SFO’s updated guidance on corporate cooperation

The Serious Fraud Office (SFO) has recently published updated guidance on corporate cooperation. It assesses when and how the SFO would like organisations to self-report, the steps companies subject to investigation should follow to enhance the likelihood of securing ‘cooperation credit’ (such as a decision not to prosecute or to be invited to negotiate a Deferred Prosecution Agreement (DPA) in lieu of prosecution) and what can be expected when organisations follow the guidance. In this article, we summarise the guidance, as well as offering insight on how it may apply in practice.

The potential risk of corporate criminal liability has increased due to recent reforms. Most notably, the extended attribution doctrine to hold corporates liable for the a wider class of senior managers and the introduction of a new failure to prevent fraud offence (FTPF) that will come into force on 1 September 2025 that have moved the dial. In this context, there is even greater impetus for businesses to understand what might happen if they become aware of misconduct, and what their options are for addressing it.

Self-reporting

The guidance encourages organisations to self-report proactively and emphasises that self-referral will strongly weigh in favour of a DPA rather than a prosecution. It also warns, on the other hand, that a failure to self-report may result in a more severe penalty. Where an organisation does self-report, the SFO will aim to:

• contact a self-reporting corporate within 48 business hours;
• provide regular updates;
• decide whether or not to open an investigation within six months;
• conclude its investigation within a reasonably prompt time frame; and
• conclude DPA negotiations within six months of sending an invite.

With evident awareness of some of the factors that have been problematic for corporates in the past, the SFO is trying to incentivise early and pro-active self-reporting of misconduct, by presenting itself as a receptive agency that will attempt to ensure that tight timescales for concluding investigations are met. There are other features of the DPA regime that perhaps warrant similar attention (for example, overall financial penalty / discount, scale and nature of forward looking obligations).

But the overall time taken in SFO cases (whether resolved by a DPA, or otherwise), and the corresponding lack of certainty for corporates that have multiple other impacts to manage when misconduct occurs, has been an unsatisfactory part of the experience some businesses have had. Efforts to address this are welcome.

Internal investigations

The SFO has reiterated that it expects organisations to coordinate with the agency when investigating misconduct. A greater level of detail is provided on how this should be applied including:

• providing regular updates on progress;
• ensuring independence of the investigation;
• preserving material;
• identifying and removing individuals implicated in the suspected conduct; and
• implementing remediation of identified shortcomings.

Cooperation

The guidance includes an explanation of the types of behaviour that may be considered full and effective cooperation. This will be specific to the situation but, based on the guidance and in light of our experience, is likely to include:

• reporting misconduct promptly and consistently with the SFO reporting process;
• preserving and producing data and documents in a forensically sound manner;
• identifying potential witnesses, including third parties;
• assisting with provision of access to employees; and
• careful assertion of privilege.

The guidance adopts a wide approach to the scope of information that it expects organisations to disclose. This includes presenting all relevant evidence concerning the suspected offences; the whereabouts of key material; and, any disciplinary action taken and changes to personnel made as a result of the offending. It may be that some of this information is not immediately available at the time of an initial self-report, but this should not mitigate against early self-reporting; further information can be provided at a later stage if necessary.

The guidance emphasises that if a corporate self-reports promptly to the SFO and cooperates fully, if the evidence ultimately indicates that there has been wrongdoing by the corporate, it will be invited to negotiate a DPA rather than face prosecution unless exceptional circumstances arise.

An effective compliance programme

The guidance indicates that any corporate subject to investigation should present a thorough analysis of its compliance programme. Given this, it is important for corporates to have an effective programme in place to tackle corporate crime, and to be able to demonstrate this if necessary. As we have outlined previously, internationally regulators are underscoring the importance of organisations maintaining an effective compliance programme. This not only serves to prevent misconduct but can reduce the severity of any sanctions imposed if an investigation does arise, both in terms of penalty and in terms of potential compliance remediation steps that might be required.

Looking forward

Overall, the guidance is a positive step towards greater clarity on the SFO’s expectations of corporate cooperation, enabling decision makers to understand what is expected, what apparent benefit that might represent and to weigh that against other options they have when misconduct arises.

However, even with greater clarity, deciding whether to self-report and what other steps to take in the context of a corporate investigation is very complex and inevitably difficult. Evaluating the relative benefit of engaging with the SFO in the way that it is inviting, as compared to not doing so, is difficult to quantify. The lack of recent prosecutions by the SFO leaves a gap in understanding what we can expect in practice when a different choice is made. And of course, when misconduct arises the risk of criminal enforcement is a major issue that needs to be addressed, but it is not the only one. Corporates have multiple stakeholders and multiple other risks that can spin out of that misconduct and so the overall exercise of judging what is in the best interests of the company (as a director must) is a sophisticated one.

Those responsible for making that judgment will inevitably be guided by intending to do the “right thing”. What is difficult is being confident what, taking everything into account, that amounts to, and the guidance that the SFO has released forms part but not all of the relevant equation.

It is also worth noting that there are anticipated reforms in this area that will likely influence the level of risk that businesses are exposed to. The SFO’s director, Nick Ephgrave, has recently indicated the steps the agency is considering to improve its investigations, including focusing on cases that are most likely to lead to worthwhile outcomes and arguing for reform of the UK position on whistleblower incentivisation. With the FTPF coming into force in September 2025 and various other developments under discussion, it will be important for organisations to keep a clear eye on what will be a fast-changing corporate crime landscape in the coming months.