SFO Guidance on Evaluating a Corporate Compliance Programme

  • Bulletin 28 November 2025
  • Regulatory reforms

Fifteen years on from the UK Bribery Act 2010, the United Kingdom’s corporate crime framework has matured into a cohesive ‘failure to prevent’ regime. That journey continued with the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which introduced the new offence of failure to prevent fraud for large organisations.

Against this backdrop, the Serious Fraud Office (SFO) has refreshed its Guidance on Evaluating a Corporate Compliance Programme (published on 26 November 2025). The updated Guidance clarifies when, why and how the SFO will examine an organisation’s compliance arrangements across investigations, prosecution decisions, Deferred Prosecution Agreements (DPAs), potential defences to bribery and fraud charges, and sentencing. 

This article explains what the Guidance means in practice, integrates legal analysis on how compliance evidence influences outcomes, and sets out pragmatic steps to strengthen programmes in line with regulatory expectations. It also assesses whether the UK is moving toward the US Department of Justice’s (DOJ) structured approach to evaluating effective compliance programmes, and whether similar clarity would be useful for the Bribery Act 2010.

Scope and themes of the refreshed Guidance

The SFO sets out six scenarios in which a corporate compliance programme will be evaluated. The evaluation will inform:

(i) decisions to prosecute under the Full Code Test; 

(ii) whether to invite a company into DPA negotiations and, if so, on what terms;

(iii) whether to include compliance undertakings and/or a monitorship within any DPA; 

(iv) whether a company can rely on the Bribery Act 2010 section 7 defence of ‘adequate procedures’; 

(v) whether a company can rely on ECCTA’s ‘reasonable procedures’ defence to failure to prevent fraud; and 

(vi) the relevance of programme design and operation at sentencing. 

Evaluation is holistic and fact‑specific. The existence of policies is not determinative: prosecutors will assess whether controls operate effectively in practice and whether leadership has fostered behaviour that prevents fraud and bribery. 

Effectiveness is judged at two points in time: the state of the programme when misconduct occurred and the state of the programme at the point of charge or resolution, including any remediation undertaken.  

Practical pointers and SFO approach

The updated document includes a helpful question‑and‑answer section and is at its best when explaining how the SFO will approach evaluation. In particular, it recognises that isolated compliance failures do not inevitably render a programme ineffective, and reiterates that the SFO will take a holistic view when forming its conclusions. The Guidance also summarises the role of DPAs and monitors, and sets out how the agency will consider remedial commitments, oversight, and proportionate monitoring where appropriate.

Legal analysis: how the Guidance affects key outcomes

Prosecution decisions: A programme that was ineffective at the time of offending will weigh in favour of prosecution; conversely, genuine remediation and a proactive, effective programme can weigh against prosecution. 

DPA eligibility and terms: Programme effectiveness is a key factor in whether the SFO will invite a company to negotiate a DPA. Where appropriate, undertakings may include enhancements to policies, controls, training, reporting and independent monitoring. 

Statutory defences: For bribery, the statutory defence turns on ‘adequate procedures’; for fraud under ECCTA, the defence turns on ‘reasonable procedures’. Both standards are principle‑based and proportionate to risk. In narrow circumstances, limited procedures may be defensible, but organisations should assume that a documented risk assessment and proportionate controls are the practical baseline. 

Sentencing: Courts can consider the existence and nature of a compliance programme in mitigation, particularly where the company evidences culture, governance and operations designed to prevent misconduct and shows measurable improvements following discovery.

Is the SFO moving toward the DOJ’s approach?

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is widely regarded as a clear, operational framework. It organises prosecutorial inquiry around three fundamental questions—design, empowerment and resourcing, and whether the programme works in practice—and encourages assessment in terms of a programme’s ‘technostructure’ (governance, policies, data access, tools) and its outputs (deterrence, detection, remediation). By contrast, the SFO’s compliance evaluation Guidance, consistent with the UK’s principle‑based tradition, is less prescriptive and emphasises holistic, context‑specific analysis. 

There are signs of convergence—particularly the SFO’s emphasis on effectiveness in practice, dual timeframe assessment (at offence and at resolution), and the growing importance of technology, data and whistleblowing—but the SFO has not yet adopted a question‑led evaluative framework akin to the DOJ’s ECCP. Many corporates would benefit from an articulation that mirrors the DOJ’s clarity, not least because it facilitates planning, benchmarking and internal audit of compliance capability. It would potentially be useful if the Ministry of Justice or the SFO replicated that approach for the Bribery Act 2010, translating the six prevention principles into operational questions and output measures, provided that this did not place too high an additional burden on business.

