The SFO’s New Compliance Program Guidance: Compliance is a Verb

The Serious Fraud Office’s 2025 Guidance on Evaluating a Corporate Compliance Program is more than another regulatory document. It is a bright line in the sand. It says, with unmistakable clarity, that compliance must move beyond paper, policies, and PowerPoints. The era of check-the-box compliance is over. The SFO wants to know whether your program works, whether it is embedded, and whether it actually shapes employee behavior at the moment of risk.

For corporate compliance professionals, this should be welcome news. For years, I have advocated that compliance is effective only when it is operationalized, when it is woven into business processes, incentives, controls, communications, and culture. Indeed, it is the subtitle of my seminal work, The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. The SFO has now said the quiet part out loud: if your program does not function in practice, it will not be credited, and it will not protect the organization in the moments that matter most.

The SFO Is Not Evaluating Paper. It Is Evaluating Performance.

The SFO identifies six scenarios in which it evaluates a company’s compliance program, including charging decisions, DPAs, monitorships, and statutory defenses under the Bribery Act and the ECCTA failure-to-prevent fraud offence. In each scenario, the question is the same: did the program work at the time of the misconduct, and does it work today?

The guidance explicitly flags that a company with an ineffective program at the time of the offence faces a public-interest factor in favor of prosecution. Conversely, proactive remediation and an already-effective program weigh against prosecution. This is a radical shift in emphasis. A policy framework will not suffice. A training slide deck will not suffice. A risk assessment performed once every three years will not suffice.

The SFO wants evidence of operational behavior:

  • Were approvals actually checked, or were they just required?
  • Were red flags escalated in practice, not just in policy?
  • Were third-party risks managed through real due diligence, not just questionnaires?
  • Did employees feel empowered to speak up?
  • Did managers respond appropriately when they did?

The guidance says it plainly: “A key feature of any compliance program is that it needs to be effective and not simply a ‘paper exercise.’” That sentence should be printed above every compliance officer’s door.

Adequate vs. Reasonable vs. Effective: The SFO’s Focus Is on Reality

The legal standards differ across regimes (“adequate procedures” for the Bribery Act and “reasonable procedures” for ECCTA failure to prevent fraud), but the SFO’s approach is consistent across all of them. The prosecutor will examine whether the program operated as designed. A beautifully written policy that sits untouched in a shared drive does nothing for your defense. Under both frameworks, the principles are clear:

  • Top-level commitment must be visible and sustained. Tone-from-the-top is no longer a slogan. Executives must demonstrate operational ownership through resources, messaging, and decisions.
  • Risk assessments must be dynamic and documented. Periodic reviews are insufficient. Companies must revisit risks as business models, markets, and products evolve.
  • Due diligence must be risk-based and enforced. The SFO will look for evidence of follow-through: actual reviews, remediation steps, and periodic refreshes, not just questionnaires.
  • Training must reach the right people, at the right depth, at the right time. If frontline staff cannot articulate how policies apply to real situations, the program is not embedded.
  • Monitoring and review must capture failures and lead to improvements. The SFO expects companies to learn from investigations, whistleblowing incidents, and near misses.

These principles have one common trait: they require action, not intention. Indeed, it is clear that “compliance” is a verb.

How the SFO Looks Behind the Curtain

The SFO’s FAQs section is an important reality check. The agency describes its evaluation process as holistic, evidence-based, and focused on operational activity (pages 10–12). It will use every investigative tool at its disposal.

This includes:

  • voluntary disclosures
  • compelled document production under section 2
  • witness interviews
  • suspect interviews
  • direct questions to the organization

Why is this important? Because the SFO is not taking the company’s word for anything. Assertions are not evidence. The agency will “dig behind generalities and challenge high-level assertions” to determine whether policies translate into conduct. In other words, if the program only exists in policy language, the SFO will know, and quickly.

