The New UK Procurement Regime and the Economic Crime & Corporate Transparency Act: Heightened Exclusion & Debarment Risks | McDermott
MWE Logo
|

The New UK Procurement Regime and the Economic Crime & Corporate Transparency Act: Heightened Exclusion & Debarment Risks

| |
  1. HOME
  2. INSIGHTS

Overview

  • The UK Procurement Act 2023 (the Procurement Act) came into force on 24 February 2025. It introduced significant changes to the UK public procurement landscape including a new regime for suppliers to be excluded from a procurement process by the relevant contracting authority and placed on a central debarment list for up to five years.
  • The overhaul of corporate criminal liability under the UK Economic Crime & Corporate Transparency Act 2023 (ECCTA) makes it much easier for UK authorities to prosecute corporate wrongdoing. Prosecution may trigger mandatory or discretionary sanctions under the Procurement Act.
  • The interplay between ECCTA and the Procurement Act means that companies relying on UK public contracts (e.g., those in the defence, healthcare, transport or utilities sectors) face materially expanded risks. Given the potentially catastrophic consequences of exclusion and debarment, it is even more important that affected companies take steps now to mitigate the risks posed by ECCTA. Key provisions of ECCTA come into force on 1 September 2025; others have been in force since 26 December 2023.
  • This alert highlights the key risks and explains what companies need to do now. For further detail on compliance with ECCTA, see our previous alert The UK Economic Crime & Corporate Transparency Act: What companies need to know and what they can do to prepare.[1]

In Depth

The Old UK Procurement Regime

The previous UK procurement regime was made up of a patchwork of regulations,[2] all of which have been replaced by the Procurement Act.

Broadly, under the old regime, mandatory exclusion was triggered by a conviction for any specified offence including bribery (pursuant to sections 1, 2 or 6 of the UK Bribery Act 2010 (UKBA) or under the pre-UKBA laws) and certain fraud, money laundering and tax offences.[3]

Discretionary grounds for exclusion included a company being “guilty of grave professional misconduct, which renders its integrity questionable…”[4] It was generally understood that a conviction for the corporate offence of failing to prevent bribery (s.7 UKBA) was capable, in principle, of meeting this test. For example, the judgment approving the 2020 Airbus Deferred Prosecution Agreement (DPA) acknowledged that a conviction for the s.7 UKBA offence could result in discretionary exclusion.[5]

Further, as this discretionary ground did not hinge on a criminal conviction, the facts giving rise to a non-prosecution outcome such as a DPA could, depending on their nature, amount to sufficiently grave misconduct.

This was illustrated by the 2019 DPA between the Serious Fraud Office (SFO) and Serco Geografix Limited (SGL) in respect of certain fraud offences relating to contracts with the UK Ministry of Justice (MoJ). The judgment approving the DPA stated that “[t]he facts giving rise to the DPA must amount to such misconduct[6] but the exercise of the discretion was entirely a matter for the UK government.[7] The government determined not to exclude SGL or its parent companies because it was satisfied with the extent of the company’s ‘self-cleaning’[8] measures.[9]

The issue received effectively the same consideration in the judgment approving the 2020 DPA between the SFO and G4S Care and Justice Services (UK) Limited.[10]

The Procurement Act

Overview

As with the old regime, companies risk exclusion from public procurement processes based on both mandatory and discretionary grounds. Subject to certain changes, the grounds remain substantially the same.

However, the Procurement Act also introduces an entirely new debarment list managed by central government. Following exclusion by a contracting authority (on mandatory or discretionary grounds) and a subsequent investigation, a Minister can place a company on the debarment list, excluding them from all public contracting, for up to five years.

Mandatory Exclusion Grounds

The mandatory exclusion grounds are set out in Schedule 6 of the Procurement Act.[11] These include a conviction for various specified offences, typically within the last five years.[12] The list includes many of the offences whereby, due to ECCTA, corporate liability can now be triggered by the conduct of a company’s ‘senior managers’ (the Senior Manager Regime). This regime came into force on 26 December 2023.

