SFO’s long-awaited guidance on corporate cooperation

The Serious Fraud Office (SFO) has today published updated Guidance (the Guidance) on corporate cooperation. It assesses when and how organisations should self-report, the steps that companies subject to investigation by the SFO should follow to enhance the likelihood of securing “cooperation credit” (such as a decision not to prosecute or to be invited to enter into a Deferred Prosecution Agreement (DPA) in lieu of prosecution) and what can be expected when organisations follow the Guidance. 

Overall, our view is that the Guidance is helpful for understanding what the SFO expects from corporates who are willing to self-report in the UK and what those corporates can expect in return. That is a useful part of the calculus for boards that are confronted with making that decision, but it remains the case that the decision itself is complex. There has not been a DPA in the UK since 2021. With some notable exceptions, there has not been a significant track record of corporates otherwise being successfully prosecuted. Allegedly implicated individuals are rarely convicted. The publicly visible roster of major corporate SFO investigations is relatively sparse. The potential changes to whistleblower incentivisation (and the impact that could represent in terms of involuntary surfacing of misconduct) are being heavily debated, but at this point remain only potential changes. The post-resolution civil litigation landscape is increasingly developed and predictable. In contrast, the approach that relevant international agencies might take to the same issues is harder to predict than it has ever been. For all of those reasons, boards that are intent on doing the “right thing” have a delicate judgement to make when evaluating how this may apply in practice.

The final Guidance follows draft guidance published for consultation last year and updates the earlier 2019 guidance. In a shift in tone, the Guidance emphasises that if a corporate self-reports promptly to the SFO and cooperates fully, it will be invited to negotiate a DPA rather than be prosecuted unless exceptional circumstances apply. Departing from the earlier draft guidance, the final version no longer states that even where there are efforts to achieve good cooperation, it may not result in a DPA. The Guidance also concludes by explaining that the SFO anticipates that it will only be in exceptional cases that the combination of a prompt self-report and full cooperation will result in prosecution rather than an invitation to negotiate a DPA. This clearly illustrates that the SFO is now favouring the use of DPAs, provided a corporate promptly reports and fully cooperates. 

Below, we assess the main points covered by the Guidance, offer practical guidance and look at some of the main differences between this and earlier versions. We conclude by considering how the development aligns with wider corporate crime reforms. 

Self-reporting

The Guidance encourages organisations to self-report proactively and emphasises throughout that self-referral will strongly weigh in favour of a DPA over a prosecution. It also warns, on the other hand, that a failure to self-report may result in a more severe penalty. The Guidance clearly sets out what the SFO expects from organisations and what they can expect from the SFO in turn. This provides welcome clarity compared with the 2019 guidance. 

The questions of when to self-report and what initial investigations should be completed before a self-report is made are highly fact-specific and difficult to assess. There is limited further information on this point in the Guidance, but it does state that if there is direct evidence of corporate offending, the SFO would expect a corporate to self-report soon after learning of that evidence. On the other hand, if the position is less clear-cut, the Guidance acknowledges that “some further investigation may be necessary”.

Where an organisation does self-report, the SFO will seek to:

• contact a self-reporting corporate within 48 business hours;
• provide regular updates to a self-reporting corporate throughout the process;
• decide whether or not to open an investigation within six months of a self-report;
• conclude its investigation within a reasonably prompt time frame; and
• conclude DPA negotiations within six months of sending an invite.

The intent is clear: the SFO is strongly incentivising and reinforcing early and pro-active self-reporting of misconduct, which will be recognised by a receptive agency that at least intends to try to ensure that tight timescales for concluding investigations are met. 

Internal investigations 

The SFO has reiterated that it expects organisations to coordinate with the agency when investigating misconduct. A greater level of detail is provided on how this may work in practice and what may be considered full and effective cooperation. This includes:

• ensuring that nothing is done which might prejudice the SFO investigation;
• providing regular and timely updates as to progress;
• ensuring independence of the investigation; 
• preserving material; 
• identifying and removing individuals implicated in the suspected conduct; 
• providing to the SFO the facts gathered during the internal investigation;
• giving rolling disclosure of important information as and when it is identified; 
• informing the SFO in advance of proposed steps and not taking any step which might prejudice the SFO’s investigation, particularly in relation to internal interviews; 
• providing non-privileged records of interviews and where there are privileged records, assessing whether to agree a voluntary limited waiver of privilege over such records; and
• implementing remediation of any identified shortcomings in a corporate body’s compliance programme.

