On 26 November 2025, the Serious Fraud Office (SFO) published updated Guidance on Evaluating a Corporate Compliance Programme.
The new guidance replaces the previous guidance introduced in January 2020 and sets out six scenarios in which the SFO may assess an organisation’s compliance programme.
Following the introduction of the “failure to prevent fraud” offence (effective 1 September 2025), the updated guidance includes a scenario for evaluating whether an organisation has in place “reasonable procedures” to meet the threshold for a defence under the failure to prevent fraud offence.
The Six Scenarios
The guidance states that there are six scenarios in which the SFO may review an organisation’s compliance programme:
Deciding whether to bring a prosecution: in deciding whether to bring a prosecution, the SFO will have regard to the Full Code Test within the Code for Crown Prosecutors and the factors set out in the Corporate Prosecution Guidance (which was also recently updated, in August 2025). Whether an organisation has in place an effective compliance programme and its management takes a proactive approach to that programme – both at the time the offence was potentially committed and at the time of the charge – are factors that will be taken into account under both the evidential and public interest limbs of the test.
Considering an organisation’s eligibility for a Deferred Prosecution Agreement (DPA): the SFO will also take into account whether an organisation had a proactive and effective compliance programme at the time the potential offence was committed in considering whether to offer a DPA instead of prosecuting, in accordance with the DPA Code.
Evaluating the appropriateness of a monitorship under any DPA: a DPA can include terms requiring an organisation to implement a compliance programme or make changes to its existing programme, and it may also require the appointment of a monitor. In seeking to include such terms in a DPA, the SFO will need to evaluate the existence or adequacy of an organisation’s compliance programme.
Evaluating whether an organisation has a defence of “adequate procedures” to a charge of failure to prevent bribery: the defence to the failure to prevent bribery offence under section 7 of the Bribery Act 2010 is if an organisation had in place, at the time of the bribe, “adequate procedures” to prevent bribery. The statutory guidance issued by the Ministry of Justice sets out six principles against which this will be evaluated and the SFO’s guidance cites the six principles.
Evaluating whether an organisation has a defence of “reasonable procedures” to a charge of failure to prevent fraud: the defence to the failure to prevent fraud offence under section 199 of the Economic Crime and Corporate Transparency Act 2023 is if an organisation had in place, at the time of the fraud, “reasonable procedures” to prevent fraud. The statutory guidance issued by the Home Office sets out six principles against which this will be evaluated. These principles are similar, but not identical, to the principles in the guidance on failure to prevent bribery mentioned above and the SFO’s guidance also cites these principles.
Sentencing: in considering what sentence to seek in respect of an organisation that has been successfully prosecuted, the SFO will have regard to the Sentencing Council guidelines, which require determination of an organisation’s culpability and harm. The levels of culpability and harm will be assessed to an extent on the effectiveness of an organisation’s compliance programme.
In addition to now addressing the new offence of failure to prevent fraud, the updated guidance builds upon the previous guidance introduced in January 2020 with additional practical hints for corporates in the form of an FAQ.
While the updated guidance does not reveal any particularly novel insights into the way in which the SFO will assess an organisation’s compliance programme (other than that it will be “based on the organisation’s individual circumstances”), it does helpfully pull together the various different (and increasing number of) government-issued guidance notes on corporate compliance programmes (as well as including links to guidance on compliance programmes issued by the US DOJ and the French AFA) and neatly outlines the circumstances in which an organisation’s compliance programme might be assessed.
A key takeaway for corporates is that the guidance reiterates the point that simply having policies, procedures and controls in place is not sufficient by itself to deem a compliance programme effective, and that the SFO will be looking beyond this to “determine how policies and procedures translate into conduct on the ground.” This makes clear that corporates should ensure they are, as a minimum:
regularly communicating their policies and procedures to their staff members and relevant associated persons;
conducting training on these policies and procedures; and
taking steps to measure their effectiveness within their business.
Additionally, the guidance states that the SFO will consider any potential for circumvention of the systems and controls in place, for example “having an approval process as well as a system for checking that necessary approvals are in place and adhered to, for example through periodic audits.”
Overall the update reinforces the importance of organisations maintaining robust compliance programmes and regularly assessing whether they are fit-for-purpose, to ensure they do not fall short in the event of an assessment by the SFO.
