SFO Refreshes Compliance Programme Evaluation Standards
On 26 November 2025, the SFO published refreshed guidance on how it evaluates a corporate’s compliance programme. This refresh turns the internal-looking January 2020 guidance for prosecutors into guidance for an external audience.
Why is it important?
Under the three ‘failure to prevent’ offences currently in force, a corporate has a defence if it can show it had ‘adequate’ (in the case of bribery offences) or ‘reasonable’ (in the case of fraud and facilitation of tax evasion offences) procedures in place to prevent the conduct in question. Although the burden is on the corporate to prove this defence on the balance of probabilities, evaluating the likelihood of the defence being raised successfully is an important factor for the SFO, and other prosecutors, to consider when deciding whether to charge a company, offer a deferred prosecution agreement or take no further action.
Whether a company had an effective compliance programme is also amongst the factors that the courts will consider at the sentencing stage (if a company is convicted) when weighing up mitigating and aggravating factors in arriving at a fine amount for substantive economic crime offences as well as for the failure to prevent offences.
The guidance
The SFO guidance focuses on the offences of failure to prevent bribery and failure to prevent fraud and is aimed at helping corporates understand how the SFO goes about assessing whether a corporate it is investigating had, at the time of the offending, “a genuinely proactive and effective corporate compliance programme” and whether it took “a genuinely proactive approach involving “remedial actions” (e.g. to enhance its compliance programme)” when the offending came to light. It does this with reference to the six principles in the government-published guidance on the two offences. The table below summarises the key points from those principles which the SFO guidance highlights.
| Principle | Bribery Act Guidance | Failure to prevent fraud guidance |
|---|---|---|
| Proportionate Procedures | “A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced”. | “An organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.” |
| Top Level Commitment | “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.” | “The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.” |
| Risk Assessment | “The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.” | “The organisation assesses the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment is dynamic, documented and kept under regular review.” |
| Due Diligence | “The commercial organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” | “The organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.” |
| Communication (including training) | “The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.” | “The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.” |
| Monitoring and Review | “The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.” | “The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.” |
| SFO’s summary of relevant evaluation | Whether the organisation had adequate procedures designed to prevent the bribery at the time of the bribe. | Whether the organisation had reasonable procedures designed to prevent associated persons from committing fraud. |
The refreshed guidance includes a FAQ section which starts with: what is the difference between ‘adequate’ and ‘reasonable’ procedures and an “effective compliance programme”? It doesn’t provide any specific answer to the question of the difference between adequate and reasonable,[1] instead noting that each compliance programme is different.
International approach
The SFO guidance also acknowledges that other external sources may be helpful to the assessment of effectiveness. Picking up on the international scope of many organisations, it notes, in terms of the assessment of effectiveness of compliance programmes, that for companies with a US link, the Department of Justice’s guidance on the evaluation of corporate compliance programmes[2] asks the following three questions:
- Is the corporate’s compliance programme well designed?
- Is the programme being applied earnestly and in good faith? In other words, is the programme adequately resourced and empowered to function effectively?
- Does the corporate’s compliance programme work in practice?
For organisations with a French nexus, it also references the guidance specific to anti-bribery compliance programmes issued by the French Anti-Corruption Agency (‘Agence française anticorruption’ or ‘AFA’).[3]
Risk assessment
As the more recent guidance for the failure to prevent fraud offence makes clear, there is an expectation that businesses will conduct a risk assessment. Being able to evidence that a risk assessment has been conducted is going to be essential to satisfying the SFO that a company has considered the risks specific to its business in order to determine what procedures it needs. That risk assessment will need to be reviewed regularly, particularly if there are any changes to the business structure or markets in which it operates.
The importance of implementation
As we point out to clients when asked to review policies and procedures, and as confirmed by the SFO’s guidance, simply having policies and procedures is not enough; they need to be properly implemented. This means making sure that any statements or commitments made in policies are followed through. The SFO makes it clear it will look beyond the paper and will want to see evidence of how policies and procedures are implemented and operate in practice; this will form a strand of the enquiries it undertakes and the evidence it collects.
Conclusion
The guidance underscores the weight attached to a corporate compliance programme when offences and prosecution (and levels of fines if convicted) are being considered. The last 12 months have seen an uptick in economic crime enforcement in the UK and various law enforcement agencies have publicly stated their focus on it. If you would like an objective assessment of your corporate compliance programme, then our experts at HFW are offering a free compliance check-up. If you are interested, please get in contact with the authors of this briefing.
Footnotes:
1. The question of the difference between the two was something considered by the House of Lords Select Committee on the Bribery Act when it conducted its post-legislative review of the Act. It took the view that “adequate” could be equated to “reasonable in all the circumstances”. See pages 61-62 of the report published in March 2019: https://publications.parliament.uk/pa/ld201719/ldselect/ldbribact/303/303.pdf
2. https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=
3. https://www.agence-francaise-anticorruption.gouv.fr/files/files/French%20AC%20Agency%20Guidelines%20.pdf