Serious Fraud Office guidance on evaluating a corporate compliance programme
New Guidance: Practices Beat Promises
On 26 November 2025, the UK Serious Fraud Office (SFO) released new guidance on how it evaluates corporate compliance programmes. For businesses hoping for a neat checklist or a prescriptive rulebook, this is not it. The SFO’s message is far more pointed: in an era of expansive corporate liability, cosmetic “paper” compliance is no longer defensible. Only programmes that can be seen as working – demonstrably, culturally, and continuously – will count.
The publication lands at a pivotal moment, following the introduction of the failure-to-prevent fraud offence (“FTPF”) on 1 September 2025 and a wave of new and updated SFO guidance. This includes a clear policy commitment to favour alternatives to prosecution where companies self-report and fully co-operate[1], updated guidance clarifying what will constitute ‘reasonable procedures’ for the FTPF defence[2], and joint SFO-CPS guidance on corporate prosecutions[3].
As if this were not enough, corporate criminal liability is also expanding – first to economic crimes committed by senior managers, and soon, at least potentially, to all criminal offences under the Crime and Policing Bill 2025. What it all comes down to is that financial crime compliance programmes are not a matter of paperwork, but a central factor in managing financial and reputational risk. Compliance has become a strategic asset, not a defensive afterthought.
Six Strategic Scenarios: Where Compliance Really Matters
For companies facing liability for failure-to-prevent offences under FTPF (or the Bribery Act 2010), only “reasonable” or “adequate” policies and compliance procedures will offer a statutory defence. The new SFO Guidance emphasises how compliance programmes can influence everything from whether an investigation proceeds, to whether a DPA is offered, to the ultimate sentence on conviction.
The SFO identifies six scenarios when it will assess an organisation’s compliance programme, applying existing statutory provisions and prior SFO guidance.
| Strategic Scenario | Why It Matters |
|---|---|
| 1. Deciding whether to prosecute a company | Under the public-interest limb of the Full Code Test, the state of the compliance programme – both at the time of offending and at charge – may influence the decision: a poor programme can weigh in favour of prosecution; a genuinely effective and proactively maintained one might weigh against it. |
| 2. Deciding whether to offer a Deferred Prosecution Agreement (DPA) | When determining if a DPA is appropriate (instead of immediate prosecution), the SFO will examine whether the compliance programme was ineffective or absent at the time of wrongdoing – and whether there has been material improvement since. |
| 3. Deciding whether a DPA should include compliance-related terms or a monitorship | If a DPA is proposed, the SFO may require companies to implement or upgrade compliance programmes – potentially including external monitoring – but will only impose such measures if they are proportionate and justified by the facts. |
| 4. Assessing the statutory “adequate procedures” defence under the Bribery Act 2010 | For a potential bribery offence, the SFO will review whether the company had adequate prevention procedures in place at the time the misconduct occurred. |
| 5. Assessing the statutory “reasonable procedures” defence under ECCTA’s failure-to-prevent fraud offence | For offences under ECCTA (fraud), the SFO will review whether the company had reasonable preventive procedures in place – a defence introduced with the new failure-to-prevent fraud offence. |
| 6. Sentencing decisions after conviction | If a company is convicted, the design, operation, and effectiveness of its compliance programme may be considered in sentencing – potentially reducing culpability if the programme was robust and genuine. |
In each scenario, the SFO is less concerned with the mere existence of written policies, and more focused on how the programme actually performs in practice – at the time of the wrongdoing, and at the time of resolution or charge.
Critical Gaps: What the Guidance Leaves Unsaid
The Guidance reiterates the well-established six principles underpinning what constitutes “reasonable” or “adequate” procedures for preventing fraud and bribery and endorses prior SFO guidance on corporate co-operation and prosecution. But it stops short of laying out the evaluative methodology the SFO will apply in practice. The underlying theory is straightforward: effectiveness is critical. Yet companies are not offered useful specifics on how that is to be measured. There are no scoring criteria, no benchmarks, no framework for weighing evidence, and no guidance on how the SFO will distinguish between programmes that are robust in practice and those that are superficially compliant.
Six Practical Steps: Translating Guidance into Action
It is nevertheless possible to provide some practical insight into what demonstrably effective compliance looks like:
- Benchmark and update compliance programmes: Frameworks should be risk-based, proportionate to the business, and go beyond generic “tick-box” policies. Past court-sanctioned SFO compliance interventions imposed under DPAs required companies to commission independent external reviews of their compliance frameworks and implement all recommendations within specified periods (commonly 12 months).
- Regular, dynamic risk assessments: Keep risk-assessments current as business practices and external risks evolve. DPAs have emphasised the need for formal implementation plans, tracking risks identified in audits and reviews, and documenting subsequent remedial actions.
- Maintain clear, auditable records: Document training, investigations, incidents, remedial actions, and decision-making to show how the programme works in practice. DPAs routinely require companies to maintain comprehensive audit trails, including third-party due diligence, training attendance, and evidence of remediation, to demonstrate operational compliance.
- Demonstrate leadership commitment: Ensure senior management visibly supports compliance, allocates resources, and fosters a culture intolerant of misconduct. DPAs highlight the importance of board-level oversight and accountability, often requiring the creation of compliance committees or designation of responsible executives to embed ownership of the programme at the highest level.
- Stress-test and monitor controls: Periodically review procedures to ensure they are followed and cannot be easily circumvented. DPAs frequently impose ongoing internal or external monitoring, including periodic reports to the SFO or independent reviewers, testing the effectiveness of controls, and ensuring deficiencies are promptly remediated.
- Prepare for scrutiny: Be ready to provide evidence of compliance, including internal data, audit trails, and remedial actions, in the event of an SFO investigation. Past DPAs show that transparent cooperation, structured internal reporting, and documented remediation are key mitigators; companies that demonstrate proactive self-reporting and responsiveness to identified issues tend to secure more favourable outcomes.
Conclusion
The SFO’s updated Guidance on Evaluating a Corporate Compliance Programme should not be read as a compliance “rule-book.” Rather, it should be seen as a window into how prosecutors will assess such a programme in real cases.
For companies, the message is unmistakable: compliance cannot rest on paper alone. To stand up to future scrutiny, policies – and the cultures behind them – must have demonstrable results.
This article was co-authored by Lillie Bandarchi, Trainee Solicitor.