DPAs and Monitorships: Operationalized Compliance Determines Outcomes

When considering whether a DPA is appropriate, the SFO again focuses on whether the program works in practice. A DPA is less likely if the program was ineffective at the time of the offence and has not substantially improved since. If the program failed but is now demonstrably effective, a DPA becomes more viable. If a monitorship is imposed, the SFO expects the monitor to advise on “necessary compliance improvements” that reduce future risk. This language reinforces a core message: compliance must be operational, measurable, and continuously improving.

For companies negotiating a DPA, this means a surge of paper policy updates is not persuasive. What prosecutors want to see is changed behavior, improved controls, and evidence that new measures are taking hold across the organization.

The Shift from Compliance as Documentation to Compliance as a Business System

The guidance mirrors a shift seen globally, from the DOJ’s “three questions” to the French AFA’s operational guidance, and places the United Kingdom in alignment with international enforcement trends.

Across regimes, regulators are converging on the same model:

  1. A well-designed program.
  2. Adequate resources and authority to operate.
  3. Proof that the program works in practice.

The SFO’s guidance aligns directly with this structure. For compliance officers, that means your influence must go beyond policy drafting. Compliance must embed itself into:

  • procurement workflows
  • HR processes
  • incentives and compensation frameworks
  • approval systems
  • financial controls
  • business-development oversight
  • investigation protocols
  • continuous monitoring and data analytics
  • leadership behavior
  • cultural reinforcement mechanisms

This is what it means to operationalize compliance. A check-the-box program may look good in a binder. But it will not protect the company from enforcement, reputational harm, or sentencing penalties. A program that works in practice will. This means real controls, real accountability, real culture, and a real will to do so.

The Message for Compliance Leaders

The SFO is telling companies something essential: The risk is not that you have a compliance failure. The risk is that your compliance program cannot prevent one. Your company can withstand a failure. It cannot withstand a failure in a system that does not exist.

The guidance signals a new enforcement reality: companies that invest in operationalized compliance, which is truly embedded into how people work, will be treated differently, prosecuted differently, and negotiated with differently. For compliance leaders, the priority is clear. This is the moment to shift your program from aspirational to operational. Because when regulators ask whether your program works, the only answer that matters now is evidence.

Data Driven Compliance – Understanding the ECCTA and Its Impact with Jonathan Armstrong

Welcome to Season 2 of the award-winning Data Driven Compliance. In this new season, we will look at the new Failure to Prevent Fraud offense. Join host Tom Fox as we explore this new law and how to comply with it through the lens of data-driven compliance. This podcast is sponsored by konaAI. In this episode of Season 2, Tom Fox is joined by Jonathan Armstrong.

Tom and Jonathan explore the historical context of fraud laws in the UK, the specifics and implications of the new legislation, the role of the Serious Fraud Office under the new rules, and its impact on corporations, especially those with international operations. Jonathan also outlines necessary steps corporations need to take to comply with the Act and prevent fraud within their organizations, including the importance of thorough risk assessments, top-level commitment, and effective communication and training programs.

Key highlights:

  • Key Legal Points of the New Law
  • Jurisdiction and Global Impact
  • Fraud Risk Assessment and Prevention
  • Technological and ESG Fraud

Resources:

Jonathan Armstrong on LinkedIn

konaAI, a Covasant company

Click here for konaAI White Paper Rethinking Compliance: Practical Steps for Adapting to the UK’s New Fraud Legislation

Connect with Tom Fox on LinkedIn

Cross-Atlantic Fraud & Corruption Enforcement: Intersections and Divergences

In today’s dynamic compliance landscape, navigating the complexities of international corporate wrongdoing requires vigilance, foresight, and strategic action, as highlighted in a recent article entitled “Cross-Atlantic Impact: DOJ and SFO Self-Reporting and Enforcement Priorities,” by lawyers from McDermott, Will & Schulte. The article is an excellent review of areas where the fight against fraud and corruption aligns between the two countries and areas where they diverge. Today, I will review the article and consider what it means for the US company doing business in the UK or with UK companies.

