The April 2026 shift: from compliance to conduct

Until 6 April 2026, holding gross payment status (GPS) was primarily a compliance matter. Qualify by passing three tests, keep filing and paying on time, and HMRC would review you annually. Finance Act 2026 changed that. GPS is still subject to the same three qualifying tests, but keeping it now turns on conduct in your supply chain, not just your own filings. HMRC can revoke GPS immediately, without advance notice, where a contractor knew or should have known about fraudulent connections in the businesses they pay. Supply-chain due diligence is now the mechanism by which GPS can be taken away.

For the qualifying tests and the cash-flow case for GPS, our CIS gross payment status guide covers those in full. The April 2026 rule changes guide explains the legislative context. This post focuses on what the conduct-based layer requires in practice.

The "should have known" standard explained

The Finance Act 2026 provisions use the phrase "knew or should have known" about a fraudulent connection. The second limb does the work. HMRC does not have to prove you were aware of any problem. It requires only that you failed to take steps a reasonable contractor would have taken. The absence of due diligence is itself sufficient. A contractor who paid promptly, filed on time and had no actual knowledge of any irregularity can still fall foul of the standard if they did not carry out reasonable supply-chain checks.

HMRC has not published a prescriptive list of required steps. The standard is proportionate to risk. But the Finance Act 2026 policy papers, read alongside existing HMRC verification guidance, make three core steps clear: re-verify CIS status, run a Companies House legitimacy check, and verify the bank account name. These are the baseline.

Director liability under sections 72A and 72B

Finance Act 2026 also introduced personal exposure for the individuals behind a company. Section 220 of Finance Act 2026 inserted new sections 72A and 72B into Finance Act 2004. Section 72A imposes a penalty on the company of up to 30% of the amount determined under ss.62A or 62B (itself 20% of the fraudulent payment). Section 72B then allows HMRC to apportion up to 100% of that section 72A penalty to an individual officer personally. The liability does not stop at the company level. A director who delegates subcontractor management and whose process turns out to have been inadequate is not automatically shielded: the question is whether that director took reasonable steps to ensure the company's due-diligence obligations were met.

The three core due-diligence steps

Based on the Finance Act 2026 provisions and existing HMRC verification guidance, the following three steps represent the baseline for meeting the "should have known" standard before the first payment on any new engagement.

Step 1: Re-verify CIS status with HMRC

Before paying a subcontractor for the first time, contact HMRC to verify their CIS status. This can be done via the online CIS verification service or by calling the HMRC CIS helpline on 0300 200 3210 (Monday to Friday, 8am to 6pm). HMRC will confirm whether the subcontractor holds GPS (0% rate), is registered (20% rate) or is unregistered (30% rate), and will issue a verification number. Log the verification number and the date. The verification is both the mechanism that sets the correct deduction rate and the first piece of evidence that you carried out a genuine check. For more detail on how verification works and what information you need to hand, see our guide to verifying subcontractors under CIS.

Step 2: Companies House legitimacy check

For any limited company, LLP or other registered entity in your supply chain, run a check on the free Companies House register. Confirm that the entity is registered, that its status is "active", that the registered address matches what appears on the invoice and contract, and that the directors named on the register are the people you have been dealing with. A newly incorporated shell with no filing history, a registered address that appears to be a mailbox, or a mismatch between the trading name and the registered name are all worth following up before payment is released.

Step 3: Bank account name verification

Confirm that the bank account details you hold for the subcontractor are registered in the name of the entity you contracted with. Confirmation of Payee (CoP), available through most UK banks, allows you to verify whether the account name matches the intended payee. A mismatch between the invoice heading and the account name is one of the most common indicators of payment diversion, whether through fraud by a third party or a substitution of banking details mid-engagement. Keep a record of the result.

