Proactive due diligence software that protects your business from CIS fraud liability. Monitor your subcontractor supply chain, document your compliance efforts, and be prepared if HMRC comes calling.
What's at Stake
Even if you had no involvement in the fraud, HMRC can hold you responsible if you "should have known" something was wrong.
Your Gross Payment Status can be cancelled immediately, with 20% deducted from every payment you receive. You cannot reapply for 5 years.
You could be held liable for the tax that someone else in your supply chain failed to pay—even if you're five levels removed from the fraud.
On top of the lost tax, HMRC can charge penalties of up to 30%—and these can be charged personally to directors and officers.
How Tax Radar Helps
CIS Defence gives you oversight of your entire supply chain and creates the evidence trail you need to defend against HMRC enquiries.
Automatically monitor your subcontractors against key risk indicators. The system checks Companies House data, GPS status changes, VAT registration validity, director histories, and more—alerting you when something changes that requires attention.
Each subcontractor receives a dynamic risk score based on multiple factors including company age, director history, payment patterns, and supply chain position. The system flags potential issues—like phoenix company indicators or uncommercial pricing—before they become problems.
Understand your exposure across your entire supply chain, not just your direct subcontractors. The system tracks supply chain depth and escalates due diligence requirements proportionally—because HMRC's GfC12 guidance makes clear that long supply chains are a red flag.
Generate comprehensive risk assessment reports that document exactly what due diligence you performed and when. If HMRC opens an enquiry, you have a complete evidence pack demonstrating you took reasonable care to verify your supply chain.
Your Defence
The "knew or should have known" test is objective—your intentions don't matter, only whether warning signs were present and whether you acted on them.
Detailed documentation of every risk assessment performed, including:
Demonstrate ongoing vigilance with documented records of:
Evidence that you followed a systematic process:
One-click export of all documentation for any subcontractor:
Field Verification
Paper-based due diligence cannot tell you who is actually on site. HMRC knows this — and so do fraudsters. Identity substitution, where a verified entity is paid but unverified labour is actually working, is one of the most common and difficult-to-detect patterns of CIS fraud.
CIS Defence lets you send targeted verification questions directly to project managers on site. They confirm who is present, what work is being carried out, and whether it matches the subcontractor on record. Every response is timestamped and stored automatically.
The “knew or should have known” test is not limited to paperwork. If HMRC can show that identity substitution was occurring on your sites and you had no process to detect it, your due diligence defence is significantly weakened. Boots on the Ground gives you documented, timestamped evidence that you verified not just who you were paying, but who was actually working.
The time to establish your due diligence procedures is now—not when HMRC opens an enquiry. Speak with our team about how Tax Radar can help.
From 6 April 2026, Finance Bill 2025–26 (Sections 62A/62B) introduced joint and several liability for principal contractors where CIS fraud occurs in their supply chain. HMRC defines “reasonable care” as taking active, documented steps to verify the compliance status of every subcontractor before payment — not simply accepting their word or a one-off check at onboarding. In practice, this means verifying Gross Payment Status directly with HMRC, monitoring for changes, checking for phoenix company patterns, benchmarking labour rates against industry norms, and keeping an auditable record of every decision made. Passive due diligence is no longer sufficient.
HMRC can remove a subcontractor’s Gross Payment Status (GPS) immediately and without prior notice if they identify a compliance failure. A subcontractor who held GPS yesterday may be deducted-rate today — and if you paid them gross in the interim without checking, the liability for the unpaid deduction can fall on you as the principal contractor. This is precisely why point-in-time checks at onboarding are insufficient. Continuous, real-time monitoring is the only way to ensure you are never caught paying gross to a subcontractor who has silently lost their GPS.
CIS Defence runs a multi-layered compliance screen across six key risk dimensions: HMRC Gateway (live verification of CIS status and Gross Payment Status via HMRC’s GovTalk API); Forensic History (phoenix company detection using Companies House data, flagging patterns of serial dissolution and re-registration); Benchmarking (labour rate analysis against NMW minimums, CIJC/JIB/JIB-PMES trade rates, and ASHE regional earnings data to identify artificially suppressed rates associated with fraud); Boots on the Ground (site-level verification to confirm the subcontractor is genuinely present and working); Manager Override (a structured, auditable process for senior sign-off when risk flags are present); and HMRC Passport (a timestamped PDF defence pack generated for every subcontractor, providing evidence of reasonable care if HMRC opens an enquiry).
All of them — without exception. The legislation does not distinguish between a subcontractor you onboarded last week and one you have worked with for a decade. Compliance status can change at any point: HMRC can revoke Gross Payment Status overnight, a company can enter administration, a director can be disqualified, or labour rates can drift into fraud territory. Long-standing relationships can actually present a higher risk precisely because familiarity breeds complacency. CIS Defence monitors your entire active supply chain continuously, not just at the point of onboarding.
Every screening action taken within CIS Defence is logged with a timestamp and the data used to reach each decision. If HMRC opens a CIS compliance enquiry, you can generate an HMRC Passport — a structured PDF defence pack — for any subcontractor, showing exactly what was checked, when, what the result was, and what action was taken. This creates the contemporaneous, auditable evidence trail that HMRC expects to see when assessing whether a principal contractor exercised reasonable care. CIS Defence was built by a founding team with deep HMRC investigation experience, and is designed around the standard of proof HMRC actually applies — not a generic compliance checklist.