From 6 April 2026, HMRC have new, expanded powers which will significantly strengthen their ability to tackle Construction Industry Scheme (CIS) and Pay As You Earn (PAYE) fraud within construction supply chains.

While HMRC are primarily targeting deliberate abuse of the CIS deduction and credit system, otherwise compliant businesses will face a different challenge. This means understanding the ’knew or should have known’ test in the new legislation. Businesses must also put processes in place to meet the increased HMRC expectation of appropriate due diligence across the entire supply chain.

What has changed under the new CIS fraud rules from April 2026?

Under new measures effective from 6 April 2026, if a business:

• Makes a payment under a contract for construction operations and before making the payment, knew or should have known that a party to the contract, or a party to another construction contract relating to the same construction operations, would deliberately fail to make or pay a CIS deduction or deduct or pay an amount due under PAYE regulations; or
• Files a return (for example a self-assessment return or a PAYE return) containing a CIS deduction which before filing they knew or should have known had not been deducted or paid.

HMRC will be able to:

• Recover the tax from the business by serving the business with a tax determination. The amount, depending on the context, will either be 20% of the payment made, or an amount equal to the CIS credit claimed.
• Charge the business a penalty of up to 30% of the tax determination.
• If the business is a corporate body or an unincorporated association potentially transfer all or part of the penalty to an officer.
• Immediately cancel the gross payment status of the business (if held) for five years. Losing gross payment status could create cash flow issues and restrict its ability to win client contracts.

HMRC’s primary concern is with deliberate compliance failures. This is where fraudulent businesses claim CIS credits to obtain repayments and/or reduce tax and National Insurance liabilities where the underlying CIS tax has not been deducted or paid. The new powers are not targeting non-deliberate errors. However, compliant businesses will be expected to have appropriate due diligence checks and processes in place to deal with the ’known or should have known‘ test.

What does ’known or should have known‘ mean?

The term 'known or should have known' isn’t defined. HMRC will consider it objectively, based on the evidence and circumstances of each case.

The word ’known‘ means actual knowledge the transactions were connected to deliberate non-compliance.

For the ’should have known' part of the test, the following evidence will be considered by HMRC:

Awareness of compliance failures and supply chain fraud

The business’s awareness of deliberate compliance failures and fraud within the supply chain at the time the transactions took place, both generally and specific to construction supply chains. HMRC will consider the awareness of the business’ relevant employees, its officers (such as directors) and third parties involved in transactions, including agents and advisers.

HMRC’s guidance states that they will consider evidence such as previous warnings given to the business by HMRC about the risks. This may also include membership of a trade body that has highlighted supply chain fraud, and general press coverage about deliberate CIS and PAYE non-compliance.

HMRC will want to understand whether that awareness meant the business should have known that the only reasonable explanation for the transaction was that it related to deliberate CIS or PAYE compliance failures.

Transaction features that should have raised suspicion

The features of the payments or contracts that, especially when combined, should have resulted in the business questioning whether the transactions related to deliberate compliance failures.

These are, broadly, warning signs or indicators which meant the business should have known the transactions were too good to be true.

Warning signs might include unsolicited approaches from organisations with little or no history in construction and suspiciously low prices. They may also include an absence of formal contracts for high value work, and payroll companies or agencies with no physical or online presence.

Due diligence and risk assessment expectations

The due diligence and risk assessments performed by the business to identify and then address any deliberate non-compliance.

This is the reasonable care a business should undertake to assess the integrity of its entire supply chain, through appropriate due diligence, risk assessments, and actions. The emphasis is on the entire supply chain, not just with direct subcontractors, contractors, or customers. HMRC state in their guidance that:

“If a person has genuinely done everything they can to check the integrity of the supply chain, can demonstrate they have done so, have taken heed of any indications that tax may go unpaid and have no other reason to suspect tax would go unpaid, it is unlikely they knew or should have known there would be a deliberate failure to comply.”

An absence of due diligence, poor checks, and/or ignoring any risks identified, could all result in HMRC contending the checks in place were not appropriate. HMRC may also argue that the business should have known about the deliberate non compliance if it arises.

Robust due diligence of the entire supply chain will be expected and is now increasingly important.

What should businesses do now?

Given the potential consequences, including tax determinations, penalties, loss of gross payment status for five years and potential personal liability for company officers, businesses in construction supply chains should take proactive steps to protect themselves.

Those steps might include, but are not limited to:

• Putting processes in place for initial and ongoing review of existing CIS supply chains to check for evidence or warnings signs of deliberate non-compliance.
• Introducing/enhancing due diligence and risk assessment procedures to ensure they are appropriate and can assess the integrity of the entire supply chain, not just direct subcontractors, contractors, or customers.
• Ensuring there is clear consideration of warning signs or ’red flags‘ and that these are acted upon promptly and decisions recorded.
• Introducing initial and ongoing training for relevant staff, directors and decision makers on CIS and PAYE fraud supply chain risks.
• Where relevant, ensuring processes are in place for the review of CIS credit and repayment claims and that deductions have genuinely been made and paid.

How we can help with CIS and PAYE fraud risk

Our specialist teams have extensive experience helping businesses identify and manage CIS, PAYE and supply chain risk. We can support businesses with responding to these new measures and can assist with the steps above.

If you would like to discuss the impact of these changes or need support reviewing your due diligence processes and training, please get in touch with Lee Knight, David Williams-Richardson or your usual RSM contact.

Latest related insights