The Serious Fraud Office has reached a Deferred Prosecution Agreement with Ultra Electronics Holdings Ltd in a major corporate bribery settlement. The case shows how bribery risk can build across agents, intermediaries, joint ventures, overseas public contracts and semi-autonomous business units when commercial pressure is not matched by effective anti-bribery controls. The £10.08m financial penalty, combined with £4.8m in SFO costs, resolves three counts of failing to prevent bribery under section 7 of the Bribery Act 2010, relating to public sector contracts in Oman and Algeria. It also marks the SFO’s first DPA in five years and its first major corporate bribery outcome since Glencore in 2022.
The case is especially significant for defence, aerospace, infrastructure and technology firms operating in high-risk jurisdictions. The contracts involved were not small local sales. They included a major airport technology project in Oman worth between £150m and £200m, plus two attempted projects in Algeria involving airport IT, e-commerce and public key infrastructure. It’s very easy for bribery risks to be dressed up as consultancy, local liaison, market access, bid support or agent fees, and this is what ultimately cost Ultra Electronics.
What is the bribery case about?
Ultra Electronics Holdings Ltd, previously a FTSE 250 company, was the parent company of a group whose subsidiaries designed, developed and manufactured electronic systems for the international defence and aerospace market. Between 2009 and 2017, the Ultra Group employed around 4,150 to 4,850 staff worldwide and generated annual revenues in the range of £651m to £786m. At the relevant time, the group operated through divisions and semi-autonomous business units, including Ultra Electronics Airport Systems, which sold specialised IT software solutions for airports and airlines.
The SFO investigation concerned suspected bribes paid or facilitated through local agents and associated persons in Oman and Algeria. In Oman, Ultra Electronics Airport Systems pursued a major IT and systems contract for Muscat and Salalah airports, known as the MC6 Project. In Algeria, the company bid for two projects: one for IT and e-commerce solutions at Houari Boumediene Airport in Algiers, and another for public key infrastructure for the Algerian Ministry of Post and Information and Communication Technology. The Omani project was awarded, although it later became significantly loss-making. The Algerian bids were unsuccessful.
The DPA relates to three counts of failure to prevent bribery under section 7 of the Bribery Act 2010. The offence does not require prosecutors to prove that the company’s board authorised bribery. A commercial organisation can be liable where a person associated with it bribes another person intending to obtain or retain business or a business advantage, unless the organisation can show that it had adequate procedures designed to prevent bribery. In Ultra’s case, the company did not have adequate procedures designed to prevent associated persons from engaging in the conduct described.
It is important to be precise about the status of the DPA documents. The court did not make findings of fact against any individual. No individual admitted misconduct, and some individuals denied involvement. The DPA judgment concerns the culpability of the company, not the culpability of named individuals.
The Oman contract: the “third man” risk
Ultra Electronics Airport Systems worked with Oman Investment Corporation, as local law required the bidder to partner with an Omani business. This later led to the creation of a joint venture known as Ithra, owned 70% by Ultra Electronics Holdings and 30% by OIC.
From late 2009 Ultra employees discussed a payment of 800,000 Omani Rial, worth about £1.297m, for a “third man” or “fixer” who could deliver a “knockout blow” and secure the bid. The documents suggested that this person was believed to be able to influence the award of the project and may have been an official or connected to an official. After the MC6 Project was awarded to Ithra, the joint venture entered into a consultancy agreement with an Omani company, Golden Way. The agreed fee was OMR 800,000.
The payment structure created multiple obvious red flags. The consultancy agreement followed the award of the contract. The amount matched the earlier “third man” figure. The services were described in broad terms. The payments were made in instalments. The money was paid into the personal bank account of an individual connected to Golden Way. The SFO inferred that Ultra Group employees arranged for the payments with a view to some or all of the money being passed on as payment to an official for assistance provided.
