Important new SFO guidance on corporate co-operation published: open the door or wait for the knock?
9 May 2025
8 min read
/Passle/5d9604688cb6230bac62c2d0/SearchServiceImages/2025-05-09-09-28-57-499-681dcad9e67a921cdfb5aa32.jpg)
Summary
On 24 April 2025, the Serious Fraud Office (SFO) published its updated External Guidance on Corporate Co-Operation and Enforcement in Relation to Criminal Offending.
The new guidance explains the nature of the cooperation the SFO now expects from corporates in order to be invited to negotiations for a Deferred Prosecution Agreement (DPA). At its heart, the SFO guidance reiterates the expectation that a corporate which has identified that it has engaged in suspected criminal conduct proactively reports this to the SFO (known as a “self-report”).
However, in a significant change in emphasis, the SFO now makes clear that: “If a corporate self-reports promptly to the SFO and co-operates fully we will invite it to negotiate a DPA rather than prosecute unless exceptional circumstances apply”. The guidance now indicates that a DPA will be the ‘default’ resolution where there is a self-report and full cooperation; whereas the previous guidance indicated that such behaviours would only be a “relevant consideration” in forming part of a “genuinely proactive approach”, which may amount to a public interest factor tending against prosecution.[1] The SFO has also for the first time set itself specific target timeframes for responding to corporates who self-report.
In this article we consider the key changes in the new guidance and the extent to which they are likely to achieve the SFO’s aim of encouraging more self-reporting by corporates. The changes provide greater clarity compared to the prior version of the guidance, which is to be welcomed. But it is uncertain whether the new guidance will actually increase the prevalence of corporate self-reporting to the SFO. The fact that no DPAs have been entered into by the SFO since 2021 suggests that companies are not self-reporting, and the new guidance does not fundamentally change the balance of matters that the directors of a corporate will need to weigh in considering whether and when to make a self-report.
What is a self-report?
A “self-report” is where a company identifies that it (or any associated persons or subsidiaries) has engaged in suspected criminal conduct and willingly reports this to the SFO (or other authority, where applicable). Making a self-report is considered by the SFO to be the first step in displaying cooperative behaviour to achieve more lenient treatment and/or the avoidance of prosecution.
The SFO expects a self-report to contain enough information to understand the nature and extent of the suspected offending by identifying the relevant:
- facts and evidence concerning the suspected offences;
- individual(s) (both those inside and outside the organisation); and
- jurisdiction(s).
The self-report must be made to the SFO itself (a report to another authority - e.g. a suspicious activity report to the National Crime Agency (NCA) or report to the Financial Conduct Authority - does not count).
On the issue of timing, the SFO now provides a little more guidance and acknowledges that a corporate may need to conduct at least some internal investigation before it is able to self-report. The SFO says that it expects a report to come forward “within a reasonable time of [the suspected criminal conduct] coming to light”, adding that “if there is direct evidence of corporate offending, we would expect a corporate to self-report soon after learning of that evidence” but that “if the position is less clear-cut we recognise that some further investigation may be necessary”.
What is the newly proposed timetable?
Where a company self-reports, the guidance provides that the SFO will seek to comply with the following timelines:
- Contact a self-reporting corporate within 48 business hours of a self-report or other initial contact.
- Decide whether or not to open an investigation within 6 months of a self-report.
- Conclude its investigation “within a reasonably prompt time frame”.
- Conclude any DPA negotiation within 6 months of sending an invitation to a corporate.
Although these timeframes appear pragmatic, it is unclear what they will mean in practice. For instance, suggesting that the SFO will open an investigation within 6 months, and conclude one within a “reasonably prompt time frame” remains uncertain and unclear (respectively), especially given the protracted time it has – to date – taken SFO investigations to be both opened and closed.
What is cooperation?
The degree to which a corporate co-operates with an SFO investigation is stated to be “a key factor when deciding how a case is resolved and the level of penalty”. The guidance asserts that “only a genuinely co-operative corporate will be invited to engage in DPA negotiations”.
In its previous guidance, the SFO stated that “the very nature of cooperation means that no checklist exists that can cover every case”. It has now reconsidered and more helpfully provides a non-exhaustive list of 20 steps which will constitute examples of “cooperative conduct”. In summary, cooperation includes:
- Preserving, collecting and identifying all (our emphasis) material likely to be relevant to the SFO’s investigation (including digital and hard copy material).
- Presenting the facts on the suspected criminal conduct, identifying all (our emphasis) persons involved and disclosing any relevant previous criminal conduct.
- Proactively liaising with the SFO regarding any internal investigation. That may include disclosing non-privileged records of interviews. If the interview records are subject to legal professional privilege, the guidance provides that “a voluntary waiver of privilege over such records will weigh strongly in favour of co-operation”.
- Providing information on any disciplinary action taken and changes to personnel made as a result of the offending.
- Presenting a “thorough analysis” of the corporate’s compliance programme, its procedures at the time of offending and relevant remediation.
- Facilitating the SFO interviewing the corporate’s employees.
