Failure to prevent fraud – pick up the nuances. Reflect the SFO’s emphasis on dynamic, regularly reviewed risk assessments and on maintaining fraud-focused training over time.
Learn from problems, not just policies. Show how investigations, whistleblowing reports and sector incidents have led to specific updates to your procedures.
Make circumvention difficult. Identify where controls could be bypassed and evidence checks that test whether they are followed.
If you self-report, focus on remediation. Be ready to show concrete improvements which may lead to a more proportionate approach from the SFO, instead of defaulting to an expensive monitor.
Use international benchmarks intelligently. Even without a US or French nexus, DOJ and AFA guidance remain useful reference points when stress-testing a compliance programme.
The SFO has issued updated guidance on how it evaluates an organisation's compliance programme, accompanied by a press release positioning this as part of its “refreshed” approach to corporates. The new document replaces the SFO's 2020 internal guidance and is now explicitly framed for external use, including a short FAQ section. For companies, the two substantive shifts are (i) the integration of the new failure to prevent fraud offence into the SFO's evaluation framework, with a restated set of compliance principles; and (ii) a clearer – and slightly softer – line on when an independent monitor may be imposed under a deferred prosecution agreement (DPA). The rest is largely re-packaging and incremental clarification rather than a wholesale re-write, but there are some useful takeaways for businesses.
The SFO’s 2020 guidance was an internal document aimed at prosecutors. It was structured primarily around time periods: the state of the programme at the time of the offending, the position at the time of charging or DPA negotiations, and how the programme might change under a DPA. The starting point was essentially the compliance programme itself, with questions about relevance added on afterwards.
The new 2025 guidance takes a different route. It identifies six scenarios in which the SFO might need to evaluate a programme – for example when considering charging decisions, entering into a DPA, agreeing DPA terms (including monitorship), sentencing, and in the context of the failure to prevent offences (bribery and now fraud). In each scenario, the guidance explains why the programme matters and how it may influence the SFO’s approach.
Evaluation is not an abstract exercise in asking “is this a good programme?”, but something rooted in specific decisions – whether to charge, whether to invite DPA discussions, the terms of any DPA, and how to assess any failure to prevent offence.
The most obvious change is the integration of the new failure to prevent (FTP) fraud offence, which only came into force in September 2025. Unsurprisingly, the guidance leans heavily on the existing “six principles” model familiar from the Bribery Act guidance, and on the Home Office’s own failure to prevent fraud guidance, while insisting that there are “noteworthy differences” between the sets of principles. There is a slightly awkward assertion that those differences are highlighted in bold – they are not – but this is more of an editorial quirk than anything else, and the areas of different emphasis are reasonably clear.
In practice, the differences are subtle and largely in emphasis:
These adjustments track the Home Office’s failure to prevent fraud guidance more than they break new ground. The message for corporates is that the SFO sees the failure to prevent fraud and bribery regimes as cousins, not twins: the same six principles apply, but with some tweaks.
One of the more practical developments is the treatment of monitorships in the DPA context.
The 2020 guidance suggested that where a DPA included requirements around a company’s compliance programme – and the means by which it would satisfy the prosecutor – this would “likely include” the appointment of an independent monitor, at the company’s expense. The default expectation was that a serious failure would attract a monitor.
The 2025 guidance is more guarded. It emphasises that a DPA presupposes a “genuinely proactive and effective” programme, and that a monitor should not be imposed automatically. Instead, the necessity of a monitor must be considered carefully in light of the factual circumstances of the case, including who will bear the costs. Where a monitor is appointed, the guidance now sets out more detailed expectations around the scope of their role and the standards of fairness, reasonableness and proportionality that must be met.
For companies, this is a modest but important development in the broader context of self-reporting and engagement. It suggests that a well-evidenced, improving compliance programme may not only support a DPA outcome, but also underpin arguments that an expensive, intrusive monitor is not the proportionate tool in every case – with other forms of remediation and oversight potentially capable of delivering sufficient comfort to the SFO.
The new guidance closes with a very brief FAQ section. Four key points emerge:
First, the SFO considers as its first question the difference between “adequate” or “reasonable” procedures (the language of the statutory defences) and an “effective” compliance programme. The answer is striking mainly for what it does not do: it acknowledges that, beyond the Bribery Act guidance or the failure to prevent fraud guidance, there is no formal guidance on what constitutes adequate or reasonable procedures or an effective programme, and then falls back on the truism that “each compliance programme is different”. In that sense, the FAQ does little to reconcile the different standards – adequate, reasonable and effective – and instead underlines the tension between them. The only practical steer is that, in the SFO’s view, external benchmarks and real-world outcomes will matter more than labels.
Second, on external benchmarks, the SFO is more explicit than in 2020 that references to external sources may assist in determining what constitutes an effective programme. It namechecks the US DOJ’s 2024 guidance and the French AFA guidance, although then immediately ties their relevance to companies with US or French links. That caveat may make sense jurisdictionally, but it slightly underplays the reality that many multinational organisations already use these frameworks more broadly as reference points.
Third, on evidence sources, the SFO lists the usual toolkit: voluntary disclosures, compelled production under section 2, witness and suspect interviews, and direct questions to the organisation. There is nothing surprising here, but it is a reminder that prosecutors will check whether what a policy says aligns with what employees, third parties and documents reveal about how it operates in practice.
Fourth, on what makes a programme effective, the SFO goes beyond the familiar warning that programmes must not be a “paper exercise”. It stresses, slightly haughtily, that there are no “pre-ordained answers” that guarantee a particular outcome, and that isolated failures do not inevitably prove a programme ineffective. The more useful point is that the SFO will look at whether measures include controls against circumvention: for example, not just requiring approvals, but checking through periodic audits that those approvals are being obtained and enforced in practice. Here, the key signal is that companies cannot credibly claim to have “reasonable procedures” if it is easy for employees or intermediaries to bypass them.
The SFO’s updated guidance is best understood as part of a broader shift, rather than a dramatic reset. It aligns the agency’s public messaging with the new failure to prevent fraud offence, updates its stance on monitorships to a more case-by-case footing, and signals a continued focus on real-world outcomes, not just paperwork.
For corporates, the core expectations are familiar: risk-based, documented and living programmes; clear tone from the top; robust training and monitoring; and evidence that controls are hard to bypass.
The real test will be how the SFO applies these principles in live investigations and DPA negotiations over the coming years – and whether its “refreshed” approach translates into more consistent, predictable decision-making for cooperating businesses.
Authored by Reuben Vandercruyssen, Liam Naidoo, Olga Tocewicz, and Alex Cumming.