From tick-box to culture: What the new SFO guidance means for organisations
What's this about?
The Serious Fraud Office (‘SFO’) has issued updated guidance on how it assesses corporate compliance programmes when making enforcement decisions. The SFO’s message is clear: compliance policies cannot simply exist ‘on paper’. Organisations must demonstrate that these policies work in practice and foster a proactive compliance culture.
Our Head of Risk and Financial Crime, Ben Cooper, says...
“The SFO has made it crystal clear that written compliance policies cannot be a tick box exercise anymore. This is a call for organisations to actively identify and address issues and be prepared to self-report serious problems. In practice, that means fostering a culture where compliance is genuine and proactive. The organisations that fail to maintain robust compliance frameworks risk finding themselves in the enforcement firing line.”
The points not to miss...
The guidance now extends beyond bribery to include fraud prevention under the Economic Crime and Corporate Transparency Act 2023 (‘ECCTA’). This significantly broadens compliance obligations, as organisations must be ready to demonstrate that they have reasonable procedures in place to prevent fraud by associated persons.
The refreshed guidance sets out six distinct situations in which the SFO will examine a business’s compliance programme. Grouped under four headings, they are:
(1) a prosecution decision under the Joint SFO-CPS Corporate Prosecution Guidance;
(2) a deferred prosecution agreement under the Deferred Prosecution Agreements Code of Practice, and any monitorship imposed under it;
(3) assessing a defence of “adequate procedures” to a charge of failure to prevent bribery, and a defence of “reasonable procedures” to a charge of failure to prevent fraud; and
(4) assessing the existence and nature of the compliance programme where this is a relevant factor in sentencing.
Organisations must ensure that their compliance measures are not just well-designed, but also well-implemented and operating effectively. The SFO will look for a genuine compliance culture embedded in business operations, and organisations must be able to demonstrate real-world implementation, monitoring and remediation.
Organisations should not wait for a knock on the door to address issues. It is imperative that organisations investigate, remediate and notify the authorities on their own terms if something goes wrong. Failure to do so will count against the organisation when the SFO considers whether a genuinely proactive and effective compliance programme is in place.
The effectiveness of a compliance programme will be assessed at multiple stages: at the time of the offence, when the issue is reported, and at the charging or deferred prosecution agreement stage. This means organisations must maintain continuous compliance readiness, rather than reacting only after problems arise.
Authors: Ben Cooper and Nadina Miltiadou
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.