Overview
The Serious Fraud Office (“SFO”) – the agency tasked with fighting serious complex fraud and bribery in the UK – has released refreshed guidance on how it evaluates corporate compliance programmes when making enforcement decisions (the “Guidance”). The Guidance clarifies when, why and how the SFO will examine an organisation’s compliance programme, including in investigations, prosecution decisions, Deferred Prosecution Agreements (“DPA”), potential defences to bribery and fraud charges, and sentencing.
For compliance officers, general counsel, boards, and senior management, the message is clear: a good compliance programme can determine prosecution decisions, influence the terms of DPAs, impact sentencing outcomes, and shape how the SFO views corporate culture and remediation. The Guidance also brings the UK closer to international approaches by outlining what evidence the SFO expects from organisations and how it evaluates policies, controls, training, governance and culture.
Background
The Guidance clarifies how the SFO evaluates compliance programmes in six scenarios:
- deciding whether prosecution is in the public interest;
- assessing “adequate procedures” in failure-to-prevent bribery cases;
- evaluating “reasonable procedures” for the purposes of the failure-to-prevent fraud offence;
- determining whether a monitor should be imposed as part of a DPA;
- reviewing compliance improvements mandated by a DPA; and
- assessing compliance methodically during corporate investigations.
The timing of the publication of the Guidance follows two other key developments:
- The expanding scope of corporate criminal liability in the UK. The introduction of the failure-to-prevent fraud offence in September 2025 and the reformulation of the old “identification principle” to allow liability for the actions of “senior managers” instead of just the “directing mind and will” of the company mean organisations face broader corporate criminal liability.
- A growing emphasis on governance, culture and proactive remediation. As shown in the UK courts’ comments in recent DPA judgments, companies with proactive, embedded, and properly resourced compliance programmes fare significantly better when negotiating resolutions.
The Guidance aims to harmonise expectations, enhance transparency, and increase consistency in corporate enforcement.
Legal Framework for Compliance Evaluation
The Guidance draws on several statutory and regulatory regimes, which together shape how the SFO approaches compliance assessments:
Full Code Test
When deciding whether to prosecute a corporate offender, the SFO applies the Full Code Test (“FCT”) set out in the Code for Crown Prosecutors. The quality of a company’s compliance programme is relevant to both limbs of the FCT. On the evidential limb (whether there is enough evidence to provide a “realistic prospect of conviction”), prosecutors will consider whether deficiencies in the compliance framework undermine any available defence. On the public interest limb (which requires prosecutors to weigh public interest factors for and against prosecution), the Guidance expressly states that an ineffective compliance programme at the time of the misconduct weighs in favour of prosecution. Public interest factors weighing against prosecution include proactive compliance remediation, cooperation with the investigation, the presence of an effective compliance programme at the time of offending, and demonstrable cultural change.
Deferred Prosecution Agreements
Under Schedule 17 of the Crime and Courts Act 2013, prosecutors must consider whether an organisation has a “genuinely proactive and effective” compliance programme when determining whether (or not) to invite a company to enter into negotiations for a DPA.
The SFO may also impose compliance monitorships as a term of a DPA, with the scope being dependent on the seriousness of the deficiencies identified. Monitorships add significantly to the costs of, and management time involved in, a resolution.
Failure to Prevent Bribery
Section 7 of the UK Bribery Act 2010 provides that a commercial organisation will be liable if a person associated with it bribes another person to obtain or retain business for that organisation. A company has a defence if it can prove it had “adequate procedures” in place to prevent bribery. Those “adequate procedures” are likely to be guided by the following six principles:
- Proportionate procedures;
- Top-level commitment;
- Risk assessment;
- Due diligence;
- Communication (including training); and
- Monitoring and review.
In assessing the adequacy of procedures, the SFO will examine both the design of these procedures and whether they were applied effectively.
Failure to Prevent Fraud
When dealing with a potential offence of failure to prevent fraud under Section 199 of the Economic Crime and Corporate Transparency Act 2023, a company may avail itself of a defence if it can show that it had in place “reasonable procedures” to prevent fraud. The Home Office guidance sets out nine principles to inform the procedures that relevant organisations can put in place to prevent associated persons from committing fraud, including governance, opportunity reduction, transparency, and oversight.
Sentencing Considerations
Under the Sentencing Council guidelines, a weak compliance programme can indicate “high culpability”, whereas an effective, organised and implemented programme can reduce culpability levels.