For the purpose of the Senior Manager Regime, a ‘senior manager’ is any individual that plays a significant role in: (i) the making of decisions about how the whole, or a substantial part of, the company’s activities are to be managed or organised; or (ii) the actual managing or organising of the whole, or a substantial part of, the company’s activities.

The test is one of fact based on all the circumstances. Government guidance published in November 2024 (the ECCTA Guidance)[13] confirmed that senior individuals within non-executive and non-client facing roles could satisfy the definition (e.g. persons in Legal, Compliance, Finance, Sales, Marketing and Human Resources). Accordingly, this is potentially a very broad group indeed.

The offences which overlap the Senior Manager Regime and Schedule 6 of the Procurement Act include:[14]

  • sections 1, 2 and 6 of the UKBA
  • sections 2, 3, 4, 6 or 7 of the Fraud Act 2006
  • sections 327-329 of the Proceeds of Crime Act 2002
  • false accounting and related offences under the Theft Act 1968
  • conspiracy to defraud
  • cheating the public revenue and various statutory tax offences

 

The previous procurement regime had similar consequences for companies convicted of these offences. However, before ECCTA, establishing corporate criminal liability was generally very difficult due to the ‘identification principle’ in English law whereby only the conduct of a company’s ‘directing mind and will’ (DMW) could be imputed to the company. The narrow scope of the DMW meant that a prosecutor effectively had to prove that the board (or individuals with specific authority delegated to them by the board) were involved in the relevant crime. This led to difficulties prosecuting companies, as evidence implicating such individuals was generally hard to find, or it was generally more junior employees who engaged in the relevant conduct. Importantly, the Senior Manager Regime has replaced the DMW requirement for the offences listed above and captures a much broader range of individuals.  This means that a major obstacle to convictions for mandatory exclusion offences has now been removed.

Importantly, the mandatory exclusion grounds under the Procurement Act also extend to any “connected person” or “associated person” of the supplier. In the context of the Procurement Act, that includes:

  • “connected person” – parent and subsidiary companies, any person (legal or natural) who exercises, or has the right to exercise, significant control or influence over the supplier, and any person (legal or natural) over whom the supplier exercises, or has the right to exercise, significant influence or control.[15]
  • “associated person” – anyone the supplier is relying on in order to satisfy the conditions of participation[16] (other than a guarantor),[17] such as consortium partners and sub-contractors.[18]

This combines with the Senior Manager Regime to expansive effect. The implication is that the mandatory debarment of a supplier may be triggered not only by the actions of any of their own senior managers, but also the senior managers of any company that, for Procurement Act purposes, is a “connected person” or “associated person” of the supplier. This potentially casts an extremely wide net.

Discretionary Exclusion Grounds

The discretionary exclusion grounds are set out in Schedule 7 of the Procurement Act. These include where the contracting authority “considers that the supplier or a connected person has engaged in professional misconduct which brings into question the supplier’s integrity” or where a court, regulator or other authority has ruled to the same effect. Again, this extends to any “associated person” of the supplier for the purposes of the Procurement Act.

Consistent with the equivalent provision under the old regime (as discussed above), a conviction for failing to prevent bribery (s.7 UKBA), or a DPA in respect of, e.g., bribery or fraud offences, all appear capable of triggering this.

As regards ECCTA, the ‘failure to prevent fraud’ offence (s.199 ECCTA) comes into force on 1 September 2025. In essence, a company commits this offence where one of its ‘associates’ (including its employees, agents, subsidiaries and anyone who performs services for it or on its behalf) commits a specified fraud offence intending to benefit the company. The only defence is for the company to prove that it had reasonable fraud prevention procedures in place.

The question therefore arises as to how a conviction for this new offence, or a DPA in respect of the same, would be considered under the Procurement Act.

