SFO Guidance on Evaluating a Corporate Compliance Programme

Published 26 November 2025

Applies to England, Northern Ireland and Wales

1. Introduction

There are six scenarios in which the SFO may need to evaluate an organisation’s compliance programme. These are to determine whether:

  1. a prosecution of the organisation is in the public interest under the Joint SFO-CPS Corporate Prosecution Guidance (“Corporate Prosecution Guidance”)
  2. to consider a deferred prosecution agreement (DPA) under the Deferred Prosecution Agreements Code of Practice (“DPA Code”)
  3. to include compliance terms and/or a monitorship as part of any DPA under the DPA Code
  4. an organisation has a defence of “adequate procedures” to a charge of failure of a commercial organisation to prevent bribery, under s. 7 of the Bribery Act 2010
  5. an organisation has a defence of “reasonable procedures” to a charge of failure of a commercial organisation to prevent fraud, under s.199 of the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”)
  6. the existence and nature of the compliance programme is a relevant factor for sentencing considerations.

2.1 Decision to prosecute a corporate offence

When considering whether to prosecute a corporate offender, the prosecutor will consider the Full Code Test (“FCT”) within the Code for Crown Prosecutors and the relevant factors set out in the Corporate Prosecution Guidance. The FCT has both an evidential limb and a public interest limb. An assessment of an organisation’s compliance programme is relevant to both the evidential limb of the FCT (see the section on potential defences below) and the public interest limb for which the Corporate Prosecution Guidance notes that:

  • It is a public interest factor in favour of prosecution if “[t]he offence was committed at a time when the company had an ineffective corporate compliance programme”.

  • It is a public interest factor against prosecution when:

    • the corporate management team take a genuinely proactive approach involving “remedial actions” (e.g. to enhance its compliance programme) and

    • there is “the existence of a genuinely proactive and effective corporate compliance programme.”

The prosecutor “needs to establish whether sufficient information about the operation of a company in its entirety has been supplied in order to assess whether the company has been proactively compliant. This will include making witnesses available and disclosure of the details of any internal investigation”.

In summary: the relevant evaluation is of the level of effectiveness and proactivity of the compliance programme, both at the time the offence was committed and at the time of charge.

2.2 Decision to enter into a DPA

When considering whether it is in the public interest to enter into a DPA instead of commencing an immediate prosecution, the prosecutor will consider the DPA Code which stipulates:

  • A public interest factor in favour of prosecution [instead of a DPA] is that “the offence was committed at a time when [the organisation] had no or an ineffective compliance programme and it has not been able to demonstrate a significant improvement in its compliance programme since then.”

This is similar to the public interest factor set out in the Corporate Prosecution Guidance, but considers the possibility that the organisation may have no compliance programme at all and any improvement in an organisation’s compliance programme since the time of offending.

  • Public interest factors against prosecution include co-operation and a “genuinely proactive” approach adopted by the organisation’s management when the offending is brought to their notice, including taking remedial actions and

  • The existence of a proactive compliance programme both at the time of the offending and at the time of reporting which failed to be effective in this instance.

The DPA Code also separately notes that “[a]n important consideration for entering into a DPA is whether [the organisation] already has a genuinely proactive and effective corporate compliance programme.”

The prosecutor may choose to bring in external resource to assist in the assessment of the organisation’s compliance culture and programme for example as described in any self-report.

In summary: the relevant evaluation is of the effectiveness and the proactive nature of the compliance programme at the time of the offending, the time of reporting and the time of entering into the DPA.

2.3 DPA compliance terms and monitorships

Under Schedule 17, section 5(3) of the Crime and Courts Act 2013, a DPA can include requirements that an organisation:

“implement a compliance programme or make changes to an existing compliance programme relating to policies or to the training of [an organisation’s] employee or both.”

The DPA Code specifies that the terms must be tailored to the specific facts of the case, fair, reasonable and proportionate to the offence.

A prosecutor considering a DPA therefore needs to assess whether such terms may be appropriate, and to be ready to justify this to the Court. If a DPA includes terms about the organisation’s compliance programme, the prosecutor will need to be able to assess the expected reforms while the DPA is in force, to determine whether the organisation is complying with the terms of the DPA. The DPA should set out the means and timeline by which the organisation will satisfy the prosecutor of its compliance.

Monitors can also be appointed as part of a DPA. As it is already likely that any organisation eligible for a DPA will have a genuinely proactive and effective compliance programme in place, the necessity of such an appointment should be considered carefully with due consideration to who will bear the responsibility for the monitor’s costs. Any monitor appointment will depend on the factual circumstances of the case and must always be fair, reasonable and proportionate.

