Bold claim: compliance on paper isn’t enough—real-world effectiveness is now the baseline. The Serious Fraud Office (SFO) has released updated guidance clarifying how it will assess corporate compliance programs, urging UK companies to move beyond tick-box policies and demonstrate tangible anti-fraud and anti-bribery practices.
Commentators from Pinsent Menson, Hinesh Shah and Melanie Ryan, noted that the updated guidance comes as the ECCTA’s new failure-to-prevent-fraud offence takes effect, prompting organisations to rethink how their programs actually operate, not just what they say they do on policy documents.
Key takeaways from the guidance include six scenarios where the SFO might review an organisation’s compliance program: to inform prosecutions; in the context of deferred prosecution agreements (DPAs); for monitoring and terms of compliance; when considering potential defences to corporate offences; and in sentencing considerations. The update places particular emphasis on the practical implementation of controls and ongoing monitoring, rather than mere policy creation.
The ECCTA’s failure-to-prevent-fraud provision defines large organisations as those meeting at least two of three thresholds: turnover over £36 million, a balance sheet total exceeding £18 million, and more than 250 employees. Under the offence, a company can be held liable for fraud committed by an associate—such as directors, employees, or agents acting for the benefit of the organisation or another associated person. Penalties can include unlimited fines for the company and separate criminal convictions for individuals involved.
Defensive options exist. A company may defend itself by showing it had reasonable procedures in place at the time of the offence to prevent fraud, or that it would not have been reasonable to expect such procedures given the circumstances. The onus of proof for this defence rests with the organisation.
Shah emphasises that the new guidance signals a strong push for genuine compliance improvement. The guidance stresses that effective compliance requires more than written policies; it requires concrete, real-world controls, resources, culture, and continuous monitoring to reduce risk and satisfy regulatory expectations.
While acknowledging that many organisations already maintain some compliance infrastructure, the SFO makes clear that policies alone are insufficient. The evaluation will be tailored to each organisation’s unique context, with the aim of ensuring that policies and procedures translate into actual conduct. The overarching message is: embed a robust anti-fraud and anti-bribery culture, not a superficial checklist.
The updated guidance complements broader concurrent initiatives, including joint corporate prosecution guidance with the Crown Prosecution Service (CPS) issued in August 2025 and the SFO’s corporate cooperation and enforcement guidance from April 2025. The Home Office also released detailed guidance in November 2024 outlining procedures to prevent fraud by associated persons.
Ryan notes that while the law remains unchanged, the interpretation and application by the SFO are becoming clearer. Companies should prioritise proving that they maintain adequate or reasonable procedures, as this evidence will be critical in defending enforcement actions and shaping decisions on DPAs and other outcomes.
Geographically, the guidance covers England, Northern Ireland, and Wales, with Scotland operating under its own regime via COPFS.
Should businesses revise their programs now? If aiming to reduce enforcement risk, the answer is yes: focus on proving that compliance measures are embedded in daily operations, monitored over time, and culturally integrated throughout the organisation. What are your thoughts on the balance between policy and practice in corporate compliance? Would this shift change how you approach risk management in your own organisation?
