UK SFO new corporate compliance guidance: what it means for in-house legal teams

In all of the SFO’s corporate prosecutions and Deferred Prosecution Agreements (DPAs) to date for failure to prevent bribery, there are common themes. One of these is that although the organisations had some policies and procedures in place, they were sidestepped, not enforced, often just window dressing and certainly not ‘adequate’.

There is a paragraph towards the end of the UK Serious Fraud Office’s ten-page refreshed Guidance on Evaluating a Corporate Compliance Programme, published on 26 November 2025, which contains perhaps the most telling message: “Many organisations have some level of policies in place. The SFO will seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground.” It will do this by interviewing key individuals and by compelling documents and information from the relevant organisation.

The SFO’s new corporate compliance guidance does contain a few other new nuggets of information, but in general it is there to align the SFO’s published position with the evolving “failure to prevent” landscape and to clarify how programme effectiveness will be assessed during charging decisions, DPAs, statutory defences and sentencing. The message is clear: the SFO expects living, risk-responsive programmes evidenced by outcomes, not paper.

From internal note to outward-facing framework

The previous guidance, published in 2020, sat in the SFO Operational Handbook as internal guidance to case teams. It was framed around timing – what the programme looked like at the time of the offending, at charging/DPA negotiations and what it should look like under any DPA. Much of the substance leaned heavily on the Ministry of Justice’s 2011 Bribery Act guidance and the six prevention principles, with limited practical elaboration.

The new guidance is explicitly outward-facing. It organises evaluation around six decision-points: prosecution decisions; whether to invite an organisation to enter into a DPA; whether to include compliance undertakings and/or a monitor in any DPA; the availability of an “adequate procedures” defence to a failure to prevent bribery offence under s7 Bribery Act; the availability of a “reasonable procedures” defence to a failure to prevent fraud offence under s199 ECCTA; and sentencing. A strange omission is its silence on the failure to prevent the facilitation of overseas tax evasion, for which it is the lead prosecutor.

It ties the assessment of compliance to concrete prosecutorial choices and clarifies the time horizons during which a compliance programme will be considered – at the time of offending, at reporting or charge, and at resolution.

Integration of “failure to prevent fraud” and the “reasonable procedures” defence

The most substantive development is the integration into this guidance of the new failure to prevent fraud offence, which came into effect on 1 September 2025. The SFO confirms it will evaluate whether an organisation can meet the “reasonable procedures” defence, noting two important distinctions from bribery:

  • The standard is “reasonable” rather than “adequate”, with the guidance explicitly acknowledging that, in limited circumstances, an organisation could argue that it was not reasonable to expect it to have any procedures in place at all (although we think this will succeed very rarely in practice).
  • The fraud-focused principles are slightly different – emphasising dynamic, regularly reviewed risk assessments; maintaining training over time; and learning from internal investigations, whistleblowing and sector developments.

Large organisations should have carried out their risk assessments and built their fraud strategy plans into their compliance framework by 1 September, in order to meet this standard. However, it will be important for in-house teams not to sit still having done so, but to treat fraud risk as ongoing and responsive to events, since static periodic reviews may not be sufficient if there are significant changes in the business or its partners.

A more nuanced stance on monitorships

One of the most notable updates concerns the use of monitors. In 2020, the guidance indicated that an independent monitor would “likely” be appointed, at the company’s expense, if a DPA required compliance reforms (as a prosecutor would need to be able to assess whether the reforms have been made). 

By 2025, the language is more nuanced. The DPA should, the guidance states, set out the means and timeline by which an organisation will satisfy a prosecutor of its compliance. A monitor ‘can be appointed’; a watering down of ‘likely’. The guidance recognises that an organisation that has been offered a DPA will already have a genuinely proactive and effective compliance programme in place. The decision should be fair, reasonable, and proportionate, especially considering the costs involved. 

The updated guidance also expands upon a monitor’s primary function with explicit reference to considering what compliance improvements are fair, reasonable and proportionate to include in a monitorship agreement. 

These changes should mean that organisations with proactive and effective compliance programmes now have stronger grounds to argue that proportionate undertakings and testing can replace costly, onerous monitorships.

Effectiveness in practice, not policies on paper

Both the previous and the current versions insist compliance must be effective and not a paper exercise. However, as we set out in our introduction, the 2025 document pushes further on how effectiveness will be evidenced. ‘Generalities’ and ‘high level assertions’ will not do. 