Helpfully in this respect, “professional misconduct” is defined in Schedule 7 of the Procurement Act as conduct involving dishonesty, impropriety, or a serious breach of applicable ethical or professional standards. The fraud offences specified in ECCTA for the purpose of the failure to prevent offence all require an element of dishonesty.[19] However, that dishonesty would be on the part of the associate. The question for the purpose of the discretionary exclusion ground is whether the company (or a “connected person” or an “associated person”)[20] engaged in dishonest or improper conduct, etc.

In some scenarios, the associate whose fraudulent conduct the company failed to prevent will also be a “connected person” or “associated person” (as defined in the Procurement Act), thereby falling within the discretionary ground for exclusion. However, this will not necessarily be the case. The analysis will always hinge on the precise nature of the associate’s role. Where the associate is not a “connected person” or an “associated person” (as defined in the Procurement Act), the relevant professional misconduct would need to be on the part of the company itself.

In some circumstances, a company convicted of failing to prevent fraud may not have engaged in dishonest or improper conduct – the offence can be committed without the knowledge or involvement of the company in the underlying fraud. Ultimately, much will turn on the particular facts in each case, including, for example, the degree of culpability of the board and/or senior management.[21]

Additional Test (Self-Cleaning)

Where a mandatory or discretionary exclusion ground does apply, the contracting authority must also be satisfied that the circumstances giving rise to its application are “continuing or likely to occur again”.[22] This test effectively replaces the self-cleaning mechanism under the old regime. A non-exhaustive list of factors that may be considered include:[23]

  • evidence that the company has “taken the circumstances seriously”, such as by paying compensation;
  • taking steps to prevent the circumstances continuing or reoccurring, such as by changing personnel or implementing procedures and training;
  • allowing the monitoring or verification of such steps; and
  • the time since the circumstances last occurred.

A company can make representations and provide evidence in relation to the above (and any other relevant factors).

Government guidance on the Procurement Act (Procurement Act Guidance) states that, in this context, the circumstances giving rise to the application of the exclusion ground include the “underlying issues” as well as the specific misconduct. The Procurement Act Guidance gives the examples of a “a toxic office culture, due diligence failures, a lack of a compliance function or inappropriate governance mechanisms.”[24]

A company that has previously resolved wrongdoing through a DPA (whether for substantive offences or failure to prevent offences), and subsequently complied with its terms, may have a strong chance of arguing that the underlying circumstances are not continuing or likely to reoccur.

For a DPA to have been approved, the prosecutor and the court must have been satisfied that it was in the public interest. Had they considered the circumstances to be continuing or likely to reoccur, there would – almost by definition – have been no DPA. DPAs also invariably involve the payment of a financial penalty, a recognition that the company has taken matters seriously (e.g., through cooperating and, potentially, self-reporting) and substantial compliance remediation. Indeed, the Procurement Act Guidance expressly states that contracting authorities should take into account “the level and nature of cooperation” with the appropriate authorities in determining whether a company has taken matters seriously.[25] The factors in the DPA Code of Practice tending against prosecution also broadly map against the relevant criteria, including, for example, that the company “in its current form is effectively a different entity from that which committed the offences…”[26]

On 24 April 2025, the SFO published new guidance stating that if a company promptly self-reports suspected corporate criminal conduct and co-operates fully it can expect to be invited into DPA negotiations “unless exceptional circumstances apply”.[27] Given the potential importance of a DPA in helping to satisfy the self-cleaning test – and thereby avoiding exclusion and debarment – this may prove to be an attractive incentive to relevant companies.

On the other hand, a company convicted of an offence (i.e., where a DPA was not in the public interest) may well still have arguments to make in relation to self-cleaning, given the fact-specific nature of the evaluation, albeit from a less advantageous starting point compared to a DPA.

