Question to the HM Treasury:

To ask the Chancellor of the Exchequer, what policy HMRC follows on suspending automated penalty notices and enforcement action in cases where a taxpayer's account has been compromised by a third party.

Since May 2025, HMRC has seen a significant increase in VAT fraud attempts relating to criminals compromising legitimate customer accounts. HMRC security teams actively investigate these incidents and work with experts across the department to continually strengthen the security of online services.

HMRC’s approach is to identify and prevent fraud upstream by strengthening perimeter controls to prevent fraudulent access to systems, applying effective risk‑based controls at the point of registration and repayment, and targeting the organised criminal groups behind these attacks. HMRC’s Cybercrime team works proactively to understand these threats and identify those responsible.

Where HMRC identifies that a taxpayer’s VAT account has been compromised by a third party, the department takes action to lock the digital account to prevent further unauthorised access and to mitigate any adverse impact on the customer.

HMRC contacts the customer to explain what has occurred, the action taken to correct their account, and any steps the customer needs to take. Until recently, customers were asked to appeal any penalties or interest incurred. However, the process has been adjusted so that any incorrect penalties are now inhibited and removed.

Once the customer regains access to their account, HMRC provides appropriate support and allows additional time for the customer to submit updates and returns without accruing penalties.