Whilst the guidance states that isolated failures do not doom a programme, the SFO will “get behind the pronouncements” to test whether controls work and whether circumvention is hard.

Prosecutors will draw on voluntary disclosures, compelled disclosure and interviews, and direct questioning of organisations, to examine whether operational reality meets policy intentions.

Clearer links to other SFO guidance and external benchmarks

The 2025 guidance lands in a broader “refreshed” SFO policy suite. It signposts the updated Joint SFO/CPS Corporate Prosecution Guidance and the Corporate Cooperation Guidance, which all but guarantees an invitation to DPA negotiations for an organisation that promptly self-reports and fully cooperates, absent exceptional circumstances. It also acknowledges the utility of external benchmarks, citing the U.S. DOJ’s 2024 compliance programme guidance and the French AFA guidance as reference points for assessing effectiveness. For multinational groups, this tacitly endorses some level of cross-jurisdictional alignment. But even without a US or French nexus, those frameworks remain helpful when stress-testing a compliance programme.

Notably, the SFO has not attempted to create equivalent practical guidance of its own, continuing its traditional stance that it is not there to advise organisations on what an effective compliance programme looks like.

Statutory defences and sentencing

Two defence frameworks now sit side-by-side. For bribery, the question remains whether “adequate procedures” designed to prevent bribery were in place at the time of the bribe, assessed against the familiar six principles. For fraud, as for facilitation of tax evasion, the test is whether “reasonable procedures” were in place (or it was not reasonable to have any) at the time of the offence. The SFO candidly admits that there is no formal yardstick for “adequate”, “reasonable” or “effective”, and that assessments are holistic and context-specific.

On sentencing, the 2025 guidance draws out how programme design and operation can influence culpability and harm assessments, including the concept of “cost avoided” by failing to implement appropriate measures. Although sentencing guidelines have not yet been updated for failure to prevent fraud, the new guidance signals likely convergence with bribery in how culpability factors are weighed.

FAQs and practicalities: more transparency, still principles-led

New for 2025 is a short FAQ that, while not transformative, provides transparency on three points that matter in practice:

  • It acknowledges the unresolved tension between “adequate”, “reasonable” and “effective”, emphasising that labels matter less than outcomes and evidential substance. 
  • It lists sources of evidence the SFO will seek, underscoring early engagement on scope and sequencing if a company is conducting an internal investigation.
  • It states plainly that programme effectiveness will be judged by outputs. What changed? What was detected? What was remediated, and how quickly?  Circumvention is given a special mention – what are the controls against circumvention?  How have they been tested?

What in-house teams should consider

First, recalibrate risk assessment through a fraud lens. Fraud exposure often hides in plain sight, e.g. sales practices, revenue recognition, disclosures, ESG claims and third parties. The SFO’s emphasis on “dynamic” risk assessment frameworks means triggers for re-assessment should be hard-wired, including new products, acquisitions, market entries, incentive redesigns and audit findings.

Second, evidence operation, not just design. Mapping risks to controls and owners is an essential first step, but effective oversight should be supported by operating metrics and a programme of testing. Audit trails of findings, management actions and board reporting, supported by meaningful management information (MI), will matter when prosecutors ask whether the programme “works in practice”.

Third, be thoughtful about cooperation and monitorships. The Corporate Cooperation Guidance and the softened stance on monitorships have likely been designed to shift the calculus on whether to self-report and cooperate. If self-reporting, engage early on investigation parameters, and be ready to present a credible analysis of programme gaps and remediation. If invited to DPA discussions, use the 2025 guidance to argue for proportionate undertakings calibrated to demonstrated improvements, not a default monitorship.

Fourth, reinforce engagement with leadership. The new guidance is an ideal prompt to remind senior leaders that they may be questioned directly about the organisation’s compliance programme. This can help focus attention on the sorts of questions that leaders may want to be asking now.

To conclude

The 2025 guidance does not revolutionise the SFO’s approach; it consolidates and clarifies it. The main additions are the full integration of failure to prevent fraud, a more nuanced position on monitorships, and greater transparency on evidence and benchmarks. 

For in-house lawyers, the message is pragmatic: programmes must be risk-driven, dynamic, evidenced by outcomes, designed to prevent, detect and learn, and hard to bypass. Those that are, and can prove it, will be better placed to mitigate charging risk, shape DPA terms and avoid unnecessary monitorships.

Published on the A&O Shearman investigations blog.