Director Personal Liability Under the 2026 CIS Rules

There is a phrase from the accountancy firm Wright Vigar that captures what changed on 6 April 2026 better than any piece of HMRC guidance: tax liabilities are jumping the fence from the company balance sheet to your personal assets.

The new sections 62A and 62B of the Finance Act 2004 do something the previous CIS regime did not. They let HMRC charge penalties directly to the directors and officers of a construction business, separately from the company itself. For directors of family construction firms, owner-managed businesses, and any operation where the same handful of people make commercial decisions and operational decisions, this is the single most consequential change in the reform.

The structure of the new penalty

The HMRC policy paper "Tackling Construction Industry Scheme fraud," published on 26 November 2025, sets out the position in plain language:

New legislation will also be introduced in Part 3, Chapter 3 FA04 and SI 2005/2045 to allow the business that knew or should have known that the payments made or received were connected with fraudulent evasion of tax liable for the lost tax and penalties of up to 30% of the lost tax. The officers of the business could also be liable for these penalties.

Three things follow from that paragraph.

First, the penalty is up to 30% of the lost tax. The "lost tax" itself is the CIS deduction that should have been withheld — typically 20% of the gross payment, or an amount equal to a CIS credit that should not have been claimed.

Second, the penalty is chargeable to the business and to officers personally. Not the business or the directors. Both. The architecture allows HMRC to recover from the company and, separately, from the individuals connected to it.

Third, "officers" is broad. It covers directors and other persons connected to the business. It is not limited to formally appointed company officers. A shadow director, a controlling shareholder who exerts effective control, or a senior individual making the relevant decisions can fall inside the scope.

How the numbers actually work

A worked example shows the scale clearly.

Suppose a contractor makes a £1,000,000 gross payment to a subcontractor over a tax year, without applying any CIS deduction. Suppose further that the "knew or should have known" test under section 62A is met — the contractor was, on an objective view, in a position where a reasonably diligent business would have identified the risk.

The mechanics are then:

• Tax determination: £200,000 — that is, 20% of the £1m payment, the CIS deduction that should have been applied.
• Penalty: up to £60,000 — that is, 30% of the £200,000 tax loss.

That £60,000 can be charged to the company. It can also be charged personally to the director or directors who made or were responsible for the decisions in question. There is no rule preventing concurrent assessment.

For a director with a personal mortgage, school fees, family commitments, and assets outside the business, that is a real-world consequence. The point of the new framework — and HMRC has not been shy about making this clear — is precisely that it changes the personal calculation directors make when deciding how seriously to take CIS compliance.

When the penalty can be charged

The penalty applies where the section 62A or 62B test is met. Both sections turn on the same standard: the business "knew or should have known" that a connected party had been, or would be, deliberately non-compliant with their CIS or PAYE obligations, or that a CIS credit had not been deducted or would not be paid over.

The test is objective. HMRC does not need to prove actual knowledge. The question is whether a reasonably diligent business in the same position would have identified the risk. BHP's commentary on the reforms makes the point sharply: "should have known" can include "careless, you didn't ask enough questions." For a fuller examination of how the test works in practice, see our post on what 'knew or should have known' actually means.

No graduated mitigation framework — equivalent to the prompted-versus-unprompted disclosure reductions under Schedule 24 of the Finance Act 2007 — has been published specifically for these CIS fraud penalties. The 30% appears to be a standalone maximum, distinct from the Schedule 24 tiers (30% / 70% / 100%) for careless, deliberate, and deliberate-and-concealed conduct. The interaction between the two regimes has not been clarified by HMRC, and is one of the areas that BHP has flagged as needing further guidance.

Lookback periods that compound the exposure

A 30% penalty looks contained when applied to a single year. It looks rather different when the lookback periods open up.

Schedule 24 of the Finance Act 2007 sets the framework. Standard enquiry windows are four years. Where conduct is found to be careless, the window extends to six years. Where conduct is found to be deliberate, it extends to twenty.

The "should have known" test does not by itself prove deliberate conduct. But the absence of a documented compliance process — no GfC12-aligned due diligence, no recorded supply-chain assurance, no contemporaneous evidence of monitoring — is exactly the pattern that supports a careless or deliberate conclusion. Once the longer lookback windows are unlocked, the same percentage penalty applied across six or twenty years can produce numbers that are existential rather than uncomfortable.

