The UK private security industry stands on the edge of what may prove to be its most significant structural reform since the introduction of individual licensing under the Private Security Industry Act 2001. For over two decades, regulation has focused almost entirely on the individual operative. Now, attention is shifting, decisively, towards the businesses that employ them.
At the centre of this shift sits the proposed Business Approval Scheme (BAS), the successor to the long-standing Approved Contractor Scheme (ACS). To understand its significance, we must first understand why it exists at all.
How We Got Here
The current regulatory framework, overseen by the Security Industry Authority (SIA), was built on a simple principle: license the individual, and you regulate the industry. That approach has striven to deliver a baseline of competence. Today, hundreds of thousands of licensed operatives work across the UK under that system.
But there has always been a gap, one that seasoned professionals have known about for years. The SIA licenses people, not companies. There is no legal requirement for a security business itself to be approved, registered, or even inspected before trading.
The Approved Contractor Scheme was introduced to fill that gap. It is, and remains, a voluntary quality mark. Companies that opt in are assessed against standards of service delivery, management and compliance.
And therein lies the problem.
Voluntary schemes attract the willing, the better operators, the established firms, those already invested in compliance. Meanwhile, a significant proportion of the market operates entirely outside that framework. Currently, only around 750 businesses are approved, representing a small fraction of the total industry.
The result is a two-tier market: one regulated by choice, the other only by minimum legal obligations.
The Case for Change
The SIA has been candid in its assessment. The existing model is no longer sufficient to deliver consistent standards or robust public protection. The consultation launched in 2024 made that clear, seeking views on a new approach that would place “public protection at the heart” of business approval.
What followed was not a minor tweak, but a recognition that the ACS, in its current form, has reached the limits of what a voluntary scheme can achieve.
The proposed Business Approval Scheme represents a fundamental redesign. It is intended to shift the focus from process-driven audits to the outcomes that security companies actually deliver on the ground.
This is more than semantics. It signals a move away from annual, tick-box assessments towards a more intelligence-led, risk-based, model of oversight. Higher risk businesses will face greater scrutiny, and specialist providers will be expected to demonstrate sector-specific competence.
In short, the regulator is attempting to become more agile, more targeted, and more aligned with real-world risk.
How BAS Differs from the ACS
At first glance, BAS may appear to be a rebranded ACS. That would be a mistake.
The ACS was built as a quality assurance scheme, an optional badge of credibility. BAS is being designed as something closer to a regulatory framework in waiting.
Key differences are already emerging:
1. From Voluntary Badge to Strategic Lever
The ACS has always been optional. BAS, while initially likely to remain voluntary, is clearly being positioned as a stepping stone to something more formal. The language of “public protection” and “outcomes” reflects a regulatory mindset rather than a purely commercial one.
2. Risk-Based Assessment
Under the ACS, companies undergo periodic assessments, often three-yearly. BAS proposes a more dynamic model, focusing regulatory effort where the risk is greatest. This is a more modern approach, aligned with how other regulators operate.
3. Sector Specific Standards
The new scheme is expected to introduce enhanced requirements for specialist sectors, events, healthcare, and critical infrastructure, recognising that one-size-fits-all standards are no longer adequate.
4. Greater Emphasis on Service Delivery
There is a clear intention to shift assessment time towards how services are actually delivered, rather than purely how systems are documented.
Taken together, these changes represent a move from compliance on paper to performance in practice.
The Impact on Security Companies
For reputable operators, the direction of travel will feel familiar, perhaps even overdue. Many already operate to standards that exceed those currently required by the ACS.
However, BAS will raise the bar in several important ways.
First, it will demand greater transparency. Companies will need to demonstrate not just that they have policies, but that those policies are effective. That means better data, better reporting, and stronger governance.
Second, it will increase scrutiny on labour models. Issues such as subcontracting, use of labour providers, and employment practices will come under closer examination. For those operating on razor-thin margins, that scrutiny may prove uncomfortable.
Third, it will widen the gap between compliant and non-compliant businesses. Those already invested in quality will adapt. Those relying on minimal compliance, or worse, will find it increasingly difficult to compete in a market where clients are encouraged to look beyond price.
The Link to Mandatory Business Licensing
We cannot discuss BAS without addressing the larger question: is this a precursor to mandatory business licensing?
The honest answer is yes. At least in principle….
The SIA itself has acknowledged that any move to mandatory licensing would require government approval and legislative change. But the direction of travel is unmistakable. The development of BAS sits alongside wider consultation on business licensing, described by many as a “defining moment” for the industry.
Why does this matter?
Because mandatory licensing would fundamentally change the industry landscape. For the first time, every security business, not just individuals, would need to meet defined standards to operate legally.
That would address one of the sector’s most persistent weaknesses: the ability of poor or unethical operators to enter the market with minimal oversight.
BAS, in this context, can be seen as both a testing ground and a bridge. It allows the SIA to refine standards, develop assessment models, and build industry consensus before any legislative step is taken.
Risks and Realities
There are, of course, risks.
If BAS remains voluntary, it may struggle to achieve the scale required to drive meaningful change. The same structural limitation that affects the ACS could persist.
If it becomes mandatory, the challenge shifts to proportionality. Over-regulation could stifle smaller, legitimate businesses, particularly in a sector already under intense commercial pressure.
There is also the question of enforcement. Standards, however well designed, are only as effective as the resources and mechanisms used to enforce them.
What It Means for Clients
Clients, as ever, play a critical role.
A more robust business approval framework, whether voluntary or mandatory, will only deliver its intended benefits if buyers engage with it. Selecting providers based on verified standards rather than the lowest cost will be essential.
BAS offers the potential for a clearer, more meaningful benchmark of quality. But it will require clients to value that benchmark.
Recommended Reading: Why the Cheapest Bid Can Fund Organised Crime
Final Thoughts
The Business Approval Scheme is not just another industry initiative. It is a signal of intent, a recognition that the current model has limits, and that the future of security regulation must extend beyond the individual licence.
Whether BAS becomes a stepping stone to mandatory licensing or remains a strengthened voluntary framework, its impact will be significant.
For those who have long argued that the industry needs to move beyond minimum compliance, this is a moment of opportunity.
For those who have built their business on the margins of that compliance, it may be a moment of reckoning.
Either way, the message is clear: the days of light-touch oversight at the business level are numbered, and in a sector that exists to protect the public, that can only be a good thing.
Is Your Business Ready for What’s Coming?
Whether BAS remains voluntary or becomes mandatory, the direction is clear: standards are rising. GuardPass helps security companies stay ahead — connecting you with SIA-licensed professionals through the UK’s largest talent pool, with BS7858-compliant vetting through GuardCheck built in from the start.