Debarment List and Investigations

The Procurement Act introduces a new, centralised debarment list. The process is triggered by a contracting authority notifying central government that it has excluded a supplier from a given process.[28] Following an investigation, a decision will be taken on whether to add the supplier to the debarment list.[29]

Suppliers must be notified of an investigation and given an opportunity to make representations. The government also has extensive powers to require the supplier (and their “connected persons”) to provide any documents and/or other assistance it may reasonably require.[30] Although there is no duty to cooperate, serious non-compliance may itself constitute a mandatory ground for exclusion.[31]

Once concluded, the government must provide to the supplier, and publish, an investigation report.[32] The report must give reasons why any mandatory or discretionary grounds are considered to apply (including the self-cleaning assessment discussed above) and whether an entry will be made on the debarment list.[33]

Where a supplier is to be added to the list, they must be provided with a decision notice, triggering: (i) an 8 day standstill period during which the supplier may apply to court for interim relief;[34] and (ii) a 30 day period during which they may appeal the debarment decision – but only where it believes there has been a material mistake of law.[35] Additionally, suppliers may apply to the government at any time for their removal. The government need only consider such applications where there has been a material change in circumstances, or the supplier provides significant new information.[36]

Take-Aways in Relation to ECCTA

The interplay between ECCTA and the Procurement Act has the potential to trigger a chain of events with extremely serious consequences.

Prior to ECCTA, it was generally very difficult to establish corporate criminal liability in the UK. The range of circumstances in which a company could have been successfully prosecuted for an offence carrying mandatory exclusion was correspondingly narrow. The Senior Manager Regime has removed that obstacle and significantly widened the net for many such offences (e.g., bribery, fraud, false accounting, money laundering, tax evasion).

Combined with the Procurement Act, this means that the conduct of a single senior manager of (i) the company, (ii) its “connected persons”, or (iii) its “associated persons”[37] is potentially sufficient to trigger exclusion from a specific procurement process and, thereafter, an investigation leading to a place on the central debarment list and debarment from all public contracts.

All of the above may play out in public, leading to contagion risk under the applicable exclusion/debarment regimes of other countries and/or any relevant multilateral development banks.

Likewise, from 1 September 2025, the new failure to prevent fraud offence (s.199 ECCTA) means that the actions of all a company’s ‘associates’ (i.e., employees, agents, subsidiaries and anyone else providing services for it or on its behalf) will be capable of triggering discretionary exclusion and debarment.

Conclusion

The combined impact of ECCTA and the Procurement Act means that companies relying on UK public contracts face a materially expanded risk universe. To avoid the potentially catastrophic consequences of exclusion and debarment, such companies have an even greater imperative to implement the steps detailed in our previous alert.[38] In summary, key aspects include:

Senior Manager Regime:

  • Identifying all potential ‘senior managers’ (according to the definition in ECCTA), across all functions and wherever located. This exercise should factor in succession planning and be refreshed periodically and following reorganisations.
  • Rolling out tailored, enhanced compliance training to the key population(s) identified.
  • Drafting or refreshing policies and procedures relating to the relevant offences.[39]

Failure to Prevent Fraud:

  • A vital starting point is to undertake a detailed fraud risk assessment to determine the risk profile across the business.
  • The methodology for conducting a safe and reliable risk assessment is crucial to avoid certain common pitfalls, including around privilege risk. Our previous alert provides further information in this respect.
  • Based on the fraud risk assessment, companies will need to design and implement proportionate policies and procedures to help ensure that the ‘reasonable procedures’ defence is available. The approach should be informed by the six key principles underpinning the official ECCTA Guidance.[40]

Notably, the components of ‘reasonable procedures’ may substantially overlap with the representations a company would make if it was seeking to demonstrate that it had effectively self-cleaned. For example, a company may point towards a genuine culture of compliance,[41] and supply chain due diligence and monitoring procedures, as evidence that the circumstances giving rise to a mandatory or discretionary exclusion ground will not reoccur. This added value further strengthens the investment case for taking pro-active steps now.

————-

McDermott’s Investigations & Compliance team has decades of experience helping multinational organisations navigate the UK’s increasingly challenging compliance environment, has advised on the design and implementation of compliance procedures, and has acted on some of the highest profile corporate investigations and resolutions in recent years.

Please contact us if you wish to discuss any of the issues in this note.