For a director, that means personal exposure is not capped at one year's CIS liability. The 30% can be applied across the full enquiry period. Compounded with employer NIC at 15%, income tax that should have been operated through PAYE, and interest on late paid amounts, the total figure for a firm with 50 to 200 long-term subcontractors over six years can run into the high six figures or beyond — and a meaningful proportion of it can sit on a personal balance sheet rather than a corporate one.

Where directors are most exposed

Not every construction director sits at the same level of risk. The pattern of exposure is reasonably predictable:

Family construction businesses are at the top of the list. Decision-making is concentrated, the same individuals act as directors and operational managers, and outsourcing of CIS compliance — where it happens at all — tends to be informal. The "officer" definition catches almost everyone making decisions.

Directors who are themselves operatives sit in a particularly difficult position. The same people setting CIS compliance policy are the people who would be reclassified as workers on a status review, with the dual exposure that creates.

Directors with personal guarantees on company facilities — bank loans, leases, performance bonds — face the additional risk that a 30% personal CIS penalty crystallising at the same time as company financial pressure can trigger personal insolvency events on guaranteed obligations.

Smaller firms with concentrated decision-making are not safer because they are smaller. HMRC's one-to-many compliance methodology is designed precisely for volume work — a single batch of letters, standard questions, automated scoring. Smaller firms have fewer resources to defend themselves and less sophisticated records. They are not harder to pursue. They are easier.

GPS removal: separate but linked

Director personal liability is the most attention-grabbing element of the reforms. It is not the only one. Under amended section 66(3) of the Finance Act 2004, HMRC can now remove a contractor's Gross Payment Status with immediate effect, with no prior notice. New section 66(3A) blocks re-application for five years — up from one.

In practice, the same finding that triggers a 30% penalty on a director typically triggers GPS removal on the company at the same time. Every gross-paid subcontractor on the firm's books drops to a 20% deduction simultaneously. For a firm running on conventional construction working capital, the cashflow consequence can be more immediate and more damaging than the penalty itself — and it is locked in for half a decade.

The two measures together — the 5-year GPS ban on the company, the 30% personal penalty on the director — are designed to work as a combination. One affects the entity's capacity to operate. The other affects the individual's incentive to allow the situation to recur.

For more detail on how the powers fit together, see our overview of the April 2026 CIS reforms.

What directors should be doing now

The defensible position under the new rules looks the same for directors as it does for the businesses they run, but a few elements take on personal significance.

Personal awareness of supply-chain arrangements. A director who has not personally engaged with the question of how CIS compliance is operated cannot easily argue that reasonable care was taken at officer level. Documented board attention to supply-chain risk — recorded in board minutes, with reference to GfC12 — is itself a piece of evidence.

Insurance review. Standard directors' and officers' liability cover may or may not respond to a CIS personal penalty. Tax liability and status risk policies sit in a separate class. At bureau or main-contractor scale, no off-the-shelf product covers the full exposure; bespoke underwriting is typically required, and brokers like Qdos and Kingsbridge are the natural starting points.

Documented status assessments. A CEST result on every operative, retained on file, with the working pattern actually applied. Not as a guarantee — CEST is not infallible — but as evidence that the question was asked.

Continuous monitoring, not point-in-time review. A worker who started genuinely self-employed can drift into employment over time. The drift is precisely what creates "should have known" exposure. A monitoring process needs to catch it before HMRC does. Quarterly check-ins with operatives, recorded against a consistent set of questions, are the practical baseline.

Clear escalation when the line moves. When an arrangement stops being defensible as self-employment, there needs to be somewhere for the operative to go. PAYE migration is not a failure of the process. The failure is continuing to treat someone as self-employed when the working pattern has changed. A director who can show a documented escalation trail — assessment, drift detected, formal review, migration — has a defensible position. A director whose subcontractor list has been static for five years probably does not.

The point of the change

The new personal liability framework is not an accident of drafting. The HMRC policy paper, the published revenue targets, the sequencing alongside GfC12, and the focus of the 5,000 new compliance officers on construction as a priority sector all point in the same direction. The reform is designed to make CIS compliance a personal issue for the people who actually make the decisions — not just a corporate balance-sheet issue.

For directors who have historically delegated, that is the change to absorb. The penalty does not stop at the company any more.

---