Internal controls must be tailored, proportionate, and risk-based — not just a “paper exercise”.
By Erin Brown Jones, Clare Nida, and Matthew Unsworth
Last week, the UK Serious Fraud Office (SFO) published its updated “Guidance on Evaluating a Corporate Compliance Programme” (the Guidance). The agency’s previous guidance was published in 2020 as an eight-page segment in the SFO Operational Handbook. The latest iteration is very much public-facing, with a helpful FAQ section and updates to reflect the “failure to prevent fraud” (FTPF) offence, which entered force on 1 September 2025 (see this Latham blog post). These points aside, the Guidance is largely unchanged — it has been refreshed rather than rewritten.
The SFO stated that the Guidance “provides organisations with clear expectations” about the evaluation of their compliance programmes.[1] In practice, the Guidance focuses on when the SFO will assess a compliance programme rather than what or how it will assess. In short, the SFO will assess a corporate’s compliance programme to determine whether:
- It is in the public interest to prosecute the corporate;
- To enter into a deferred prosecution agreement (DPA) with the corporate;
- To include compliance terms or a monitorship as part of any DPA;
- The corporate can raise the “adequate” procedures defence to a charge of failure to prevent bribery under the Bribery Act 2010 (UKBA);
- The corporate can raise the “reasonable” procedures defence to a charge of FTPF; and/or
- The existence and nature of the compliance programme is a relevant factor for sentencing considerations.
The Guidance is certainly far less detailed than the US Department of Justice (DOJ)’s “Evaluation of Corporate Compliance Programmes” (ECCP) guidance,[2] which is a widely used benchmark for corporate compliance best practices and is cited in the Guidance. Nevertheless, the Guidance reflects the desire of SFO Director, Nick Ephgrave, to be more transparent about how the agency works with corporates, and follows the launch of new Joint SFO-CPS Corporate Prosecution Guidance in August and the SFO Cooperation Guidance in April.
We set out below our four key takeaways from the Guidance:
1. “Reasonable” vs “Adequate” Procedures
An organisation prosecuted for FTPF under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) will have a defence if it can demonstrate that it had “reasonable” fraud-prevention procedures in place at the time the base fraud offence was committed. This is distinct from the “adequate” procedures defence under the UKBA.
The Guidance notes the distinction between “reasonable” and “adequate”, and suggests that “reasonable” is a lower threshold, at least insofar as an organisation could technically argue that it was reasonable not to have any procedures in place at all. However, the Home Office’s specific guidance on FTPF (published in November 2024)[3] warns that “it will rarely be considered reasonable not to have even conducted a [fraud] risk assessment”. Furthermore, unlike the UKBA offence, FTPF only applies to “large organisations”,[4] and it would only be in very limited circumstances that an organisation meeting this threshold could plausibly argue that it had no fraud risk to mitigate.
The Guidance repeats the Home Office’s six key fraud-prevention principles that should inform an organisation’s approach to designing and implementing anti-fraud measures: proportionate procedures; top-level commitment; risk assessment; due diligence; communication; and monitoring and review. The Guidance notes that, although the burden of proof is on the organisation to prove the “reasonable” procedures defence, the likelihood of the defence being raised successfully will be an “important factor” in the decision whether to prosecute. A strong, fully implemented, and demonstrable compliance programme could therefore materially reduce the risk of a corporate prosecution for FTPF.
2. There’s Always Room for Improvement
As noted above, the “reasonable” and “adequate” procedures defences under ECCTA and the UKBA respectively apply when an organisation can demonstrate it had compliance measures in place at the time the base offence took place. However, the Guidance emphasises that prosecutors will take a longer view and will evaluate improvements to a corporate’s compliance programme after the offending took place to determine whether a prosecution is in the public interest. There will be a lesser public interest in prosecuting a corporate that has made a serious effort to bolster inadequacies in its compliance programme.
