is at risk, and how to protect yourself.
What Changed on 6 April 2026
The Finance Act 2026 — which received Royal Assent earlier this year — introduced two specific changes that directly affect construction directors and sole traders running subcontractor supply chains:
- Director personal liability for supply chain CIS fraud. HMRC can now issue a personal liability notice to a director (not just the company) where they determine the director "knew or should have known" that a subcontractor was committing CIS fraud. The personal penalty can be up to 30% of the total tax loss caused by the fraud.
- Gross Payment Status revocation for associated fraud. If your company benefits from GPS and a CIS fraud is traced to your supply chain, HMRC can revoke that GPS for up to five years. Losing GPS means 20% tax is deducted at source on all your construction payments — an immediate cash-flow hit that can cripple smaller contractors.
This is a dramatic escalation from the previous position, where CIS fraud liability generally stopped at the company that filed the incorrect returns. HMRC's stated rationale is that organised CIS fraud — estimated to cost the Treasury over £500 million per year — typically requires knowing participation from up the chain. The new powers are designed to break that chain by making the financial risk personal.
The "Knew or Should Have Known" Standard
The phrase "knew or should have known" is doing a lot of heavy lifting in this legislation, and it matters enormously how HMRC interprets it in practice.
"Knew" is straightforward — if you have evidence you were aware of a subcontractor operating fraudulently, HMRC will use it. That includes emails, WhatsApp messages, internal memos, and any record showing you were warned of issues.
"Should have known" is the dangerous one. This is an objective standard — it does not require proof you were told. HMRC's position is that a director exercising reasonable care would have discovered the fraud through normal due diligence. In practice, this means HMRC will ask:
- Did you verify the subcontractor's CIS registration before engaging them?
- Did you run HMRC verification checks before making payments?
- Were there red flags you ignored — for example, invoices from companies with no online presence, or subcontractors who couldn't provide verifiable UTR numbers?
- Did you apply the correct deduction rate (or zero rate for GPS holders) without checking the verification result?
- Did you maintain records showing you reviewed subcontractor compliance at least annually?
If the answer to several of these is "no" or "we didn't document it", HMRC has a reasonable basis for arguing you should have known. The absence of a due diligence process is itself evidence of negligence under this standard.
Gross Payment Status: What You Stand to Lose
For many contractors, GPS is the single most valuable administrative asset the business holds. With GPS, you receive construction payments gross — no 20% CIS deduction withheld. That means better cash flow, less chasing refunds from HMRC, and a competitive edge when bidding for work.
Under the Finance Act 2026, HMRC can revoke GPS for up to five years where:
- The GPS holder is involved in (or connected to) a CIS fraud — even as an unwitting beneficiary
- The holder "facilitated" the fraud through inadequate due diligence (the "should have known" test again)
- The holder is a director who received a personal liability notice for supply chain CIS fraud
A five-year GPS ban is not a slap on the wrist. For a company turning over £1 million in construction contracts, a 20% deduction on all payments represents £200,000 per year withheld — funds you can eventually reclaim through self-assessment, but cash you cannot use in the meantime. For many SME contractors, this level of cash-flow disruption causes business failure before the tax refund arrives.
GPS applications also take time. Even after the five-year ban ends, applying for reinstatement requires a clean 12-month compliance record, which means the effective exclusion period can stretch to six years or more.
Who Is Most at Risk
HMRC has been clear that its enforcement focus under the Finance Act 2026 is not the sole trader using one or two subbies. The investigations will target:
- Main contractors using large labour-only subcontractor networks — particularly those in residential new-build and commercial fit-out, where supply chains are long and verification gaps are common
- GPS holders who apply zero-rate deductions without running fresh verification checks — HMRC knows that many contractors verify once, assume GPS status is permanent, and never re-check
- Directors of companies that have been sold or restructured — HMRC can still pursue personal liability even after a company changes hands, if the fraud occurred on the director's watch
- Contractors who use intermediary labour providers or umbrella companies — where the actual employment status of workers is obscured and CIS obligations are unclear
If your business fits any of these profiles, you are a realistic target for an investigation triggered by a subcontractor further down your chain — a subcontractor you may never have met.
What Triggers an HMRC Investigation
HMRC does not need to audit your business directly to open a personal liability case. The most common triggers are:
- A subcontractor investigation that uncovers payments from your company. When HMRC investigates a fraudulent subcontractor, it follows the money upstream. Every contractor that made payments will be assessed for due diligence failures.
- CIS300 mismatches. If your monthly CIS return shows payments to a subcontractor whose UTR does not match HMRC records, the discrepancy flags automatically.
- Unexplained GPS use. If you deduct at 0% but the subcontractor does not hold valid GPS at the time of payment, HMRC treats the missing deduction as a debt — and will investigate how it happened.
- Whistleblower reports. Former employees, competitors, and disgruntled subcontractors all represent intelligence sources HMRC actively encourages through its fraud reporting line.
- Risk profiling. HMRC's Connect system analyses cross-referenced data — VAT, PAYE, CIS, self-assessment — to flag anomalies. High subcontractor payment volumes with low CIS deduction rates attract automated flags.
