On 16 January 2025, HMRC published Guidelines for Compliance 12 — known as GfC12, formally titled "Help with labour supply chain assurance." It runs to roughly 90 pages across 13 sections, making it the longest Guidelines for Compliance product HMRC has ever issued. It was updated on 26 March 2026.
It is technically guidance, not legislation. But anyone treating it as optional has missed the point of why HMRC published it, and why they published it when they did.
The timing tells the story
GfC12 was published in January 2025. The new CIS enforcement powers in sections 62A and 62B of the Finance Act 2004 — which turn on whether a business "knew or should have known" about non-compliance in its supply chain — took effect on 6 April 2026. That is fifteen months between the publication of the standard and the activation of the powers that punish firms which fall short of it.
The sequence was deliberate. HMRC put the specification into the public domain, gave the construction industry more than a year to engage with it, and then turned on enforcement powers that ask whether a reasonably diligent business would have followed it. Once the question becomes what a firm should have known, HMRC's own published view of what prudent labour supply-chain assurance looks like becomes the natural benchmark.
That makes GfC12 the most important compliance document in UK construction at the moment, regardless of its formal legal status.
Who GfC12 applies to
GfC12 is aimed primarily at larger businesses sitting towards the top of labour supply chains. But HMRC is explicit that the general principles "apply to businesses anywhere in labour supply chains." For construction firms — almost all of which sit somewhere in a chain that includes labour-only subcontractors, payroll bureaus, umbrella companies, agencies, or all four — that means the framework is in scope regardless of size.
The guidance targets three broad risks:
- Tax fraud risks, including outsourced labour payroll fraud, labour fraud in construction, and mini umbrella companies.
- Worker exploitation risks, including modern slavery and underpayment.
- Failure-to-prevent offence risks under the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023.
CIS sits squarely inside the first category, and GfC12 addresses CIS-specific risks directly and at length.
The four-stage assurance cycle
The heart of GfC12 is a continuous assurance cycle made up of four stages, supported by senior commitment, communication and training, and integration with broader risk management.
Stage 1 — Due diligence
GfC12 defines due diligence as "the appropriate reasonable care a business uses when entering trading relationships or contracts with other businesses." The phrase "reasonable care" was not chosen by accident. It directly mirrors the threshold in Schedule 24 of the Finance Act 2007 that determines whether a tax penalty is treated as careless or innocent.
Specific checks GfC12 expects include:
- Business credentials, verified through Companies House and active-trading checks.
- Financial and insurance credentials.
- Price quoted against market rate — unusually low pricing is itself a flag.
- Contractual conditions on tax compliance and sub-contracting.
- Licence and accreditation status.
- Tax status relating to VAT and CIS — including verifying current registration and history.
- Payroll arrangements.
- Key Information Documents (KIDs) for agency-supplied workers.
GfC12 also lists the verification tools businesses are expected to use: Companies House records, GOV.UK's VAT bulk-checker, the CIS online service, the CEST tool, SIA and GLAA licence registers, HMRC's published deliberate defaulter list, and HMRC's promoter of tax avoidance schemes list, alongside payslip sampling, timesheet review, and site attendance records.
A specific warning is worth quoting: "Checking only your 'immediate' suppliers and customers will not necessarily be enough to make sound judgements on the integrity of your supply chains, potentially leaving your business exposed." Looking one layer deep is not enough.
Stage 2 — Risk assessment
Once due diligence is complete, businesses are expected to use the information to assess risks across the chain. GfC12 asks businesses to identify "multiple LSC risks at the same time, throughout the contract" — and to apply the assessment both at supplier selection and during the contract.
The point is that risk assessment is not a one-off exercise at onboarding. It is a continuous discipline.
Stage 3 — Risk management
Stage 3 covers how to mitigate identified risks. GfC12 asks businesses to weigh the cost of preventative measures against the potential cost of a risk materialising — a sensible test, but one that increasingly tilts towards investment given the scale of the new penalties.
It also covers contractual provisions that enable effective chain management: rights to audit, rights to terminate on non-compliance, and reporting requirements that surface problems before they crystallise.
Stage 4 — Monitor and review
The final stage is ongoing monitoring of supply-chain changes — which GfC12 identifies as "a key risk indicator for multiple labour supply chain risks." Periodic reviews, internal or external audit involvement, and trigger-based reassessments are all expected. Specific trigger events include:
- An identified risk, whether self-identified or notified by HMRC, a customer, a supplier, or a worker.
- A change of supplier anywhere in the chain.
- Audit findings.
- Changes to legislation.
- New procurement opportunities.
- Forthcoming acquisitions.
