Taking it all into account - The relevance of a compliance programme for SFO cases

There has been an increasing emphasis in recent years on the duty of commercial organisations across the globe to ensure compliance with their legal, regulatory and in some cases, ethical, duties, through the development of and adherence to appropriate policies and procedures. Such policies are aimed both at preventing wrongdoing by individuals on behalf of the company and at protecting the organisation itself from charges that it has breached its duty to prevent misconduct, with the consequent adverse publicity. New guidance by the UK’s Serious Fraud Office (SFO) stresses that the SFO will consider the effectiveness of an organisation’s compliance policy very carefully as part of any investigation into possible wrongdoing by that organisation. Businesses are reminded yet again, if need be, of the importance of ensuring they implement appropriate procedures to reduce the risk of wrongdoing by their organisation.

New SFO guidance

The SFO has recently published, as part of its operational handbook, new guidance on how it will evaluate an organisation’s compliance policy in any investigation into alleged wrongdoing. The guidance is primarily for the SFO’s internal use and is expressly not to be relied upon as providing legal advice, being published “solely in the interests of transparency”. Those hoping for a line-by-line precedent for an effective compliance policy will be disappointed - the guidance does little more than repeat the Ministry of Justice’s guidance on adequate procedures that accompanies the UK Bribery Act 2010 (UKBA). However, it does set out when and to what extent the SFO will take the existence and contents of a compliance programme into account in its charging decisions. It is likely to be of particular interest to organisations facing potential charges under the UKBA and/or seeking to resolve any misconduct by way of a deferred prosecution agreement (DPA).

Impact on the decision to prosecute

The SFO’s guidance accepts that compliance arrangements will vary considerably from business to business. There is no one-size-fits-all – indeed, policies should be developed to deal with the specific risks a given organisation faces. What is critical, however, is that a compliance policy should be proportionate, risk based and regularly reviewed. The guidance notes that when assessing the state of an organisation’s compliance policy as part of an investigation, the SFO will consider “the past, the present and, in some cases, even the future.” This is because the state of a company’s compliance programme at different times will be relevant to different prosecutorial decisions and potentially lead to differing outcomes.

The past

It is more likely to be in the public interest to prosecute an offence if, at the time the wrongdoing took place, a company’s compliance programme was “ineffective”. This approach emanates from the Guidance on Corporate Prosecutions (GCP), to which the SFO and other prosecutors must adhere when making charging decisions. Conversely, a company will have a full defence to a charge under section 7 UKBA of failing to prevent bribery by associated persons, for example, if it had adequate procedures in place to prevent such misconduct, even if a bribery offence did subsequently occur.

The present

An organisation with a poor compliance policy at the time of the offending may nonetheless have taken steps subsequently to strengthen its procedures. This would be relevant to a charging decision under the GCP as demonstrating “remedial actions”, such that a prosecution would not be in the public interest. The current state of a company’s compliance programme is also an important factor in any decision by the SFO to offer a DPA. When approving the DPA offered to Rolls-Royce plc in January 2017 the judge, Sir Brian Leveson, commented that the company “could not have done more to address the issues that have now been exposed”. The “significant” steps the company had taken included reviewing and auditing its policies and programmes and introducing regular compulsory training on compliance topics for its staff.

The future

Even where an organisation does not yet have an effective compliance programme in place, a DPA may still be appropriate as conditions can be imposed on the organisation to change or improve its procedures, as part of the DPA. These changes will usually be overseen by an independent monitor, who may report back to the court if the conditions are not fulfilled.

Impact on sentencing

The existence or otherwise of an effective compliance programme may also be taken into account on sentencing if a prosecution is ultimately pursued and successful. An effort by an organisation to put some bribery prevention measures in place, even if insufficient to amount to a defence, may still be relevant to sentencing as a reflecting lesser culpability under the Sentencing Guidelines for fraud, bribery and money laundering offences. Similarly, the court may take into account the impact of any fine on a company’s ability to implement an effective compliance programme when assessing the level of any penalty to be imposed.

Evaluating compliance programme in bribery cases

Ever since the UKBA came into force in July 2011, businesses have been requesting official advice on the compliance procedures that would be considered sufficiently “adequate”. Guidance from the Ministry of Justice to accompany the UKBA sets out a list of six key principles that a compliance policy aimed at preventing bribery should follow. However, the adequacy of a specific compliance policy has only been considered once by the courts, in the case of Skansen Interiors Limited. This was a small private company which was found guilty in February 2018 of the section 7 UKBA offence of failing to prevent bribery by an associated person (in this case, a director and several senior managers). Its defence that it had adequate procedures in place failed before the jury. Despite its small size, the company should still have taken steps to assess its risk, develop appropriate policies and ensure all staff were trained on them. Someone at a senior level should have been tasked with ensuring the company’s anti-bribery controls were embedded within the business and complied with, and adequate reporting and approval lines should have been implemented.


The SFO has repeatedly said that it will not give specific advice on what may or may not amount to an effective corporate compliance programme. However, the position is becoming clearer. Put at its simplest, organisations should ensure they develop a programme that is appropriate to their circumstances, taking into account their own exposure to risk. They should make sure their employees know about it and their top management backs it. Above all, they must monitor its operation and keep it under review, adapting and refining it as circumstances change. As the new guidance indicates, the SFO will be looking at the wide variety of circumstances surrounding a company’s compliance policy and taking them all into account.