SFO publishes significant new guidance on evaluating corporate compliance programmes

28 November 2025. Published by Adam Craggs, Partner and Head of Tax, Investigations and Financial Crime and Thomas Jenkins, Of Counsel and Alexandra Prato, Associate

The Serious Fraud Office (SFO) has published significant new guidance on how, when and why it evaluates corporate compliance programmes, offering important insight for companies when implementing and operating their financial crime controls.

The new SFO guidance, released on 26 November 2025, underlines the importance the agency places on effective financial crime compliance programmes throughout the enforcement process. It also stresses that, when assessing compliance programmes, the SFO will look to their substance and how effective they are in operation.

When will the SFO assess compliance programmes?

The guidance sets out six scenarios in which the SFO may be expected to scrutinise a company’s compliance framework. Those scenarios are:

  • when deciding whether to prosecute – an assessment of the compliance programme will form a key part of the application of the Full Code Test, with an ineffective compliance programme being a factor in favour of prosecuting
  • when negotiating and approving deferred prosecution agreements (DPAs) – an assessment will be made on the effectiveness of the compliance programme at the time of the offending, the time of the self-reporting and the time of the DPA. This will be a relevant factor in both the appropriateness of the case for a DPA and whether the imposition of a monitor may be required. Generally, only companies with an effective compliance programme in place at the time of negotiations will be considered for a DPA
  • when monitoring compliance with DPA terms and overseeing monitorships
  • when assessing the “adequate procedures” defence under the Bribery Act 2010
  • when assessing the “reasonable procedures” defence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA)
  • during sentencing.

What makes compliance “effective”?

A central element of the guidance is the SFO’s position that compliance must be effective and not just a "paper exercise". Prosecutors will assess how policies and procedures operate in practice, i.e. whether they are proportionate, risk-based, properly resourced and genuinely embedded across the organisation.

The SFO signals that it will go beyond high-level assertions and examine real-world outcomes, i.e. how risks are identified, how issues are escalated, and whether policies actually influence conduct. It also reiterates that an ineffective compliance programme, at the time of the offence, is a public-interest factor in favour of prosecution.

Bribery Act and ECCTA defences

The guidance also restates the different standards for the “failure to prevent” offences that it will consider when assessing compliance procedures.

Bribery Act 2010: Adequate procedures

Organisations must show they had adequate procedures in place at the time of the bribe. 

An assessment will be made against the Ministry of Justice’s well-known six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication and monitoring/review.

ECCTA 2023: Reasonable procedures

The ECCTA defence requires reasonable procedures to prevent fraud, or evidence that it was not reasonable to have such procedures. The Home Office principles mirror the Bribery Act 2010 framework but place additional focus on factors including:

  • dynamic and frequently updated risk assessment; and
  • learning from internal investigations, whistleblowing and near-misses.

How does the SFO assess compliance programmes?

The guidance states that the SFO will use a full range of investigative tools to evaluate corporate compliance, including:

  • voluntary disclosures;
  • compelled disclosure of documents; and
  • interviews with witnesses and suspects.

This reinforces the need for companies to maintain clear, contemporaneous records showing how policies operate in practice and supporting key decisions made by the business around financial crime controls. 

Part of the SFO's wider enforcement approach

This new guidance reinforces guidance issued by the SFO in April 2025, relating to self-reporting, cooperation and DPAs. Read together, these two guidance documents underline the increasing importance of financial crime compliance programmes and the level of scrutiny that prosecuting agencies may apply to them. From an enforcement perspective, the two guidance documents make it clear that, for a company to avoid prosecution or to obtain a DPA at the end of an investigation, the SFO will expect it to have in place compliance procedures that are effective in practice, are supported by clear records and demonstrate that the risks faced by the business have been properly considered.

Practical steps for companies

In light of the updated guidance, organisations should consider taking active steps, including:

  • reviewing their anti-bribery and anti-fraud frameworks to ensure that they meet the levels set out in the respective statutory guidance issued in connection with the Bribery Act 2010 and ECCTA
  • when reviewing their financial crime compliance procedures, considering their operational effectiveness, not merely the presence of a set of policies
  • ensuring financial crime risk assessments are dynamic and updated periodically and when new information emerges
  • clearly documenting key decisions taken around financial crime compliance, whistleblowing and internal investigations.
