The Compliance Conundrum: Updated SFO guidance brings new challenges for Corporates

Overview

At the end of last year, the Serious Fraud Office (the "SFO") published guidance for corporates setting out 'when, why and how' it will evaluate an organisation's compliance programme (the "Guidance"). It replaces earlier internal guidance from the SFO (which previously formed part of its operational handbook for prosecutors) and builds on recent efforts by the SFO to improve transparency and provide clarity on how organisations can proactively and effectively engage with it and, where necessary, with fellow regulators (see, for example, the updated SFO guidance on self-reporting and cooperation published in April 2025 and the Joint SFO-CPS Corporate Prosecution Guidance published in August 2025).

The Guidance is most relevant to the statutory defence to the failure to prevent bribery offence (the "FTP Bribery Offence") introduced under the Bribery Act 2010 ("Bribery Act") and the new failure to prevent fraud offence (the "FTP Fraud Offence"), introduced under the Economic Crime and Corporate Transparency Act 2023 ("ECCTA"). The SFO’s press release notes that a key update to the Guidance is the incorporation of the evaluation criteria for the FTP Fraud Offence, including the "assessment of any potential defences of reasonable procedures". In this briefing, we provide some context on the Guidance and highlight some important takeaways for businesses. For more detail on the FTP Fraud Offence specifically and, in particular, what constitutes "reasonable fraud prevention measures", see our previous briefing.

Background

The introduction of the Bribery Act fundamentally changed the nature of corporate criminal liability in the UK. By way of a quick recap, the FTP Bribery Offence provides that an organisation can be held criminally liable for 'failing to prevent' bribery committed on its behalf by an associated person. Prior to this, an organisation could only be held criminally liable for the corrupt acts of an individual if it could be shown that the individual represented the organisation's “directing mind and will” (known as the "Identification Doctrine"). The idea of strict criminal liability for offences which (like bribery) are focused on a criminal state of mind required a fundamental change to compliance cultures and risk management.

The approach taken by the FTP Bribery Offence (and the wider 'failure to prevent' model) has clearly been seen as effective by regulators. Whilst there has not been the step change in criminal enforcement that many expected, there is no doubt that a number of significant prosecutions have succeeded which would not have progressed under the previous Identification Doctrine, and the wider changes to compliance cultures and risk management have been significant. Prevention remains better than the cure. As such, two further 'failure to prevent' offences – the failure to prevent the criminal facilitation of tax evasion and the FTP Fraud Offence – were subsequently introduced. Though nuanced and distinct, each failure to prevent offence is based on two key concepts:

(i) an organisation can be held criminally liable for failing to prevent associated persons (such as employees) carrying on the relevant criminal conduct, rather than (or in addition to) being held liable for conducting the underlying conduct itself (e.g. bribery, fraud, tax evasion), and

(ii) an organisation has a full defence to the relevant offence if it can demonstrate that, at the time of the conduct, it had adequate / reasonable procedures in place to prevent it from occurring.

While, fifteen years on, the 'failure to prevent' model is now firmly entrenched in the corporate compliance lexicon, and it is generally well understood that an assessment of prevention procedures will be considered when defending a charge of failure to prevent bribery / fraud (i.e. limb (ii) above), it is less well known that an organisation's culture and prevention measures can and will be assessed at other stages of an enforcement process. This includes determining whether there is a public interest in bringing a prosecution and / or whether there are any aggravating or mitigating factors relevant to sentencing.

The Guidance is published against this backdrop and seeks to provide businesses with more information on exactly when, why and how the SFO assesses corporate compliance programmes.

1.1 The FTP Fraud Offence

Under the FTP Fraud Offence (the newest in the failure to prevent toolkit, having only taken effect in September 2025), in-scope corporate entities can be held criminally liable where an "associated person" (e.g. an employee, agent, subsidiary or person performing services for or on behalf of the entity) commits a "specified fraud offence", intending to benefit either that entity or any person to whom or to whose subsidiary undertaking the associated person provides services on its behalf (i.e. a client) (provided the in-scope entity is not a victim of the fraud).

An in-scope entity is a large organisation which meets at least two of the following three criteria: more than £36 million turnover; more than £18 million in total assets; more than 250 employees. Parent companies are also considered large organisations for the purposes of the FTP Fraud Offence if the group of companies meets similar criteria in aggregate.

There is a full defence to the FTP Fraud Offence where an organisation can demonstrate that: (i) it had reasonable fraud prevention measures in place at the time the offence took place; or (ii) it would have been unreasonable to expect the organisation to have any prevention procedures in place. The burden of proving the defence (on the balance of probabilities) rests with the organisation. The Home Office's statutory guidance (which is largely similar in tone and structure – with some important differences – to the Ministry of Justice guidance published for the FTP Bribery Offence) sets out six principles—proportionate procedures, top‑level commitment, risk assessment, due diligence, communication (including training), and monitoring and review—that should inform "reasonable procedures" and which the SFO will consider when assessing effectiveness. The SFO's guidance on what constitutes reasonable procedures is directly relevant to this defence, and therefore to liability under the FTP Fraud Offence.