If a monitor is included in a DPA:

  • an evaluation will be needed to assess the required scope of the monitor programme. In designing the monitoring programme, regard should be had to contemporary external guidance on compliance programmes.
  • a monitor’s primary responsibility will include “advising of necessary compliance improvements that will reduce the risk of future recurrence of the conduct subject to the DPA.”

In summary: the relevant evaluation is to determine what changes to the compliance programme are fair, reasonable and proportionate and would result in a robust compliance programme, and what compliance improvements are fair, reasonable and proportionate to include in a monitorship agreement.

2.4 Defence to s. 7 Bribery Act offence

When dealing with a potential offence of failure of a commercial organisation to prevent bribery, under s. 7 of the Bribery Act, the organisation has a defence if, at the time of the bribe, the organisation had in place “adequate procedures designed to prevent persons associated with [it] from undertaking such conduct.”

This defence refers to an assessment of “adequate procedures” rather than an assessment of the “compliance programme.” Whilst the burden of proof is on the organisation to prove this defence, on the balance of probabilities, evaluating the likelihood of the defence being raised successfully is an important factor when considering the evidential limb of the FCT.

The Ministry of Justice has published statutory guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (“the Bribery Act Guidance”). The Bribery Act Guidance sets out six principles that should inform the procedures put in place by commercial organisations to prevent bribery. In summary the principles are:

Principle 1: Proportionate Procedures. “A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.”

Principle 2: Top Level Commitment. “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”

Principle 3: Risk Assessment. “The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.”

Principle 4: Due Diligence. “The commercial organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.”

Principle 5: Communication (including training). “The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.”

Principle 6: Monitoring and Review. “The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.”

In summary: the relevant evaluation is whether the organisation had adequate procedures designed to prevent the bribery at the time of the bribe.

2.5 Defence to s.199 ECCTA offence

When dealing with a potential offence of failure of a relevant organisation to prevent fraud, under s.199 ECCTA, the organisation has a defence if, at the time of the offence, it had reasonable procedures in place to prevent fraud, or if it can demonstrate that it was not reasonable in the circumstances to expect the organisation to have any procedures in place.

Note the difference from the Bribery Act of “reasonable” vs “proportionate” procedures, and the fact that an organisation could argue under ECCTA that it was not reasonable to have any procedures in place at all.

This defence refers to an assessment of “reasonable procedures” rather than an assessment of the “compliance programme.” Whilst the burden of proof is on the organisation to prove this defence, on the balance of probabilities, evaluating the likelihood of the defence being raised successfully is an important factor when considering the evidential limb of the FCT.

The Home Office has published statutory guidance about the procedures that relevant organisations can put in place to prevent associated persons from committing fraud (“The Failure to Prevent Fraud Guidance”). This guidance sets out six principles that should inform the procedures put in place by relevant organisations to prevent fraud. Whilst these are very similar to those set out in the Bribery Act Guidance, there are some noteworthy differences (aside from the focus on fraud rather than bribery). These differences are in bold below. In summary the principles are:

Principle 1: Top Level Commitment. “The board of directors, partners and senior management of a relevant body should be committed to preventing associated persons from committing fraud. They should foster a culture within the organisation in which fraud is never acceptable and should reject profit based on, or assisted by, fraud.”

Principle 2: Risk Assessment. “The organisation assesses the nature and extent of its exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment is dynamic, documented and kept under regular review.”

Principle 3: Proportionate Procedures. “An organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.”

Principle 4: Due Diligence. “The organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.”

Principle 5: Communication (including training). “The organisation seeks to ensure that its prevention policies and procedures are communicated, embedded and understood throughout the organisation, through internal and external communication. Training and maintaining training are key.”

Principle 6: Monitoring and Review. “The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary. This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.”

In summary: the relevant evaluation is whether the organisation had reasonable procedures designed to prevent associated persons from committing fraud.

2.6 Sentencing

The Sentencing Council guidelines (effective from 1 October 2014) in relation to corporate offenders for fraud, bribery and money laundering offences involve an assessment of compliance:

  • A “high culpability” factor is a “culture of willful disregard of commission of offences by employees or agents with no effort to put effective systems in place” (currently section 7 Bribery Act only)

  • A “lesser culpability” factor is “some effort made to put bribery prevention measures in place but insufficient to amount to a defence” (currently section 7 Bribery Act only)

  • An alternative measure for calculating harm is “likely cost avoided by failing to put in place appropriate measures to prevent bribery” (section 7 Bribery Act) or “likely cost avoided by failing to put in place an effective anti-money laundering programme” (money laundering).

