Skip to content
Case studiesPricingSecurityCompareBlog

Europe

Americas

Oceania

Compliance11 min read

Detecting Forged Vendor Compliance Certificates in the UK

How UK procurement teams detect forged CIS verification, Companies House and GLAA compliance certificates during vendor and subcontractor onboarding checks.

CheckFile Team
CheckFile Teamยท
Illustration for Detecting Forged Vendor Compliance Certificates in the UK โ€” Compliance

Summarize this article with

A forged CIS verification printout, a doctored Companies House confirmation statement, or a cloned GLAA licence number can all pass a five-second visual check during vendor onboarding. Catching them means checking every reference number against the issuing authority's own register โ€” HMRC's CIS online service, Companies House's public register, and the GLAA's licence search โ€” rather than trusting the document a supplier hands over. From 6 April 2026, HMRC can also hold the contracting business liable for fraud it "should have known" was happening in its supply chain, turning this from good practice into a legal necessity.

This article is deliberately narrow: it is not a guide to obtaining CIS registration, a confirmation statement, or a GLAA licence โ€” those processes are covered in our guides on construction subcontractor compliance documents and vendor compliance certificate verification. This piece covers the opposite problem: how these documents get faked, and what a procurement team should do the moment one looks wrong.

Why Forged Compliance Certificates Are Appearing in Supplier Onboarding

Forged certificates surface most where margins are thin and onboarding is fast, because fabrication is cheaper for a non-compliant subcontractor than fixing the underlying tax, insurance, or licensing problem. Construction, facilities management, and labour-supply sectors see this disproportionately, combining tight tender pricing with multi-tier subcontracting chains that dilute oversight of who is actually doing the work.

From 6 April 2026, HMRC's reformed Construction Industry Scheme rules allow it to recover lost tax and impose penalties of up to 30% on a contractor โ€” and personally on its directors โ€” where the business "knew or should have known" a payment was connected to fraud in its supply chain (GOV.UK, Tackling Construction Industry Scheme fraud). The test is objective: HMRC need not prove a contractor saw the forgery, only that a reasonable business ought to have spotted it, moving certificate verification from a courtesy check to a direct financial exposure.

How Forgers Fabricate CIS, Companies House and GLAA Documents

A genuine CIS "certificate" barely exists in the form fraudsters fabricate it. HMRC's Construction Industry Scheme confirms a subcontractor's status through a verification number returned by its online CIS service, not through a downloadable certificate document (GOV.UK, Verify subcontractors under CIS), so a supplier presenting a polished "HMRC CIS Certificate" PDF is already showing a document type HMRC does not issue. Forgers copy the layout of a genuine HMRC letter, edit a PDF text layer, and invent a verification reference that looks plausible but matches no real subcontractor.

Companies House documents are forged differently, because the underlying filings are genuinely public and free to view. Fraudsters typically alter a real filing's screenshot or PDF export โ€” the confirmation statement date, registered office, or "active" status โ€” since editing an existing image is faster than fabricating one from scratch. A Certificate of Good Standing is a common target because it looks authoritative and few reviewers know it is time-limited: a genuine certificate is only valid for three months from issue, and will not be granted at all if the company's confirmation statement or accounts are overdue (Companies House, Certificates and certified document copies blog). An expired certificate reused months later, or one claiming "good standing" for a company with an overdue filing, is a contradiction any reviewer can catch on the free register.

GLAA licences follow the CIS pattern: forgers invent or reuse a licence number rather than fabricate the licence design, since the goal is passing an onboarding checklist, not producing an aesthetically perfect fake. A number copied from a genuine licensee and attached to a different company will fail the moment it is checked against the register rather than just read off the page.

