SFO Revamps Its Corporate Compliance Guidance
Key Takeaways
The Guidance acknowledges that beyond the existing Bribery Act Guidance and Failure to Prevent Fraud Guidance there is no formal guidance or interpretation of what constitutes adequate or reasonable procedures or an effective compliance program. This serves to emphasize the need to:
- Closely tailor a compliance program to the specific organization
- Ensure operational effectiveness, beyond a program which looks good on paper
- Effectively disseminate the program through the organization, with demonstrable support and oversight from leadership
- Retain records of the program in practice
- Demonstrate a clear record of reviewing, enhancing and adjusting over time, based on the changing needs of the business
Introduction
On November 26, 2025, the UK Serious Fraud Office (“SFO”) issued updated guidance on when, why and how it will evaluate corporate compliance programs [1] (the "Guidance"). While the Guidance does not provide granular or detailed tips on improving procedures, instead pointing the reader to other guidance (such as the Bribery Act Guidance [2] and the Failure to Prevent Fraud Guidance [3]), it provides a useful insight into the SFO’s attitude and approach. The Guidance replaces the SFO's 2020 internal guidance [4] and is now clearly calibrated to send an external message.
The progressive adoption of the "failure to prevent" model of corporate offences (bribery; tax evasion; fraud) places much greater emphasis on corporate compliance programs and how they measure up. Companies should take this opportunity to reflect upon and sense-check their policies to ensure they are robust and effective.
The Guidance
The Guidance identifies six scenarios in which the SFO may need to evaluate an organization’s compliance program, to determine whether:
- a prosecution of the organization is in the public interest
- a deferred prosecution agreement ("DPA") is in the public interest
- compliance terms and/or a monitorship should be included in the terms of a DPA
- an organization has a defense of “adequate procedures” to a charge of failure of a commercial organization to prevent bribery under section 7 of the Bribery Act 2010 (“Bribery Act”)
- an organization has a defense of “reasonable procedures” to a charge of failure of a commercial organization to prevent fraud under section 199 of the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”)
- the compliance program is a relevant factor for sentencing considerations.
The Guidance notes that an organization’s compliance program is relevant to both the evidential and public interest limbs of the Full Code Test which prosecutors apply when considering whether to initiate a prosecution. If an organization can establish that its anti-bribery procedures were adequate, or its anti-fraud procedures were reasonable, then the evidential test would not be satisfied because there would be no realistic prospect of conviction. A prosecution of the organization would not follow, regardless of how egregious or grave the underlying offending by the associated person. Where an organization has only just fallen short of that standard but has responded appropriately and enhanced its program following the breach, this may support the argument that the public interest does not require the organization to be prosecuted.
This makes clear that establishing and maintaining a compliance program may not only prevent offences from occurring in the first place but may enable an organization to avoid criminal prosecution, secure a DPA on favourable terms, mount a successful defence or mitigate a sentence where offences are committed by associated persons. Similarly, lack of attention to the compliance program will aggravate the organization’s position and lead to a worse outcome.
DPAs
The SFO will consider entering into a DPA with an organization as an alternative to immediate prosecution. The SFO will take a holistic approach to this determination and will consider the effectiveness of a given organization’s compliance program at the time the offence was committed, and any steps taken to remediate since. Prosecution will be favored where the organization had no compliance program in place at the time of the offence and has not demonstrated any improvements since.
The Guidance retreats from the SFO’s previous position that, if a DPA includes terms regarding an organization’s compliance program, the DPA would also likely impose a monitor. The Guidance takes a more measured approach, noting that the imposition of a monitor must be considered carefully in light of what is fair, reasonable and proportionate, and who would bear the costs of the monitorship.
Failing to Prevent Bribery and Failing to Prevent Fraud
An organization will have a defense to failing to prevent bribery under section 7 of the Bribery Act where it can show that it had "adequate" procedures in place "designed to prevent persons associated with [it] from undertaking such conduct." Proportionate procedures are described in the Bribery Act Guidance as "proportionate to the bribery risks [a commercial organization] faces and to the nature, scale and complexity of the commercial organization’s activities."
An organization will have a defense to failing to prevent fraud under section 199 of ECCTA where it can show that, at the time of the offence, it had "reasonable procedures" in place to prevent fraud.
While there may be a linguistic difference between “adequate” and “reasonable”, neither term has been considered by the courts in the context of these offences. It is hard to imagine circumstances in which the SFO would prosecute an organization which had reasonable procedures on the basis that the procedures were not adequate, or vice versa. When assessing your compliance program, it is a technical distinction best ignored.
This is reflected in the substantial overlap between the principles set out in the Bribery Act Guidance and the Failure to Prevent Fraud Guidance that should inform the procedures put in place by commercial organizations to prevent bribery or fraud, including:
- Top Level Commitment: management and top-level staff must be committed to preventing associates from committing bribery or fraud.
- Risk assessment: the commercial organization must carry out an assessment of the risk posed to it of its associates committing bribery or fraud.
- Proportionate procedures: procedures must be proportionate to the bribery or fraud risks faced by the commercial organization.
- Due diligence must be carried out on people who will perform services on behalf of the organization.
- Communication (including training): the organization must seek to ensure that its bribery and fraud related prevention policies are disseminated throughout the organization and understood by staff.
- Monitoring and review of procedures.
Conclusion
The Guidance sets out principles at a high level, but does little to elaborate on them. However, the themes underpinning the Guidance show the SFO taking a realistic and pragmatic approach.
- Focus on how policies work in practice, not just whether an organization has policies in place. Compliance programs must be effective in operation; the SFO will seek to get behind the wording of policies and assess how they translate into conduct on the ground.
- Expectation that policies and procedures are reviewed regularly, with dynamic risk assessment focused on whether the program works in practice.
- Flexibility for organizations to consider their own programs in the context of their own business risks, rejecting a prescriptive tick-box approach.
- An open stance to external sources. The Guidance specifically signposts the U.S. Department of Justice and the Agence Française Anticorruption corporate compliance guidance for companies with either a US or a French nexus.
- Recognition that isolated compliance failures do not inevitably mean that a compliance program is ineffective or that anti-bribery and anti-fraud procedures were not adequate or reasonable.
Footnotes
1. https://www.gov.uk/government/publications/sfo-guidance-on-evaluating-a-corporate-compliance-programme
2. https://www.gov.uk/government/publications/bribery-act-2010-guidance
3. https://assets.publishing.service.gov.uk/media/68e79ea7e5f463a62cb985b7/Failure+to+Prevent+Fraud+Guidance+-+English+Language+v1.5.pdf
4. https://web.archive.org/web/20210320182218/https:/www.sfo.gov.uk/publications/guidance-policy-and-protocols/sfo-operational-handbook/evaluating-a-compliance-programme/