The Serious Fraud Office (SFO) in the United Kingdom has made clear its expectations regarding self-reporting corporate misconduct, mainly aligning in philosophy, if not always in exact details, with its U.S. counterpart, the Department of Justice (DOJ). American companies must understand these nuances and adapt their compliance programs accordingly. Here are five critical reasons why U.S. businesses must closely monitor and adhere to the UK’s evolving fraud and bribery enforcement regime.

Prompt Self-Reporting Weighs Heavily in Favor of DPAs

The SFO guidance unequivocally states that companies demonstrating prompt self-reporting of corporate wrongdoing significantly increase their chances of obtaining a Deferred Prosecution Agreement (DPA). Conversely, any delay in self-reporting suspected wrongdoing “within a reasonable time of it coming to light” adversely impacts the company’s standing with the SFO.

Much like the DOJ, the SFO does not insist on complete internal investigations before self-reporting. Indeed, in many ways, both sets of prosecutors want companies to step forward as soon as possible. The degree of the inquiry expected depends on the clarity and strength of evidence. Where evidence indicates wrongdoing, companies are expected to self-report swiftly. Ambiguities may permit a more extensive preliminary investigation, but American companies should note that delays can risk losing the advantages offered by early disclosure.

Jurisdictional Triggers Demand Simultaneous Reporting

For American companies dealing with potential misconduct spanning jurisdictions, awareness and agility become paramount. According to SFO guidance, companies reporting suspected misconduct to another agency, such as the DOJ, should also inform the SFO simultaneously or immediately thereafter. Failure to do so negates any potential credit for self-reporting.

Consider a scenario where a company seeks a declination from the DOJ through prompt self-disclosure. Identifying a UK jurisdictional nexus, such as conduct occurring partly in the UK or financial impact felt within the UK, is crucial. The UK’s “failure to prevent bribery” and new “failure to prevent fraud” offenses can impose liability based on international conduct linked to a business presence or financial repercussions in the UK. Understanding and navigating these jurisdictional nuances quickly is imperative to safeguard against regulatory pitfalls and secure favorable treatment.

Increasingly Aggressive Fraud Enforcement

Fraud has emerged as a prominent enforcement priority for both the DOJ and SFO. American companies should pay particular attention to the UK’s new “failure to prevent fraud” (FTPF) offense, effective from September 1, 2025. This robust enforcement tool targets UK and non-UK entities whose associates engage in fraudulent conduct impacting UK interests.

American companies operating internationally must proactively establish “reasonable fraud prevention procedures” to counteract potential liability under this legislation. The urgency conveyed by the SFO, highlighted by senior officials expressing eagerness to utilize these new powers aggressively, cannot be overstated. Companies that neglect preparation risk being among the first prosecuted examples of this powerful legislation.

Coordination Between DOJ and SFO Enhances Risk Exposure

With the DOJ emphasizing fraud in areas affecting U.S. interests, ranging from healthcare and procurement fraud to investment scams, there is considerable overlap with misconduct addressed by the UK’s FTP fraud offense. The authors note that the US Supreme Court held in Kousisis v. United States that a defendant may be convicted of wire fraud for inducing a victim to enter a contract under material pretenses, even if there was no economic loss to the victim. This ruling may allow US prosecutors to pursue a broader range of fraud cases.

A cross-jurisdictional approach is therefore essential. American companies uncovering fraud that victimizes both U.S. and UK entities or markets must carefully assess reporting obligations to both jurisdictions. The simultaneous or nearly simultaneous reporting requirements heighten the stakes and complexity, demanding robust internal mechanisms for rapid assessment and disclosure.

Continuing Vigorous Anti-Bribery Efforts Globally

Despite temporary uncertainties in the DOJ’s stance toward anti-bribery enforcement, global initiatives indicate relentless international focus. The SFO has intensified anti-bribery efforts through initiatives like the International Anti-Corruption Prosecutorial Taskforce, collaborating closely with French and Swiss authorities. The SFO’s involvement in the International Anti-Corruption Coordination Centre (IACCC) further underscores its commitment. The authors report that “the IACCC aims to facilitate international cooperation on ‘grand corruption’ investigations, including concerning intelligence and evidence gathering.”