Certificate Issuing authority What forgers typically fake Verification channel
CIS verification HMRC A certificate-style PDF HMRC does not issue, or an invented verification number HMRC CIS Online, via the contractor's Government Gateway login
Confirmation statement Companies House Edited filing date, registered office, or company status Free search on the public register
Certificate of Good Standing Companies House Expired certificate reused past its 3-month validity Order a fresh certificate, cross-check the live register
GLAA licence Gangmasters and Labour Abuse Authority A real licence number attached to the wrong company GLAA public register and Active Check portal

Red Flags in Forged CIS Verification Documents

The strongest red flag is the document format itself: CIS verification produces a number and a deduction rate through HMRC's online service, so a "certificate" complete with a crest and signature block is presenting something HMRC's process does not generate. A genuine Unique Taxpayer Reference is a ten-digit number; anything shorter, longer, or containing letters is invalid and should stop onboarding immediately.

Contractors must verify each subcontractor with HMRC before making the first payment, receiving one of three outcomes: 0% deduction for gross payment status, 20% for standard registration, or 30% where verification fails or the subcontractor is unregistered (GOV.UK, Verify subcontractors under CIS). A subcontractor claiming gross payment status who cannot produce a matching result when the contractor checks directly with HMRC has presented a document with no real record behind it. Other red flags include resistance to a joint call with the contractor's HMRC agent line, a UTR that returns no match, and pricing conspicuously below market rate โ€” a marker HMRC treats as evidence a business "should have known" status was misrepresented.

Ready to automate your checks?

Free pilot with your own documents. Results in 48h.

Request a free pilot

Spotting a Forged Confirmation Statement or Certificate of Good Standing

The cross-check for any Companies House document is free and takes under a minute, which is why an unchecked forged certificate is inexcusable in an onboarding file. Search the company name or number on the register and compare every field on the supplier's document โ€” company number, registered office, filing dates, officer names โ€” against what the register actually shows; any mismatch means the document does not reflect the company's real record.

Companies House is phasing in mandatory identity verification for directors, LLP members and persons with significant control under the Economic Crime and Corporate Transparency Act 2023, with active enforcement against those who have not completed it due to begin once transition periods close later in 2026 (GOV.UK, Companies House identity verification). From spring 2026, filing is increasingly restricted to individuals who have completed identity verification, narrowing who can alter the public record and making an unverified, freshly incorporated "shell" supplier worth extra scrutiny. Procurement forums often ask why a statement "looks fine but something feels off" โ€” usually because the free register's filing history tells a different story than the PDF sent, and the register is the source of truth.

Detecting Fake GLAA Licences

A GLAA licence check is only meaningful if run against the register rather than read off the card the labour provider hands over. Search the public register by company name or licence number, and sign up separately for the Active Check alerts service so any revocation or licence change during the contract is flagged automatically rather than discovered at the next manual review.

Obtaining or possessing a false gangmaster's licence, or acting as an unlicensed gangmaster, is a criminal offence under the Gangmasters (Licensing) Act 2004, carrying a maximum penalty of ten years' imprisonment and an unlimited fine (GLAA, How to check if a labour provider has a licence). This severity reflects sector risk: labour supply, agriculture, food processing, and cleaning are among the areas the GLAA polices most closely, and a forged licence is often the only thing standing between an onboarding team and an exploitative operator. If a licence number cannot be found at all, the GLAA's guidance is not to assume the provider is unlicensed โ€” technical registration issues happen โ€” but to contact the GLAA directly.

Presenting a forged compliance document is a criminal offence in its own right, independent of any underlying tax or licensing breach. Under Section 1 of the Forgery and Counterfeiting Act 1981, making a false instrument with intent that it be accepted as genuine carries a maximum sentence of ten years' imprisonment on indictment (legislation.gov.uk, Forgery and Counterfeiting Act 1981), and using one to induce a contracting decision can also fall within Section 2 of the Fraud Act 2006, false representation, carrying the same maximum.

The exposure is not limited to the party who forged the document. As set out above, the reformed CIS rules make the hiring business โ€” and potentially its directors personally โ€” liable for lost tax where fraud should reasonably have been detected. Companies House and the GLAA impose no equivalent direct penalty on the hiring organisation for accepting a forged document, but a contractor who onboarded on the strength of a fabricated filing or licence remains exposed to contractual, reputational, and โ€” where the arrangement facilitated modern slavery or unlicensed labour โ€” regulatory risk of its own.

