Corporate Fraud: will your compliance processes satisfy the SFO following a self-report?
Now that the new ‘failure to prevent fraud’ offence is in force and SFO guidance continues to come out, it seems timely at the start the new year to remind all organisations to implement adequate and effective anti-fraud measures.
On 1 September 2025, the failure to prevent fraud offence came into effect (this is found in ss199 to 206 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA)). It means that any organisation within scope will be criminally liable if:
· an employee, agent, subsidiary or other associated person commits a specified fraud offence for the organisation's benefit, and
· the organisation does not have reasonable fraud prevention procedures in place
Businesses must implement anti-fraud measures to prevent corporate fraud, otherwise they risk prosecution. While the new offence applies to large organisations (including subsidiaries) - SMEs and other small businesses, charities and other organisations must also comply with anti-fraud measures, anti-money laundering and the Bribery Act 2010.
Indeed, the government is actively encouraging smaller organisations to view SFO Guidance as best practice.
In its latest guidance document1 (published November 2025), the SFO sets out its guidance on corporate compliance. It sets out six specific scenarios the SFO says it may evaluate, to determine whether:
· a prosecution is in the public interest
· to consider a deferred prosecution agreement (DPA)
· to include compliance terms and/or a monitorship as part of any DPA
· an organisation has a defence of “adequate procedures” to a charge of failure of a commercial organisation to prevent bribery (s7 Bribery Act 2010)
· it has a defence of “reasonable procedures” to a charge of failure of a commercial organisation to prevent fraud (s199 ECCTA)
· the existence and nature of the compliance programme is a relevant factor for sentencing considerations
Organisations will find the SFO’s discussion of these factors invaluable when reviewing and implementing their compliance systems, policies and staff training. It’s a classic example of a ’prevention is better than cure’ approach, which benefits all concerned.
Self-reporting
It is, therefore, vital to remember the importance of self-reporting. This is the focus of the SFO’s April 2025 guidance for companies on self-reporting, co-operation and DPAs. By way of reminder, self-reporting can easily be done via a secure reporting portal to the SFO intelligence division.
A company that self-reports, and genuinely and fully co-operates with investigators, will likely be invited to negotiate a DPA instead of facing prosecution (subject to exceptional circumstances).
Following a self-report, the SFO will get in touch within 48 hours and decide next steps. Reassuringly, the SFO’s overarching approach is that an organisation who self-reports suspected fraud or other criminal conduct is considered a responsible organisation; and it will take that – and genuine cooperation - into account when deciding what (if any) action to take.
All companies and other organisations, including charities, must act now to ensure they have proper fraud prevention systems in place.
1SFO Guidance on Evaluating a Corporate Compliance Programme - https://www.gov.uk/government/publications/sfo-guidance-on-evaluating-a-corporate-compliance-programme/sfo-guidance-on-evaluating-a-corporate-compliance-programme#legal-background-and-guidance
If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you