
Vendor Compliance Certificate Verification: Practical Guide 2026

How to verify vendor compliance certificates in the UK supply chain: legal obligations, HMRC checks, CHAS, Modern Slavery Act, and automated document verification tools.

James Whitfield, Head of Compliance

Vendor compliance certificate verification is the structured process by which a contracting organisation confirms that its suppliers and subcontractors meet their tax, social security, health and safety, and regulatory obligations before and during the execution of a contract. In the UK, this obligation is distributed across several legislative frameworks, from the Finance Act 2004 to the Modern Slavery Act 2015, making a fragmented approach to supplier verification one of the most common compliance gaps identified by HMRC and the FCA.

As of February 2026, organisations contracting with labour-intensive service providers in the construction, facilities management, and staffing sectors face enhanced scrutiny under the UK's Construction Industry Scheme (CIS) and the Gangmasters and Labour Abuse Authority (GLAA) licensing regime (HMRC CIS Overview). This guide covers the full landscape of vendor compliance certificates in the UK, their legal basis, verification procedures, and how to build a defensible compliance programme.

What Are Vendor Compliance Certificates?

Vendor compliance certificates are official documents issued by government agencies or accredited bodies that attest to a supplier's compliance with specific legal obligations. Unlike a simple supplier questionnaire, they carry legal weight: presenting a falsified certificate to a contracting party constitutes fraud under the Fraud Act 2006.

The most relevant certificates in a UK supply chain compliance context include:

| Certificate | Issued By | What It Confirms |
|---|---|---|
| CIS Verification / Gross Payment Status | HMRC | Tax compliance for construction subcontractors |
| HMRC Compliance Confirmation | HMRC | No outstanding PAYE/NIC liabilities |
| CHAS Certificate | CHAS / SSIP member bodies | Health and safety competence |
| SIA Licence | Security Industry Authority | Approved contractor status |
| GLAA Licence | Gangmasters and Labour Abuse Authority | Ethical labour standards |
| Modern Slavery Statement | Self-certified, published annually | Supply chain slavery risk management |

Under Section 57 of the Companies Act 2006 and the CIS regulations, a principal contractor who fails to verify a subcontractor's tax status before making payment becomes liable for any CIS deductions that should have been made (HMRC CIS Guidance, SI 2005/2045). This liability can be substantial: HMRC can recover unpaid CIS deductions (currently 20% for verified subcontractors and 30% for unverified ones) directly from the contractor.

Construction Industry Scheme (CIS)

The CIS is the primary framework governing tax compliance verification in the UK construction supply chain. Every contractor must verify each new subcontractor with HMRC before making the first payment. Verification is carried out online via the Government Gateway HMRC CIS portal.

The verification process confirms whether the subcontractor should receive gross payments (no deduction), the standard 20% deduction, or the higher 30% deduction. This status must be re-verified when a subcontractor has not been paid in the previous two tax years.

Since April 2021, HMRC's Domestic Reverse Charge for construction services changed the VAT treatment for CIS-registered businesses, adding a further compliance layer that contractors must track (HMRC VAT Notice 735).

Employment Agency Standards and GLAA

Labour providers in agriculture, food processing, cleaning, and hospitality must hold a GLAA licence. Contracting organisations in these sectors must verify that all labour agencies they engage are GLAA-licensed before commencing a contract. The GLAA register is publicly searchable at gla.gov.uk.

Using an unlicensed labour provider exposes the principal contractor to criminal liability under the Gangmasters (Licensing) Act 2004, including fines and imprisonment for directors.

Modern Slavery Act 2015

Organisations with an annual turnover above £36 million must publish an annual Modern Slavery Transparency Statement under Section 54 of the Modern Slavery Act 2015. This statement must describe the steps taken to address slavery and human trafficking risks across the organisation's supply chain.

While the Modern Slavery Statement is self-certified, the Home Office has confirmed that enforcement actions will increase from 2026 onwards, with focus on organisations that publish boilerplate statements without demonstrable supplier vetting (Home Office Modern Slavery Guidance). Verifiable supplier compliance documentation is the primary defence.

How to Verify Vendor Compliance Certificates

Step 1: Identify Required Certificates Per Vendor Category

Not every supplier requires every certificate. A structured onboarding questionnaire should map the vendor's activity to the applicable regulatory regimes:

  • Construction subcontractors: CIS verification + CHAS or equivalent SSIP certificate
  • Labour suppliers: GLAA licence (if applicable sector) + employer liability insurance
  • Financial services subcontractors: FCA Register check + information security certifications
  • All vendors above £36m turnover: Modern Slavery Statement review

Step 2: Verify Directly with the Issuing Authority

Certificate authenticity must be confirmed against the issuing body's registry, not just by visual inspection of a document provided by the vendor:

  • CIS status: verify via HMRC's online portal using the subcontractor's UTR number
  • FCA authorisation: check the FCA Register using the firm's FRN number
  • GLAA licence: search the GLAA public register by company name or licence number
  • SSIP/CHAS: verify via the SSIP portal using the certificate number

Accepting a photocopy or PDF without independently confirming its validity leaves the organisation exposed. The FCA's Supplier Code of Conduct explicitly requires that supply chain partners maintain compliance with applicable laws and proactively report suspected fraud (FCA Supplier Code of Conduct).