Cooperation

The Guidance continues to include an explanation of the types of behaviour that may be considered “full and effective” cooperation. This will be varied and specific to the situation but, based on the Guidance and in light of our experience, is likely to include:

• reporting misconduct promptly and consistently with the SFO reporting process;
• preserving and producing data in a forensically sound manner;
• providing information to the SFO in a useful, structured way and consistently with clear timelines;
• briefing the SFO on the relevant background, including on the industry, the facts at issue, other actors in the market and other potentially interested authorities;
• assisting in identifying material that might assist any person or entity which has been accused or which might undermine the case of the prosecution;
• creating and maintaining an audit trail of the acquisition and handling of hard copy and physical material, and identifying a person to provide a witness statement covering continuity of evidence;
• providing records that show relevant money flows;
• identifying potential witnesses, including third parties; 
• assisting with provision of access to employees for the purposes of facilitating any interviews and ensuring, where appropriate, independent legal advice is made available to employees (although in practice this may be difficult to achieve in certain cases);
• not asserting privilege “lightly” – this is an especially important issue that businesses will have to manage carefully, as the language of the Guidance continues to be strong on this point, signalling that the SFO is keen to maintain its robust stance on, and willingness to test claims of, privilege over internal investigation materials; and
• providing the SFO with witness accounts and related materials – if doing so involves the waiver of privilege, that will also be an indicator of cooperation.

The Guidance adopts a wider approach to the scope of information that it expects organisations to disclose compared with the 2019 guidance. It explains that organisations should present to the SFO:

• all relevant known facts and evidence concerning the suspected offences;
• the individual(s) involved (both those inside and outside the organisation), and the relevant jurisdiction(s);
• the whereabouts of key material and any risks associated with the destruction of key evidence or the dissipation of relevant assets;
• any previous relevant corporate criminal conduct and how it was resolved;
• any disciplinary action taken and changes to personnel made as a result of the offending; and
• financial information regarding the benefit and/or harm the offending has caused.

It may be that some of this information is not immediately available during the time of the initial self-report, but this should not mitigate against early self-reporting; further information can be provided at a later stage if necessary. The Guidance also explains what the SFO will consider to be uncooperative, which includes failing to respond to information requests, seeking to play enforcement agencies “against each other”, tactical delay, overloading the SFO with irrelevant or unhelpful information and protecting specific individuals.

An effective compliance programme

The final version of the Guidance indicates that any corporate subject to investigation should present a thorough analysis of its compliance programme and procedures in place at the time of offending and how the corporate has remediated, or plans to remediate, any ongoing deficiencies. Given this, it is important for corporates to ensure that they have an effective programme in place to tackle corporate crime. As we have outlined previously, internationally regulators are underscoring the importance of organisations maintaining an effective compliance programme. This not only serves to prevent misconduct but if companies subsequently face criminal or regulatory investigation into misconduct, the existence of an effective compliance management system can have an important impact on the way in which any such investigation is resolved, as well as on the severity of any sanctions imposed.

What can be expected in the event of full cooperation?

The Guidance briefly touches on what corporates can expect if they provide genuine, full and effective cooperation. This can include a decision not to prosecute, an invitation to negotiate a DPA, a reduction in fines and penalties or acceptance of early guilty plea credit. In addition, cooperation will allow the SFO to conclude any investigation within tightly defined timescales (as outlined above). We will need to wait to see whether these timelines are applied in practice. 

Looking forward

Given that corporate crime investigations are often multi-jurisdictional in nature, it will be important to assess how the Guidance compares with guidance published in other relevant jurisdictions. Broadly, the Guidance does align with the approach of other jurisdictions and moves the UK closer to the detailed framework for corporate cooperation in the US. There are, nonetheless, potential areas of divergence. For example, the UK Guidance arguably goes further than many jurisdictions, including the US, by indicating an expectation that a company will identify and seek to preserve data held by third parties and by insisting that organisations should proactively coordinate investigation efforts with the SFO.

This direction of travel fits within the wider framework for corporate crime reform in the UK. The expansion of liability of organisations for the actions of their senior managers and the new failure to prevent fraud offence (FTPF) illustrate that combatting corporate crime is high-priority for the Government and enforcement agencies.  

The SFO’s Director, Nick Ephgrave, has recently indicated the steps the agency is considering to improve its investigations, including focusing on cases that are most likely to lead to worthwhile outcomes. He also notes the greater use of covert techniques and incentivisation of whistleblowers, which feature in the SFO’s 2025-26 Business Plan. The final outcome of the SFO’s Information and Disclosure Review is also set to be announced in 2025-26. With the FTPF coming into force in September 2025 and various other developments being discussed, it will be important for organisations to prepare to be able to respond to a fast-changing corporate crime landscape.