Legal Update
Dec 1, 2025
Making Compliance Count While Avoiding Prosecution: Key Insights from the Serious Fraud Office’s New Guidance
Executive Overview
On 26 November 2025 the Serious Fraud Office (SFO) published its first ever guidance on Evaluating Corporate Compliance Programmes. The document provides organisations with greater visibility into how the SFO assesses the effectiveness of compliance programmes and how those assessments influence decisions on prosecution, Deferred Prosecution Agreements (DPAs), statutory defences and sentencing.
The central message is that compliance must operate effectively in practice rather than exist solely as a set of written policies. Organisations should therefore ensure that their compliance programmes are both legally robust and demonstrably effective in managing the risks arising from their operational reality.
The SFO’s Assessment Framework
The guidance explains how the SFO will evaluate compliance programmes across six scenarios when:
- deciding whether to prosecute;
- deciding DPA eligibility;
- considering the inclusion of compliance terms in a DPA or as part of a monitorship;
- assessing the merits of statutory defences under the Bribery Act 2010;
- assessing the merits of statutory defences under ECCTA; and
- treating the programme as a mitigation factor in sentencing.
These assessments will be contextual, risk-based and organisation-specific, with emphasis placed on how compliance operates in practice rather than how it is described in policy documentation. Programmes are evaluated both at the time of the alleged misconduct and at charge, meaning organisations must maintain effective preventative controls and show proportionate remediation where failures occur.
Organisations operating in the U.S. and already structuring their compliance programmes around the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs will recognise that the SFO’s guidance aligns closely with this framework.
What does it tell us about “Reasonable” and “Adequate” procedures?
The SFO guidance provides evaluation principles which are aligned with the six compliance pillars contained in the Home Office’s Guidance for the Bribery Act 2010 and Failure to Prevent Fraud and Tax Evasion. The SFO guidance outlines how prosecutors will assess the procedures in place when deciding what action to take. The primary definition of “reasonable procedures” and “adequate procedures” remains in the relevant government body guidance. What it does not provide is detailed operational benchmarks or industry-specific expectations. As a result, organisations must calibrate their controls to their size, risk profile and operational footprint without prosecutorial certainty.
How the SFO Assesses Compliance Programmes
The SFO places significant emphasis on evidence that a compliance programme functions effectively in the ordinary course of business. The SFO’s assessment will be a holistic one, based on the organisation’s specific circumstances. Organisations are expected to demonstrate that their compliance programmes are not legal tick-box exercises but consist of controls that are:
- proportionate to the organisation’s specific risks;
- integrated into the organisation’s day-to-day operations; and
- supported by verifiable evidence of implementation.
This evidence may take many forms, including training completion and comprehension records, whistleblowing and investigation logs, audit trails and documented follow-up actions, disciplinary enforcement where appropriate, and demonstrable management oversight.
What an Effective Compliance Programme Looks Like
As reflected in the SFO’s guidance, an effective programme is more than a set of policies. It must operate consistently, adapt to emerging risks and prevent or detect misconduct. Key features include:
- alignment between risk assessments and controls;
- strong leadership engagement and accountability;
- accessible reporting channels;
- periodic review and adjustment;
- documented remediation and learning processes; and
- appropriate use of technology and data-driven monitoring to support assurance.
The guidance confirms that isolated failures do not automatically invalidate an otherwise credible programme. An organisation should, however, demonstrate how its controls minimise circumvention, for example through layered approvals, automated monitoring and additional scrutiny of high-risk activities.
These expectations are consistent with international standards, including the US DOJ’s guidance, which emphasises data-driven, well-resourced and operationally integrated compliance functions.
How Compliance Can Influence SFO Outcomes
The practical effectiveness of an organisation’s compliance programme is a key determinant of the SFO’s enforcement response and the outcomes available. In particular:
- Prosecution decisions: A genuinely effective compliance programme is a powerful factor pointing away from prosecution. It can support statutory defences and weigh heavily in the public-interest assessment.
- DPAs: Organisations that can demonstrate proactive governance, transparent cooperation, and credible remediation are significantly more likely to be considered for a DPA.
- Statutory defences: For Failure To Prevent offences, the adequacy or reasonableness of procedures at the time of the offence remains central. Remediation is relevant to charging decisions but cannot retrospectively cure past deficiencies.
- Sentencing: Courts consider the robustness of compliance arrangements when assessing culpability. Weak or ineffective programmes will heighten exposure whereas genuine albeit imperfect efforts may operate as a mitigating factor.
Key Takeaways
The SFO’s guidance represents a welcome step towards transparency but does not provide a definitive compliance shield. Organisations should focus on defensible compliance positioning supported by evidence-driven governance and alignment between risk exposure and control investment.
Organisations that can evidence a strong compliance culture at board and executive level and have an embedded, responsive and evolving compliance programme will be best positioned to minimise enforcement risk in an increasingly demanding regulatory environment.
Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.