
UK Serious Fraud Office publishes guidance on how it will evaluate corporate compliance programmes

Published on 8th December 2025

SFO sets expectations on compliance, cooperation and failure to prevent fraud  


The Serious Fraud Office (SFO) has published updated guidance on how it will evaluate corporate compliance programmes. It provides organisations with greater clarity on how their compliance measures will be assessed in enforcement contexts.

A transparent approach 

The SFO has identified six scenarios in which it may need to evaluate an organisation's compliance programme: 

  • determining whether prosecution is in the public interest under the Joint SFO-CPS Prosecution Guidance;
  • considering deferred prosecution agreements (DPAs) under the Deferred Prosecution Agreements Code of Practice;
  • deciding on terms or monitorships as part of a DPA;
  • assessing the "adequate procedures" defence under section 7 of the Bribery Act 2010;
  • assessing the "reasonable procedures" defence under section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA); and
  • considering the existence and nature of a compliance programme as a relevant factor for sentencing.

Failure to prevent fraud 

The guidance forms part of the SFO's "refreshed approach" to working with cooperating businesses and follows the publication of the Corporate Cooperation Guidance in April 2025 and the Joint SFO-CPS Corporate Prosecution Guidance from August 2025.

With the failure to prevent fraud offence now in force, the SFO notes that, while the guidance for each of the bribery and fraud offences contains six principles that should inform the procedures put in place, the two sets of principles are similar but distinct. Notable differences include the ordering of the principles and where the emphasis lies on dynamic risk assessments and learning from investigations. (Read more about the reasonable fraud prevention procedures guidance.)

Effectiveness 

In its FAQ on the distinction between the "adequate" and "reasonable" procedures defences under the Bribery Act 2010 and the ECCTA respectively, the SFO emphasises that organisations should focus on having an effective compliance programme. A compliance programme must be tailored for each organisation, proportionate, risk-based and regularly reviewed. 

The SFO confirms that assessment will be holistic, based on the organisation's individual circumstances. The guidance explicitly references external sources which organisations may use to determine what constitutes an effective compliance programme: the US Department of Justice guidance on the Evaluation of Corporate Compliance Programs and the French Anti-Corruption Agency's guidance on anti-bribery compliance programmes and guidelines on preventing and detecting bribery.

Organisations should take account of these guidelines even where there is no US or French connection, as they provide more detailed and informative examples of what the regulator may consider an effective compliance programme.

Proactivity and timing

The SFO will evaluate the proactivity of compliance programmes, examining them at the time the offence was committed as well as at the time of charge. When considering DPAs, the evaluation extends to the time of reporting and the time of entering into the DPA. 

The guidance repeatedly emphasises that a "genuinely proactive approach" by the corporate management team and an "effective" compliance programme is a public interest factor against prosecution. This complements the SFO's April guidance, which states that a prompt self-report of suspected corporate criminal conduct is a significant factor in favour of a DPA over prosecution. Organisations that self-report should therefore focus on remedial actions taken to enhance their compliance programme and be prepared to demonstrate meaningful improvements made.

Osborne Clarke comment 

As the CPS has done, the SFO has made it clear that it intends to make early use of the new ECCTA offence and equally that it will look closely at whether improper conduct can be dealt with by a DPA rather than a full prosecution. This guidance provides further clarity on the SFO's intended approach to compliance programme evaluation. However, the guidance is not as detailed as perhaps it might be, which in our view is a missed opportunity. Organisations should now review their existing programmes against the principles highlighted in the guidance and take suitably experienced advice when considering whether their policies need to be enhanced or in circumstances where a breach of any policy may have occurred.

Michelle Tong, Senior Paralegal, and Jacob Elsdon, Solicitor Apprentice at Osborne Clarke, assisted in writing this Insight.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
