CIS due diligence, as tightened by Finance Act 2026 (Royal Assent 18 March 2026), is the set of checks a contractor must carry out before paying each subcontractor, in order to protect its Gross Payment Status (GPS) and avoid the knowledge-based penalties introduced by FA 2004 ss.62A and 62B (inserted by Finance Act 2026, in force 6 April 2026).
Under the pre-2026 regime, due diligence was a best practice rather than an enforceable standard. Finance Act 2026 changed that. HMRC can now revoke GPS immediately and without advance notice where a contractor “knew or should have known” about fraudulent activity in the supply chain. Crucially, failure to carry out due diligence is itself sufficient to meet the “should have known” standard: HMRC does not have to prove that the contractor was aware of the fraud, only that a competent contractor acting reasonably would have identified the risk.
HMRC expects contractors to complete three core steps before each payment:
- Re-verify CIS status. Verify (or re-verify) each subcontractor through HMRC before payment and record the verification reference number and the date.
- Companies House legitimacy check. Confirm that a limited-company subcontractor is registered at Companies House, that the company details match those on the invoice, and that the company is not dissolved or in compulsory strike-off.
- Bank account name verification. Confirm that the payee name on the bank account matches the contracted party. Payments redirected to a mismatched account are a primary vector for supply-chain fraud.
Documentary evidence of each check should be retained. GPS holders who cannot show a contemporaneous due-diligence record are exposed to revocation and the 5-year reapplication ban, as well as a penalty of 20% of the relevant payment under FA 2004 s.62A.
The full April 2026 supply-chain compliance framework is at CIS supply chain compliance and due diligence. The GPS consequences of failing the standard are at CIS gross payment status: how to qualify, apply and keep it.