The SFO cites the Joint SFO-CPS Corporate Prosecution Guidance, which states that a public interest factor against prosecution is where “a genuinely proactive approach [is] adopted by the corporate management team when the offending is brought to their notice”.[5] There is also a reference to the DPA Code of Practice (Code), which sets out factors that prosecutors should consider when negotiating a DPA with a corporate. The Code provides that, if “the offence was committed at a time when [the organisation] had no or an ineffective compliance programme and it has not been able to demonstrate a significant improvement in its compliance programme since then”, that is to be considered a public interest factor in favour of prosecution.[6]
Prevention is better than cure. However, the Guidance indicates that the SFO will look more favourably on organisations that try to shape up their compliance programmes in the face of reported issues, compared to those that turn a blind eye. There is a parallel here with the approach of the DOJ. In determining whether to charge a corporate, one of the factors that DOJ prosecutors will consider is the “adequacy and effectiveness” of the corporate’s compliance programme, not only at the time the offending took place, but also at the time of a charging decision.[7]
3. Ongoing Testing Is Essential
The SFO says that it will seek to get behind high-level assertions about corporate compliance programmes and assess whether they are actually being implemented in practice, or whether they are merely a “tick box” exercise. As part of this, prosecutors will consider what controls are in place against circumvention, whether those controls have been tested, and how they have been tweaked over time in response to any issues identified.
For example, an organisation may, on paper, have a clearly defined approvals process for corporate gifts, hospitality, and entertainment, but the SFO may want to see how that system is being stress-tested in practice. Are expenses records and registers diligently maintained, or are there missing, incomplete, or inaccurate entries? Are those records and registers periodically audited? Have “dummy” expenses been submitted to test whether the relevant finance, accounting, or compliance function is picking up suspicious activity? Can the organisation leverage AI and other emerging technologies to assist with controls testing? Have there been any historic issues with the approvals process and how has it been updated in response?
Like the SFO, the DOJ will also seek to understand how a compliance programme works on the ground, and one of the three core questions in the ECCP guidance is “Does the corporation’s compliance program work in practice?” Periodic testing and continuous improvement were a key focus of the 2024 updates to the ECCP. The DOJ emphasised that corporates should be “learning lessons” from their own prior misconduct to update their compliance programmes,[8] and that one of the hallmarks of an effective compliance programme is “its capacity to improve and evolve”.[9]
There is no one-size-fits-all approach to how a programme should be tested and iterated. However, the SFO (and DOJ) expects that corporates will find ways to monitor the effectiveness of their internal controls and strengthen them where necessary.
4. The SFO Will Use Its Powers to Compel Information
The Guidance states that the SFO will leverage its full suite of information-gathering tools to obtain information about a corporate’s compliance programme, including compelled requests for information and documents under Section 2 of the Criminal Justice Act 1987.
Corporates should be mindful that, as part of its review of a compliance programme, the SFO may dig back through the archives of past reports and allegations of wrongdoing, how they were investigated, and what remedial measures were taken. SFO investigators may also compel production of past audit reports and records of effectiveness testing. As and when issues arise, it is important to have a paper trail to show that those issues were robustly investigated and all necessary steps were taken to remedy them (while taking care to preserve privilege where applicable). If the SFO discovers skeletons in the closet, the scope of its investigation could broaden.
Conclusion
In short, the Guidance reinforces that the “reasonable” or “adequate” procedures defence is a live defence that will be tested on the evidence. Large organisations should pressure-test internal compliance controls, document remediation, and be ready to demonstrate effectiveness. Put simply, proactive risk assessment, proportionate uplift, and credible monitoring will be decisive in both the evidential and public-interest calculus.
Latham has extensive experience advising on uplifts to corporate compliance programmes across a wide range of sectors, as well as defending organisations in enforcement proceedings by all major UK regulators and prosecuting bodies. If you have questions about this blog post, please contact one of the authors or the Latham lawyer with whom you normally consult.
This post was prepared with the assistance of Greer Clarke in the London office of Latham & Watkins.
