CIS fraud: how to protect gross payment status

From 6 April 2026, the construction industry faces a significant shift in how HMRC tackles supply chain fraud within the Construction Industry Scheme (CIS). New measures introduced in Finance Bill 2025-26 will allow HMRC to cancel a business’s gross payment status and hold it responsible for tax losses where it ‘knew or should have known’ that payments made or received were connected to fraudulent evasion of tax.

The measures are modelled on the well-established VAT Kittel principle. They represent a deliberate alignment of CIS enforcement with an approach that has proved effective in disrupting VAT supply chain fraud for over a decade.

HMRC estimates that these new powers will raise £205 million in 2026-27, reducing to £110 million by 2030-31 as behavioural change takes effect. The message is clear: businesses operating within CIS can no longer afford to turn a blind eye to the legitimacy of their supply chains.

‘Knew or should have known’

The ‘knew or should have known’ formulation is not new to UK tax law. It derives from the European Court of Justice’s decision in Axel Kittel v Belgian State (Case C-439/04 and Case C-440/04). The court held that a taxpayer must be denied the right to deduct input VAT if they knew, or should have known, that their transaction was connected to the fraudulent evasion of VAT elsewhere in the supply chain.

The principle was subsequently developed in UK case law, most notably in Mobilx Ltd [2010] EWCA Civ 517. The Court of Appeal confirmed that the test is objective: a trader will be treated as having knowledge where the only reasonable explanation for the circumstances surrounding a transaction was that it was connected to fraud.

Crucially, this is not a test of mere negligence or carelessness. The standard sits between actual knowledge of fraud and simple failure to exercise reasonable care. It captures what is often known as ‘blind-eye’ knowledge: a deliberate choice to ignore facts that a reasonable person in the same position would have investigated. As Moses LJ put it in Mobilx, a trader ‘may properly be regarded as a participant [in fraud] where he should have known that the only reasonable explanation for the circumstances in which his purchase took place was that it was a transaction connected with such fraudulent evasion’.

For CIS purposes, it may be found that a building contractor ‘should have known’ that the transaction was connected to fraud if they:

• engage a subcontractor at a rate that is conspicuously below market price;
• fail to verify the subcontractor’s CIS registration status; or
• ignore a pattern of subcontractors disappearing after receiving gross payments.

Importantly, HMRC does not need to prove that the business actively participated in or benefited from the fraud. It is sufficient that the business entered into a transaction connected to fraud in circumstances where it should have recognised that connection.

The test will be applied by reference to what a reasonable person in the position of the taxpayer, with the knowledge and experience they had or ought to have had, would have concluded.

What can HMRC do under the new measures?

Under existing CIS legislation, HMRC’s powers to address supply chain fraud are comparatively limited. Gross payment status can be cancelled immediately only where the business itself has fraudulently provided incorrect information or knowingly failed to comply with CIS obligations.

The new provisions amend Part 3, Chapter 3 and Schedule 11 of the Finance Act 2004 and the Income Tax (Construction Industry Scheme) Regulations 2005 (SI 2005/2045). Where HMRC can demonstrate that a business knew or should have known that a payment made or received was connected to fraudulent evasion of tax, three consequences follow.

1. Immediate cancellation of gross payment status

Finance Act 2004 s 66(3) is amended to add a new ground for the immediate removal of gross payment status. This is distinct from the existing annual compliance review process and requires no prior notice.

Once gross payment status is removed under this provision, the business cannot reapply for five years (increased from the previous one-year restriction under the amendment to FA 2004 s 66(7)). For businesses reliant on receiving gross payments to manage cash flow, this could have potentially devastating consequences. During the five-year exclusion period, the business will be subject to 20% (or 30% if unregistered) CIS deductions on all contract payments received.

2. Liability for lost tax

The business that entered into the transaction connected to fraud is made directly liable for the tax that was evaded. This applies even if the business has met its own tax obligations in full.

In practice, a contractor who paid a subcontractor gross – having verified that subcontractor’s gross payment status with HMRC – may nevertheless find itself liable for the income tax and NICs that the subcontractor failed to pay, if HMRC can show that the contractor should have known the arrangement was connected to fraud.

3. Penalties of up to 30%

A penalty of up to 30% of the lost tax may be charged not only to the business itself but also to its directors and other persons connected to the business. The express inclusion of potential personal liability is a notable feature and increases the risk exposure for those managing construction businesses. It mirrors the approach taken in VAT fraud cases where, following a Kittel denial, directors of the company have been held personally liable through separate assessment mechanisms.

The defence: due diligence in practice

The critical question for businesses is how to demonstrate that they did not know, and could not reasonably have known, that a transaction was connected to fraud.

Experience from VAT litigation, including the extensive Kittel case law, suggests that the quality and rigour of supply chain due diligence will be central. In Red Rose Payroll Ltd v HMRC [2025] UKFTT, the First-tier Tribunal dismissed over £9 million in VAT assessments because HMRC failed to demonstrate that the taxpayer should have known of the fraud, noting that the company had taken responsive steps when concerns arose.

