SFO Publishes New Guidance on Evaluating Corporate Compliance Programmes
On 26 November 2025, the Serious Fraud Office (SFO) published its Updated Guidance on how it would evaluate a company’s compliance programme (the Guidance) for the purposes of prosecutions, considering defences to the ‘failure to prevent’ offences and assessing factors relevant to sentencing, among others.
The new Guidance sets out six scenarios where the SFO may assess a compliance programme. A key addition is where an organisation will have a defence of ‘reasonable procedures’ for the purposes of the failure to prevent fraud offence under s.199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA). A significant portion of the Guidance focuses on the ECCTA defence, which is discussed in detail below.
The Guidance also touches on the circumstances when a monitor may be appointed as part of a deferred prosecution agreement (DPA).
When Might Evaluation be Necessary
The SFO has set out six scenarios specifying when a compliance programme may be assessed. These mostly build on the previous edition of the Guidance and introduce an ECCTA-based scenario. The scenarios arise in the following circumstances:
- When deciding whether an organisation should be prosecuted.
- When considering whether to enter into a DPA, and if so, whether it should encompass compliance terms or a monitorship.
- When an organisation charged with failure to prevent bribery under s.9 Bribery Act 2010 has a defence of ‘adequate procedures’.
- When an organisation charged with failure to prevent fraud under s.199 ECCTA 2023 has a defence of ‘reasonable procedures’.
- When determining whether the existence and nature of a programme could constitute a relevant factor for the purposes of sentencing.
How the Defence to s.199 ECCTA Offence Fits into the Regulatory Framework
The offence of failure to prevent fraud came into effect in September 2025, which in turn brought in the defence of having reasonable procedures to prevent fraud. It is also a defence under ECCTA to show it was reasonable to not have any procedures in place at all. This is in contrast to the Bribery Act, which requires adequate procedures in all circumstances. Organisations relying on the defence will have the burden of proving the existence of the procedures or the lack of need for them.
The SFO will assess the effectiveness of the procedures rather than the mere fact that a compliance programme is in place, indicating that the control measures aimed at preventing fraud will be at the forefront of its investigation.
The Guidance sets out six principles, which should inform the preventive procedures. They are similar to those accompanying the failure to prevent bribery guidance, save for the distinction between ‘reasonable’ and ‘adequate’, discussed below.
‘Adequate’, ‘Reasonable’, and ‘Effective’
The SFO has stressed that beyond the individual guidance under the Bribery Act and ECCTA, there are no further directions on how to interpret ‘reasonable’ and ‘adequate’.
The effectiveness of compliance programmes will depend on the size, industry, and risk profile of each organisation. Organisations have discretion to decide on a strategy that must be effective in practice and not just a paper exercise. Accordingly, there is an expectation that an organisation’s compliance programme will be tailored to the specific organisation, proportionate to the risks it faces and reviewed on a regular basis.
In addition, the SFO refers to the equivalent US and French guidelines to aid organisations in deciding the appropriate approach. For instance, the Department of Justice guidelines might be particularly useful when carrying out a holistic review of a compliance programme by asking the following questions:
- Is the programme well designed?
- Is the programme applied in good faith, adequately resourced, and empowered to function effectively?
- Does the programme work in practice?
What Makes a Compliance Programme Effective: Practical Considerations
The SFO is clear that simply having controls and procedures in place is not sufficient to demonstrate that a compliance programme is effective. The focus is on practical results of the processes and controls, and how they influence actions undertaken by the organisation.
Such a holistic approach would mean that isolated failures do not necessarily render the programme ineffective.
Additionally, the SFO will consider whether compliance measures had sufficient systems to prevent circumvention. Consideration should be given to whether a compliance programme can be bypassed, and if so, how this can be prevented going forward.
DPA Monitorships
The Guidance notes that organisations eligible for a DPA will most likely already have a functional compliance programme. As such, the need to appoint a monitor will be carefully assessed on the individual facts, especially considering the costs involved.
This approach signifies that monitors can be appointed if appropriate in the particular circumstances and are not default elements of DPAs.
Concluding Remarks
The Guidance stresses the importance of having a tailored, effective compliance programme focused on anticipating and mitigating risks. ‘Effectiveness’ is defined by reference to results, rather than focusing on the internal workings of a particular programme. With the failure to prevent fraud offence recently added to the regulatory landscape, organisations must proactively prevent compliance breaches from occurring.
The new Guidance forms part of a recent wider updating of procedures by the SFO, including the Updated Corporate Cooperation Guidance and the Joint SFO–Crown Prosecution Service Corporate Prosecution Update.
Against this backdrop, organisations should ensure their compliance programmes can stand up to regulatory scrutiny. Our experienced team can help you develop an effective programme, tailored to your organisation’s needs. If you have any questions or would like to further discuss how you can improve your compliance programme, please do not hesitate to contact the authors listed above.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.