1.2 The FTP Bribery Offence

Under section 7 of the Bribery Act 2010, a commercial organisation can be held liable for failure to prevent bribery where an "associated person" (defined on similar terms to the FTP Fraud Offence, but with important differences – for example, under the FTP Bribery Offence a subsidiary is only an associated person where it performs services for or on behalf of the organisation) bribes another person intending to obtain or retain business, or a business advantage, for the organisation.

As with the FTP Fraud Offence, a commercial organisation has a full defence if, at the time of the bribe, it had “adequate procedures designed to prevent persons associated with [it] from undertaking such conduct,” with the burden of proving that defence (on the balance of probabilities) resting on the organisation. The Ministry of Justice’s statutory guidance sets out six principles—proportionate procedures, top‑level commitment, risk assessment, due diligence, communication (including training), and monitoring and review—that should inform “adequate procedures” and which the SFO will consider when assessing effectiveness.

The 'when': Six key scenarios

The Guidance states that the SFO may assess an organisation's compliance programme in the following six scenarios:

  • in determining whether prosecution of an organisation is in the public interest under the Joint SFO-CPS Corporate Prosecution Guidance (i.e. in determining whether there are grounds to bring a prosecution);

  • when considering the use of a Deferred Prosecution Agreement ("DPA") (a DPA is a legal arrangement between an organisation accused of a criminal offence and a prosecutor such as the SFO, under which the organisation agrees to meet specific conditions, such as paying a financial penalty and improving compliance, in order to avoid the full expense, evidential complexity and criminal stigma of a prosecution);

  • when determining whether to include compliance terms and/or a monitorship as part of any DPA;

  • when considering whether an organisation has a defence of “adequate procedures” to a charge of failure to prevent bribery under s.7 Bribery Act 2010;

  • when considering whether an organisation has a defence of “reasonable procedures” to a charge of failure to prevent fraud under s.199 of ECCTA; and/or

  • when the existence and nature of the compliance programme is a relevant factor in sentencing (i.e. are there any aggravating or mitigating circumstances relevant to sentencing).

The 'why' and the 'how': three key takeaways

3.1 Early review

The Guidance confirms that the SFO will evaluate an organisation's compliance programme as part of its prosecutorial decision-making, including at the very earliest stages of its investigation. Evidence will be obtained by the SFO via its normal investigatory tools, including voluntary disclosure, compelled disclosure, witness and suspect interviews, and questions put directly to the organisation under investigation.

Crucially, as a prosecuting authority, the SFO is bound by the Code for Crown Prosecutors (the "Code"), which sets out the general principles to be applied when making decisions regarding prosecutions. The Code sets out that prosecutors must only start or continue a prosecution when the case has passed the following two stages of what is known as the "Full Code Test":

  • the evidential stage; followed by

  • the public interest stage.

In effect, the evidential stage of the Full Code Test requires prosecutors to be satisfied that there is sufficient evidence to provide a realistic prospect of conviction.

As referenced in the Guidance, and set out in greater detail in the Joint SFO-CPS Corporate Prosecution Guidance, when determining whether the evidential stage of the Full Code Test is met in relation to the failure to prevent offences, prosecutors should give careful consideration to the statutory defences to those offences. Namely, they should ask whether the corporate entity had in place such procedures as were adequate (for the purposes of the Bribery Act) or reasonable (under the Criminal Finances Act and ECCTA) in the circumstances to prevent the relevant offending. If the answer to this question is yes, the prosecutor should not proceed with the prosecution, on the basis that there is no realistic prospect of conviction (and the evidential stage of the Full Code Test is therefore not satisfied).

Effective prevention measures can therefore act as a first line of defence, capable of preventing a prosecution before it starts and averting the reputational harm of a prosecution being brought (which can arise regardless of whether a conviction is achieved).

3.2 A holistic assessment

The Guidance emphasises that the SFO's assessment of a compliance programme will be "holistic" and "based on the organisation's individual circumstances", noting there is "no set of preordained answers" to ensure a programme is effective. The Guidance further notes that the existence of policies and procedures does not necessarily mean that the compliance programme is effective, but equally that isolated compliance failures do not necessarily mean that a compliance programme is ineffective or that controls are inadequate.

When conducting investigations, the SFO will "seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground". The key element, it states, is that a compliance programme "needs to be effective and not simply a ‘paper exercise’". It must be proportionate, risk-based, regularly revised and specific to the organisation in question.

The point about isolated failures may offer some reassurance to businesses concerned about compliance under the new FTP Fraud Offence: the SFO notes that isolated failures, if they occur in the context of what the SFO evaluates to be "reasonable procedures", will not necessarily result in liability. Assessment of an organisation's compliance processes is a holistic exercise, and an organisation will not automatically be deemed to have fallen below the relevant standard on the basis of a single failure.

