New SFO Guidance clarifies approach to compliance procedures

16 December 2025

The Serious Fraud Office (SFO) has issued updated guidance setting out when and how it will evaluate a corporate compliance programme. 

The guidance restates familiar principles, but now folds in the new “failure to prevent fraud” regime under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (please see our previous updates for further details on this). Furthermore, the SFO has set out the investigative tools it can use to gather information about compliance programmes, whilst emphasising that every compliance programme should be different, tailored to the circumstances of the particular organisation. Matthew Wagstaff, the SFO’s Director of Legal Services, stated that “effective compliance is not a tick‑box exercise; it’s about building genuine cultures that prevent fraud, bribery and corruption.”

When the SFO will be reviewing compliance programmes 

The guidance identifies six circumstances in which the SFO may consider an organisation’s compliance programme, and the criteria it will apply in each case.

  1. Charging decisions (corporate offences). In considering whether to bring a prosecution, prosecutors apply the Full Code Test, comprising the evidential limb and the public interest limb. The guidance states that an assessment of an organisation’s compliance programme is relevant to both limbs, noting that it is a public interest factor in favour of prosecution if the offence was committed at a time when the organisation had an ineffective compliance programme. Conversely, it is a factor against prosecution if the corporate management team has taken a “genuinely proactive approach” involving remedial action.
  2. Deferred Prosecution Agreements (DPAs). When deciding whether a DPA is in the public interest, a genuine, embedded compliance programme will tend to support resolution by DPA rather than prosecution.
  3. DPA compliance terms and monitorship. Where changes to a compliance programme are recommended as part of a DPA, the prosecutor will need to assess whether those changes are fair, reasonable and proportionate. The DPA needs to clearly set out the timeline and parameters for determining how an organisation will demonstrate its compliance. The guidance also sets out a more nuanced position as to whether a monitor will always be needed with a DPA. In previous guidance the SFO had suggested that wherever a DPA required an organisation to update its compliance programme, its terms would “likely include” the appointment of a monitor. Now this will depend on the factual circumstances of the case and must be fair, reasonable and proportionate.
  4. Adequate procedures (Bribery Act 2010, s.7). In assessing whether an organisation has a defence of “adequate procedures” to the offence of failure to prevent bribery, an organisation’s compliance procedures will be considered against the six principles in the Ministry of Justice’s Bribery Act Guidance.
  5. Reasonable procedures (ECCTA, s.199). The guidance highlights that for the new offence of failure to prevent fraud, the emphasis is on reasonableness rather than proportionality. An organisation may therefore be able to argue that it was reasonable to have no procedures at all; more commonly, however, organisations will require procedures and should be guided by the six principles in the Home Office Failure to Prevent Fraud Guidance.
  6. Sentencing factors. The existence, quality and maturity of a compliance programme will be relevant at sentencing, with failure to put in place any measures constituting “high culpability” whilst demonstration of “some effort” to put prevention measures in place constituting “lesser culpability”. Prosecutors can alternatively consider the “cost” that might have been avoided by putting in place effective procedures to prevent the offence. This might include, for example, the cost of investigating and prosecuting an offence. 

How the SFO will gather and evaluate information 

The SFO will obtain information about compliance programmes from a variety of sources. To demonstrate co‑operation, organisations should be able to provide accurate information about the design and operation of their programmes. The SFO can deploy a range of investigatory tools early in an investigation, ranging from questions put to the organisation, voluntary disclosures and interviews, to compelled disclosure of documents or information, section 2 (Criminal Justice Act 1987) witness interviews, and suspect interviews.

The SFO has specifically highlighted that information about compliance failures will feed into wider questions, including whether there is direct or circumstantial evidence of criminality. This ability to compel information about historic failings raises the possibility of SFO investigations widening in scope once compliance failures are disclosed.

Key takeaways 

The guidance offers the following key takeaways for organisations.

  1. Substance over form. The guidance makes clear that compliance is not a tick‑box, paper exercise. It notes that many organisations will have some sort of compliance policy in place, but the SFO will look beyond what is written down and determine how the policy works in practice. Paper policies alone are not enough; organisations must have practical systems in place which are tailored to the organisation’s specific risks and are reviewed and updated regularly to reflect changes in the business and its risk environment.

  2. Evidence and record keeping matter. Given the SFO’s broad investigative powers, robust, accurate record keeping is critical, particularly where shortcomings in a compliance programme are identified. The SFO’s guidance explains that a single compliance failing may not, by itself, demonstrate that an organisation’s procedures are generally inadequate. If the organisation maintains thorough records of the failing, its impact, and the remedial steps taken, this may in some cases satisfy the SFO that a broader investigation or prosecution is unnecessary.

  3. Prompt and proactive remediation. When compliance failings come to light, decisive action by management goes a long way. The SFO is looking for immediate, tangible remedial steps that address root causes and strengthen the compliance programme.