Step 3: Define Renewal Schedules

Each certificate type carries a different validity period:

| Certificate | Validity Period | Action Required |
|---|---|---|
| CIS Verification | Permanent until gap in payments | Re-verify after 2-year payment gap |
| HMRC Tax Clearance | 30 days | Renew before major contract milestones |
| CHAS / SSIP | 12 months | Annual renewal before expiry |
| GLAA Licence | 1–3 years (variable) | Check expiry date on register |
| FCA Authorisation | Ongoing | Monitor for regulatory changes |

Managing renewal dates manually across a vendor base of 50+ suppliers requires approximately 200 verification touchpoints per year for a typical mid-market organisation. Automated vendor compliance platforms can reduce this overhead by 80% through API integrations with HMRC, the FCA Register, and SSIP.

Common Failures in UK Vendor Compliance Verification

Forums for procurement and compliance professionals frequently surface the same recurring issues:

Accepting self-certified compliance statements: a vendor stating "we are CIS-compliant" in an email is not a compliance certificate. Legal exposure remains with the contracting organisation unless formal verification has been conducted.

Failing to re-verify after long payment gaps: CIS rules require re-verification when there has been no payment to a subcontractor in the preceding two tax years. Many contractor finance teams miss this trigger.

Missing the cascade obligation: if your direct subcontractor sub-contracts in turn, you retain an interest in their subcontractors' compliance in sectors covered by the GLAA and the Bribery Act 2010. The supply chain does not stop at tier 1.

No documented audit trail: HMRC can request evidence of verification for up to six years following the relevant tax year. Organisations without structured records face a near-impossible burden of proof in an investigation.

For a broader look at document verification frameworks relevant to financial services compliance, our guide on KYB business document verification covers the cross-sector principles in detail.

Our right-to-work check employer compliance guide also addresses the documentation requirements for directly employed contractors, which frequently overlap with vendor compliance obligations.

For a broader view of document compliance principles that apply across industries, consult the documentary compliance guide.

Building a Defensible Vendor Compliance Programme

A compliance programme that survives regulatory scrutiny must satisfy three criteria: it must be documented, repeatable, and auditable.

Documentation: maintain a vendor compliance register that records, for each active supplier, the certificates held, the date of last verification, the method of verification (direct portal check vs. document review), and the date of next required renewal.

Repeatability: define a standard onboarding checklist that maps vendor categories to required certificates, and a standard operating procedure for mid-contract renewals. This SOP should be embedded in procurement systems, not held in individual team members' knowledge.

Auditability: every verification action must produce a timestamped record. Screenshots of HMRC CIS verification results, FCA Register searches, and GLAA licence checks should be stored with the vendor record and protected from alteration.

CheckFile provides an automated vendor compliance verification platform that integrates with HMRC's CIS portal and other UK regulatory registers, generating verifiable audit logs for every check performed. Our security architecture ensures that compliance records meet the evidential standards required in HMRC and FCA investigations.

For organisations scaling their vendor compliance operations, CheckFile's pricing is structured to support both SMEs with small supplier bases and enterprise procurement teams managing thousands of vendors.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific compliance guidance, consult a qualified solicitor or compliance professional.

Frequently Asked Questions

What is the difference between a vendor compliance certificate and a vendor questionnaire?

A vendor compliance certificate is an official document issued by a government body or accredited third party (HMRC, CHAS, GLAA) and carries legal weight. A vendor questionnaire is a self-certified statement by the supplier and provides no legal protection to the contracting organisation. Only verified certificates create a defensible compliance record.

Does CIS verification apply to foreign subcontractors working in the UK?

Yes. Any subcontractor carrying out construction operations in the UK is within the scope of CIS, regardless of where they are incorporated. Non-UK subcontractors can apply for CIS registration via HMRC using form CIS304. An unregistered foreign subcontractor must have the 30% higher rate deducted.

How long should vendor compliance records be retained?

HMRC recommends retaining CIS records for at least six years following the end of the relevant tax year. For other regulatory regimes (GLAA, Modern Slavery), records should be retained for a minimum of five years. The safest approach is a seven-year retention policy applied uniformly to all vendor compliance documentation.

What happens if a vendor's CHAS certificate lapses mid-contract?

The contracting organisation should notify the vendor immediately and suspend any high-risk activities until a new certificate is obtained. Continuing to allow a vendor to carry out health and safety-relevant work with a lapsed CHAS certificate may constitute a breach of the contractor's duty of care under the Health and Safety at Work Act 1974.

Can an AI system automatically verify vendor compliance certificates?

Yes, for certificates linked to public registries (FCA Register, GLAA, SSIP). Automated platforms can perform real-time checks via API and alert procurement teams when a certificate is about to expire or has been revoked. For CIS verification, HMRC's online portal supports automated queries for enrolled organisations.
