5 key points on the SFO’s new compliance programme guidance

The SFO’s updated guidance clarifies how it assesses compliance programmes, links expectations to Bribery Act/ECCTA offences, and aligns UK and global standards

28 November 2025

Publication


A clearer picture of how the SFO evaluates compliance

The SFO's refreshed guidance brings together and builds on concepts previously set out in a range of sources, including the SFO's 2020 Operational Handbook, the Ministry of Justice's "adequate procedures" guidance under the Bribery Act 2010, Home Office materials under ECCTA, and case-by-case commentary in DPA judgments.

For the first time, corporates now have a single document explaining how the SFO approaches compliance: what it will examine, how it assesses effectiveness and how its findings influence decisions on prosecution and resolution. While the guidance does not introduce new legal thresholds, it offers a more structured, transparent framework for understanding how the SFO evaluates corporate compliance programmes in practice.

Below are our five key takeaways from the new guidance.

1. The elements are familiar, but the SFO's lens is clearer

The SFO is not redefining the established components of a compliance programme. The themes it highlights (tone from the top, proportionate procedures, governance, training, risk-based controls, and monitoring) reflect concepts already embedded in the Bribery Act and ECCTA guidance.

What the guidance does provide is greater clarity on how these elements are evaluated in practice, including the SFO's focus on:

  • whether the programme is genuinely implemented

  • whether it operates effectively in practice

  • challenging unsupported high-level assertions

This emphasis on operational scrutiny provides corporates with a better understanding of how the SFO examines compliance in real-world settings.

2. Stronger emphasis on real-world effectiveness

Building on existing guidance, the SFO explicitly underscores that compliance programmes must work in practice. The SFO's refreshed guidance goes further by emphasising demonstrable effectiveness as the defining test.

The SFO notes that a programme may look comprehensive on "paper" but still fail to operate effectively. It will therefore consider:

  • whether staff understand and follow procedures

  • how culture and leadership shape compliance behaviour

  • how weaknesses are detected and addressed

  • whether controls operate in reality in the way the organisation claims.

Our experience preparing large-scale, demonstration-style compliance presentations for UK enforcement authorities also reflects this shift in emphasis. These exercises reflect that the SFO increasingly tests how controls operate in practice, how decisions are escalated, how staff apply procedures day-to-day, and how compliance is evidenced through actual behaviour rather than policy statements. This type of practical scrutiny underlines the importance of being able to demonstrate effectiveness, not merely assert it.

3. A clearer expectation that programmes are reviewed and updated

The guidance reiterates the importance of keeping compliance programmes under review. While not a new requirement, the SFO's presentation is more explicit: periodic assessment and refresh are essential to maintaining an effective programme.

The SFO will consider whether corporates take steps to ensure procedures remain proportionate to current risks. Although the guidance does not prescribe specific triggers for review (such as acquisitions or restructurings), it reinforces the broader expectation of ongoing reassessment.

4. More visible alignment with international practice

Unlike previous SFO publications, the new guidance expressly refers to comparator regimes, including the U.S. Department of Justice's Evaluation of Corporate Compliance Programs and France's AFA guidance. Both of these guidance notes remain considerably more extensive and granular as regards compliance expectations than the SFO's new guidelines.

This reference does not import foreign legal standards, but it does acknowledge the international compliance landscape. Importantly, the SFO notes that "references to external sources may assist the determination of what constitutes an effective compliance programme". On that basis, it may be prudent for corporates to take account of these foreign guidelines when designing, monitoring or reforming their compliance programmes, even where there is no direct US or French connection, simply because they are more detailed and therefore more informative when considering what an effective compliance programme looks like.

More broadly, the guidance reflects the SFO's ongoing approach of collaborating with international counterparts on enforcement and compliance matters. It also signals an intention to present UK expectations in a way that is more recognisable to global organisations used to working within those frameworks.

5. Clarifying "reasonable" vs "adequate" procedures

The FAQs note, for the first time, the distinction between:

  • The "adequate procedures" defence under the Bribery Act 2010

  • The "reasonable procedures" defence under the ECCTA failure-to-prevent fraud offence

The guidance emphasises that for either offence, a compliance programme must be effective, proportionate and risk-based in practice.

In line with the wider guidance, assessment of this will consider:

  • whether procedures were applied at the time of the alleged misconduct

  • how procedures were monitored and enforced

  • whether the programme addresses the specific risks faced by the organisation

While there are similarities between the two standards, each statutory defence is assessed on its own facts. The guidance does not explicitly state whether a programme designed to meet one standard would automatically satisfy the other, but it does imply that the SFO will assess compliance against the specific statutory threshold relevant to the alleged misconduct.

The SFO's refreshed guidance does not create new legal obligations. Its value lies in bringing clarity and consolidation, providing a single reference point for corporates to understand how compliance programmes are evaluated, what "effective" compliance looks like, and how assessments feed into prosecutorial and DPA decisions.

For corporates reviewing systems in light of the new ECCTA failure-to-prevent fraud offence, the guidance offers practical direction on how the SFO will approach compliance assessments in practice and a clearer benchmark for maintaining robust, risk-based programmes.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.