The Serious Fraud Office (SFO) has entered into its first Deferred Prosecution Agreement (DPA) in five years. The agreement with Ultra Electronics Holdings Limited (Ultra), a British defence, security and aerospace manufacturer, covers historic alleged conduct relating to failure to prevent bribery under the UK Bribery Act 2010 (UKBA).
The SFO commenced an investigation in 2018, following Ultra self-reporting suspected corruption in Algeria relating to Ultra’s overseas third-party agents. The scope was later widened by the SFO in 2022 to cover Oman, and again in 2024 to encompass all jurisdictions in which Ultra operated.
Under the DPA, Ultra agreed to:
- pay a £10 million financial penalty, plus £4.8 million in SFO costs; and
- meet strict conditions, including annual reporting to the SFO on the operation of its ABC programme, and demonstrating genuine and sustained reform over a forward-looking three-year period.
This DPA provides important insights into the evolving UK criminal enforcement landscape. We explore five key takeaways below.
1. Reminder of the broad scope of failure to prevent offences
The Ultra DPA is a good reminder of the breadth of failure to prevent offences following the recent coming into force of the failure to prevent fraud offence in September 2025.
The DPA serves as a reminder to organisations to ensure that risk assessments, controls and policies are regularly reviewed and updated. Notably, during the investigation, Ultra undertook extensive steps to enhance its compliance programme, including commissioning an independent external risk assessment focusing on the failure to prevent fraud offence.
2. Third‑party risk remains a critical exposure
The SFO’s investigation centred on the alleged activity of Ultra’s third-party sales and commercial agents in relation to securing high-value contracts. The Ultra DPA underpins the importance of ensuring compliance programmes deal head on with bribery and corruption risks arising from third party agents and intermediaries.
Practical steps include:
- mapping and risk-rating all third-party channels and relationships;
- clearly explaining to third parties compliance expectations and understanding what policies and procedures they have in place (to ensure that ABC reps and warranties have meaning);
- conducting thorough due diligence (including considering business intelligence review for higher risk third parties);
- testing the commerciality of arrangements and the rationale for the engagement of particular third parties;
- applying enhanced due diligence and ongoing monitoring to higher-risk third parties; and
- undertaking an audit on financial controls on payments, including for expenses, third parties, gifts and hospitality and charitable and political donations (as Ultra did as part of its remediation steps).
It is critical that companies can provide detailed documentation and data on how third-party risks are managed.
3. The benefits of early and fulsome self-reporting
Ultra submitted a self-report to the SFO in 2018, following concerns raised about payments to an Algerian agent. This was followed by a detailed internal investigation report submitted to the SFO in 2019.
In 2022, Ultra made a further disclosure to the SFO relating to conduct in Oman. However, the SFO rejected Ultra’s analysis that a prior internal investigation into the conduct in 2015 had not identified evidence of bribery and corruption, leading to a temporary breakdown in DPA negotiations that were on foot.
The case illustrates two important points:
- Self-reporting can significantly improve the prospects of securing a DPA, rather than facing prosecution.
- However, the timing, completeness, and accuracy of self-disclosures are critical.
In April last year, the SFO published its Cooperation Guidance that made clear prompt self-reports to the SFO, accompanied by full cooperation, would result in an invitation to negotiate a DPA, rather than prosecution.
While the Ultra DPA indicates that progressive disclosures made over the course of the investigation are not prohibitive to securing a DPA, early and fulsome reporting helps to ensure the best outcome if you are intending the get the benefit of self-reporting. When assessing the Ultra DPA, the court noted that it had not overlooked the late reporting of the Oman conduct, and that it could properly be reflected in assessing the penalty.
The message for corporates is clear: early, comprehensive and transparent engagement with authorities can have significant benefits down the track.
4. Cooperation and remediation are determinative
A pivotal factor in securing the DPA was Ultra’s extensive cooperation and remediation efforts, particularly following its acquisition by new owners who were unconnected to the misconduct.
Under new ownership and leadership, Ultra executed a “post-acquisition compliance reset” and provided substantial cooperation to the SFO, including:
- identifying relevant individuals and producing key documents;
- facilitating access to overseas records and legacy entities;
- offering limited waivers of privilege;
- supporting witnesses interviews; and
- delivering detailed investigative findings, reports and presentations.
The company also strengthened its compliance culture, demonstrating active steps to remediate, including:
- engaging external lawyers to assess its compliance programme and implementing recommendations, and an external accounting firm to undertake a risk assessment;
- enhancing policy frameworks across business units;
- undertaking a wholesale review on the approach to selecting and managing third-party agents and intermediaries and a subsequent reduction on the reliance on third-parties;
- overhauling the Board of Directors and providing the Board with data on Ultra’s ABC programme, as well as introducing a group-level Chief Compliance Officer to report directly to the Board;
- establishing an independent compliance function and introducing “compliance champions” to sit within business units; and
- implementing a mandatory training programme.
These efforts ultimately led to the SFO resuming DPA negotiations. The outcome demonstrates that meaningful cooperation and remediation can materially influence enforcement outcomes in the right case.
5. Increasing emphasis on group-level accountability
The DPA also reflects a growing focus on accountability at the group level. Ultra’s parent company, Cobham Ultra Limited, provided formal undertakings to ensure that Ultra would:
- comply with the terms of the DPA; and
- remain operational and under its control for the duration of the agreement.
This was similarly the case in a previous DPA entered into in 2019 between the SFO and Serco Geografix Ltd, where the parent company (Serco Limited) was required to provide undertakings. In approving the DPA, the Court noted that without undertakings given by the parent company, it was very unlikely that the goals of the DPA could have been achieved, and that it is the parent company which necessarily must engage in any compliance programme and cooperate with law enforcement agencies.
This requirement highlights the SFO’s expectation that parent entities play an active role in ensuring compliance and remediation across group structures.
The Ultra DPA also serves as a reminder to acquiring entities to undertake thorough due diligence during an acquisition, as they may effectively assume successor liability for the target’s historic misconduct. Conclusion
The Ultra DPA is a significant development in the UK corporate criminal enforcement. It reinforces several themes: the centrality of prevention-focused compliance, the critical importance of third-party risk management, and the tangible potential benefits of early cooperation and genuine remediation.
For organisations operating in high-risk sectors or jurisdictions, the case serves as both a warning and a roadmap, demonstrating not only how failures can arise, but also how companies can navigate enforcement processes and, ultimately, mitigate outcomes through proactive and sustained compliance efforts.