SFO guidance on evaluating corporate compliance programmes (2025)

Dec 03 2025

White Collar Crime

The UK Serious Fraud Office (SFO) has released new guidance on when and how it evaluates corporate compliance programmes, with particular focus on the offences of Failure to Prevent Bribery (FtPB) under the Bribery Act 2010 (Section 7) and Failure to Prevent Fraud (FtPF) under the Economic Crime and Corporate Transparency Act 2023 (s199) (ECCTA).

The guidance demonstrates that compliance is not only an effective defence, but also a critical factor in prosecutorial decision-making, including decisions on whether to prosecute, offer a deferred prosecution agreement (DPA) or impose terms under a monitorship, and at sentencing.

Significantly, the guidance sets out that the SFO will use the full range of its evidence-gathering powers (including compulsion) to obtain information regarding a company’s compliance systems and processes. For companies seeking to avoid prosecution via a DPA, this carries an added risk that undisclosed compliance issues may come to the SFO’s attention at any stage in the cycle, meaning that proactive disclosure may be tactically advantageous.

Overview

The Guidance sets out that the SFO will consider corporate compliance programmes at five interrelated junctures:

  1. When taking a prosecutorial decision (in accordance with the Full Code Test).
  2. When considering whether to invite a company to enter a DPA.
  3. When considering the inclusion of compliance terms or a monitorship in a DPA.
  4. When assessing whether the corporate is likely to have a defence of (i) “adequate procedures” (for FtPB) or (ii) “reasonable procedures” (for FtPF).
  5. In preparation for sentencing.

 

The guidance emphasises that an assessment will be made not only of the “paper-based” system, but also of its effectiveness, proactivity, and proper implementation.

Prosecution decisions and the Full Code Test

Under the Code for Crown Prosecutors, the Full Code Test[1] includes both an evidential and public-interest limb. The SFO directly links compliance assessments to the public-interest test:

Public interest in favour of prosecution: the company had an ineffective compliance programme at the time of the offence.

Public interest against prosecution: at the time of charge, the company has demonstrated a genuinely proactive approach to compliance, including through the implementation of remedial actions.

The guidance sets out that, for the purposes of such assessment, the SFO expects companies to fully cooperate by providing sufficient information on their compliance programme, including internal investigation records, and making witnesses available.

DPA invitations: compliance as a decisive factor

When considering whether to invite a corporate to enter a DPA (as opposed to proceeding with prosecution), the SFO will apply the DPA Code, which lists the following factors against a DPA and in favour of prosecution:

  • The organisation had no or an ineffective compliance programme at the time of offending; and
  • The organisation has not been able to demonstrate a significant improvement in its compliance programme.

 

Factors in favour of a DPA (and against prosecution):

  • At the time of offending and reporting, a proactive compliance programme existed, but it failed to be effective on this occasion.
  • At the time of the decision to enter a DPA, the company has cooperated fully with the SFO and management has shown a genuinely proactive approach, including remedial action.

The SFO may instruct external specialists to evaluate an organisation’s compliance culture and programme, including assessing whether it aligns with the company’s self-report.

DPA Terms

Under Schedule 17 of the Crime and Courts Act 2013, the terms of a DPA may include a requirement to implement or enhance compliance policies. The DPA terms must be tailored to the organisation and be proportionate to the offence.

The SFO may require the appointment of a monitor, but only where necessary, proportionate, and cost-justified. Consideration will also be given to any monitorships imposed by overseas authorities and whether a less intrusive arrangement is adequate.

The focus of any monitor will be to advise on compliance improvements to reduce the future risk of offending.

Statutory defences under the Bribery Act and ECCTA

For both Failure to Prevent Bribery (FtPB) under the Bribery Act 2010 (Section 7) and Failure to Prevent Fraud (FtPF) under the Economic Crime and Corporate Transparency Act 2023 (s199) (ECCTA), there is a compliance defence available.

In each case it is for the company to prove that its systems and processes were “adequate” (FtPB) or “reasonable” (FtPF).

For FtPB, the assessment is made against the Ministry of Justice’s six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication/training, monitoring and review.

For FtPF, the company must show “reasonable procedures”, or that it was not reasonable to expect procedures at all. The reasonableness of the procedures will be judged against the Home Office’s 6 principles (top level commitment, risk assessment, proportionate procedures, due diligence, communication/training, monitoring and review).

Sentencing: compliance affects culpability and penalties

The guidance highlights that the SFO will consider compliance when addressing culpability in accordance with the Sentencing Council Guidelines for corporate offending (including fraud, money laundering and bribery).

Culpability assessment (which impacts on the ultimate level of the fine):

  • High culpability: a culture of wilful disregard of the commission of offences by employees or associated persons, with no effective systems in place.
  • Lesser culpability: some efforts made to put prevention procedures in place, although insufficient for a defence.

 

Alternatively, the appropriate fine can be calculated by reference to the “cost avoided” by failing to implement effective controls.

What evidence will the SFO rely on?

The SFO will use a range of evidence-gathering powers, including:

  • Voluntary disclosures and self-reports.
  • Section 2 compelled documents and interviews.
  • PACE suspect interviews.
  • Direct written questions to the organisation.

 

Corporates being investigated should be aware that there will be a focus on compliance systems and processes, and that evidence will be gathered during the underlying investigation. Accordingly, careful consideration should be given to the strategic advantage of voluntary disclosure of ancillary issues likely to form part of the compliance assessment (e.g. prior whistle-blowing reports, prior internal investigations etc).

Evidence of implementation will be important to show an effective process. Key indicators of implementation include:

  • Proactive, tailored risk assessments.
  • Regularly reviewed controls.
  • Anti-circumvention checks (audits, approvals, verification).
  • Documented outcomes when issues have been identified: training, investigations, disciplinary actions.
  • Demonstrable compliance culture and senior leadership commitment.

 

Preparedness – 5 practical steps for companies

  1. Conduct a compliance effectiveness review, applicable to relevant jurisdictions of operations.
  2. Strengthen documentation and processes.
  3. Improve fraud and bribery frameworks independently.
  4. Consider and prepare for potential SFO scrutiny.
  5. Prioritise culture and leadership involvement.

How can Gherson help?

At Gherson Solicitors LLP we regularly advise organisations on designing and implementing effective financial crime prevention policies, procedures and controls.

If you need further advice on what the new offence of failure to prevent fraud means for your organisation, please do not hesitate to contact Caroline Black or Thomas Cattee at Gherson Solicitors LLP.

If you have any questions arising from this blog, please do not hesitate to contact us for advice, send us an e-mail, or, alternatively, follow us on X, Facebook, Instagram, or LinkedIn to stay up to date.

The information in this blog is for general information purposes only and does not purport to be comprehensive or to provide legal advice. Whilst every effort is made to ensure the information and law is current as of the date of publication it should be stressed that, due to the passage of time, this does not necessarily reflect the present legal position. Gherson accepts no responsibility for loss which may arise from accessing or reliance on information contained in this blog. For formal advice on the current law please do not hesitate to contact Gherson. Legal advice is only provided pursuant to a written agreement, identified as such, and signed by the client and by or on behalf of Gherson.

©Gherson 2025

 

[1] That there is sufficient evidence to provide a realistic prospect of conviction, and that prosecution is in the public interest.

 