Stay Connected

Subscribe Follow Us on LinkedIn Get in Touch

Authors

Simon Airey
Partner | London
/ +44 20 75773470
View Profile MWE Icon

Andrew Butel
Counsel | London
/ +44 20 7575 0323
View Profile MWE Icon

Endnotes

[1] https://www.mwe.com/pdf/eccta-what-companies-need-to-know/

[2] The Public Contracts Regulations 2015 (PCR 2015), the Utilities Contracts Regulations 2016 (UCR 2016), the Defence and Security Public Contracts Regulations 2011 (DSPCR 2011) and the Concession Contracts Regulations 2016 (CCR 2016).

[3] The grounds for mandatory and discretionary exclusion were specified in Reg. 57(1) of the PCR 2015, Reg. 80(1) of the UCR 2016, Reg. 23(1) of the DSPCR 2011, and Reg. 38(8) of the CCR 2016.

[4] Reg. 57(8)(c) of the PCR 2015. The same ground featured in the UCR 2016 (Reg. 80(1)) and CCR 2016 (Reg. 38(16)). The DSPCR 2011 included similar wording.

[5] SFO v Airbus SE [2020] at [84]

[6] SFO v Serco Geografix Limited [2019] at [29]

[7] Ibid., at [30]

[8] A mechanism by which a company could seek to convince the contracting authority that it had taken appropriate remedial measures that were “sufficient to demonstrate its reliability” despite the existence of mandatory or discretionary grounds for exclusion (Reg. 57(13)-(17) of the PCR 2015).

[9] SFO v Serco Geografix Limited [2019] at [30]

[10] SFO v G4S Care and Justice Services (UK) Limited [2020] at [31-33]. The case related to fraud under similar MoJ contracts as the SGL DPA.

[11] Per s.57(6)

[12] Schedule 6, paragraph 44(1)

[13] Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (November 2024)).

[14] Ancillary offences (e.g., attempting, conspiring, aiding, and abetting) also fall within Schedule 6 of the Procurement Act and the ambit of the Senior Manager Regime.

[15] Per Schedule 6, paragraph 46. It also includes directors.

[16] Conditions a contracting authority may set to ensure that suppliers have the legal and financial, or technical, or ability to perform the contract (s. 22).

[17] s.26(4)

[18] s.22(8)-(9)

[19] Schedule 13 ECCTA

[20] Per the Procurement Act definition

[21] Logically, the same analysis would apply to a DPA in respect of the failure to prevent fraud offence (s. 199 ECCTA), and a conviction or DPA for failing to prevent bribery (s. 7 UKBA).

[22] s.57(1)(a)(ii) and 57(2)(a)(ii)

[23] s.58(1)

[24] See https://www.gov.uk/government/publications/procurement-act-2023-guidance-documents-procure-phase/guidance-exclusions-html, paragraph 54

[25] Ibid., paragraph 57

[26] DPA Code of Practice, paragraph 2.8.2.v.

[27]SFO External Guidance on Corporate Co-Operation and Enforcement in relation to Corporate Criminal Offending (24 April 2025) at https://www.gov.uk/government/publications/sfo-corporate-guidance/sfo-corporate-guidance

[28] s.59

[29] s.60

[30] s.60(6)

[31] s.60(7) / s.43

[32] s.6(3). There are certain limited exceptions to the transparency and publication requirements, including for national security purposes.

[33] s.61(4)

[34] s.63

[35] s.65

[36] s.64

[37] As defined in the Procurement Act

[38] https://www.mwe.com/pdf/eccta-what-companies-need-to-know/

[39] There is no ‘reasonable procedures’ defence (unlike with the failure to prevent fraud offence). However, such procedures are vital to mitigate the risks of wrongdoing in the first place.

[40] Risk assessment; proportionate procedures; top level (board) commitment; communication and training; due diligence; and monitoring and review.

[41] Demonstrated, for example, by board-level commitment, a well-resourced compliance function and employees empowered to ‘speak up’.