New UK Serious Fraud Office guidance on corporate compliance programmes puts spotlight in the boardroom | McDermott

Overview

On 26 November 2025, the UK Serious Fraud Office (SFO) published guidance on ‘when, why and how’[1] it will evaluate corporate compliance programmes (the Compliance Guidance).[2] The SFO positioned the Compliance Guidance as part of its efforts to provide transparency and clarity on its expectations of corporates, following its updated guidance on self-reporting and cooperation published in April 2025[3] and the Joint SFO-CPS Corporate Prosecution Guidance published in August 2025.[4] The Compliance Guidance is drafted specifically for an external audience and replaces the internal guidance released by the SFO in 2020 (which was part of its operational handbook for prosecutors).

This is the first piece of SFO guidance since the corporate ‘failure to prevent fraud’ offence (FTP Fraud) came into force on 1 September 2025 under the provisions of the Economic Crime & Corporate Transparency Act 2023 (ECCTA).[5] In that context, the fact that the SFO has issued guidance in relation to compliance programmes so soon after the provisions came into force may well suggest an area of focus for investigations under the new offence. This is reinforced by the SFO’s press release, which highlights as a ‘key update’ the incorporation of evaluation criteria for the FTP Fraud offence, including the ‘assessment of any potential defences of reasonable procedures’.

Much of the Compliance Guidance restates the relevant statutory framework and summarises how the SFO already approaches matters in practice. However, as with the Cooperation Guidance, the extra clarity provided by the SFO is welcome. In this alert, we highlight some key points and takeaways from the guidance.

In Depth

Compliance evaluation scenarios

The Compliance Guidance confirms that the SFO may need to evaluate a corporate compliance programme in six scenarios – namely to determine whether:

  • a prosecution is in the public interest;
  • a deferred prosecution agreement (DPA) is in the public interest;
  • a DPA should include compliance terms and/or a monitorship;
  • an organisation has a defence of ‘adequate procedures’ for the purposes of the ‘failure to prevent bribery’ (FTP Bribery) offence under the UK Bribery Act 2010 (UKBA);
  • an organisation has a defence of ‘reasonable procedures’ for the purposes of the FTP Fraud offence under ECCTA; and
  • the compliance programme presents aggravating or mitigating factors relevant to sentencing considerations.

Taken as a whole, this means that organisations can expect scrutiny of their compliance programmes at various stages: (i) at the time of any offending, (ii) early in an SFO investigation, and (iii) at the time the SFO determines the appropriate disposal (i.e. prosecution, DPA, or otherwise).

The SFO will deploy multiple aspects of its investigative armoury to evaluate compliance, including: (i) seeking voluntary disclosures (e.g. in the context of a company seeking cooperation credit); (ii) using its powers to compel the disclosure of documents or information; (iii) interviews of relevant individuals (whether on a voluntary basis, a compelled interview, or a suspect interview); and (iv) putting questions directly to the organisation (e.g. through correspondence or in meetings).

‘Reasonable’ and ‘adequate’ procedures defences

The Compliance Guidance confirms that:

  • the SFO will evaluate the likelihood of an organisation successfully raising the ‘adequate procedures’ defence to the FTP Bribery offence. The SFO will do so proactively and from an early stage in its investigation; and
  • the same approach will be taken in relation to the FTP Fraud offence and the ‘reasonable procedures’ defence. In other words, the SFO will undertake an early ‘assessment of any potential defences of reasonable procedures’.[6]

Specifically, the guidance recognises that evaluating the prospect of either defence being raised successfully is a key factor when considering the evidential limb of the Full Code Test (FCT) in the Code for Crown Prosecutors. In short, a prosecutor must be satisfied that there is sufficient evidence to provide a realistic prospect of conviction, based on the evidence and including the impact of any defence which may be relied on.

