Client Alert

UK Serious Fraud Office Issues Guidance for Evaluating Compliance Programmes, Echoes DOJ Guidance

24 Jan 2020

On 17 January 2020, the UK’s Serious Fraud Office (the “SFO”) released guidance on evaluating compliance programmes (the “SFO Guidance”). This is the first time the SFO has issued guidance on how it will assess the effectiveness of an organisation’s compliance programme. The guidance forms part of the SFO’s internal Operational Handbook; the SFO said it published it in the interests of transparency, with the disclaimer that it should not be relied on as the basis for any legal advice or decision. The SFO Guidance nonetheless not only assists organisations in evaluating the strength of their compliance programmes but also sets out what organisations can expect from the SFO, and what remediation measures they should take in relation to their compliance programmes, if they are being investigated by the SFO.

The SFO Guidance, which must be read together with the SFO’s Guidance on Corporate Prosecutions and Code for Crown Prosecutors, covers three key areas:

  • Stages at which the SFO may consider the state of an organisation’s compliance programme;
  • How assessment of a compliance programme will fit within a wider SFO investigation; and
  • The “Six Principles” the SFO will consider when assessing an organisation’s compliance programme.

Stages at which the SFO may consider the state of a compliance programme

The SFO Guidance makes clear that the SFO will consider the state of an organisation’s compliance programme at different points of time. The expectations are different at each stage, and the SFO’s assessment will have an impact on decisions such as the decision to prosecute, the suitability of a deferred prosecution agreement (DPA), sentencing and whether or not a monitor should be appointed. Put simply, the SFO will consider an organisation’s compliance programme in the past, present and future.

  • The state of the compliance programme at the time of offending. When the SFO is deciding whether to prosecute, it will consider whether the company had an effective compliance programme at the time of the offence. There is a public interest factor in favour of prosecution if the company had an ineffective compliance programme in place. Having an effective compliance programme at the time of offending is also relevant to the issue of whether the company has a defence (e.g., the adequate procedures defence under section 7 of the Bribery Act 2010). If such measures are insufficient to amount to a defence, the state of the compliance programme at the time of offending may also be a factor relevant to sentencing (reflecting lesser culpability).
  • The current state of the compliance programme. The fact that an organisation had a previously poor compliance programme but has taken steps to improve its programme may be a relevant consideration for the SFO at the charging stage and may contribute to the SFO determining whether there are public interest factors against prosecution. The prosecutor will also consider the current state of an organisation’s compliance programme when considering the suitability of a DPA. Whether an organisation has reformed and rehabilitated itself by implementing a genuinely proactive and effective corporate compliance programme will be an important consideration for entering into a DPA. The current state of the compliance programme may also be relevant to sentencing (e.g. whether the level of fine impacts the organisation’s ability to implement effective compliance programmes). This approach incentivises companies to continually improve their compliance programmes, including after an SFO investigation has begun.
  • The state of the compliance programme going forward. The SFO Guidance states that a DPA may still be appropriate where an organisation has not yet delivered a fully effective compliance programme, but the SFO may impose further improvements through the DPA. A DPA can include terms requiring an organisation to implement or change its compliance programme provided that such terms are capable of assessment while the DPA is in force. This is likely to include the appointment of a monitor at the organisation’s expense.

SFO investigation of compliance programmes

The SFO Guidance also sets out (in brief terms) how the SFO will assess compliance programmes. It does not prescribe a particular approach, with the SFO acknowledging that individual cases differ. This is particularly true for smaller organisations that the SFO is investigating. The SFO Guidance does, however, stress that prosecutors should consider compliance issues early on in an investigation and ensure that their approach to obtaining information on compliance programmes keeps in mind the aims of the broader investigation. The SFO Guidance states that organisations should have a variety of written records on their compliance programmes and highlights the investigatory tools at the SFO’s disposal for obtaining such information.

Organisations can therefore expect, at a very early stage in the SFO’s investigation, to be required to produce documents such as compliance policies and procedures, gifts and hospitality registers, compliance training records and manuals, risk assessments, and data around the management of whistleblower reports. For organisations with global businesses, such documents may be stored across various countries and/or sit with external vendors, so it will be important for organisations to involve their compliance functions and their vendors at an early stage of the investigation to ensure that such information can be effectively collated, reviewed and produced to the SFO in a timely manner.

Assessment of compliance programmes through the MoJ’s “Six Principles”

In assessing compliance programmes, the SFO Guidance states that the “Six Principles” in the Ministry of Justice’s guidance on the Bribery Act (the “MoJ Guidance”), published in March 2011, are a good general framework. The SFO Guidance states that the “Six Principles” are not prescriptive and are intended to be flexible, particularly when assessing the compliance programmes of smaller businesses. These “Six Principles” were also previously adopted in HMRC’s guidance for corporate offences under the Criminal Finances Act 2017.