How to Protect Yourself: Six Steps
The Finance Act 2026 is now in force. There is nothing to be done about past supply chain arrangements other than documenting your existing due diligence processes and correcting any gaps you find. For current and future subcontractor relationships, these six steps are non-negotiable.
1. Verify every subcontractor before first payment — without exception
Run an HMRC CIS verification for every new subcontractor before making any payment. Record the verification reference number and the result. Keep this documentation in a file tied to the subcontractor's record. The reference number is your proof that you performed the check.
2. Re-verify annually for all ongoing relationships
GPS status can be revoked. UTR registrations can be cancelled. HMRC does not notify you when a subcontractor's status changes — it is your responsibility to check. Set a calendar reminder and re-verify all active subcontractors at the start of each tax year.
3. Apply the correct deduction rate based on the most recent verification
Never assume. If a subcontractor held GPS last year, that does not mean they hold it today. Apply the rate your most recent verification result tells you to apply. If there is any doubt, default to the 20% deduction — you can always refund the difference, but you cannot retrospectively change a zero-rate payment to 20%.
4. Document your due diligence on red-flag subcontractors
If a subcontractor is new, unknown in the market, or unusually cheap — document your checks in writing. Evidence that you asked questions, received satisfactory answers, and recorded them is your primary defence against a "should have known" finding.
5. Review your CIS300 returns against verification records monthly
Before filing each monthly CIS300, cross-reference payment amounts against the verification status for each subcontractor. This takes 20 minutes and creates a contemporaneous record showing active, ongoing compliance — exactly the kind of evidence that refutes an HMRC investigation.
6. Take professional advice if you have GPS and a complex supply chain
If your business holds GPS and regularly works with multiple subcontractors, an annual CIS compliance health check with a specialist accountant is now a business necessity rather than an optional extra. The cost of an annual review is a fraction of a 30% personal penalty on a six-figure tax loss.
When HMRC updates its CIS enforcement guidance, issues new compliance notices, or the regulations change again, you'll receive a plain-English alert — before it affects your business. Pro plan from £78/month. See how it works for construction →
Frequently Asked Questions
Can HMRC fine me personally if the fraud was committed by my subcontractor, not me?
Yes — under the Finance Act 2026, HMRC can issue a personal liability notice to a director if they "knew or should have known" about the fraud. You do not need to have committed the fraud yourself. Inadequate due diligence is sufficient.
What is the maximum personal penalty?
Up to 30% of the total tax loss caused by the CIS fraud in your supply chain. On a significant contract, this can represent a very large personal liability.
Does this apply to sole traders, or only company directors?
The legislation targets directors specifically, but sole traders who engage subcontractors through the CIS have separate obligations and can still face penalties for incorrect deductions. The personal liability provisions are most directly targeted at company directors.
If I lose GPS, how long before I can reapply?
HMRC can revoke GPS for up to five years under the Finance Act 2026. After the ban period, you will need a 12-month clean compliance record before a successful GPS application is likely — giving an effective exclusion of six or more years in the worst case.
What counts as adequate CIS due diligence?
At minimum: HMRC verification before first payment, annual re-verification, records of verification reference numbers, correct deduction rates applied based on current verification status, and monthly CIS300 accuracy checks. Documented evidence of these processes is your primary defence.
What should I do if I think a subcontractor in my supply chain is non-compliant?
Stop payments until you can verify their status. Document the steps you took. Seek specialist CIS advice immediately — proactive disclosure to HMRC is treated more favourably than waiting for an investigation to begin.
Key Takeaways
- Finance Act 2026 (in force from 6 April 2026) makes construction directors personally liable for supply chain CIS fraud if they "knew or should have known"
- Personal penalties can reach 30% of the total tax loss — not a company fine, a personal one
- GPS can be revoked for up to five years for directors connected to CIS fraud
- The "should have known" standard means inadequate due diligence is itself a liability
- Six steps protect you: verify before payment, re-verify annually, apply the right rate, document red-flag checks, review CIS300 monthly, and take professional advice if your supply chain is complex
HMRC has made it clear that CIS enforcement is a priority. The Finance Act 2026 gives them the tools to make that enforcement personal. The directors who will be investigated first are those with no documented due diligence process — because those are the easiest cases to make.
If you are a construction contractor with GPS and an active subcontractor supply chain, review your CIS processes this week. The cost of not doing so is now directly personal.
Need a CIS specialist? Find a verified accountant or tax adviser at compliancemarket.co.uk/accountants — over 3,400 verified UK compliance professionals, free to search.
ComplianceAlert monitors HMRC CIS guidance, the Finance Act, and all 16 UK regulatory bodies in real time. Get plain-English alerts before the rules change again. Free forever plan — no card required →
Stay ahead of UK regulations
ComplianceAlert monitors HSE, HMRC, ICO, CQC and more — and alerts you in plain English before changes cost you.
Try ComplianceAlert free for 7 days →7-day free trial · No card needed · Free for 7 days · Cancel anytime
Have a question?
Talk to us about how ComplianceAlert can help your business. We reply within one business day.
Or call Alice free: 📞 Free call — +44 23 9433 0468 · hello@compliancealert.co.uk