The compliance issue here is not simply that an agent was used. Agents, local partners and joint ventures may be legally required or commercially necessary in some jurisdictions. The failure was the absence of sufficient control over why the intermediary was needed, what services were actually being provided, whether the payment was proportionate, whether the recipient had public official links, and whether the contract and invoices matched legitimate work.
The Algeria projects: consultancy agreements, personal payments and public officials
The Algerian conduct involved two attempted projects. The first concerned IT and e-commerce solutions at Houari Boumediene Airport. A senior executive, while employed by Ultra Electronics Limited and acting as CEO of a joint venture, arranged consultancy agreements between a joint venture partner and Algerian agents. Those agreements provided for substantial commission payments if the project was awarded. It was inferred that the purpose was to facilitate the corruption of senior officials who could influence the tender.
The details include a particularly stark example of risk indicators. There were personal payments to an Algerian agent, including transfers of £5,000 and £10,000, with communications referring to cash being handed over and a person expecting an “envelop”. The airport bid ultimately failed and the project was awarded to another supplier.
The second Algerian project concerned public key infrastructure for the Algerian ministry. The company bought an iPhone for the Director General of the ministry as a reward for providing the request for proposal outside the standard prequalification process. There was also a consultancy agreement involving a $4m fee and a separate $1.5m agreement with a former minister. Again, the stated inference was that the purpose of the arrangement was to facilitate corrupt payments to senior officials who would influence the tender.
A gift to an official, a request for proposal obtained outside the normal process, a large commission, a politically connected adviser and personal payments may each raise concern. Taken together, they should trigger immediate escalation, investigation and suspension of the opportunity until the risk is understood.
How the investigation developed
Ultra self-reported to the SFO in March 2018 during the early stages of an internal investigation into the Algerian matters. The SFO opened a criminal investigation in April 2018. Its investigation included searches, interviews with former employees and witnesses, targeted requests for material, compulsory notices, voluntary material, overseas requests, mailboxes and bank records.
The investigation then widened. In 2021, the SFO invited Ultra to enter DPA negotiations in relation to the Algerian projects. In July 2022, at a late stage in those negotiations, Ultra disclosed information about Oman. Ultra said an earlier internal investigation in 2015 had not identified evidence of bribery and corruption. The SFO did not accept that analysis and withdrew from DPA negotiations in November 2022. In December 2022, the SFO expanded the investigation to suspected corruption in Oman. In 2024, the investigation expanded further into other jurisdictions and then to Ultra’s historic conduct of business across all jurisdictions.
This is important as while self-reporting is always better, the mere fact of it alone will not guarantee a DPA. Cooperation has to be complete, credible and sustained. A company that self-reports one set of facts while underestimating or failing properly to identify other misconduct may lose the benefit of trust with prosecutors. In Ultra’s case, negotiations only resumed after significant changes in ownership, structure, leadership and approach.
The corporate failings
The central corporate failing was inadequate procedures to prevent bribery. In practical terms, the case points to weaknesses across third-party due diligence, intermediary approval, joint venture governance, financial controls, bid oversight, gifts and hospitality, escalation, and senior management challenge.
The Oman facts show how payments to an intermediary can be embedded in bid economics long before a formal contract appears. If a budget includes a local consultant, fixer or influence payment, compliance cannot wait until the invoice stage. By then, the commercial and political logic of the arrangement may already be established. Proper controls need to operate at bid inception, bid review, pricing approval, contract award and payment approval.
The Algeria facts show the risk of senior individuals operating across overlapping roles, particularly where they sit inside a joint venture structure, engage local agents and deal with public-sector opportunities. Joint ventures can blur accountability. A company may think a partner or affiliate is holding the risky relationship, while in reality the economic benefit and legal exposure remain with the group. Under section 7 of the Bribery Act, the question is whether an associated person committed bribery intending to obtain or retain business or a business advantage for the organisation. The fact that payments pass through an affiliate, partner or intermediary will not necessarily insulate the company.
