Shifting The Dial – New SFO Guidance On Corporate Cooperation

In April [2025] the Serious Fraud Office (SFO) published its “External Guidance on Corporate Cooperation and Enforcement in relation to Corporate Criminal Offending” (the Guidance).¹  The Guidance sets out factors that the SFO will take into account when deciding whether to prosecute a corporate or, alternatively, invite it to negotiate a Deferred Prosecution Agreement (DPA). It provides a clearer picture of the circumstances in which the SFO will offer a DPA, its expectations of corporate cooperation and the timescales around the DPA process.

The Guidance sets these factors out in admirably concise form. However, the question remains as to whether it does enough to encourage corporates to self-report or whether – despite the SFO's exhortations to corporates to do the right thing when they uncover wrongdoing – there might still be an argument for adopting an approach of waiting to see if the SFO uncovers evidence of criminal conduct, even if that means a DPA is off the table.

Is a self-report determinative?

The Guidance makes clear that the SFO will offer a DPA if a corporate self-reports its concerns promptly and fully cooperates with the SFO. Nick Ephgrave, the SFO's Director, has described this “as good as a cast iron guarantee” (notwithstanding that the Guidance contains a caveat that full cooperation and a self-report could still result in prosecution in unspecified “exceptional cases”). This is a notable shift from the previous version of the cooperation guidance², which said that “cooperation – even full, robust cooperation – does not guarantee any particular outcome”.

However, prompt self-reporting is not the only route through which corporates can obtain the offer of a DPA, as the Guidance states that corporates which do not self-report but show “exemplary cooperation” (discussed further below) might also be offered a DPA. Importantly, the Guidance makes it clear that this is within the gift of the SFO, but is not guaranteed (“the SFO will consider….”)

Where a corporate has not self-reported, the SFO will consider whether it was aware of the offending before the investigation was commenced. A “knowing failure to promptly self-report” will impact the SFO's assessment of cooperation and any mitigation, and is a factor the SFO says weighs in favour of prosecution.

The Guidance is clearly intended to remove any doubt in the mind of a corporate which uncovers evidence of criminal conduct that its best interests will be served by self-reporting to the SFO, cooperating fully in the SFO's investigation and securing a DPA – as opposed to facing criminal charges and then the choice between a guilty plea or a contested trial.

What amounts to cooperation?

The Guidance contains a non-exhaustive list of conduct that the SFO considers to be genuine cooperation along with examples of conduct which it deems to be uncooperative.

As mentioned above, the Guidance refers to ‘full' and ‘exemplary' cooperation, the latter being a higher standard. The Guidance notes that if a corporate satisfies all of the points within its list of cooperative conduct (including the following), it is likely to be assessed as providing exemplary cooperation³:

• Proactively preserving all digital and hard copy material likely to be relevant to the investigation.
• Collecting and identifying documents and information likely to be relevant to the investigation.
• Presenting the facts of the suspected criminal conduct, including identifying the persons involved.
• Disclosing relevant previous criminal corporate conduct to the SFO and explaining how it was resolved.
• Providing the SFO with access to employees for the purposes of facilitating interviews and, if appropriate, ensuring that independent legal advice is available to them.
• Where a corporate chooses to undertake an internal investigation:
  • engaging with the SFO at an early stage as to the parameters of the investigation;
  • notifying the SFO before taking proposed steps in regard to any ongoing  investigation; and
  • not taking steps which might prejudice the SFO's investigation (with particular reference to any internal interviews).
• Presenting “a thorough analysis” of the corporate's compliance programme and procedures as they were at the time of the offending.

Conversely, the following are stated to be examples of uncooperative conduct:

• Overloading the SFO with unnecessarily large amounts of material, having not carefully considered their relevance to the underlying investigation.
• Delaying disclosure of material or information for tactical reasons.
• Forum shopping by choosing to report offending in another jurisdiction, unreasonably, for strategic reasons, or seeking to exploit differences between international law enforcement agencies and legal systems.
• Obfuscating the involvement of individuals or withholding information setting out the full extent of the suspected offending. 

One issue that arises for corporates cooperating with the SFO is how they treat documents covered by legal professional privilege (LPP). The Guidance notes that corporates will not be penalised for maintaining a valid claim of LPP, but (by way of incentivisation) also states that waiver of LPP would be a “significant cooperative act”.

What is the SFO's time frame for responding to a self-report?

A key focus for the SFO under the directorship of Mr Ephgrave has been speeding up the pace of its investigations. This focus appears in the Guidance, which contains a list of timelines the SFO hopes to comply with, in particular:

• to make contact with a self-reporting corporate within 48 business hours.
• to regularly update a self-reporting corporate throughout the process.
• to decide whether or not to open an investigation within six months of a self-report.
• to conclude its investigation within a reasonably prompt time frame.
• to conclude DPA negotiations within six months of sending an invitation.

The unspecified time frame is, perhaps unsurprisingly, the time frame within which the SFO intends to “conclude its investigation”. Much will depend on the nature and scale of the conduct under investigation (including whether it is purely domestic or involves multiple jurisdictions). While the DPA Codes of Practice make clear that the SFO does not have to conclude its investigation before deciding whether to offer a DPA, the investigation must necessarily have progressed to a stage where the SFO has a “reasonable suspicion based upon some admissible evidence” that the company has committed an offence and reasonable grounds for believing that continued investigation would result in sufficient evidence to establish a realistic prospect of conviction. What is clear on any view is that even an investigation with full cooperation and culminating in a DPA can (and likely will) take several years.

When to self-report – what is a reasonable time?

