The SFO’s message for 2026: Evidence beats box-ticking

If 2025 was the year the Serious Fraud Office (SFO) refreshed its expectations of corporate behaviour, 2026 is when organisations will be judged against them.

On 26 November 2025, the SFO published refreshed guidance on how it evaluates corporate compliance programmes. The headline is simple: having policies and controls does not automatically mean your programme is effective. The SFO will examine how those policies translate into real conduct on the ground.

That matters because compliance is now being assessed in more situations than many organisations assume, including under the Failure to Prevent Fraud regime.

What changed, and why it matters now

The refreshed guidance is part of a broader “suite” of 2025 updates, following the SFO’s Corporate Cooperation Guidance (April 2025) and the Joint SFO-CPS Corporate Prosecution Guidance (August 2025).

With this update the SFO is signalling that “box-ticking” compliance will not protect organisations. Programmes need to be workable, evidenced, and effective in practice, especially in relation to the Failure to Prevent Fraud offence under ECCTA, which has been in force since September 2025.

When the SFO may assess your compliance programme

The new guidance sets out six scenarios where the SFO may need to evaluate your programme, including decisions on prosecutions, DPAs, monitorships, potential statutory defences, and sentencing.

In the guidance’s own terms, the SFO may assess compliance to determine whether:

  • A prosecution is in the public interest (under the Joint SFO-CPS Corporate Prosecution Guidance)
  • A Deferred Prosecution Agreement (DPA) should be considered
  • A DPA should include compliance terms and/or a monitorship
  • The organisation has “adequate procedures” for Failure to Prevent Bribery (Bribery Act 2010, section 7)
  • The organisation has “reasonable procedures” for Failure to Prevent Fraud (ECCTA, section 199)
  • Compliance is relevant for sentencing considerations

Adequate vs reasonable procedures: Do not treat them as interchangeable

The refreshed guidance draws a clear line between two similar-sounding, but different, standards:

Adequate procedures (Failure to Prevent Bribery, Bribery Act 2010)

The section 7 defence requires the organisation to show it had adequate procedures designed to prevent persons associated with it from bribing on its behalf. In practice, this pushes organisations towards a robust, structured anti-bribery framework that is properly embedded, resourced, and enforced.

Reasonable procedures (Failure to Prevent Fraud, ECCTA)

The section 199 defence requires the organisation to show it had reasonable procedures in place to prevent the fraud. In practice, this is more explicitly proportionate and risk-based. The question becomes: given your size, sector, operating model, and fraud risks, what controls would a sensible organisation put in place, and can you show they actually work? The legislation also allows an argument that, in the circumstances, it was not reasonable to expect the organisation to have any prevention procedures at all.

A practical point organisations should not miss is that the burden of proving the reasonable procedures defence sits with the organisation. That makes evidence and documentation central, not optional.

What “effective” looks like in practice

The SFO stresses that evaluation is based on an organisation’s individual circumstances, not a one-size-fits-all checklist. But it also makes a repeated point: policies alone are insufficient.

A simple way to translate that into day-to-day compliance is to ask one question:

Can you show that controls are working, not merely that they exist?

A concrete example:

  • Box-ticking: “We have an approval process for high-risk payments.”
  • Defensible compliance: You can evidence testing, exception reporting, audit trails, follow-up actions, and consequences when approvals are bypassed, plus programme changes made after incidents or near misses.

Your 90-day compliance programme tune-up for Q1 2026

If you want this guidance to be useful rather than theoretical, these are the actions that make the biggest difference quickly:

Re-run your fraud risk assessment

  • Include third parties, incentives, and how fraud could benefit the business (or associated persons).

Map controls to the top risks, then map evidence to the controls

  • For each key control, define what proof exists (approvals, monitoring logs, sampling, audit results, exception reports).

Refresh training with a risk and role focus

  • Prioritise high-risk roles (finance, sales, procurement, onboarding, third parties) and tailor scenarios to how fraud and bribery risks actually arise in your business.
  • Evidence effectiveness beyond completions: knowledge checks, manager sign-off, targeted refreshers where incidents occur, and a clear consequences framework for non-completion.

Stress-test your speak-up and investigations workflow

  • Document triage decisions, independence, outcomes, remediation, and trends. If your process works, it should leave a trail.

Check your DPA readiness

  • Even if you never expect a DPA, the guidance is explicit that compliance can shape DPA decisions and DPA terms, including monitorships.

Put compliance metrics in front of leadership

  • The point is not volume reporting. It is showing effectiveness: issues detected, time to resolve, repeat incidents, control failures, improvements made.

This sits within a wider policy direction. The UK’s Anti-Corruption Strategy 2025 is not a wholesale rewrite of the rules, but it signals a continued focus on stronger enforcement, tighter supervision and better coordination across agencies. That is exactly the backdrop to the SFO’s refreshed approach to assessing whether compliance programmes work in practice.

Scope note for UK-wide organisations

The guidance applies to England, Wales and Northern Ireland. Scotland has a different regime, so UK-wide groups should avoid assuming a single enforcement approach across the whole UK.

What this means for 2026

This guidance does not introduce new law. It clarifies how the SFO will evaluate compliance programmes in real enforcement contexts, including the Failure to Prevent Fraud defence. In 2026, the organisations that fare best will be the ones that can evidence not only training and policies, but how those measures work in practice.