The case also raises questions about internal investigations. Ultra’s earlier analysis of the Oman material was not accepted by the SFO. That is a warning for companies conducting privileged internal reviews. An internal investigation that is too narrow, too deferential to commercial explanations, or too reluctant to draw adverse inferences from documents may create further difficulty later. Prosecutors will test whether the company truly understood the misconduct or simply managed the most visible part of it.
The DPA and financial penalty
Under the DPA, prosecution is deferred for three years, ending on 1 May 2029, provided Ultra complies with its obligations. The agreement does not protect the company against prosecution for undisclosed conduct or future criminal conduct. It also does not protect officers, directors, employees or associated persons from prosecution.
Ultra agreed to pay a financial penalty of £10,083,150 and SFO costs of £4,804,831.12. The penalty calculation was based on harm figures of £5.329m for Oman and £1.461m for Algeria, a 300% multiplier, a 45% guilty plea discount and a 10% totality discount. There was no disgorgement of profits because the Omani contract resulted in a loss and the two Algerian contracts were not obtained.
Cobham Ultra Limited, Ultra’s ultimate parent company in England and Wales, also gave an undertaking to ensure Ultra performs its obligations under the DPA. That includes assuming responsibility for the financial penalty and SFO costs if Ultra fails or is unable to pay, ensuring Ultra remains a valid legal entity under its control during the term, and cooperating with the SFO and other domestic or foreign authorities in related investigations or prosecutions.
The structure of the DPA is significant. It reflects the SFO’s concern that corporate restructuring should not frustrate enforcement. Parent company undertakings are likely to become increasingly important where legacy misconduct is discovered after acquisition, where entities have been delisted, divested or reorganised, or where prosecutors want assurance that a defendant company will remain available and accountable throughout the term of the agreement.
What Ultra has pledged to do
The DPA recognises extensive remediation, particularly after the 2022 acquisition. Ultra appointed new management and a new internal legal and compliance team. It provided comprehensive disclosure, factual narrative reports, limited waivers of privilege over key material, access to legacy entities and data, and assistance with interviews and overseas documents. The SFO described its cooperation after the acquisition as exemplary.
The compliance reforms are substantial. Ultra appointed an experienced Chief Compliance Officer with a direct reporting line to the Chief Financial Officer and the board. It instructed a leading law firm to assess its compliance framework, including anti-bribery and corruption risk management, and implemented the recommendations. It also instructed an external consulting firm to review its anti-fraud compliance programme in response to the new failure to prevent fraud offence.
Ultra also took steps to terminate legacy joint ventures and radically reduce the number of intermediaries used by the group. Its revised Ethics & Compliance Programme includes a Code of Conduct, Global Supplier Code of Conduct, Selection and Management of Intermediaries Procedure, Anti-Bribery and Corruption Manual, Anti-Bribery and Corruption Policy for Intermediaries, Speak Up and Investigations Policy, and Group Sanctions Policy. The company introduced risk-based due diligence and onboarding for intermediaries, extensive approval processes requiring board and General Counsel approval, annual training, enhanced in-person anti-bribery training for higher-risk functions and senior employees, and audits of financial controls covering expenses, third parties, gifts and hospitality, and charitable and political donations.
Under the DPA, Ultra must continue improving its anti-bribery and corruption programme and provide yearly reports to the SFO during the three-year term. The agreement specifically refers to mitigating risks inherent in third-party intermediaries, joint ventures and consortia, implementing an internal ABC risk assessment process, maintaining an independent compliance function, and retaining only necessary intermediaries after a wholesale review.
What firms can learn from the Ultra case
Intermediary risk must be governed from the start of the commercial process. Due diligence shortly before payment approval is too late. A company should be asking why the intermediary is needed, who introduced them, what services they will provide, whether they have public official connections, how they will be paid, whether fees are proportionate, and whether the same objective could be achieved through lower-risk channels. These questions should be answered before the bid is submitted and then revisited when the contract is awarded, amended or invoiced.
