SFO guidance on evaluating a compliance programme: would yours be assessed as fit for purpose?

Written on 29 Jan 2020

On 17 January 2020, with little fanfare, the Serious Fraud Office (the SFO) published an update to its Operational Handbook to give guidance on how it will evaluate corporate compliance programmes. At first blush the guidance might appear to contain nothing new, but it may in fact be an indication of a significant change in focus in the way the SFO will structure investigations looking at corporate wrongdoing.

Of note, the opening line of the guidance states: "If the SFO is investigating an organisation it will need to assess the effectiveness of the organisation's compliance programme". It then immediately goes on to indicate that this assessment will "inform decisions" the SFO takes relating to the case, including in relation to the following questions:

  • Is a prosecution in the public interest?
  • Should the organisation be invited to enter into Deferred Prosecution Agreement (DPA) negotiations, and if so on what terms (we analyse DPAs in our Straight to the Point video series)?
  • Does the organisation have an "adequate procedures" defence to a charge under section 7 of the Bribery Act 2010 (failure to prevent bribery)?
  • Is the existence and nature of the compliance programme a relevant factor for sentencing considerations?

What is required?

The key principle is that a compliance programme should be "effective and not simply a paper exercise". The programme must be "proportionate, risk-based and regularly reviewed". It appears clear that the SFO's investigators will be tasked to make searching inquiries to establish whether or not these principles have been met.


As the guidance notes, when evaluating a compliance policy, the SFO will need to look at the past, the present and (possibly) the future.

Reflecting the Guidance on Corporate Prosecutions issued by the Director of Public Prosecutions and the SFO, if an organisation is found to have had an ineffective compliance programme at the point any offending occurred, this will be a factor tending towards prosecution. Conversely, if the organisation can establish that it had an effective programme, that might be likely to satisfy the SFO that it had adequate procedures in place to prevent bribery, which might lead to a decision not to prosecute.

The guidance looks at the different factors that may apply at each of these stages and the impact they might have on how the SFO or a court would view the position. What is clear is that the SFO will want to be satisfied that the business had, or potentially will have, a "genuinely proactive and effective" compliance policy.

How will a compliance programme be tested?

A further point of interest is that the guidance strongly suggests that the SFO will seek to deploy all its various investigatory tools to undertake the assessment, including:

  • Voluntary disclosure and interviews.
  • Compelled disclosure of documents or information.
  • Compelled interviews of witnesses.
  • Interviews with suspects that are conducted under caution.

In deploying these tools, the SFO will look to access an organisation's records (which it will expect to have been generated and maintained), detailing how its compliance policy operates. Again, the SFO will want to be satisfied that the policy is genuinely proactive and effective.

The guidance requires investigators to review the effectiveness of the policy as against the "Six Principles" detailed in the Ministry of Justice, The Bribery Act 2010: Guidance, as follows:

  1. Proportionate Procedures.
  2. Top Level Commitment.
  3. Risk Assessment.
  4. Due Diligence.
  5. Communication (including training).
  6. Monitoring and Review.


As noted, not least because the guidance refers back to the Six Principles, it might be thought of as not containing much that is new. However, the guidance clearly looks to build on remarks repeatedly made by Lisa Osofsky, the SFO Director, since she took office in August 2018, indicating that the agency would look to do things differently.

A significant element of this new regime will be a focus on how compliance policies are operated, or sought to be circumvented, as potential sources of evidence pointing to illegality. The Director has given clear warning that the SFO will expect programmes to be more than mere "window dressing" and that organisations under investigation should anticipate the SFO asking "tough questions" when assessing their compliance programmes. Critically, the SFO will look for any evidence suggesting that management has tried to bully compliance officers into not adhering to a programme.

The guidance is further evidence that the Director is bringing more clarity of purpose and direction to SFO investigations that historically have too often appeared to be unfocussed. Ms Osofsky has promised to be a "new kind of Director" and the guidance is, in part, carrying that promise into effect. It will be interesting to see how future SFO investigations progress, but all commercial organisations should now ensure that their programmes would be viewed as being fit for purpose if the SFO ever came knocking.