The Serious Fraud Office (SFO) updated its guidance on ‘Corporate Co-Operation’ in late April 2025 (the Guidance). The Guidance has been heralded by the SFO as bringing greater clarity for corporates in considering whether to self-report, with the aim of increasing the number of self-reports made by companies to the SFO.

The Guidance will undoubtedly be of some value to UK corporates faced with making this difficult decision, but it represents only one part of a wider decision-making process that companies must engage in when deciding whether, when and to whom to self-report wrongdoing. 

The SFO’s position

For the first time, the SFO has stated that if a corporate self-reports promptly to the SFO and fully co-operates, it will be invited to negotiate a Deferred Prosecution Agreement (DPA), unless exceptional circumstances apply.

Whilst this does introduce greater clarity than the SFO previously provided, there are aspects of this statement alone which undermine the available clarity. There is, for example, no definition of what would constitute “exceptional circumstances” nor sufficient certainty on whether a self-report would be considered “prompt”.

In relation to what constitutes “prompt”, the Guidance helpfully recognises that corporates “may consider it necessary” to investigate suspicions of suspected offending prior to self-reporting. In fact, the Guidance itself states that a self-report should provide sufficient information to enable the SFO to understand the "nature and extent of the suspected offending”. Accordingly, it is hard to see how a corporate could self-report in line with the Guidance without undertaking some form of prior investigation.

Whilst permitting some information gathering, the Guidance states that the SFO does not expect a corporate to “fully investigate” before self-reporting. The scope of an investigation which permits a corporate to understand the nature and extent of the suspected offending and a full investigation is likely to be a difficult one to define. 

Although the Guidance highlights the importance of a self-report, it notably does not go so far as to say that corporates who do not self-report will be denied the chance to enter into a DPA. The Guidance expressly states that corporates who do not self-report may be invited to enter DPA negotiations if they have provided “exemplary co-operation” with the SFO’s investigation. 

Nick Ephgrave QPM, the Director of the SFO, said upon publication of the Guidance: “If you have knowledge of wrongdoing, the gamble of keeping this to yourself has never been riskier.” However, the fact that the guidance in turn confirms that DPAs may remain available to corporates who keep the knowledge of wrongdoing to themselves undermines this message. 

Further, a self-report is only half of the equation; the Guidance states that only a “genuinely co-operative corporate” will be invited to engage in DPA negotiations. This means that a corporate who self-reports but then fails, in the SFO’s eyes, to genuinely co-operate, would not be offered the opportunity to enter into a DPA.

The Guidance sets out non-exhaustive examples of co-operative conduct, including:

• collecting and identifying to the SFO documents and information likely to be relevant to the investigation;
• preserving all digital and hard copy material likely to be relevant to the SFO’s investigation; 
• early engagement with the SFO on the parameters of any internal investigation; and
• providing financial information regarding the benefit and/or harm the offending has caused.

Examples of uncooperative conduct are also included: 

• seeking to overload the SFO’s investigation by providing unnecessarily large amounts of material;
• “forum shopping” by unreasonably reporting offending to another jurisdiction for strategic reasons; and
• attempts to obfuscate the involvement of individuals, minimise and/or withhold the full extent of the suspected offending.

If a corporate maintains a valid claim of legal professional privilege, the Guidance states that they will not be penalised for doing so. However, ambiguity remains over what this might mean in practice, particularly as the Guidance also states that a voluntary waiver of privilege over records of interviews will weigh strongly in favour of co-operation. 

As well as placing expectations on corporates, the Guidance sets out what the SFO will seek to do, namely:

• contact a self-reporting corporate within 48 business hours of a self-report or other initial contact;
• regularly update a self-reporting corporate throughout the process;
• decide whether or not to open an investigation within six months of a self-report;
• conclude any investigation within a “reasonably prompt” timeframe; and
• conclude DPA negotiations within six months of sending an invite.

Whilst the new, specific timetables set out above bring greater certainty for corporates, the other obligations upon the SFO are relatively basic expectations that any company might already expect to receive from the SFO or any other agency investigating it. 

A key factor for many corporates may be the length of time any SFO investigation hangs over their business. In this regard, the Guidance has done nothing to address concerns. An unhelpfully vague “reasonably prompt” provides little reassurance of a swift resolution. 

Beyond the SFO Guidance: when might companies come forward?

Considerations for those in the Regulated Sector

Principle 11 of the FCA Handbook imposes a duty on FCA-regulated entities to disclose anything of which the FCA would “reasonably expect notice”. As a result, if a regulated entity uncovers suspected corporate wrongdoing, it is very likely that the entity would need to report to the FCA in line with its Principle 11 duty.

Once a report to the FCA has been made, the extent to which a corporate is left with any real discretion as to whether to self-report to the SFO is significantly reduced. If the FCA is made aware of corporate misconduct which falls within the SFO’s sphere, it will likely pass on the relevant information to the SFO. Corporates will therefore want to ensure they make a simultaneous report to the SFO in circumstances when they are reporting relevant misconduct to the FCA. 

The SFO Guidance makes clear that a report to another regulator does not constitute a report to the SFO and so submitting simultaneous reports will be essential. 

This sharing of information between agencies goes both ways. The SFO will be sharing self-report information with the FCA when it pertains to regulated entities and senior managers of those regulated entities. 

