SFO Corporate Enforcement in 2025-2026: Signals for ECCTA Compliance Teams
The SFO's November 2025 compliance programme evaluation guidance and the Director's June 2026 speech set out the clearest public signal yet of how the SFO will approach ECCTA enforcement. This guide explains what compliance teams should take from that signal and how it should shape preparation.
Key points
- The SFO's guidance distinguishes paper compliance from operational compliance — the quality of evidence that procedures were working, not just documented, is what it evaluates
- DPA precedents from bribery cases signal the factors that will matter in fraud enforcement: self-reporting, cooperation, and a remediation programme
- The Director's June 2026 speech signals a proactive enforcement posture for economic crime, not a passive wait-and-see approach
- Contemporaneous evidence — records that existed at the time of the conduct — is qualitatively more persuasive than retrospectively assembled documentation
The SFO compliance programme evaluation guidance
The Serious Fraud Office published its guidance on evaluating a corporate compliance programme in November 2025. The guidance sets out the factors the SFO considers when assessing whether a company's compliance programme was adequate at the time of the relevant conduct. It is the closest thing to an official SFO ECCTA compliance benchmark that currently exists, and compliance teams should treat it as primary source material.
The guidance structures its assessment around four questions: Was the compliance programme well designed? Was the programme applied earnestly and in good faith? Did the programme work in practice? Was the programme continuously updated and improved? These questions reveal the SFO's central concern: not whether an organisation had a compliance programme, but whether that programme was genuine and operational.
The guidance cites specific evidence types as relevant to each question. For 'well designed': whether the risk assessment was specific to the organisation's risk profile rather than generic; whether procedures were tailored to identified risks rather than off-the-shelf. For 'applied earnestly': whether senior leadership communicated the importance of compliance and modelled compliant behaviour; whether compliance failures were addressed. For 'worked in practice': training completion data, investigation outcomes, and the absence of patterns of misconduct in the same area as the offence.
Operational evidence versus paper compliance
The distinction between paper compliance and operational compliance runs through the SFO guidance. Paper compliance is the documentation layer: a policy exists, a training programme is described, a due-diligence procedure is documented. Operational compliance is the evidence that those things happened: training completion records, due-diligence review records, monitoring reports, and the outcomes of internal investigations where issues were identified.
The SFO's guidance is explicit that a compliance programme which looks good on paper but was not followed in practice provides little mitigation. An organisation that can produce a sophisticated policy document but no evidence that training was delivered, no attestation records, and no monitoring data has a compliance programme that is likely to be characterised as nominal rather than genuine.
The practical implication for ECCTA compliance teams is that the evidence of the programme operating — completion records, review records, monitoring outputs — needs to be collected and maintained contemporaneously, not assembled after the fact. Evidence that exists now of how the programme operated in 2025-2026 is qualitatively more credible than reconstructed evidence assembled in the course of an investigation.
Deferred prosecution agreements as precedent
The SFO has concluded deferred prosecution agreements with a number of major companies for bribery-related offences since the Crime and Courts Act 2013 came into force. Those DPAs — while arising from bribery cases rather than fraud — provide the most detailed public account of how the SFO evaluates corporate conduct and compliance programmes. They are the closest available precedent for how ECCTA enforcement is likely to proceed.
Common themes across the DPA cases include: compliance programmes that were inadequate at the time of the conduct (documented but not operational), insufficient due diligence on high-risk third parties, failure to act on red flags that were visible to senior management or the compliance function, and — critically — self-reporting to the SFO combined with full cooperation and a credible remediation programme. The DPA resolutions were available in significant part because of the self-reporting and cooperation that followed the discovery of the misconduct.
For ECCTA compliance, the DPA precedents suggest that the quality of the compliance programme at the time of any offending conduct will be material to the enforcement outcome. Organisations with a well-documented, operational compliance programme — even if fraud nonetheless occurred — are in a materially stronger position than those with inadequate programmes. The difference may be between prosecution and a DPA; in the DPA context, it may affect the terms.
The Director's speech and enforcement posture
The SFO Director's speech at the Global Anti-Corruption Conference in June 2026 signalled a proactive enforcement posture for economic crime. The Director noted the SFO's intention to use all available tools — including dawn raids, compelled document production, and international cooperation — to pursue economic crime cases, and emphasised the SFO's expectation that organisations would self-report significant financial crime issues rather than waiting to be investigated.
The enforcement posture signal is particularly relevant for ECCTA because the offence is new and the SFO has not yet published any ECCTA-specific enforcement guidance. In the absence of ECCTA precedent, the Director's speeches and the existing corporate enforcement framework provide the best available signal of how the SFO is likely to approach the first cases under the new regime.
Compliance teams should note that the SFO's proactive posture means the first ECCTA cases are unlikely to be driven solely by self-reports. The SFO has the tools to identify potential offences through its existing corporate investigation capabilities, through referrals from other regulators, and through whistleblower reports. An organisation that discovers a potential issue should take qualified legal advice promptly about whether and how to engage with the SFO.
What this means for ECCTA compliance preparation
The SFO's guidance and enforcement signals have several practical implications for ECCTA compliance preparation. First, the compliance programme needs to be operational — training delivered, attestations collected, due-diligence reviews completed, monitoring conducted — not just documented. The evidence of operation needs to be maintained contemporaneously so that it is available if the programme is ever subject to scrutiny.
Second, the risk assessment needs to be specific and proportionate: tailored to the organisation's actual risk profile rather than a generic fraud-risk narrative. A risk assessment that shows the organisation has thought carefully about which associated persons could commit which offences, in what circumstances, and what controls exist to prevent or detect that conduct is the foundation of a genuine compliance programme.
Third, the compliance programme needs to be continuously updated. An organisation whose risk assessment, policies, and procedures have not changed since 2025 — regardless of changes in the business, new enforcement signals, or updated official guidance — is unlikely to satisfy the SFO's continuous-improvement criterion. Compliance teams should treat the SFO guidance as a live document and refresh their programmes in response to it.
Official sources
- SFO compliance-programme evaluation guidance
Published 2025-11-26; accessed 2026-06-15.
- SFO Deferred Prosecution Agreements collection
Last updated 2026-05-01; accessed 2026-06-15.
- SFO Director anti-corruption conference speech
Published 2026-06-03; accessed 2026-06-15.
- Joint CPS-SFO Corporate Prosecutions guidance
Updated 2025-11-10; accessed 2026-06-15.
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.