In addition to the IACCC, “In March 2025, the SFO established an ‘International Anti-Corruption Prosecutorial Taskforce’ with the French Parquet National Financier (PNF) and the Office of the Attorney General of Switzerland (OAG) (Taskforce). Through the Taskforce, the SFO, PNF, and OAG commit to strengthening their existing cooperation and collaborating to deploy their wide-reaching anti-bribery legislation to prosecute overseas conduct.”

The DOJ’s recent reaffirmation of anti-bribery efforts through its White-Collar Enforcement Plan, highlighting bribery and money laundering harming U.S. interests, may complement these international initiatives. American companies must remain vigilant regarding potential liabilities under both the FCPA and the UK Bribery Act, carefully calibrating their compliance programs to meet rigorous enforcement expectations across jurisdictions.

Practical Steps for American Companies

Given these compelling reasons to pay close attention to the SFO guidance and evolving UK legislation, American companies must take proactive steps to fortify their compliance efforts:

  • Enhance Internal Controls: Companies must quickly develop comprehensive “reasonable fraud prevention procedures,” supported by thorough risk assessments and regularly updated policies.
  • Cross-Jurisdictional Risk Assessments: Implement rigorous processes for promptly assessing jurisdictional ties when misconduct emerges, allowing immediate and coordinated reporting where necessary.
  • Integrated Compliance Training: Ensure global compliance teams, legal counsel, and executive management understand SFO and DOJ expectations clearly, fostering prompt, informed responses.
  • Monitoring International Developments: Maintain continuous awareness of evolving enforcement policies and initiatives, particularly regarding fraud and bribery, to swiftly adapt compliance programs accordingly.
  • Preparedness and Responsiveness: Establish clear protocols for internal investigations and self-reporting decisions, emphasizing speed and comprehensiveness to maximize potential cooperation credit.

Conclusion

Navigating the intricate and often intersecting expectations of the SFO and DOJ presents ongoing challenges for American companies. However, understanding the strategic implications of prompt self-reporting, jurisdictional coordination, aggressive fraud enforcement, international collaboration, and robust anti-bribery efforts is vital.

Proactive compliance management, aligned closely with evolving international regulatory landscapes, is not merely advisable but something that every multinational needs to put in place. American corporations should approach compliance with the understanding that today’s oversight environment demands swift and strategic decision-making to mitigate risks effectively and position themselves favorably in the face of potential regulatory scrutiny.

10 For 10: Top Compliance Stories For the Week Ending, July 27, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  • United Health says it is ‘cooperating’ after reports of a DOJ criminal investigation. (NYT)
  • BCG refuses to release the results of the external investigation. (FT)
  • New ABC sheriff in town. (Reuters)
  • Morgan Stanley screening draws scrutiny. (WSJ)
  • Carlos Ghosn finally faces justice. (Bloomberg)
  • What is the cost of the culture of silence at NASA? (WSJ)
  • Corruption tainting Milan skyline. (Bloomberg)
  • Companies are stuck in the ‘I-9 hell’ of paperwork. (FT)
  • Credit Suisse flagged Sanjeev Gupta for corruption, but the bank ignored it. (Bloomberg)
  • Megadeals are in the offing. (Reuters)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

You can purchase a copy of my new book, Upping Your Game, on Amazon.com.

Daily Compliance News: July 25, 2025, The New Sheriff in Town Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, including those related to compliance, ethics, risk management, leadership, or general interest, that are relevant to the compliance professional.

Top stories include:

  • Heathrow boss ‘slept through’ the March fire emergency. (BBC)
  • United Health says it is ‘cooperating’ after reports of a DOJ criminal investigation. (NYT)
  • BCG refuses to release the results of the external investigation. (FT)
  • New ABC sheriff in town. (Reuters)

You can donate to flood relief for victims of the Kerr County flooding by going to the Hill Country Flood Relief here.

