4 December 2025

New UK SFO Guidance On Evaluating Corporate Compliance Programmes

WilmerHale

Contributor

WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.

On 26 November 2025, the UK Serious Fraud Office ("SFO") published an updated version of its Guidance on Evaluating a Corporate Compliance Programme (the "Guidance").1 The Guidance expands on previously issued guidance to reflect the new failure to prevent fraud offence under section 199 of the Economic Crime and Corporate Transparency Act 2023, which came into force on 1 September 2025.

For companies, the importance of having an effective compliance programme cannot be overstated; an ineffective compliance programme can mean not only prosecution and financial penalties but also huge reputational damage. As the Guidance stresses, the effectiveness of a compliance programme will be considered by the SFO at every stage of the investigation and enforcement process. The SFO has also repeatedly asserted its intention to prosecute the new failure to prevent fraud offence,2 signalling a heightened enforcement risk for companies.

In that context, the publication of any guidance on the evaluation of corporate compliance programmes is welcome. Those organisations looking for a clear, detailed and practical framework against which they can assess their own compliance programmes, equivalent to the US Department of Justice's ("DOJ") gold standard guidance, will be disappointed. The Guidance does little more than assert the same "generalities" and "high level assertions" that it warns companies against relying on as part of their compliance programmes.

Enforcement Scenarios

The first part of the Guidance considers six scenarios in which the SFO and / or the courts may be required to evaluate a company's compliance programme, namely:

  • Deciding whether a prosecution of the organisation is in the public interest;
  • Deciding whether to invite the organisation to enter into Deferred Prosecution Agreement ("DPA") negotiations;
  • Deciding whether to include compliance terms and/or a monitorship as part of the terms of a DPA;
  • Assessing whether an organisation has a defence of "adequate" or "reasonable" procedures to the failure to prevent bribery and fraud offences, respectively; and
  • When determining the appropriate sentence post-conviction.

For each of these scenarios, the Guidance does little more than reference and summarise existing guidance and applicable legislative provisions, before stating what the SFO will evaluate in the organisation's compliance framework. In the context of the failure to prevent fraud offence, for example, the Guidance simply restates the familiar six principles contained therein3 and concludes that "the relevant evaluation is whether the organisation had reasonable procedures designed to prevent associated persons from committing fraud." Critically, the Guidance offers no insight as to how the SFO will go about evaluating the organisation's procedures.

What an Effective Compliance Programme is Not

The second part of the Guidance, titled "FAQs/General Guidance", does little to answer the questions it purports to address. To the essential question, "What makes a compliance programme effective?", the Guidance replies that there is "no set of pre-ordained answers" and that the SFO's assessment will be on a case-by-case basis. It notes that having policies and procedures does not necessarily mean a programme is effective, nor do "isolated compliance failures" necessarily mean it is ineffective. While true, this provides no practical help to companies seeking to assess and strengthen their programmes.

International Benchmarks: Lessons From the DOJ and AFA

The most helpful part of the Guidance is arguably its signposting of the more comprehensive guidance issued separately by the DOJ and the French Agence Anti-Corruption ("AFA") for companies with a US or French nexus, respectively.

The DOJ's Guidance on Evaluation of Corporate Compliance Programs ("DOJ Guidance")4 centres on three "fundamental questions" quoted in the SFO Guidance:

  • Is the compliance programme well designed?
  • Is the programme being applied earnestly and in good faith? In other words, is the programme adequately resourced and empowered to function effectively?
  • Does the programme work in practice?

For each question, the DOJ Guidance sets out "topics" that the DOJ's Criminal Division has "frequently found relevant" in evaluating compliance programmes, and provides evaluation criteria for each topic. In relation to the compliance programme's design, for example, relevant topics include the company's risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions.

In relation to the risk assessment topic,5 the Guidance indicates the DOJ may examine the company's risk management process (e.g. the methodology and information used by the company), and ask whether the company deploys a risk-tailored resource allocation, whether risk assessments are subject to periodic reviews, whether "lessons learned" are incorporated in risk assessments, and whether the company has a process for identifying and managing emerging risks.

The AFA's Guidelines (the "AFA Guidelines")6 provide detailed guidance on anti-corruption core principles, including on the three core pillars of senior management commitment, risk mapping, and risk management measures and procedures, for companies and public entities.

The AFA Guidelines also provide guidance on the development of internal monitoring and evaluation systems for companies to ensure that their compliance measures and procedures7 are appropriate and effective. That guidance includes a monitoring typology that focuses on seven compliance elements, with three "lines of defence" for each element. For the training element, for instance, monitoring ranges from verifying the attendance of relevant employees (first line of defence) to analysis of the content and deployment of the training programme (third line of defence).

These frameworks demonstrate what the Guidance lacks: specific, practical and measurable indicators of effectiveness.

A Missed Opportunity

With the Guidance, the SFO has again missed an opportunity to give clear, practical and actionable instructions on the steps companies should take to ensure their compliance programme is effective, beyond the limited and piecemeal guidance already in existence. Until the UK's lead investigator and prosecutor of serious and complex fraud and corruption becomes more open and constructive, organisations will continue to turn to the DOJ Guidance and the AFA Guidelines, regardless of whether they have a US or French nexus.

Footnotes:

1 https://www.gov.uk/government/publications/sfo-guidance-on-evaluating-a-corporate-compliance-programme/sfo-guidance-on-evaluating-a-corporate-compliance-programme.

2 See, for instance, the SFO Business Plan 2025-26 or SFO Director Nick Ephgrave's statement in the Crown Prosecution Service Press Release of 18 August 2025, Organisations must prepare now for new fraud prevention law: "Now is the time to take action. Corporations must get their house in order or be ready to face investigation."

3 Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud, updated 10 October 2025.

4 DOJ Criminal Division's Guidance on Evaluation of Corporate Compliance Programs, updated September 2024.

5 Risk assessment is among the principles listed in both the Bribery Act Guidance and the Failure to Prevent Fraud Guidance.

6 The French Anti-Corruption Agency Guidelines.

7 Measures and procedures stipulated in Article 17 of the Transparency, Anti-Corruption and Economic Modernisation Act 2016-1691 of 9 December 2016, known as the Sapin II Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