Further, if entities in the regulated sector have suspicions of criminality, these will often by definition lead to knowledge or suspicion of money laundering as the proceeds of that criminality. They will then be under an obligation to file a Suspicious Activity Report (SAR) with the UK Financial Intelligence Unit within the National Crime Agency (NCA). If the predicate offence on which the money laundering is reliant is of the nature to be of interest to the SFO, the NCA will pass that information on to the SFO. 

Similarly, for any conduct involving potentially sanctioned persons or jurisdictions, entities in the regulated sector (and to some extent beyond) may have a mandatory reporting obligation to the Office of Financial Sanctions Implementation (OFSI) and/or the Office of Trade Sanctions Implementation.

Incentives to self-report

For those outside of the regulated sector, one of the considerations when deciding whether to self-report misconduct are any potential benefits to self-reporting. With the new Guidance, the SFO are clearly trying to incentivise corporates to self-report; offering the potential to resolve criminal wrongdoing through the DPA process, rather than through a criminal prosecution. 

The key benefit of DPA to many corporates is in avoiding the risk of being marked forever by a criminal conviction, an outcome which is often particularly valuable to companies whose business is reliant on public procurement contracts with governments – it is notable that many such companies show up amongst the list of DPA recipients. 

Further, on paper a DPA allows for wrongdoing to be dealt with in a more timely manner than a contested criminal prosecution; a public and potentially damaging criminal trial is avoided. 

However, in practice, whilst DPAs may be concluded more swiftly than a prosecution (and the SFO seem focussed on reducing the time it takes to conclude a DPA), the DPA process is still a lengthy one. Moreover, the financial benefit of a DPA is restricted to a discount of up to half of the penalty that would have been imposed by a court at trial. Companies can already receive a one third discount on penalty in the event of a guilty plea on charge, with no requirements for extraordinary cooperation or self-reporting. 

In this context, it is notable the Guidance expressly confirms that DPAs will be considered even where a corporate has not self-reported, but has provided “exemplary co-operation”. This approach has already been borne out in practice. A number of the most high profile DPAs were reached with corporates who did not self-report. It therefore remains an open question as to whether most companies will be sufficiently motivated by the prospect of avoiding a criminal conviction and a potential small reduction in fine, in order to self-report significant wrongdoing, when a DPA may be available regardless and a guilty plea may produce some of the same benefits.

Push-factors to self-report

Leaving aside the potential incentives to self-report, corporates will also need to consider whether there are other factors which might push them towards making a self-report. One such factor is whether, if they choose to stay quiet, someone else will report them. A third-party report could come from a number of quarters: an internal whistleblower who goes public; a competitor; a counterparty; a financial institution; an overseas law enforcement agency. 

The new regime at the SFO has followed other enforcement agencies in calling for greater financial incentives to be offered to whistleblowers. HM Revenue & Customs announced in March 2025 a new incentive scheme for whistleblowers. HMRC’s new scheme will look to target serious non-compliance by large corporates and wealthy individuals and will provide for rewards of a certain percentage of the additional tax collected, likely in the region of 5% to 30%. Similarly, the UK Government is also stated to be considering the creation of an independent Office of the Whistleblower to confidentially handle whistleblower complaints.

The potential for a whistleblower to go public with an allegation has always been a factor which an organisation will need to consider. If the calls to incentivise whistleblowers are answered, the weight given to this risk factor is likely to need to be increased. Further, from 26 June 2025, individuals making whistleblowing disclosures about breaches of sanctions will be covered by the statutory protections available to whistleblowers. 

Aside from whistleblowers from within an organisation, corporates need to consider the risk of a third party reporting their misconduct. An aggrieved competitor who feels they missed out due to misconduct may choose to report their suspicions to a law enforcement agency. 

Of even greater risk, as referred to above if a financial institution involved in the relevant activity has suspicions of criminality they may be required to file a SAR with the NCA, or similar report to another body with mandatory reporting obligations such as OFSI. 

As well as information sharing between UK law enforcement agencies, the SFO will also receive information and intelligence from overseas law enforcement. IIn March 2025, the SFO announced it had formed an anti-bribery taskforce in collaboration with its Swiss and French counterparts (see our latest article for more information),  and we recently covered INTERPOL’s introduction of a “Silver Notice” scheme to allow enforcement agencies to more easily share information that specifically relates to economic crime offences. Whilst some UK corporates may think they can take their chances on the SFO investigating and undercovering wrongdoing; the ability of other authorities to investigate also needs to be borne in mind, and therefore also the reporting obligations that other involved parties may have in overseas jurisdictions. 

Beyond the SFO Guidance: what might hold companies back from self-reporting?

The rise of claimant investor activism in recent years will be a factor which boards weigh in the balance when deciding whether to self-report. There is a very real risk, arguably more so than ever, that if a company self reports wrongdoing to the SFO or another law enforcement agency, they will face a claim from shareholders or investors over the manner in which they notified, or more likely, did not notify, the investors of the misconduct.

The threat of a shareholder claim may weigh more heavily with a company than the threat of an investigation by law enforcement agencies, particularly given the number of high-profile prosecution collapses there have been in recent years. 

Conclusion

Whilst the SFO will no doubt be hoping that the new Guidance will precipitate a new era of corporate self-reporting, the decision to self-report will continue to be influenced by a variety of factors and a complex pattern of incentivisation and disincentivisation. Ultimately, companies are likely to remain extremely cautious about reporting their own wrongdoing. The SFO’s Guidance is unlikely to significantly move the dial on this important decision. 

This article was prepared with assistance from Sarah Gashi, Training Scholar.