Although the MoJ Guidance specifically discusses these principles within the context of the prevention of bribery, the “Six Principles” in the MoJ Guidance set out detailed considerations that can be applied by organisations when devising and reviewing their compliance programmes. It will remain to be seen how the SFO will apply the MoJ Guidance when assessing compliance programmes more broadly for non-bribery offences. For example, it is unclear whether such principles will be applied for policies and procedures around financial controls for offences such as false accounting or other offences in relation to which DPAs may be entered into.

Echoing DOJ Guidance

The U.S. Department of Justice (the “DOJ”) issued guidance on the evaluation of corporate compliance programmes (the “DOJ Guidance”) in March 2017 and updated the guidance in April 2019. Like the SFO, the DOJ reinforces the need for a compliance policy to be effective, and not simply a “paper program” (the SFO uses the phrase “paper exercise”), and also recognises that compliance programmes must be evaluated in the specific context of the criminal investigation undertaken and that prosecutors ought not to use a rigid formula when conducting that evaluation.

The DOJ Guidance states that prosecutors should ask three “fundamental questions”:

1. “Is the corporation’s compliance program well designed?”

2. “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?

3. “Does the corporation’s compliance program work” in practice?

To expand on these three questions, the DOJ Guidance lays out 12 criteria upon which an organisation’s compliance policy will be assessed, although the DOJ expressly states that these form neither a checklist nor a formula and their relevance ought to be considered in the circumstances of each case. The comparison below sets the criteria from the MoJ Guidance, as applied by the SFO Guidance, against those of the DOJ Guidance.

SFO Guidance (applying the six principles in the MoJ Guidance)

  • Principle 1: Proportionate Procedures
  • Principle 2: Top Level Commitment
  • Principle 3: Risk Assessment
  • Principle 4: Due Diligence
  • Principle 5: Communication (including training)
  • Principle 6: Monitoring and Review

DOJ Guidance (Evaluation of Corporate Compliance Programs)

I. Is the Corporation's Program Well Designed?
  • A. Risk Assessment
  • B. Policies and Procedures
  • C. Training and Communications
  • D. Confidential Reporting Structure and Investigation Process
  • E. Third-Party Management
  • F. Mergers and Acquisitions

II. Is the Corporation's Compliance Program Being Implemented Effectively?
  • A. Commitment by Senior and Middle Management
  • B. Autonomy and Resources
  • C. Incentives and Disciplinary Measures

III. Does the Corporation's Compliance Program Work in Practice?
  • A. Continuous Improvement, Periodic Testing and Review
  • B. Investigation of Misconduct
  • C. Analysis and Remediation of Any Underlying Misconduct


Like the SFO Guidance, the DOJ Guidance, referring to the Principles of Federal Prosecution of Business Organizations in the Justice Manual, states that the factors prosecutors should consider when investigating an organisation include the adequacy and effectiveness of the company’s compliance programme at the time of the offence and at the time of a charging decision, as well as the company’s remedial efforts to implement or improve an existing compliance programme. The DOJ Guidance states that the existence and effectiveness of an organisation’s compliance programme will also be taken into account during sentencing and when prosecutors are determining whether the appointment of a monitor is appropriate.

Although crafted differently, and even though the DOJ Guidance is much more detailed, the SFO Guidance and DOJ Guidance use overlapping and consistent principles and have the same purpose, namely, to steer prosecutors in their evaluation of corporate compliance programmes. For example, in the area of risk assessment, both the SFO and DOJ call for a tailored, periodic and evolving risk assessment approach, and in mergers and acquisitions, both stress the importance of due diligence into acquired companies. This consistency allows organisations faced with concurrent investigations by the DOJ and the SFO to align their approach to responding to investigators’ queries in relation to compliance programmes. With transatlantic cooperation between the SFO and DOJ (e.g., in the investigations of Rolls-Royce Plc, Standard Bank Plc and Guralp Systems Ltd) set to continue, such alignment is helpful to organisations in understanding and meeting the expectations of prosecutors on both sides of the Atlantic.

Organisations Must Ensure Compliance Programmes Are Fit for Purpose

The SFO Guidance is an excellent addition to the growing library of guidance related to corporate prosecutions issued under SFO Director Lisa Osofsky since she took office in August 2018. It not only provides transparency on what the SFO looks for when it is investigating organisations’ compliance programmes but serves to reassure smaller businesses that prosecutors will consider proportionality when evaluating their compliance programmes.

That said, the SFO Guidance makes clear that all businesses, no matter their size, must have internal systems and procedures for ensuring that they comply with legal requirements. While the scope of those arrangements will vary depending on the size and nature of each business, it is clear from the SFO Guidance that there is no “one-size-fits-all” compliance programme and organisations must ensure that they undertake regular and proportionate risk assessments to ensure that their compliance programmes are tailored to address the particular risks that they face and are adequately communicated within their organisations.
