U.K. SFO Guidance on Compliance Programs!

Good news for compliance officers looking for an excuse to avoid awkward family conversation at Thanksgiving: the U.K. Serious Fraud Office just issued new guidance on when and how the agency will evaluate corporate compliance programs. 

The SFO issued the guidance on Wednesday. It outlines six scenarios where SFO prosecutors might decide they need to evaluate the compliance program of a corporate offender, and certainly that’s a helpful window into SFO thinking — but the document doesn’t provide much detail on the questions that prosecutors might ask about your program or the criteria they might evaluate. At least, it’s nothing as extensive and specific as the guidance on compliance programs offered by the U.S. Justice Department.

Anyway, let’s review what the SFO guidance does say before we speculate about what it means for leaders of corporate compliance programs. 

The guidance lists six scenarios when the SFO might want to do a formal evaluation of a company’s compliance program:

  1. To decide whether prosecution of the organisation is in the public interest.
  2. To consider whether a deferred-prosecution agreement (DPA) is warranted as part of a settlement.
  3. To decide whether to include compliance terms or a monitorship as part of a DPA.
  4. To assess whether an organisation has “adequate procedures” to prevent bribery, an affirmative defense under the U.K. Bribery Act.
  5. To assess whether an organization has “reasonable procedures” to prevent fraud, a defense for the new “failure to prevent fraud” offense under the Economic Crime and Corporate Transparency Act of 2023.
  6. To understand the existence and nature of the compliance programme as a factor for sentencing considerations.

Among all six scenarios, the only one that’s really new is Scenario 5, with the failure to prevent fraud offense. That law went into effect in the United Kingdom on Sept. 1, and I’ve written elsewhere about the internal controls a company should have in place to be sure it can claim that “reasonable procedures” defense. 

Today’s guidance also follows other SFO guidance released earlier this year on cooperation in corporate criminal enforcement and joint guidance from the SFO and the Crown Prosecution Service on corporate prosecutions that the two offices released in August. 

What the Guidance Doesn’t Say

Well, that’s easy. The guidance doesn’t say much about exactly how SFO prosecutors will evaluate a corporate compliance program. As the guidance itself says… 

“There is no set of preordained answers that entitle an organisation to (or disqualify it from) a specific result, decision or recommendation that its compliance programme is effective. The SFO’s assessment will be a holistic one, based on the organisation’s individual circumstances.”

OK, that’s fair; all resolutions of corporate misconduct depend on the specific facts of each case, which vary enormously. But it’s still a far cry from the U.S. Justice Department guidance, which runs 25 pages long and lists scores of possible questions that prosecutors might ask, grouping them according to the seven elements of an effective compliance program. That U.S. guidance is useful; this U.K. guidance is merely interesting. 

We should pause here to underline an important point about all this guidance, and especially the U.S. version: that prosecutors will apply these evaluation guidelines to fact-specific instances of misconduct — but compliance officers don’t have that luxury. You need to build a program without knowing the facts that might come along and trip up your business. 

Sure, you can make basic deductions about the categories of misconduct you’re likely to encounter, based on the risk profile of your company. Those deductions can in turn help you understand the policies, procedures, and controls that you want to strengthen the most. For example, if your business has high employee turnover, you want to devote lots of resources to training and monitoring. If you have low turnover but extensive dealings with foreign governments, you want to devote more resources to documentation and third-party due diligence.

Prosecutors will approach your program from a wholly different perspective. They’ll have a specific fact-pattern and statutory violation they want to investigate, which will guide the questions they ask about your program. If you misunderstood your company’s risk profile and invested in the wrong elements of a compliance program, prepare for an awkward experience. 

A Point on Self-Disclosure

The guidance also warns, “The SFO will dig behind generalities and challenge high level assertions. The outcomes or activities that result from the policies and procedures can provide evidence of how effective a compliance programme is (or isn’t).”

It’s the sort of anodyne enforcement language you see from regulators all the time — but consider the implications here. The SFO is reserving the right to crawl all over your compliance program as part of its corporate misconduct investigation. What if more embarrassing or incriminating information comes to light? 

That was the point raised by Judy Krieg, a former SFO official who now does corporate defense work: 

“The SFO can and will use its investigatory tools to assess compliance. What does that mean? The SFO will compel details of all prior compliance failings, issues, investigations and whistleblower reports. Tread carefully. If you think self reporting is the route to reaching a resolution, think again. Expect the SFO to revisit history and possibly expand the scope of investigation. And you won’t have a choice in what you reveal.”

I still advocate for voluntary self-disclosure because it’s the ethical thing to do, and that should count for something; but Krieg’s not wrong to say that companies have a lot to think about before they do.

Anyway, that’s the SFO guidance. Several officials from the SFO will be at the ACI FCPA and Anti-Corruption Conference happening in Washington next week, so perhaps we’ll get more insight then. Stay tuned.