Exclusion in Practice: Connected and Associated Persons under the Procurement Act 2023

In our first article in this series, we explored the expanded mandatory and discretionary exclusion grounds under the Procurement Act 2023 (the "Act").

The Act doesn't just expand the grounds for exclusion.

It also changes how those grounds are applied and, importantly, who triggers exclusion. At its core, the new regime reflects a familiar and growing theme: you can be held responsible not only for what your company does, but also for what others do on your behalf.

This article focuses on how that principle plays out in procurement exclusions, and why compliance teams must think broadly about their third-party risk landscape – drawing parallels with the wider concept of "associated persons" under the failure to prevent offences.

A forward-looking test

Under the old regime, authorities were required to consider self-cleaning measures taken by suppliers.

Building upon this, under the Act contracting authorities must now ask not only whether a ground for exclusion is present, but also whether the underlying conduct is continuing or is likely to occur again. Exclusion isn't just about past wrongdoing, but about future risk. Consistent with existing best practice, authorities are therefore encouraged to take a forward-looking approach.

This is consistent with the Cabinet Office guidance's emphasis on protecting public money and ensuring reliable delivery. Authorities must consider whether the supplier has remediated the issue, changed leadership, improved controls or otherwise reduced the likelihood of recurrence. Authorities must also give the supplier a fair opportunity to respond before any exclusion decision is made.

For example, a company convicted of a tax offence two years ago may not be excluded if it can show it has replaced senior leadership, overhauled its financial governance and cooperated fully with HMRC. Conversely, a supplier facing repeated whistleblowing complaints or unresolved regulatory findings may be excluded even without a conviction, if the underlying risk appears ongoing.

Beyond the four walls: whose conduct counts?

The most significant change under the new exclusion framework is how far liability can extend beyond the contracting entity itself.

Connected persons

The Act introduces a broader definition of "connected persons" than existed under the previous regime in the Public Contracts Regulations 2015. A supplier may be an excluded supplier or an excludable supplier if certain exclusion grounds apply to a connected person and if the circumstances giving rise to the ground are continuing or likely to occur again.

So who qualifies as connected? The definition includes:

• any person with "significant control" over the supplier, as defined in section 790C(2) of the Companies Act 2006 – for example, someone holding more than 25% of the shares or voting rights, or with the right to appoint or remove a majority of the board;
• a director or shadow director of the supplier;
• a parent or subsidiary undertaking of the supplier;
• a predecessor company (e.g. where the supplier has been restructured or reconstituted);
• any person in an equivalent position to the categories above – including individuals or entities that play a similar controlling role even if not formally designated;
• any person with the right to exercise, or who actually exercises, significant influence or control over the supplier (whether formally recorded or informally exerted);
• any person over whom the supplier has the right to exercise, or actually exercises, significant influence or control.

This definition is designed to capture both formal and informal relationships of control, recognising that misconduct or risk may not be neatly confined to legal entities. It extends exclusion exposure beyond the supplier itself to its broader corporate group, key controllers and affiliated entities.

By contrast, under the old regime, the focus was on individuals with powers of representation, decision or control within the supplier, such as directors or board members. This test was perceived as allowing companies to rebrand or restructure to avoid scrutiny.

Where a supplier is excludable due to a connected person’s misconduct, contracting authorities may consider the strength of that connection when deciding whether to exclude. A weaker link may suggest lower risk to the procurement or contract delivery, supporting a decision not to exclude.

Unlike associated persons or subcontractors, connected persons cannot be substituted, so authorities are not required to offer the supplier an opportunity to replace them before exclusion.

Associated persons: a new route to exclusion

The Act also introduces a procurement-specific version of the “associated person” concept – familiar from failure to prevent bribery, tax evasion and fraud offences. In those contexts, it includes anyone performing services for or on behalf of a company – employees, agents, intermediaries, subsidiaries, and more.

Under the Act, an associated person is someone the supplier relies on to:

• meet the conditions of participation in the procurement (e.g. relevant qualifications, experience, or capacity); or
• perform the contract in question.

This brings third-party conduct squarely into scope. If a subcontractor, delivery partner or consortium member is found to have committed a relevant offence – and the supplier relies on them to meet participation conditions or to perform the contract in a significant way – the supplier may be excluded. The definition is intended to cover material contributors to eligibility or delivery.

Exclusion may arise not just from the conduct of an associated person, but also from the conduct of a connected person of that associated person (e.g. a director of an associated person of the supplier). This introduces a layered risk.

However, unlike connected persons, the exclusion risk in connection with associated persons only arises if the supplier is relying on that individual or entity in the context of the specific contract.

If a supplier is an excluded supplier or an excludable supplier by virtue of an associated person (and the circumstances giving rise to the exclusion ground are continuing or likely to occur again), the supplier must be given the opportunity to replace the associated person before being excluded.

The Cabinet Office guidance provides a useful worked example of this in the context of an integrated facilities management (IFM) contract. The table below sets out examples using this hypothetical contract, and highlights the key differences between the concept of an associated person under failure to prevent offences and under the Procurement Act.

Practical implications for compliance teams

The Act therefore reinforces a familiar compliance message: effective risk management requires suppliers to have visibility and oversight not only over their own conduct, but across all entities and individuals they rely on – whether within their corporate structure or outside it.

It also introduces practical challenges:

• Mapping exposure: Who is performing services on your behalf? Are they clean?
• Due diligence depth: Do you understand the ownership and control of your delivery partners – and whether their affiliates pose a risk?
• Contract structuring: Have you reserved rights to replace problematic partners if issues emerge?
• Remediation credibility: Can you show that issues in your delivery chain have been addressed, not just discovered?

Failure to prevent: a useful framework

Although the definition of “associated person” under the Act is narrower than under failure to prevent offences, the conceptual overlap is clear: if someone is acting on your behalf, their conduct can expose you to risk.

In fact, many of the controls designed to prevent bribery, tax evasion or fraud can be repurposed to mitigate exclusion risk in procurement. These include:

• Risk-based due diligence on third parties
• Proportionate contractual safeguards
• Ongoing monitoring and audit rights
• Clear ownership of relationships and accountability

In some cases, conduct that triggers exclusion may also give rise to liability under the failure to prevent offences, or vice versa. The definitions are distinct, but the compliance approach can be integrated.

Compliance takeaways

Authorities will assess whether risk is ongoing or likely to recur – not just past misconduct. Effective remediation may determine your eligibility.

1. Map your risk

   Know your connected persons – including legacy entities, parent companies, subsidiaries and joint ventures.

2. Scrutinise your delivery chain

   Identify who your associated persons are for each procurement. Focus on those relied upon for eligibility or performance.

3. Anticipate layered risk

   A supplier can be excluded based on the conduct of a connected person of an associated person. This requires deeper due diligence; scrutinise ownership and influence across your supply chain.

4. Plan for substitution

   If you're relying on an associated person who is later caught by an exclusion ground, you may be able to replace them – so always have a Plan B.

5. Use failure to prevent controls

   Your existing systems may also mitigate exclusion risk. Adapt and apply them as needed.

6. Look ahead

Conclusion

The Procurement Act 2023 introduces a more dynamic and interconnected approach to exclusion – one that reflects the reality of modern supply chains, group structures and third-party relationships.

Understanding who counts as a connected or associated person is central to navigating exclusion risk.

For compliance teams, the message is clear: know your group, know your partners, and monitor how your eligibility could be affected by the conduct of others.

[View source.]