Statutory guidance and the case for updates

For multi‑nationals, interpreting what will constitute ‘adequate’ or ‘reasonable’ procedures remains challenging. The refreshed SFO document summarises the six principles at a high level, but detailed statutory guidance sits elsewhere: the Ministry of Justice’s Bribery Act Guidance on section 7, and the Home Office’s Failure to Prevent Fraud Guidance. The absence of an update to the Bribery Act Guidance comparable to the breadth of the Failure to Prevent Fraud Guidance raises a practical question: when will the 2011 Bribery Act Guidance be modernised to reflect current market practice, evolving US expectations, and technology? The intervening years have transformed both compliance tooling and risk landscapes; UK business would benefit from aligned, contemporary guidance across both regimes.

Practical steps to align with SFO expectations

  • Refresh the risk assessment with a ‘benefit of fraud’ lens: identify where the organisation could benefit from fraud (e.g., sales practices, channel incentives, revenue timing, disclosures, ESG claims) and extend the assessment to associated persons (agents, distributors, outsourcers, resellers) and group entities. 
  • Map policies to controls and evidence operation: create a risk–control matrix, assign owners, define metrics, and test operation through sampling, walk‑throughs and data analytics. Maintain an audit trail of findings and remediation. 
  • Strengthen third‑party governance: update onboarding, contractual clauses and ongoing monitoring to address fraud‑prevention obligations; enforce audit rights, reporting triggers and termination provisions. 
  • Align incentives and culture: review Key Performance Indicators (KPIs) and reward structures to reduce pressure points; deliver role‑specific training; track speak‑up data, investigations and outcomes as indicators of behavioural effectiveness. 
  • Leverage technology: deploy monitoring tools and analytics to surface anomalies and automate evidence of control execution, policy delivery and training completion.

Clyde & Co perspective

Clyde & Co’s previous commentary on UK corporate crime enforcement and our Corporate Risk Radar series underline that regulatory complexity is now a board‑level strategic variable. Organisations that treat compliance as a resilience capability—risk‑driven, evidence‑based and tech‑enabled—are better positioned to reduce enforcement exposure, secure pragmatic outcomes and sustain growth. The SFO’s refreshed Guidance reinforces that the decisive question is not whether policies exist, but whether they work in practice and are continuously improved.

Purpose and context of the update

The SFO states that the refreshed Guidance aims to provide clarity and transparency on how compliance programmes are assessed. It is intended to help organisations understand the factors prosecutors consider when evaluating effectiveness, particularly in light of the new failure to prevent fraud offence under ECCTA. The Guidance also includes practical resources and hyperlinks to related materials on DPAs and monitors, reinforcing its role as a reference point for corporates navigating enforcement risk.

Holistic evaluation and practical implications

The SFO emphasises that isolated compliance failures do not automatically render a programme ineffective. Instead, evaluation will be holistic, considering governance, culture, and operational evidence. This approach reflects a shift from box-ticking to outcome-based assessment, requiring companies to demonstrate that controls work in practice and are proportionate to risk. For multi-nationals, this means aligning global compliance frameworks with UK expectations while maintaining agility to respond to evolving enforcement priorities.

Convergence with international standards

While the UK remains principle-based, there are signs of convergence with the DOJ’s structured approach. The DOJ’s Guidance frames evaluation around design, empowerment, and effectiveness, supported by measurable outputs. The SFO’s focus on effectiveness and remediation echoes these themes, but lacks the prescriptive clarity of the DOJ model. Many corporates could benefit from a UK equivalent that translates prevention principles into operational questions and performance indicators, enabling benchmarking and internal audit readiness. However, a halfway house might be updated HMG guidance with more detailed FAQs, scenarios and detail on the expected use of technology and KPIs.

Technology and data-driven compliance

The Guidance implicitly recognises the growing role of technology and analytics in compliance. Organisations should leverage monitoring tools, data insights, and automation to evidence control execution and detect anomalies. This trend aligns with global best practice and supports the SFO’s expectation that programmes are not static but continuously improved based on risk and performance data.

Conclusion

The SFO’s refreshed Guidance marks a material moment in UK enforcement. Organisations should prioritise evidencing operational effectiveness, embedding proportionate procedures under both the Bribery Act 2010 and ECCTA, and maintaining credible cooperation frameworks. Beyond compliance, this is about resilience: leveraging technology, data, and governance to anticipate regulatory expectations. While the UK remains principle-based, convergence with global standards in this area over time is clear. The future may include a more granular level of UK requirements but until then, corporates must translate high-level principles into measurable outputs and continuous improvement to stay ahead of enforcement risk.