Conversely, in Zed-UK Ltd v HMRC [2025] UKFTT 801 (TC), the tribunal upheld a denial of input tax and a 30% penalty where the director had failed to carry out adequate due diligence and ignored warning signs such as unusually low prices.

The lesson from the VAT jurisprudence is unambiguous: enhanced due diligence is the single most effective defence. At a minimum, businesses should be able to demonstrate that they have:

• verified the subcontractor’s CIS registration and gross payment status with HMRC before making any payment and periodically thereafter;
• checked the subcontractor’s company details at Companies House;
• assessed whether the commercial terms of the arrangement are consistent with legitimate market practice;
• investigated any red flags, such as subcontractors operating from virtual offices, newly incorporated companies with no trading history, or links to directors with a history of dissolved companies;
• maintained contemporaneous records of the due diligence undertaken and the decisions made as a result; and
• established a policy for the ongoing monitoring of subcontractor relationships.

The HMRC Tax Information and Impact Note (TIIN) published alongside the Budget 2025 announcement states explicitly that ‘this measure should not impact compliant businesses in the construction industry who undertake the due diligence required to ensure those they contract with in the supply chain are not engaged in supply chain fraud’. The implication is clear: due diligence is both the shield and the standard, and will form both the practical and evidential basis of any defence.

The Kittel parallels: lessons from VAT

The TIIN confirms that the CIS measures were modelled on VAT countermeasures that have been effective at disrupting supply chain fraud. The parallels are deliberate and extensive.

HMRC must establish:

• fraudulent evasion of tax somewhere in the supply chain;
• a connection between the taxpayer’s transaction and that fraud; and
• that the taxpayer knew or should have known of that connection.

HMRC must establish these elements on the civil standard of proof – that is, on the balance of probabilities. In other words, it must show that it is more likely than not that the business knew or should have known of the connection to fraud. There are, however, important differences to the VAT measures, and areas of likely uncertainty.

First, the VAT Kittel principle has been developed over nearly two decades of tribunal and court decisions. The CIS regime is new. Until tested before the tribunals, there will be uncertainty as to how the ‘should have known’ test will be applied in construction-specific contexts.

Second, the financial consequences differ. In VAT, denial of input tax recovery leaves the trader bearing a VAT cost it believed it had already paid through its supplier. Under CIS, the business may become liable for the income tax and NICs that the fraudulent subcontractor evaded, plus a potential 30% penalty. The exposure could therefore be very substantial, particularly for contractors with high-volume supply chains.

Finally, the explicit provision for penalties against directors and connected persons increases the personal dimension of risk. While personal liability can arise in VAT fraud through other mechanisms, its express inclusion here underscores the seriousness with which HMRC views CIS supply chain fraud.

What businesses and advisers should do now

Construction supply chains are often complex and multi-layered. Implementing effective due diligence processes may require operational change. Advisers should encourage clients to take the following practical steps

• Review existing onboarding processes: Introduce a structured onboarding procedure that includes CIS verification, Companies House checks, assessment of commercial terms and clear documentation.
• Implement continuous monitoring: The compliance status of sub-contractors can change after their initial engagement. Periodic reverification of CIS status and monitoring of subcontractor behaviour will be essential.
• Adopt a risk-based approach: Not all subcontractor relationships present the same level of risk, and intensive due diligence should be carried out for higher-risk engagements. Newly incorporated entities, subcontractors operating through intermediaries, and pricing significantly below market rates will all justify enhanced scrutiny.
• Invest in technology: The volume and complexity of data involved in subcontractor due diligence can be significant. Technology solutions that integrate CIS verification, company data analysis and risk scoring can support more efficient and more defensible compliance. HMRC itself is investing in AI to target compliance checks more effectively.
• Train relevant staff: Individuals responsible for engaging subcontractors should understand common red flags and escalation procedures. A documented training programme may be valuable in the event of a HMRC challenge.
• Maintain clear records: Contemporaneous documentation of checks and decisions made will be critical. In any dispute, a business that can show it had a robust, documented process will be in a far stronger position than one that relied on informal checks.

In conclusion

The new CIS fraud measures represent a fundamental shift in HMRC’s approach to enforcement. Immediate gross payment status cancellation, a five-year reapplication ban, liability for lost tax and penalties extending to directors create substantial commercial and personal risk. However, the core principle is not unfamiliar.

The VAT Kittel case law demonstrates that businesses which maintain robust, documented and responsive due diligence processes are best placed to resist allegations they knew or should have known of fraud.

For the construction industry, the message is clear: supply chain verification can no longer be treated as a procedural formality. It is a central element of risk management. For advisers, early engagement with clients to review and strengthen due diligence processes may prove critical in protecting gross payment status and limiting exposure under the new regime.

© Getty images