As the statutory test is open-textured ('adequate' / 'reasonable') and there is no pre-ordained set of policies or answers (albeit the relevant statutory guidance does provide a strong steer as to what is expected to be in place), organisations must ensure that, above all, their compliance approaches are defensible, proportionate and tailored to the business.

3.3 The importance of implementation

Organisations should also bear in mind the SFO's other point of emphasis noted above: that procedures must be effective in practice. Here, the SFO seeks to drive home that simply having policies and procedures in place to address the risk of fraud and bribery is insufficient; these must be followed and put into effect, with prosecutors evaluating whether the controls actually work in practice.

Implementation is key, with the SFO emphasising that it will examine "conduct on the ground" to ensure that businesses' procedures are effective – and effectively put into action – in the real world, not just on paper. The SFO has indicated with this Guidance that its analysis of corporate compliance will be in-depth (indeed, it has emphasised the extent of its powers of investigation), and so businesses should make sure that their processes are rigorous, well implemented and targeted to their own specific risks.

Organisations must ensure, therefore, that they are not simply "compliance-washing" – establishing policies and procedures to prevent fraud and bribery but not putting them into effect or taking actual action. Instead, organisations should ensure that their compliance policies and processes are implemented effectively and change behaviour within the company.

What is the Government trying to achieve?

The Guidance is best understood within the context of the Government's broader policy objective of tackling complex fraud and corporate corruption. Although by no means a new goal – the UK has had an anti-corruption strategy in place for over a decade – it is clear that the Government is approaching the matter with renewed intensity. This no doubt stems from its desire for the UK to be seen as a world-leading and trustworthy financial centre in an increasingly turbulent socio-economic environment.

In December 2025, the Home Office published its Anti-Corruption Strategy 2025 (the "Strategy"), which Transparency International welcomed as the UK's most ambitious anti-corruption plan in years. This may be timely: the UK has experienced a noticeable slump in its score on Transparency International's Global Corruption Perceptions Index, dropping sharply from the 7th to the 20th least corrupt nation in the last few years.

The Strategy confirms that a central pillar of the UK's approach to tackling corruption and promoting transparency is to strengthen the prosecutorial and investigatory powers of the UK's enforcement bodies. For example, it sets out the Government's intention to expand the new Domestic Corruption Unit in the City of London Police, support the new Independent Football Regulator to strengthen its anti-corruption capabilities, and continue to support the International Corruption Unit and the International Anti-Corruption Coordination Centre in the National Crime Agency.

The Strategy also states that the SFO will be seeking to capitalise on opportunities presented by artificial intelligence (including piloting a new artificial intelligence investigation assistant) to speed up its investigations. As regards anti-money laundering and counter-terrorist financing supervision, the Government stated its intention to consolidate the supervisory functions of 22 professional services supervisory bodies into the Financial Conduct Authority ("FCA"), which will be given new powers and additional resources to enable it to take decisive action against non-compliance.

In addition to supporting the institutions and bodies that enforce corporate crime in the UK, the Government is also simplifying and expanding the legal framework in which they operate. For example, in addition to introducing the FTP Fraud Offence, ECCTA significantly reformed the law of corporate criminal attribution for a wide range of economic crimes in the UK (including bribery and fraud). The effect of section 196 of ECCTA is that prosecutors are no longer required to prove that an offence was committed by the "directing mind and will" of the company; it is now sufficient to show that the individual was a "senior manager" acting within the actual or apparent scope of their authority. The Crime and Policing Bill (which is currently at committee stage in the House of Lords) proposes to extend the "senior manager" attribution test to all criminal offences.

What should you do next?

Taken together these measures underpin a central theme of the Guidance – that organisations are increasingly (and will continue to be) held accountable for failing to meet expectations regarding compliance standards. With the entry into force of the FTP Fraud Offence and the strengthening of the prosecutorial framework, businesses will need to ensure that their processes for compliance are effective.

Organisations should take steps to ensure their compliance programmes are robust, well implemented and proportionate before an issue arises – and now is as good a time as any to think about reviewing and updating existing procedures, or implementing new procedures where appropriate. As the Guidance makes clear, doing so does not just mean an organisation can establish a defence in the event an incident does occur; it will more generally show the SFO and other stakeholders that a responsible approach is being taken, helping to encourage a more constructive and proportionate engagement with regulators. With the SFO increasingly looking to bare its teeth (and with a wider toolset to deploy), this is becoming ever more important.

Our team at Travers Smith is already helping clients prepare for the new FTP Fraud Offence in a way which is pragmatic, responsive and aligned with their existing compliance framework for the other failure to prevent offences, and is well placed to offer pragmatic advice on this new Guidance. Please feel free to reach out should you have any questions.

Get in touch

John Buttanshaw
Harrie Narain