Due diligence checklist with evidencing guidance

StepWhat to checkTools and sourcesHow to evidence itWhen to run it
CIS status re-verificationGPS / registered / unregistered status; correct UTR and entity nameHMRC online CIS verification or helpline 0300 200 3210Log verification number, date, status confirmed and rate appliedBefore first payment on every new engagement; re-verify annually for continuing relationships
Companies House legitimacy checkEntity registered and active; registered address; named directors match expectationfind-and-update.company-information.service.gov.uk (free)Save a PDF or screenshot of the Companies House filing, noting date of searchBefore first payment; repeat if you receive new banking or contact details mid-engagement
Bank account name verificationAccount name matches the entity named on the invoice and contractConfirmation of Payee (CoP) via your bank's payment portalRecord the CoP result and date; note any mismatch and how it was resolvedBefore the first payment; repeat whenever bank details change
Invoice authenticity reviewInvoice references UTR, entity name consistent with registration, amounts plausible for the work scopeCross-reference against contract, Companies House name and verified UTRFile the invoice alongside the verification log for that engagementEvery invoice cycle
Periodic re-verificationCIS status still current; no changes to entity or banking details since last checkHMRC CIS service; Companies House; repeat CoP check if details have changedUpdate verification log with new date and verification numberAt minimum annually; immediately on any change in subcontractor contact, banking or invoice details

What "reasonable" due diligence looks like in practice

HMRC has not published a prescriptive checklist. The test is proportionate to risk: the depth of checking should reflect the value and nature of the engagement. A high-value, one-off subcontractor warrants more investigation than a business you have paid continuously for three years with a clean verification history. For most contracting businesses, a straightforward verification log (a spreadsheet or dated screenshots) is sufficient. The purpose is to be able to show, if HMRC asks, that you took proportionate action before the money moved.

Red flags that warrant enhanced checking

Certain circumstances raise the risk profile of an engagement and should prompt closer investigation before any payment is released.

  • Cash-in-hand or off-account payment requests. Any request to pay outside normal bank transfer is inconsistent with legitimate CIS work and with the business-test requirement that the business operates through a bank account.
  • Refusal or inability to provide a UTR. A subcontractor without a UTR cannot be verified and falls to the 30% unregistered rate. Repeated evasion or inconsistent UTRs across invoices is a clear warning sign.
  • Newly incorporated company with no trading history. A company registered days or weeks before the engagement, with no filing history and a virtual-office address, deserves detailed scrutiny before work starts.
  • Prices significantly below market rates. Implausibly cheap invoices can indicate labour or materials costs are being obscured or that the subcontractor is not meeting its own PAYE and CIS obligations.
  • Account name does not match the invoice or contract name. A CoP mismatch, or a personal bank account rather than a business one, should be resolved before payment is released, not after.

The cost of getting it wrong: working through the numbers

The 5-year reapplication ban after a fraud-related GPS removal is not an abstract sanction. A contractor turning over £500,000 a year who loses GPS faces roughly £100,000 a year deducted at source instead of being available to the business. Spread across five years, that is a potential working-capital deficit of up to £500,000, recoverable eventually through Self Assessment or Corporation Tax repayments, but unavailable for payroll, materials or the pipeline in the meantime. At £200,000 annual turnover the equivalent figure is around £40,000 a year still large enough to create a real cash squeeze.

The sections 72A and 72B personal penalty adds a separate layer. A director whose company loses GPS and who also faces a personal apportionment of the section 72A penalty (itself up to 30% of the ss.62A/62B liability, then up to 100% apportionable to the officer) is managing two distinct financial exposures simultaneously. These are not alternatives. They are cumulative. The cost of a proper due-diligence process is negligible compared to either one.

Where this fits in your GPS strategy

Keeping GPS now requires two disciplines running in parallel. The first is the existing annual compliance test: stay current on your own filings, payments and PAYE. The second, added by Finance Act 2026, is ongoing conduct in the supply chain. A GPS holder with a perfect compliance record but no due-diligence process can still lose the status under the new conduct-based power. Neither discipline alone is sufficient.

If you need help building a verification log and due-diligence routine that meets the post-April 2026 standard, our team works with construction contractors on GPS applications and supply-chain hygiene every week. You can read more on our gross payment status service page, or use our GPS eligibility checker to see whether you are likely to clear the qualifying tests before you apply.