Local partner and joint venture risk should be treated as company risk. A mandatory local partner does not reduce bribery risk. It may increase it. Where a partner is state-linked, politically exposed or retained because of access to government decision-makers, the company must document why the relationship is legitimate and how improper influence will be prevented. Board or senior legal approval should be able to evidence challenge, risk analysis and conditions.
Vague consultancy services are a recurring danger sign. Descriptions such as “liaison”, “local communication”, “access”, “business development support” or “public relations” require detail. Firms should expect written scopes of work, deliverables, evidence of work performed, appropriate invoicing, and payment to a bank account in the contracting party’s name and country of operation unless there is a documented, approved explanation.
Another element is that success fees in public procurement need particular scrutiny. A large contingent fee linked to the award of a public contract creates a heightened risk that the intermediary is being rewarded for influence rather than legitimate services. That risk is greater where the intermediary has no clear technical role, no transparent work product, public official connections, or where fees are built into bid pricing without compliance review.
Next is that gifts and hospitality controls cannot sit apart from bid controls. A gift to a public official during a tender, access to non-public bid documents, a request for proposal obtained outside normal channels, or personal payments connected to agents should all trigger immediate escalation. Compliance programmes should make clear that employees cannot cure those risks by describing them as relationship management.
Finally, internal investigations must be sufficiently broad and sceptical. When red flags arise, the review should test related jurisdictions, business units, agents, contracts and historic practices. It should not assume that the first issue identified is the only issue. The SFO’s withdrawal from earlier DPA negotiations after the Oman material emerged shows how damaging it can be when prosecutors conclude that the company has not got to grips with the full picture.
What an effective anti-bribery programme should include
A defensible anti-bribery programme needs to be risk-based, evidenced and operational. It should begin with a current bribery risk assessment covering countries, customers, public-sector touchpoints, agents, distributors, joint ventures, consortia, tenders, licences, customs, gifts and hospitality, political exposure and financial controls. That risk assessment should feed directly into procedures rather than sit as a compliance document no one uses.
Third-party controls should require documented business justification, risk-tiering, due diligence, beneficial ownership checks, sanctions and PEP screening, contract clauses, fee benchmarking, approval thresholds, periodic renewal, payment controls and termination rights. Higher-risk intermediaries should be subject to enhanced due diligence and senior approval. Legacy intermediaries should not be grandfathered indefinitely because they have always been used.
Financial controls should be designed to detect bribery typologies. That means controls over round-sum consultancy fees, split payments, payments to personal accounts, payments to unrelated jurisdictions, urgent payment requests, invoices lacking detail, retrospective agreements, unusual success fees, charitable or political donations linked to public officials, and expenses involving government customers.
Training should be targeted. Generic annual anti-bribery training is not enough for employees in business development, sales, procurement, finance, project management and senior leadership. Those groups need practical training based on realistic scenarios: local agents, tender intelligence, gifts to officials, pressure from commercial partners, facilitation payment requests, payment approvals, and what to do when a senior colleague says a questionable arrangement is “how business is done”.
Speak-up and investigation processes also need credibility. Employees must know where to raise concerns and trust that concerns will be investigated independently. Finance, legal and compliance teams should be empowered to stop payments, pause bids and escalate to senior management or the board. A strong programme is not measured by how many policies exist. It is measured by whether risky deals are challenged before money leaves the business.
A broader warning for defence and infrastructure firms
The Ultra DPA comes at a time of increased defence spending and heightened geopolitical instability. That makes the case particularly important. Defence, aerospace, airport technology, critical infrastructure and security-related businesses often operate in markets where public officials, state-owned companies, local content rules and national security priorities intersect. That environment creates legitimate commercial complexity, as well as serious bribery risk.
The SFO’s message is that strategic importance is not a shield against enforcement. Companies supplying public services, defence systems or critical infrastructure must be able to show that their route to market is lawful, transparent and controlled. Where they rely on intermediaries to win public contracts, they need evidence that those intermediaries are providing legitimate services at proportionate cost and are not being used to channel improper payments.
