Out-Law News
The SFO’s updated guidance clarifies its approach to compliance evaluation. Photo: Tom Lee/Getty
03 Dec 2025, 2:43 pm
The Serious Fraud Office (SFO) has published guidance on its updated evaluation criteria in a move designed to make UK businesses go beyond compliance policies on paper, experts have said.
Hinesh Shah and Melanie Ryan of Pinsent Masons were commenting after the SFO issued updated guidance clarifying its approach to evaluating businesses’ compliance programmes, particularly in light of the new failure to prevent fraud offence.
The guidance outlines six scenarios in which the SFO may need to evaluate an organisation’s compliance programme, including: when considering prosecutions; deferred prosecution agreements (DPAs); compliance terms and monitorships; potential defences to corporate offences; and sentencing considerations.
The biggest change follows the new failure to prevent fraud offence, which was introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) and came into effect in September 2025.
Under this new offence, a large organisation will be liable for economic crimes committed by an ‘associated person’, which includes directors, employees and agents of the organisation, who act for the benefit of the business or for the benefit of another associated person of the organisation. A ‘large organisation’ is one which meets two of three criteria: having a turnover of more than £36 million; a balance sheet total of more than £18m; and having more than 250 employees. Penalties include unlimited fines for businesses and separate criminal convictions for any individuals involved in committing the offence.
The SFO says an organisation may have a defence “if, at the time of the offence, they had reasonable procedures in place to prevent fraud” or if the organisation can demonstrate that “it was not reasonable in the circumstance” to expect it to have any procedures in place. However, it reiterates that the burden of proving this defence falls on the organisation itself.
Shah, a forensic accountant at Pinsent Masons, said the updated guidance would send a strong signal to businesses to get their compliance procedures in order. “The refreshed SFO guidance reinforces the importance of practical compliance measures,” he said. “Organisations must go beyond having policies on paper and demonstrate real-world effectiveness, particularly in light of the new failure-to-prevent fraud offence under ECCTA. This means investing resources, embedding controls, ongoing monitoring, and effecting cultural change to mitigate risk and satisfy regulatory expectations.”
Although the SFO acknowledges that many businesses already have “some level” of compliance in place, it says policies alone are insufficient and that compliance should entail developing and implementing anti-fraud and anti-bribery cultures, not tick-box exercises. It says that evaluation will be based on an organisation’s individual circumstances, not a one-size-fits-all model, and expects the revamped guidance to help determine how businesses’ “policies and procedures translate into conduct on the ground.”
The updated guidance follows the publication of joint guidance on corporate prosecution issued by the SFO together with the Crown Prosecution Service in August 2025 and the SFO’s guidance on corporate cooperation and enforcement in relation to corporate criminal offending in April 2025. Separately, the Home Office also published its own statutory guidance in November 2024 that highlighted procedures that businesses can implement to prevent “associated persons from committing fraud”.
Ryan, an investigations specialist at Pinsent Masons, said businesses should pay close attention to the new evaluation criteria to minimise the risk of failing to comply. “The updated guidance does not change the law – it clarifies how the SFO will evaluate compliance programmes and apply public interest factors,” she said. “Companies should focus on evidencing adequate or reasonable procedures, as these will be critical in defending enforcement actions and influencing decisions on deferred prosecution agreements.”
The guidance applies to businesses operating across England, Northern Ireland and Wales. The SFO's jurisdiction does not extend to Scotland, which operates its own self-reporting regime under the Crown Office and Procurator Fiscal Service (the COPFS).