The backdrop for the new guidance – as SFO Director Nick Ephgrave affirmed when interviewed by our Eve Giles at a recent GIR Live event – is clear: the bar for corporate criminal liability has never been lower, the scope for detection has never been easier, and the gamble for ignoring these signs has never been bigger.
The new guidance seeks to do two main things:
- All but guarantee a deferred prosecution agreement (DPA) for organisations that self-report, and clarify when a corporate should self-report.
- Reiterate what good corporate cooperation looks like.
This article considers the first issue – self reporting. A second article will consider what, if anything, has changed regarding expectations of ‘cooperation’.
Self-reporting and DPAs
‘If a corporate self-reports promptly to the SFO and co-operates fully we will invite it to negotiate a DPA rather than prosecute unless exceptional circumstances apply’.
This is a marked change in tone from the previous guidance and is aimed at encouraging more businesses to self-report misconduct.
Take note of the caveats – ‘promptly’, ‘unless exceptional circumstances apply’ and ‘invite to enter into negotiations’. We consider each of these below.
When?
When does the SFO expect a company to self-report in order to benefit from a DPA invitation? The SFO recognises that a responsible corporate will want to investigate suspicions before self-reporting, to understand the nature and extent of any offending – but it does not expect a company to investigate ‘fully’ before doing so. If there is direct evidence of offending then the corporate is expected to self-report ‘soon after’ learning of that evidence. If the position is less clear-cut, the SFO recognises that some further investigation may be necessary.
The Director elaborated on the guidance – suggesting at GIR Live that the time to report is when a company has ‘reasonable suspicion’; it should not wait until it is ‘beyond reasonable doubt’. Whilst the reasonable suspicion threshold is an appropriate threshold for reporting in some contexts (for example, those working in the regulated sector with concerns of third party money laundering); it may be too low for other types of misconduct. It risks premature reporting before a company has had the opportunity to more fully establish the facts. Further digging may allay any suspicions or reveal that there is no criminal misconduct.
How?
For those that do decide to self-report there is clearer guidance on how to do it, and what to expect in return:
- An initial response should be received within 48 hours and a decision on whether the SFO will open an investigation should be received within six months.
- An investigation will be concluded within a ‘reasonably prompt’ time frame.
- DPA negotiations will aim to be concluded ‘within six months’ of an invitation.
These are all laudable goals. It shows the SFO recognising that the spectre of a lengthy investigation hanging over a business for years on end is a major disincentive to self-reporting. We know that the Director is keen to progress cases faster and ‘[get] rid of investigations that aren’t going anywhere.’1
To whom?
It must be to the Intelligence Division of the SFO. A report to the National Crime Agency (NCA) (e.g. a Suspicious Activity Report) or another domestic or foreign agency (e.g. the Financial Conduct Authority), is not treated as a self-report to the SFO unless it takes place simultaneously or immediately after.
Exceptional circumstances
The promise of a DPA also comes with another caveat – exceptional circumstances. There is no guidance on what this entails. It is no surprise to see this caveat – the SFO could not completely fetter its discretion to prosecute. ‘Exceptional’ could mean extremely serious (risk of harm to the public, shareholders, stability and integrity of financial markets, financial gain/loss, etc.). But some cases settled to date by way of a DPA have already entailed very serious misconduct, e.g. bribery schemes spanning many countries and decades involving vast sums of money.
An invitation to negotiation
As before, there is no guarantee that a DPA will be offered at the conclusion of the negotiations. Again this is not surprising – the SFO will not want to fetter its discretion.
Comment
As things currently stand, it may be difficult for the SFO to fully convince corporates to self-report given that history has demonstrated that corporates who have not self-reported, but who have later pleaded guilty, have also received sizable reductions on penalty and avoided the ongoing obligations that come with a DPA; and corporates who have not self-reported, but who later offered ‘exemplary cooperation’, have been offered DPAs. The new guidance states that ‘We will consider inviting to DPA negotiations a corporate that has not self-reported if it has provided exemplary co-operation with our investigation’. So whilst there is a (caveated) promise of a DPA if you self-report, a DPA is not ruled out if you do not.
It is never advisable to ignore suspicions of misconduct. But there may be different approaches to take when moving forward. Some businesses will decide to investigate, remediate and move on, without involving the authorities – and, absent proceeds of crime issues necessitating contact with the NCA, that may be a reasonable and appropriate decision in the circumstances. Others will want to self-report, and similarly there may be valid reasons for this – e.g. a reasonable chance the authorities will find out anyway, reporting requirements to the FCA, or concerns about the impact of a conviction (e.g. for those who rely on public contracts).
There are other factors to consider too, such as the domestic and cross-border enforcement context. Whilst in recent years the SFO has been active in opening investigations, few corporates have faced enforcement action, and the SFO has yet to successfully prosecute any individuals following any of the 13 DPAs that companies have signed since the DPA regime came into force in 2014. There is also always a risk, following a self-report, of follow-on civil claims: a number of claims have been brought by shareholders against companies that have entered into DPAs or pleaded guilty before trial.
A decision on whether or not to self-report will remain complex and very fact specific. There are multiple factors that need to be carefully weighed (including regulatory expectations for those in a regulated sector) and upon which agreement needs to be reached at a senior level within an organisation. Whilst the guidance goes some way in clarifying expectations, how the SFO will put this into practice will be demonstrative in setting the tone going forwards.
Footnote
1 Law Gazette 14 April 2025
