UK Serious Fraud Office shifts focus on compliance: From paperwork to performance

By Alon Kohalny, 30 March 2026

A few months after the precedent-setting Failure to Prevent Fraud offence came into force in the UK on 1 September 2025, the Serious Fraud Office (SFO) substantially updated its guidance for evaluating corporate compliance programmes.[1] This development is widely regarded as one of the most significant regulatory steps in recent years, reshaping expectations placed on companies operating in the UK and internationally.

The new offence created by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) profoundly alters the traditional boundaries of corporate criminal liability. For the first time, companies may be held criminally responsible not for acts they committed, but for failing to put in place reasonable preventative mechanisms to stop fraud carried out by employees or associated persons. 

Against this backdrop, prosecutors required a coherent and operational framework for assessing the effectiveness of compliance structures. The new SFO guidance aims to fill this gap.

End of the 'tick-box' era

The guidance marks a clear shift from a formalistic evaluation of compliance to a performance-based model. A corporate compliance programme will no longer be assessed simply by the existence of documented policies or a “procedures file”. Rather, prosecutors are instructed to evaluate the actual operation of the programme. 

There is renewed focus on how the organisation identifies risks, responds to incidents, supervises employees, trains its workforce, manages whistleblowing channels, embeds controls into business processes, and, crucially, whether the programme demonstrably influences behaviour within the organisation.

The SFO guidance emphasises that compliance should not be a “tick-box exercise”. Instead, it is defined as a sophisticated managerial ecosystem which must support integrity, accountability and risk mitigation. 

The programme must be dynamic, regularly reviewed, and capable of adapting to changes in the company’s risk profile, operational environment or regulatory landscape. 

This approach is consistent with broader global trends, including the US Department of Justice’s repeated updates to its own Evaluation of Corporate Compliance Programs, which similarly emphasise implementation, testing and continuous improvement.

Harmonising fraud and bribery standards

A central innovation is the alignment of expectations across fraud-related and bribery-related obligations. Under the Bribery Act 2010, corporations have long been required to demonstrate “Adequate Procedures”[2] to prevent bribery. 

The new Failure to Prevent Fraud offence adopts “Reasonable Procedures”[3] as its standard – slightly different wording that allows for a more tailored and proportional approach, while still imposing meaningful obligations on organisations to demonstrate active fraud-risk mitigation.

The guidance harmonises the expectations under these two offences and provides a unified conceptual framework for what compliance should look like in practice. 

Although the legal standards differ, the underlying principles remain aligned: proportionate risk assessment, clearly articulated policies, effective training, robust oversight, meaningful investigation of red flags, and a strong ethical culture led by senior management.

When is a compliance programme assessed?

For the first time, the guidance sets out explicitly the circumstances in which prosecutors will assess the adequacy and effectiveness of a compliance programme:

  1. Charging decisions: When determining whether prosecution is in the public interest.
  2. Deferred Prosecution Agreements (DPAs): When assessing the suitability of a company for a DPA and determining whether alternative resolutions may be appropriate.[4]
  3. Setting DPA conditions: When defining the compliance conditions, obligations, or external monitoring requirements within a DPA.
  4. Assessment during internal investigation: When evaluating how the company responded to the misconduct once it became aware of it.
  5. Sentencing considerations: When determining aggravating and mitigating factors in the final penalty.

This structured approach positions the compliance programme as a decisive factor in determining corporate liability. It confirms that organisations must demonstrate that their programme existed before the misconduct occurred and that it was operated meaningfully and consistently.

Remediation: An indicator of organisational integrity

The guidance places significant emphasis on remediation. Prosecutors are instructed to examine whether senior management has taken meaningful corrective steps, for example:

  • Conducting a thorough internal investigation
  • Making structural or procedural changes
  • Replacing managers responsible for failings
  • Updating policies and procedures
  • Implementing technological or control improvements
  • Enhancing training or whistleblowing channels
  • Cooperating fully and transparently with the SFO

Meaningful remediation is considered a strong indicator of organisational integrity and an essential component of demonstrating an authentic compliance culture. The SFO emphasises that superficial or symbolic measures will not suffice.

Implications for compliance officers

The guidance significantly increases expectations for compliance professionals. Within the updated framework, the Chief Compliance Officer (CCO) is positioned as a central actor in ensuring that the compliance programme is not merely conceptual but functions effectively in practice. The CCO must demonstrate professional competency, independence, adequate resourcing, and operational authority within their organisation.

The SFO implicitly indicates that organisations lacking a professionally qualified, internationally recognised compliance officer – or those that assign the function to individuals without appropriate experience or training – may find it difficult to prove that their procedures meet the “Adequate” or “Reasonable Procedures” tests. The guidance therefore increases the CCO’s responsibilities and requires:

  • Documented risk assessments
  • Evidence of training effectiveness
  • Clear reporting lines and independence from commercial pressures
  • Control testing and audit trails
  • Consistent incident management
  • Demonstrated influence on organisational behaviour

For compliance professionals, this shift represents both a challenge and an opportunity: a challenge because the expectations are now higher, but an opportunity because the centrality of the compliance function is more formally recognised than ever before.

A broader regulatory movement

By adopting a structured and transparent framework, the UK’s SFO aligns itself with developments in the US, Canada, Australia, and the EU, where enforcement agencies increasingly demand evidence-based compliance, rather than formal statements of intent.

This global trend reflects growing recognition that effective compliance programmes are not administrative burdens, but essential mechanisms for preventing corporate misconduct and safeguarding market integrity. 

Evolving evaluations

The SFO’s updated guidance represents a substantial evolution in the assessment of corporate compliance. Compliance programmes will no longer be viewed as symbolic declarations or collections of policies, but as operational systems embedded within an organisation’s behavioural DNA. The guidance makes clear that prevention, detection, governance and ethical culture are inseparable components of a functioning compliance framework.

For companies operating within the UK, and increasingly for multinational corporations engaged in cross-border activities, the implications are far-reaching. Firms must strengthen their governance structures, ensure that their compliance personnel meet recognised international standards, allocate adequate resources, invest in technology and control testing, and maintain dynamic compliance processes capable of meeting the heightened expectations of modern enforcement authorities.

The guidance reflects a decisive regulatory shift from principle-based to evidence-based scrutiny. As fraud and bribery risks continue to evolve, so too must the compliance frameworks designed to mitigate them. Companies that adapt proactively will be best positioned to navigate the new enforcement landscape and demonstrate genuine commitment to integrity and responsible corporate conduct.

About the author

Alon Kohalny

Alon Kohalny Adv. CCO is a lawyer and compliance expert, member of the editorial board of inCOMPLIANCE and a member of the ICA’s Global Practitioner Advisory Board.