What to Do When You Suspect a Forged Certificate

Stop onboarding or payment immediately and do not confront the supplier before the document is independently verified, since an early warning can prompt evidence destruction or a hurried second forgery. Verify directly with the issuing body using your own login or a number sourced independently โ€” HMRC's CIS Online service, the free Companies House register, or the GLAA's public register and Active Check portal โ€” never a contact number printed on the suspect document.

Preserve the original file, including its metadata, rather than a screenshot or re-saved copy, since creation and modification history is often the clearest evidence of tampering. Report suspected fraud to Action Fraud, and notify the relevant regulator directly: HMRC has a dedicated route for reporting CIS fraud, and the GLAA runs an intelligence line for suspected licence fraud or labour exploitation. Procurement forums often ask whether one red flag justifies rejecting a supplier outright โ€” in practice, one anomaly should trigger verification, but two or more inconsistencies on the same document is a strong basis to pause the relationship pending confirmation from the issuing authority.

Building Systematic Verification Into Supplier Onboarding

Manual, ad hoc checking does not scale once a procurement team manages more than a handful of subcontractors, since every renewal and every new tier-two supplier creates another document needing verification against a register rather than a visual read. Platforms such as CheckFile apply structural, metadata and cross-document analysis to onboarding files, giving compliance teams high coverage across the document set, while contextual analysis keeps false-positive rates low by distinguishing normal variation from genuine fraud signals.

Manual fraud detection methods, including routine document review, catch only around 37% of occupational fraud cases, with a median delay of 87 days before detection (ACFE, 2024 Report to the Nations). CheckFile also deploys an additional AI-generation signal layer, depending on client configuration, as a complement to the structural checks above, not a replacement for them โ€” a forged CIS number still has to be checked against HMRC, and a cloned GLAA licence against the GLAA register. For a broader defence against synthetic paperwork, see CheckFile's AI-generated document detection.

Teams comparing platforms can review CheckFile's security architecture and pricing overview, or get in touch to discuss a specific supplier base. For the wider onboarding checklist beyond fraud detection, see our guides on know your supplier due diligence and verifying a company registration certificate against the register, or the document compliance guide for the full framework.

Frequently Asked Questions

Does HMRC issue a downloadable CIS certificate that can be checked for authenticity?

No. Standard CIS verification is confirmed as a verification number and a deduction rate through HMRC's online service, not as a downloadable certificate. A supplier presenting a formal "CIS certificate" PDF should be verified against HMRC's online result, not assessed on appearance.

How long is a Companies House Certificate of Good Standing valid?

A genuine certificate is valid for three months from issue. One presented outside that window, or claiming good standing for a company whose filing history shows an overdue confirmation statement, should be treated as unreliable until reconfirmed directly with Companies House.

What penalty applies to a business that accepts a forged compliance certificate without checking it?

The forger faces criminal liability under the Forgery and Counterfeiting Act 1981 and potentially the Fraud Act 2006, both carrying up to ten years' imprisonment. Separately, from 6 April 2026, the contracting business itself can face HMRC penalties of up to 30% of lost CIS tax, extending to its directors, if it "knew or should have known" the fraud was happening.

Can a GLAA licence number be verified without contacting the labour provider?

Yes. The public register can be searched by company name or licence number, and businesses can subscribe to the Active Check portal for alerts if a provider's licence changes or is revoked mid-contract, without needing to ask the provider directly.


This article is for informational purposes only and does not constitute legal, tax, or regulatory advice. Consult a solicitor or tax adviser for guidance specific to your organisation. Legislation and guidance referenced are current as of 7 July 2026.

Stay informed

Get our compliance insights and practical guides delivered to your inbox.

Ready to automate your checks?

Free pilot with your own documents. Results in 48h.