SFO turns the spotlight on corporate compliance programmes
From Internal Guidance to a Public-Facing Framework
The SFO’s previous compliance guidance, published in 2020 as part of its Operational Handbook, was largely an internal tool for case teams. It was structured around a timeline that examined a company’s compliance programme at the point of offending, at charge or DPA discussions, and in the context of any remedial obligations under a DPA.
The new Guidance adopts a different, outward-facing approach. Instead of a chronological structure, it is organised around the six scenarios where the SFO may need to evaluate an organisation’s compliance arrangements, directly linking the assessment to real prosecutorial choices. These scenarios are:
- Whether prosecuting the organisation is in the public interest;
- Whether to invite the organisation into DPA negotiations;
- Whether to include compliance undertakings or a monitorship in a DPA;
- Whether the organisation can rely on adequate or reasonable procedures defences to failure to prevent bribery or fraud offences; and
- How compliance should influence sentencing.
Across all six scenarios, the new Guidance largely reaffirms principles already established in existing guidance and statutory frameworks, rather than introducing new or expanded expectations. It reiterates that weak or ineffective compliance arrangements weigh in favour of prosecution, while effective, proactive and well-embedded programmes count against prosecution and support an organisation’s eligibility for a DPA.
For the failure to prevent offences specifically, the Guidance closely follows established government guidance, repeating the six recognised principles of: top-level commitment, risk assessment, proportionate procedures, due diligence, communication (including whistleblowing processes), and monitoring and review.
A More Measured Approach to Monitorships
In a welcome development for businesses, the new Guidance adopts a more measured approach to the use of monitorships in DPAs. The 2020 guidance suggested that a monitor was “likely” whenever a DPA included compliance requirements. The 2025 Guidance, however, takes a more balanced stance. It highlights that organisations invited to negotiate a DPA are expected to already have a proactive and effective compliance programme, and that a monitor should be imposed only where the circumstances of the case justify it. Factors such as cost, proportionality, and fairness should be considered when making the decision.
The Guidance also clarifies the monitor’s role, highlighting that any required compliance improvements must be fair, reasonable, and proportionate. In practice, this gives companies better grounds to argue that tailored oversight, undertakings, or other proportionate measures may suffice in place of a costly and intrusive monitorship.
Proving Compliance Works in Practice
The final section of the Guidance, titled ‘FAQ/General Guidance’, sets out a series of practical questions. Although the answers are not always detailed, this section provides some of the most illuminating points in the document.
It reiterates that there is no single blueprint for an effective compliance programme. Each programme is unique, and the SFO’s evaluation will be holistic and fact-specific, taking into account the organisation’s individual circumstances.
The Guidance also reiterates that, in evaluating a compliance programme, the SFO will look beyond written policies to assess substance and operational effectiveness. While this principle is not new, the updated Guidance places renewed emphasis on real-world outcomes - whether systems and controls are implemented in practice and are embedded across the organisation. The SFO will consider what issues were identified, whether safeguards prevent circumvention, and how the programme evolves in response to emerging risks. In short, businesses must ensure that their compliance programmes are functioning effectively in practice, not merely well-documented on paper.
Importantly, the Guidance also clarifies that isolated compliance failures will not automatically render a programme ineffective. This is a welcome clarification and a useful reference point for organisations engaging with the SFO, as it makes clear that the SFO will not automatically treat isolated instances of misconduct as evidence of an inadequate or unreasonable programme. This appears to recognise that the alternative approach would effectively undermine the statutory defences to the failure to prevent offences.
Evidence that Compliance Works
To evaluate a company’s compliance programme, the Guidance notes that the SFO is likely to draw on a range of investigative tools, including compelled document disclosure, witness evidence, and direct questioning of the organisation. In practice, this means SFO interviews with employees and other stakeholders may explore not only specific compliance failings but also broader aspects of the organisation’s compliance culture - for example, questions around whether the actions of top management incentivise ethical conduct or, conversely, incentivise unethical behaviour to meet business objectives.
Organisations should also be prepared to provide documentary evidence demonstrating how their compliance programme operates in practice, should the organisation find itself facing an SFO investigation. This goes beyond simply producing policy documents; it requires proof of operational effectiveness. Maintaining accurate records of effectiveness metrics, compliance activities and decisions is essential, ideally in a format that can be readily disclosed. Such records help show that the programme is embedded in day-to-day operations, is followed throughout the organisation and has real-world outcomes.
Whilst these points may not be new, they serve as a reminder that the SFO will assess whether a programme’s stated policies are reflected in reality - comparing them to employee behaviour, organisation culture, third-party interactions, and supporting documentation - rather than taking written policies at face value.
International Comparators
In addressing how the SFO will evaluate corporate compliance programmes, the Guidance points to more detailed materials issued by foreign enforcement authorities - the U.S. Department of Justice (DOJ) and the French Anti-Corruption Agency (AFA). As such, even for companies without a French or U.S. nexus, in the absence of more prescriptive guidance from the SFO, the DOJ and AFA frameworks provide valuable benchmarks for stress-testing a compliance programme.
The DOJ’s September 2024 Evaluation of Corporate Compliance Programs (ECCP) is widely regarded as one of the clearest and most practical compliance guidance documents available. It directs U.S. prosecutors to assess compliance programmes by reference to three core questions:
- Is the programme well designed?
- Is it adequately resourced and empowered to operate effectively?
- Does it work in practice?
Each question is then unpacked into detailed sub-questions and measurable indicators of effectiveness, examining how compliance functions day to day - how risks are assessed, how misconduct is detected and deterred, how controls operate, and how programmes evolve over time. For example, when considering whether a programme is well designed and informed by risk assessments, the DOJ’s Guidance asks: “What information does the company collect to detect the type of misconduct at issue?” and “Does it have a process for capturing and applying lessons learned internally or from the wider industry?”
By contrast, the SFO’s new Guidance is significantly less prescriptive, adopting a more holistic and context-specific assessment.
Conclusion
The updated Guidance sends a clear signal: the SFO is placing increased focus on organisations’ compliance programmes. Alongside recent changes to the UK corporate criminal liability framework - including the introduction of the failure to prevent fraud offence and the expanded identification doctrine - this Guidance underscores the critical importance for businesses of maintaining compliance frameworks that are dynamic, effective, and fit for purpose.
While no programme can eliminate risk entirely, a well-designed and effective framework can deter misconduct, strengthen a company’s position if issues arise - including potentially providing a defence to a failure to prevent offence - inform prosecutorial decision-making, support efforts to secure a DPA where appropriate, and reduce the likelihood of a costly or intrusive monitorship.
The core principles for organisations remain familiar: programmes should be risk-based, well-documented, and dynamic, underpinned by a clear tone from the top, robust training, and effective monitoring. However, policies alone are not enough. Organisations must map risks to relevant controls, learn from incidents, whistleblowing reports, and sector developments, and demonstrate how these insights have informed updates to procedures. True effectiveness also relies on ongoing oversight, supported by measurable metrics and a structured testing programme. Maintaining clear audit trails, documenting management actions and decisions, and providing well-defined reporting channels to the board are all essential to show that the programme is genuinely operational and delivering results.
As ever, the real test will be how the SFO evaluates these principles in practice, particularly in live investigations, and whether its “refreshed” approach leads to more collaborative and predictable outcomes for cooperating businesses.