A case which does not pass the evidential stage must not proceed to prosecution, no matter how serious or sensitive it may be.[7]

This means that the Compliance Guidance envisages a scenario where the SFO is investigating a potential FTP Fraud offence, deploys its investigative tools to obtain information on the reasonableness of the organisation’s anti-fraud procedures (as at the time of the suspected offending), and concludes that there is no realistic prospect of conviction because the organisation would be able to successfully rely on the reasonable procedures defence. In that case, the evidential limb of the FCT would not be satisfied and the SFO would be precluded from prosecuting (or pursuing a DPA).[8] In essence, this means that effective anti-fraud procedures are capable of disposing of an investigation at an early stage, rather than being deployed as a defence much further down the line. This provides a powerful incentive to invest in proper anti-fraud compliance now.

What is ‘reasonable’ or ‘adequate’ or ‘effective’?

All the above begs the question of what makes a compliance programme ‘reasonable’ or ‘adequate’ or ‘effective’. In this respect, the Compliance Guidance acknowledges that there is no formal guidance beyond that set out in the UKBA guidance[9] and the ECCTA guidance.[10] Both documents were issued by other government departments in specific contexts and the SFO simply summarises the six key principles from each.[11] However, stepping back, the SFO does offer some additional colour on the issues it will probe when evaluating a compliance programme in any of the six scenarios:

  • Programme design: The SFO emphasises on multiple occasions that it expects compliance programmes to be tailored to the specifics of each organisation. Corporates are expected to adopt a risk-based approach, tailoring controls to sector-specific risks and geographic exposure.
  • Substance over form: It is not enough for a programme to exist on paper or in corporate messaging; it must be properly implemented, and demonstrably effective. In this respect, the SFO will ‘seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground’.
  • Focus on outcomes: Perhaps above all, the guidance indicates that the SFO will focus on outcomes. In this respect, the SFO will look to ‘outcomes or activities that result from the policies and procedures’ as evidence – beyond high level assertions – of whether a compliance programme is effective. This will include considering whether there are sufficient anti-circumvention systems and controls.

Nevertheless, the discussion is at a relatively high level and the SFO provides little in the way of concrete suggestions on what corporates might do to translate the above principles into practice. Rather, the SFO points towards two non-UK sources which provide some additional meat on the bones – the US Department of Justice (DOJ) guidance on the Evaluation of Corporate Compliance Programs[12] and two documents issued by the French Anti-Corruption Agency in relation to anti-bribery compliance.[13]

Many practitioners in multinational organisations will be familiar with the DOJ guidance in particular as representing something of a global ‘gold standard’. The DOJ guidance merits review on its own terms, but its contents chime with the SFO’s focus on outcomes and flesh this out in a practical sense, in most cases in greater depth than the UKBA or ECCTA guidance. This includes, for example, heightened focus on the use of data as a powerful tool to (i) prevent and detect misconduct and (ii) empower corporates to measure the success and effectiveness of their compliance programmes.[14]

Takeaways

The Compliance Guidance provides a good opportunity for corporates to take stock of the design and implementation of their compliance programmes and to consider whether they measure up to the SFO’s expectations. In doing so, the following aspects may be particularly relevant:

  1. Prepare for scrutiny in investigations: Corporates should anticipate detailed SFO inquiries into compliance programmes at an early stage of (and throughout) an investigation. This means maintaining comprehensive records of things like programme design, implementation, and effectiveness. Evidence such as training logs, monitoring reports, data on internal investigation outcomes, and documented remedial actions will be critical in demonstrating substance over form.
  2. Embed compliance as a living framework: Corporates should ensure that compliance programmes are not static documents but dynamic frameworks that evolve with the business and its risk profile. Regular risk assessments are essential, particularly in light of legislative developments such as the FTP Fraud offence. These assessments should be documented (with appropriate consideration of privilege risk[15]) and demonstrably linked to programme enhancements.
  3. Monitoring and review: Dynamic monitoring is another priority. Programmes should be regularly reviewed and adapted to reflect evolving risks, with documented evidence of updates. The growing role of technology is particularly relevant in this context: organisations should leverage data analytics and monitoring tools to prevent and detect misconduct and test the effectiveness of their compliance measures.
  4. Demonstrate senior leadership commitment: Visible and sustained engagement from senior management is critical. Boards and executives should actively champion compliance initiatives, allocate adequate and proportionate resources, and maintain clear lines of accountability. Evidence of leadership involvement, such as minutes of compliance-focused board discussions, will be relevant in any SFO evaluation. In this respect, it is notable that the SFO’s press release highlights culture as a cornerstone of compliance:

    ‘[e]ffective compliance is not a tick-box exercise – it’s about creating genuine cultures that prevent fraud, bribery and corruption’.[16]

Conclusion

The SFO signals a clear expectation: compliance must be embedded, demonstrable, and outcome driven. It must not be seen as a box-ticking exercise – as the guidance makes clear, compliance is a strategic imperative that can influence prosecutorial decisions, the negotiation of DPAs, and sentencing outcomes.

It is also evident from the guidance that there is a clear alignment with global standards and expectations. However, the SFO has emphasised that it requires tailored and proactively effective compliance programmes for the purposes of the relevant UK law offences, and that it will scrutinise them through a UK lens using all the powers at its disposal.

Bearing in mind the broad ambit of the offences under the relevant legislation and their extensive extra-territorial application, combined with a clear appetite for prosecution, companies that under-invest in compliance do so at their peril. Only robust, properly designed and implemented compliance programmes will pass muster. Without that, there is no entitlement to the corporate defence and a prosecution is considerably more likely. It is also clear that the proper resourcing and supervision of compliance is considered to be an issue of governance, which both starts and ends in the boardroom. Indeed, it is highly likely that initial subpoenas and investigations will focus on board deliberations and the actions (or inaction) of board members and executives.[17]

Endnotes

[1] https://www.gov.uk/government/news/refreshed-guidance-to-evaluate-corporate-compliance

[2] https://www.gov.uk/government/publications/sfo-guidance-on-evaluating-a-corporate-compliance-programme

[3] See our detailed alert on this guidance: UK Serious Fraud Office Issues Significant New Guidance on Corporate Self-Reporting – What It Means for Your Business

[4] https://www.gov.uk/government/publications/joint-sfo-cps-corporate-prosecution-guidance

[5] The FTP Fraud offence (under the UK Economic Crime and Corporate Transparency Act 2023) makes in-scope organisations criminally liable for failing to prevent ‘fraud’ by their employees, agents, subsidiaries and other ‘associated persons’. The FTP Fraud offence can capture a very wide range of conduct anywhere in the world. The only defence is for the organisation to prove that it had ‘reasonable fraud prevention procedures’ in place. See our detailed alert: The UK Economic Crime & Corporate Transparency Act 2023: What Companies Need to Know

[6] https://www.gov.uk/government/news/refreshed-guidance-to-evaluate-corporate-compliance

[7] The same analysis is also relevant to DPAs – a prerequisite under the DPA Code of Practice is that (i) the evidential limb of the FCT is met or (ii) there are reasonable grounds for believing that continued investigation would yield further evidence within a reasonable period, such that the evidential limb of the FCT would then be satisfied.

[8] See note 7 above.

[9] The Bribery Act 2010 – Guidance

[10] Guidance to organisations on the offence of failure to prevent fraud

[11] Top level commitment, risk assessment, proportionate procedures, due diligence, communication (including training), and monitoring and review.

[12] https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=

[13] https://www.agence-francaise-anticorruption.gouv.fr/files/files/French%20AC%20Agency%20Guidelines%20.pdf

[14] See the previous alert from our US colleagues for further information: DOJ Makes Key Revisions to Corporate Compliance Program Guidance

[15] See the practical suggestions in this regard in our previous alert: The UK Economic Crime & Corporate Transparency Act 2023: What Companies Need to Know

[16] Matthew Wagstaff, SFO Director of Legal Services, quoted in https://www.gov.uk/government/news/refreshed-guidance-to-evaluate-corporate-compliance

[17] See further the extensive provisions relating to ‘top level commitment’ in section 3.1 of the ECCTA Guidance and the comment in section 2.6 that “Any decision made not to implement procedures to prevent a specific risk should be documented, together with the name and position of the person who authorised that decision”.