The Guidance states that suspected offending should be reported within a ‘reasonable time' of it coming to light. There is no indication of what might be reasonable, but the Guidance is clear that a knowing failure to promptly self-report suspected criminal conduct would impact the SFO's assessment of cooperation. Whilst the Guidance acknowledges that responsible corporates may wish to investigate suspicions of suspected offending before making a report, the SFO does not expect a corporate to fully investigate a matter before doing so, and the SFO's Director has spoken of the right time to make a report being when there is ‘reasonable suspicion' of wrongdoing. 

Corporates with concerns that criminal conduct may have occurred will inevitably want to understand what they are dealing with before deciding whether to make a self-report and involve the SFO. However, a corporate will need to move quickly to investigate its initial concerns in order to be in a position to self-report promptly (should it choose to do so) once those initial concerns crystallise into something, whether described as reasonable suspicion or otherwise, which is sufficient to satisfy the corporate that its concerns are real and justified.

Other factors for corporates to consider

The Guidance states that the SFO considers self-reporting suspected corporate criminal conduct to be the “mark of a responsible organisation”. But there have only been 12 DPAs concluded by the SFO (and one by the Crown Prosecution Service (CPS)) since DPAs were introduced in 2014 (and the SFO's last DPA was in 2021). In the same period there have been a limited number of prosecutions of corporates by the SFO (albeit those that have occurred have resulted in some significant financial penalties). Combined, these statistics suggest that self-reporting has not become established corporate behaviour, perhaps because corporates may look at the isolated instances of prosecution and decide that the risk of ‘getting caught' is not such as to justify the advantages of a self-report.

But recent changes in the legislative framework are increasing the criminal risk for corporates. The Guidance is clearly intended to re-shape the narrative around enforcement against corporates and to kick-start the DPA regime.

Increased criminal risk for corporates

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) has introduced two notable changes affecting the scope for corporates to be criminally liable, and in recent speeches the SFO's Director has indicated his intention to take advantage of these developments in suitable cases.

First, ECCTA has significantly lowered the barrier for prosecutions of a corporate based on the ‘identification doctrine', i.e. the range of persons whose conduct can be attributed to the corporate, making the corporate liable for the acts of individuals within its organisation. Previously, the person had to be a directing mind and will of the corporate (in practice a director). ECCTA has now extended this so that corporates can be criminally liable for the actions of a “senior manager”, described as “an individual who plays a significant role in the making of decisions about how the whole or a substantial part of the activities of a [company] are to be managed or organised or the actual managing or organising of the whole or a substantial part of those activities”.⁴

Secondly, ECCTA has introduced a corporate criminal offence of failure to prevent fraud, which will come into force on 1 September.⁵ In summary, a corporate which meets the criteria for a “large organisation” will be guilty of an offence if a person associated with the company commits a fraud offence intending to benefit the company. The corporate will have a defence if it had “reasonable prevention procedures”  in place (or alternatively if it can show that it was reasonable to have no prevention procedures in place). This new offence builds upon the ‘failure to prevent' model adopted in respect of bribery and the facilitation of tax evasion and considerably extends the scope for corporates to be criminally liable for the conduct of anybody associated with it, not just a senior manager.

If the lure of a DPA is the ‘carrot', what sticks are the SFO waving to make corporates believe that a self-report is the best option? Alongside increased criminal exposure for corporates, the SFO is emphasising how its intelligence-gathering increases the risk that corporate offending will come to its attention even if the corporate elects to keep quiet. Earlier this year the SFO announced a new international anti-corruption alliance with France's Parquet National Financier, and the Office of the Attorney General of Switzerland [6], increasing the level of intelligence sharing and cooperation between these agencies. The SFO has also been advocating for the financial incentivisation of whistleblowers and the increased use of assisting offenders.⁷ Progressing the reform of whistleblower incentive schemes forms part of the SFO's 25/26 Business Plan.⁸

Conclusion

In a press release published alongside the Guidance, Mr Ephgrave said “if you have knowledge of wrongdoing, the gamble of keeping this to yourself has never been riskier”. That may be right. The question is whether that is a gamble some corporates may still be willing to take. The Guidance makes it clear that, in certain circumstances, a corporate can be certain in the knowledge it will be offered a DPA. But it may well take some rapid examples of corporates being prosecuted in circumstances where they did not come forward for there to be a real change in the approach to self-reporting.

Footnotes

1.  https://www.gov.uk/government/publications/sfo-corporate-guidance

2.  https://webarchive.nationalarchives.gov.uk/ukgwa/20241119161826/https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/corporate-co-operation-guidance/

3. The entire list can be seen at paragraph 22 of the Guidance.

4. Section 196 ECCTA

5. Section 199 ECCTA. For further information, see BCL's previous articles on the topic:  https://www.bcl.com/news/change-on-the-horizon-the-economic-and-corporate-transparency-act-2023-and-failure-to-prevent-fraud-offences;  https://www.bcl.com/news/failure-to-prevent-fraud-statutory-guidance;  https://www.bcl.com/news/govt-fraud-prevention-guide-proves-to-be-a-damp-squib 

6.  https://www.gov.uk/government/news/uk-france-and-switzerland-announce-new-anti-corruption-alliance

7. See also our previous article here:  https://www.bcl.com/news/talk-is-no-longer-cheap-will-the-sfo-follow-the-doj-s-lead-in-offering-financial-incentives-to-whistleblowers

8.  https://assets.publishing.service.gov.uk/media/67ee4e86199d1cd55b48c6e8/SFO_2025-26__Business_Plan.pdf

Originally published by Fraud Intelligence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.