Staying the Course in Compliance: Insights from Kristy Grant-Hart

Innovation comes in many areas, and compliance professionals must be ready for and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. Today, we begin a 3-part podcast series sponsored by Diligent with Clint Palermo, Kristy Grant-Hart, and Stephanie Font. In Part 3, Tom is joined by Kristy Grant-Hart, Vice President and Head of Compliance Advisory Services at Spark Compliance Consulting, a Diligent brand, about the state of compliance in the wake of recent changes to FCPA enforcement.

They discuss the importance of staying consistent with compliance programs, the role of regulatory bodies worldwide, and the practical implications of modern slavery and trade sanctions. Kristy emphasizes the need for a strategic focus on forward-looking risks and the benefits of combining Diligent’s software capabilities with expertise in compliance services. They also underscore the importance of maintaining psychological safety and a speak-up culture within organizations.

Key highlights:

  • The Importance of Consistency in Compliance
  • The Power of Combining Compliance Services with Technology
  • Strategic Focus for Compliance Officers

Resources:

Kristy Grant-Hart on LinkedIn

Spark Compliance

Visit Diligent Website

Everything Compliance: Episode 153, The CW 25 Edition

Welcome to this edition of the award-winning Everything Compliance. In this episode, the quartet of Matt Kelly, Jonathan Armstrong, Karen Moore, and Karen Woody is hosted by Tom Fox, the Compliance Evangelist.

  1. Karen Moore looks at state, international, and private prosecutions of various ABC laws. She rants at the Department of Education for setting up a 1984-style anonymous reporting line for students to report on their teachers.
  2. Matt Kelly reviews the Glencore DPA record. He has a shout-out to Microsoft for picking up Jenner & Block as counsel and rants about the GOP effort to abolish the PCAOB.
  3. Jonathan Armstrong reviews changes at the UK SFO. He shouts out to the compliance community for their support of Diana Trevley and encourages her continuing recovery now that she is back in the US.
  4. Karen Woody considers tariffs as a new source for FCA claims and shouts out to the movie Conclave.
  5. Tom Fox shouts out to former San Antonio Spurs coach Gregg Popovich, who announced his retirement on May 1.

The members of Everything Compliance are:

Tom Fox, the Voice of Compliance, is the host, producer, and sometimes panelist of Everything Compliance. He can be reached at tfox@tfoxlaw.com. The award-winning Everything Compliance is part of the Compliance Podcast Network.

10 For 10: Top Compliance Stories For the Week Ending, May 3, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you, the compliance professional, the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

You can check out the Daily Compliance News for four curated compliance- and ethics-related stories each day here.

You can purchase a copy of my new book, Upping Your Game, on Amazon.com.

2 Gurus Talk Compliance – Episode 51 – The Compliance Week at 20 Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • SFO plans to explore whistleblower rewards in fraud crackdown (Scottish Financial News)
  • Power Shift: What Happens When America Steps Back From Global AML Enforcement? (Corporate Compliance Insights)
  • AI Is Enabling an Always-On Economy. Companies Need to Pick Up the Pace. (WSJ)
  • Knife-wielding Florida man with last name ‘Cocaine’ arrested after allegedly attacking Subway employees with ‘bad attitudes’ (New York Post)
  • CW 25 Wrap-Up (Compliance Week)
  • Elizabeth Warren with 100 days of Trump corruption. (HuffPost)
  • House wants to strip FTC of antitrust work. (Reuters)
  • SFO issues corporate cooperation guidance. (SFO Press Release)
  • The man who posed as CCO was found guilty of fraud. (Bloomberg)

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Daily Compliance News: April 30, 2025, The 4 AM Wake-Up Call Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy morning coffee, and listen to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • China will support ‘normal’ business relations with US companies. (WSJ)
  • Don’t yell at your staff. (FT)
  • SFO issues corporate cooperation guidance. (SFO Press Release)
  • Waking up at 4 AM gains traction. (WSJ)