The Serious Fraud Office (SFO) closes 2025 with its third revamped guidance document for businesses. After updating its corporate co-operation guidance and the joint CPS guidance on corporate prosecutions earlier in the year, the SFO has just published a refreshed edition of its guidelines on evaluating corporate compliance programmes.
The free-standing guidance remains in line with the SFO’s drive to reset the tone and build a cooperative relationship with corporates (including those under investigation, to the extent that is possible).
The guidance identifies three main areas where corporate compliance programmes will be of relevance to the SFO:
(1) when determining whether to prosecute;
(2) when determining whether it is appropriate to offer a DPA and its terms; and
(3) when making sentencing submissions following a guilty plea or verdict.
Of course, the decision-making across points one and two is closely interlinked (and point three is a worst-case scenario that corporations will hope to avoid).
Like other recent SFO publications and speeches, the new guidance emphasises the need for genuine proactivity; papering over compliance cracks with neat-looking but ineffective compliance programmes will not be sufficient. In fact, the guidance and accompanying press releases take great pains to emphasise that compliance is not a box-ticking exercise, and the SFO will look behind “announcements” and “generalities” to assess practical implementation.
At the same time, the guidance makes clear that the SFO will take a holistic view on effectiveness and look at each corporate’s individual circumstances. The SFO also accepts that one size does not fit all, and while it is unable to provide a definitive list of what makes compliance programmes effective, it acknowledges that an organisation’s size will influence what form its programme takes. The guidance also makes clear that even small corporations will be expected to have at least some compliance arrangements in place, even if these do not take the shape of a formal compliance team. Of course, regulated entities in the financial services sphere will be subject to heightened industry-specific requirements.
It is clear from the guidance that the SFO will look at the skeletons in corporate cupboards when assessing the effectiveness of compliance programmes. It is interested in how a programme functioned at the time of alleged wrongdoing as well as how it is functioning in the present. The guidance also reassures businesses that an isolated compliance failure will not automatically render their programme ineffective in the SFO’s view. Corporations must be prepared to tackle knotty issues of privilege, given the guidance makes clear that the SFO expects them, as part of providing information about their compliance programmes, to also make witnesses available and share details of internal investigations.
This underlines the importance of obtaining legal advice, including on potential self-reporting to the SFO, at an early stage. The guidance also makes clear that the SFO will not be shy to use its full toolkit, including compelled powers, to obtain information on compliance efforts.
No law enforcement guidance in 2025 would be complete without considering the new corporate failure to prevent fraud offence (introduced by the Economic Crime and Corporate Transparency Act 2023 but only in effect as of 1 September 2025). Helpfully, the guidance does so by contrasting the “reasonable procedures” defence with the “adequate procedures” defence available for corporates under the Bribery Act 2010. In the case of both offences, it will be on the corporate defendant to raise and prove that it had the right processes in place to prevent wrongdoing by individuals – but whether it may be able to do so successfully will be an important factor for the SFO when considering whether there is sufficient evidence to merit prosecution. As corporations will know, the statutory guidance for each offence identifies six principles indicating good corporate governance, and the existence of effective compliance programmes will be of relevance to all twelve.
Where does this leave businesses? As usual, the guidance provides no guarantees and an effective compliance framework on its own will be unlikely to stave off prosecution if the offending is particularly egregious, or it is otherwise deemed to be in the public interest to prosecute, especially if no other factors in favour of a DPA are present.
Conversely (and predictably), the lack of an effective compliance programme will weigh heavily in favour of prosecuting over offering a DPA, as long as the other building blocks of a successful case are present.