This guidance has not yet been updated to cover failure to prevent fraud, but it is likely that the culpability factors will be similar to those for failure to prevent bribery.

In summary: the relevant evaluation is the effectiveness of the compliance systems, the effort to put those systems in place and the cost avoided by failing to put the systems in place.

3. FAQs/General Guidance

3.1 Q: What is the difference between “adequate” or “reasonable” procedures and an “effective compliance programme”?

A: Beyond the Bribery Act Guidance or the Failure to Prevent Fraud Guidance there is no formal guidance or interpretation of what constitutes adequate or reasonable procedures (or an effective compliance programme).

Each compliance programme is different. Compliance arrangements vary in scope, depending on the size of the organisation and the nature of the business. Larger organisations may have a unit, such as a compliance department, tasked with overseeing and helping ensure effective compliance across the organisation or even across a whole group of companies. Small and medium-sized enterprises (‘SMEs’) might not have a separate compliance unit, but organisations of any size can be expected to have at least some compliance arrangements. The industry in which the organisation operates can also affect the required or expected compliance arrangements. In some sectors, such as financial services, organisations are expected to have a compliance unit, and effective systems and controls.

A key feature of any compliance programme is that it needs to be effective and not simply a ‘paper exercise’. A compliance programme must work for each specific organisation, and organisations need to determine what is appropriate for the field in which they operate. It is critical that the compliance programme is proportionate, risk-based and regularly reviewed. Compliance arrangements for any particular organisation need to be specific to and effective for that organisation.

References to external sources may assist the determination of what constitutes an effective compliance programme.

For organisations with a US link, the US Department of Justice has issued guidance on the Evaluation of Corporate Compliance Programs (“DOJ Guidance”), which applies across all industries and types of organisations and centres on three key questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

For organisations with a French link, the French Anti-Corruption Agency (“Agence Française Anticorruption” or “AFA”) has issued guidance specific to anti-bribery compliance programmes (“the AFA Guidance”).

3.2 Q: What sources of evidence will the SFO obtain to conduct the evaluation of a compliance programme?

A: The SFO will need to obtain information from a variety of sources about the organisation’s compliance programme. It is important to note that co-operation includes the prosecutor assessing whether sufficient information about the operation of the organisation has been supplied. The sources of this information – in particular, sources of information concerning failures of a compliance programme – are also likely to be sources of information on wider questions such as direct or circumstantial evidence of criminality. Compliance issues will be considered early in the investigation, and this is likely to involve using a variety of the SFO’s investigatory ‘tools’, including:

  • voluntary disclosures and interviews

  • section 2 compelled disclosure of documents or information

  • section 2 witness interviews

  • suspect interviews under PACE (compliance material is considered to be “relevant information” for the purposes of offences under s.2(16) of the Criminal Justice Act 1987)

  • questions put directly to the organisation

3.3 Q: What makes a compliance programme effective or not?

A: There is no set of preordained answers that entitle an organisation to (or disqualify it from) a specific result, decision or recommendation that its compliance programme is effective. The SFO’s assessment will be a holistic one, based on the organisation’s individual circumstances.

The fact an organisation has in place policies, procedures and controls does not necessarily mean that the compliance programme is effective. Many organisations have some level of policies in place. The SFO will seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground.

Isolated compliance failures do not inevitably mean that a compliance programme is ineffective or that anti-bribery and anti-fraud procedures were inadequate. The SFO will consider whether the compliance measures had sufficient systems and controls against circumvention (e.g. having an approval process as well as a system for checking that necessary approvals are in place and adhered to, for example through periodic audits).

The SFO will dig behind generalities and challenge high level assertions. The outcomes or activities that result from the policies and procedures can provide evidence of how effective a compliance programme is (or isn’t).

Joint CPS-SFO Corporate Prosecution Guidance (August 2025)

Criminal Justice Act 1987

Bribery Act 2010

Economic Crime and Corporate Transparency Act 2023

Ministry of Justice, The Bribery Act 2010: Guidance (March 2011)

Home Office, ECCTA Failure to Prevent Fraud Guidance (November 2024)

Sentencing Council, Fraud, Bribery and Money Laundering Offences: Definitive Guideline (October 2014)

Serious Fraud Office and Crown Prosecution Service, Deferred Prosecution Agreements Code of Practice, Crime and Courts Act 2013 (February 2014)

U.S. Department of Justice, Evaluation of Corporate Compliance Programs (updated September 2024)

French Anticorruption Agency, Guidelines to help private and public sector entities prevent and detect corruption, influence peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism (December 2020)