All of these represent the approach the SFO has required in practice from cooperating corporates over recent years although cooperation under the new guidance now expressly involves providing more information to the SFO.
The guidance sets out that if a corporate fails to self-report, it must instead provide “exemplary cooperation” to be eligible for a DPA. This reflects the approach previously taken in practice by the SFO, which has agreed DPAs with corporates that did not self-report. Undertaking all the examples of co-operative conduct set out in the guidance is “likely to be assessed as providing exemplary cooperation”.
What isn’t cooperation?
The guidance maintains the SFO’s position that obfuscation, ‘document dumping’ and tactical delay will be seen as uncooperative. It also now specifies that “forum shopping” (“unreasonably reporting offending to another jurisdiction for strategic reasons”) and exploiting differences between international law enforcement agencies or legal systems will qualify as examples of “unco-operative” conduct, which likely reflects the difficulties (some well-publicised) the SFO has faced with multi-jurisdictional investigations in recent years.
Whether to self-report?
The updated guidance and prospect of a DPA on a timetable for a company that self-reports its wrongdoing to the SFO “unless exceptional circumstances apply” is clearly designed to increase self-reporting. On its face, the messaging in the guidance seems clear: corporates who come forward promptly and co-operate fully will be treated fairly, and in all bar exceptional cases, eligible for a DPA.
This change in emphasis appears to reflect an increasingly pragmatic approach by the SFO, under the leadership of its Director, Nick Ephgrave, who, at a recent investigations conference, described himself as “a man you can do business with”. Mr Ephgrave has been public in his support for further measures to incentivise whistleblowing in the UK (by providing whistleblowers with financial reward, as is the practice in the US) and it is clear the SFO is very keen to encourage the reporting of wrongdoing and promote the benefits of doing so. This comes alongside a notable uptick in SFO enforcement activity, with the SFO having recently charged a London insurance firm with failing to prevent bribery and opened an international bribery investigation into a European data centre (with the support of the NCA).[2]
The new messaging in the guidance does not fundamentally change the underlying risk profile of a self-report, however. Corporates will still need to consider carefully how and when they make a self-report. To make a self-report is a step into the unknown. Corporates can expect to lose control over any investigation and be required to implement and evidence remediation. Although the SFO is indicating quicker timelines and ‘business-like’ dealings, an investigator/prosecutor is duty-bound to pursue all reasonable lines of enquiry and any investigation can be lengthy, complex and expensive for the parties involved. The difference now is – in all bar exceptional circumstances – the assured invitation to negotiate a DPA.
Even where a corporate fully co-operates and enters into a DPA, the impact on the corporate can be ongoing. Guralp Systems voluntarily “provided extensive and ongoing cooperation”[3] to the SFO following an investigation into conspiracy to make corrupt payments and failure to prevent bribery and received a DPA in 2019. However, it has since been unable to pay the financial penalty required under its DPA. Attempts to negotiate an extension seem to have petered out and the SFO now appears – with approval from the High Court – to be considering prosecuting Guralp.
Conversely, a number of companies have obtained DPAs with the SFO without self-reporting including. This has included Rolls Royce (2017), Airbus (2020) and Amec Foster Wheeler (2021), albeit whose cooperation was described as “extraordinary”, “to the fullest extent possible” and full (respectively). Entain plc, who agreed a DPA with the Crown Prosecution Service in 2023, also did not self-report, but their subsequent cooperation was described as “akin to self-reporting” and “exemplary” when the Court approved the DPA.[4]
The complexity which remains is that the history of DPAs suggests no substantive difference (our emphasis) between a corporate that self-reports early, and one that doesn’t – but later cooperates. The new SFO guidance alone doesn’t change that reality. Instead, a reality which the SFO will want to avoid going forward is their record of multiple collapsed prosecutions and withdrawn investigations. The SFO will hope that the new (theoretically ‘easier’) route to establishing corporate criminal liability introduced by the Economic Crime and Corporate Transparency Act 2023 will make their task of building and prosecuting cases simpler, although that is as yet untested before the courts.
Any decision to self-report is and must always be a carefully considered and balanced decision, as there remain risks and very good reasons why companies may not wish to do so. That includes, for example: the potential exposure for civil claims emerging from the alleged criminal conduct; the SFO’s ability to disclose information it has received to other government bodies; and the risk – when pursuing all reasonable lines of enquiry – that an investigation becomes multi-jurisdictional.
Although the SFO’s new guidance intends (and hopes) to tip the balance and encourage corporates not to gamble with the risks of delaying, whether it will have that effect remains to be seen.
This article was written by Guy Bastable, Andrew Matheson, Sam Aldous, Thomas Hubbard and Nick Mills.
[1]ARCHIVED CONTENT- Corporate Co-operation Guidance - Serious Fraud Office
[2]In a related and interesting move, the NCA is positioning itself similarly; stating that it currently has more active bribery cases than the SFO, links with international enforcement agencies and is similarly inviting “conversations” from corporates.