The four stages run as a cycle, not a checklist. Outputs from Stage 4 feed back into Stage 1 for the next contract or the next review period.
The independent verification requirement
If there is one phrase from GfC12 that every construction firm should commit to memory, it is this: businesses must "select your own sample, rather than a sample provided by your supplier."
The exact phrase "independent verification" does not appear verbatim in GfC12. But the concept is expressed unambiguously across multiple pages. The contractual process page states that "if your terms include that your supplier must provide information about the chain and workers, you should do sample checks independently on those businesses and some workers to verify this."
The implication is straightforward and uncomfortable. A supplier producing a document confirming their own compliance is a supplier marking their own homework. A compliance certificate issued by an outsourced payroll provider, an umbrella company, or a contractor of record does not satisfy GfC12. Independent verification means the buying firm doing its own checks, on its own samples, with records it controls.
This single point disposes of one of the most common defences construction firms have historically relied on: "we used a reputable provider." GfC12 does not allow that defence. The check has to come from the firm. From outside. With records.
CIS-specific risks GfC12 addresses
GfC12 addresses three specific fraud models that all touch the construction industry directly.
Outsourced Labour Payroll Fraud (OLPF) describes how "criminals acquire or set up companies that act as agencies or payroll providers" in order to divert tax. The fraud typically works in three steps: the payroll provider is nominated as employer of record, takes control of payment flows, and then defaults on PAYE or VAT obligations.
Labour Fraud in Construction (LFiC) describes how "criminals create artificial chains of companies to facilitate and hide fraud." Tax liabilities related to labour, CIS deductions, or both are moved through supply chains into companies that "then default, go missing or both."
Mini Umbrella Companies (MUCs) describes the practice of splitting employment across hundreds of small companies, each employing a handful of workers, with "stooge or nominee directors." The structure is designed to abuse Employment Allowance, the VAT flat rate scheme, and other small-business reliefs.
For CIS specifically, GfC12 warns that "failing to treat Construction Industry Scheme (CIS) payments correctly as a contractor could result in a tax liability relating to the underpayment" and that "a contractor's own tax position can be affected if they make gross payments incorrectly to sub-contractors — this can include losing their own GPS." Umbrella companies are flagged as presenting "more risk" generally — guidance that has obvious significance given the joint and several liability provisions for umbrella PAYE that took effect on 6 April 2026.
You cannot subcontract your way out
GfC12 contains a sentence that has reshaped how compliance lawyers advise construction clients. In the context of the failure-to-prevent offences under the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023, GfC12 states bluntly: "an organisation cannot sub-contract its way out of its CCO liability."
It then explains why. "Associated persons" — the category of people whose conduct can trigger failure-to-prevent liability — explicitly include "employees, partnership partners, agents, subsidiary undertakings, contractors, sub-contractors and franchisees." Inserting an intermediary into the chain does not remove the firm from the chain. It does not shift the risk somewhere else. The firm remains connected to every transaction that runs through the chain, and remains responsible for what happens in it.
For construction firms that have historically treated outsourcing labour engagement as a way of moving compliance risk away from the company, this is the sentence that should change the conversation.
Voluntary in law, mandatory in practice
GfC12 is explicit that following it does not in itself satisfy a legal obligation. HMRC's general framework page states: "Choosing to follow Guidelines for Compliance may reduce your tax risk, but you are still responsible for self-assessing in line with the law."
But the legal status understates the practical force. Under the new sections 62A and 62B test, the question HMRC asks is what a reasonably diligent business should have known. GfC12 is HMRC's own published view of what reasonably diligent looks like. A firm that followed GfC12 has a strong, documented answer to that question. A firm that did not has a much harder conversation in front of it.
KPMG's analysis captures the practical reality: where a business cannot show it considered GfC12 or had equivalent arrangements in place, HMRC may conclude reasonable care was not taken. That single conclusion affects the penalty rate, the discount available for prompted versus unprompted disclosure, and the lookback window. Schedule 24 of the Finance Act 2007 extends HMRC's window from four years to six for careless conduct, and to twenty for deliberate conduct. The cost of not engaging with GfC12 compounds.
Where to start
For construction firms that have not yet built a GfC12-aligned process, the most useful first step is rarely "buy software" or "hire consultants." It is to write down what the business currently does — and to compare that document to the four stages.
Most firms find the gap is not at Stage 1. Onboarding due diligence is usually present in some form. The gap is at Stage 4: continuous monitoring, with documented evidence of what was checked, when, and what was found. That gap is where "should have known" challenges live.
For a fuller picture of how the GfC12 framework interacts with the new CIS enforcement powers, see our post on the April 2026 CIS reforms and our deeper dive on what 'knew or should have known' actually means.