How the SFO Evaluates a Compliance Programme
According to the Guidance, when assessing a corporate compliance programme, the SFO examines both its design and its operational effectiveness. It looks at whether the programme is properly risk-based, proportionate to the organisation’s size and exposure, and supported by clear governance, accountability and resources. A key consideration is whether senior leadership actively promotes ethical conduct and whether compliance policies are embedded across business functions rather than existing only on paper. The SFO evaluates the robustness of risk assessments, the quality of third-party due diligence, and the organisation’s ability to identify, escalate and respond to red flags.
Equally critical is how the programme operates in practice. The SFO will review evidence of training effectiveness, internal reporting channels, and the organisation’s ability to monitor, review and remediate risks. Companies are expected to demonstrate continuous improvement, including adapting policies in response to incidents, audits, regulatory changes or emerging threats. The assessment is holistic: the SFO considers culture, governance, information flows, and the degree to which compliance is integrated into strategic and operational decision-making.
What Evidence the SFO Will Seek
When reviewing a compliance programme, the Guidance provides that SFO prosecutors will consider governance, culture, risk management, controls, and reporting mechanisms. At the governance level, they assess whether compliance has clear ownership, sufficient authority, and regular board engagement. Culture is equally important: prosecutors look for evidence that ethical conduct is embedded in the organisation and that staff feel empowered to raise concerns. Risk assessments must be thorough, regularly updated, and aligned with the company’s geographic and commercial footprint.
Prosecutors also scrutinise specific operational elements—training, monitoring, third-party due diligence, whistleblowing channels, and incident response workflows. They look for documented evidence of escalation procedures, follow-up investigations, and remediation. The SFO places weight on whether compliance efforts were genuine or merely performative. For example, a programme that exists only on paper, is outdated, or is inconsistently applied will carry little weight in the eyes of prosecutors. Conversely, companies that can show active, ongoing risk management and continuous improvement position themselves more favourably during investigative and charging decisions.
Crucially, isolated compliance failings do not automatically mean a programme is ineffective. The question is whether the organisation had sufficient safeguards to prevent or detect offending.
When the SFO Evaluates a Compliance Programme
A company’s compliance posture can materially affect outcomes from the moment the SFO becomes aware of potential misconduct through to post-resolution oversight.
The SFO analyses a company’s compliance programme at every stage of its engagement with the organisation. This begins at case acceptance, where the existence and maturity of a compliance programme can influence investigative priorities. During investigations, the SFO reviews historical and current controls to determine whether misconduct occurred despite adequate safeguards or because such safeguards were absent or ineffective. Companies must therefore show not only what their compliance programme looks like today but also what it looked like at the time of the alleged wrongdoing.
Compliance evaluation is also central to decisions around charging, resolution and being invited to negotiate a DPA. A well-designed and well-implemented programme may support mitigation arguments, while deficiencies or cultural failings can weigh strongly against the organisation. After resolution, the SFO may continue monitoring improvements through undertakings or review mechanisms.
Recommendations
Organisations are well advised to conduct a review of their compliance programmes against the Guidance. This includes revisiting governance frameworks, updating risk assessments, evaluating third-party due diligence processes, and ensuring that training is role-specific and regularly refreshed. Companies should also scrutinise whether their policies are genuinely embedded in day-to-day operations, supported by senior leadership, and tailored to the organisation’s sector, geographical footprint, and risk profile. Equally important is improving documentation: the SFO will require clear evidence of how compliance decisions were made, how risks were assessed, and how controls have been tested, monitored and remediated over time.
Beyond design improvements, businesses must strengthen operational effectiveness. This means enhancing oversight at board level, implementing structured reporting channels, and ensuring whistleblowing and escalation mechanisms function as intended. Companies should test and audit controls regularly, close identified gaps promptly, and maintain robust records demonstrating continuous improvement. By embedding compliance into culture and ensuring that policies translate into real-world practice, organisations will be better positioned to meet the SFO’s expectations and significantly reduce enforcement risk.
Conclusion
The SFO’s Guidance provides a detailed roadmap for how, when and why prosecutors will assess a company’s compliance programme. It sends another strong message to businesses: compliance must be embedded, evidenced, and continuously improved. Companies with strong, well-documented programmes will enter enforcement discussions in a significantly better position, while those without them face heightened risk. The cost of inaction may be substantial—not only in enforcement exposure but in reputational and commercial impact.
For additional information regarding this development please contact one of the authors in our London Financial Crime Practice.
