Key insights from the SFO's updated guidance on corporate co-operation

On 24 April 2025, the UK's Serious Fraud Office (SFO) published its updated guidance (the Guidance) on corporate co-operation and enforcement in relation to corporate criminal offending. 

The Guidance seeks to encourage corporates to self-disclose suspected criminal activity and sets out the SFO's expectations in relation to co-operation with its investigation.  

This briefing summarises the key elements in the Guidance and our thoughts on how it will influence the SFO's approach to corporate prosecutions under the current SFO Director, Nick Ephgrave.

A new dawn for DPAs

The headline message in the Guidance is that corporates that promptly self-report and co-operate fully with the SFO will be invited to negotiate a Deferred Prosecution Agreement (DPA), in all but exceptional circumstances.  This is a notable departure from the SFO's previous guidance on corporate co-operation, which stated that "co-operation – even full, robust co-operation – does not guarantee any particular outcome."

The SFO has negotiated 12 DPAs to date but has not entered into one since 2021.  The Guidance therefore indicates a clear change of emphasis regarding the SFO's intended use of DPAs as the preferred tool in response to corporate criminal offending.       

Corporates will need to consider whether to self-report and their approach to co-operation with the SFO's investigation carefully, in order to benefit from the SFO's commitment to invite corporates that self-report and co-operate to negotiate a DPA.

To self-report or not to self-report?

The Guidance is clear that the SFO does not expect corporates to fully investigate a matter before self-reporting where there is direct evidence of corporate offending.  Further investigation may be required before a self-report is made, where the position is "less clear-cut", but the Guidance is noticeably quiet on how corporates should approach that assessment.

There are a number of factors that corporates should consider when deciding whether to self-report which are not addressed in the Guidance (including business interruption resulting from an investigation, strength of evidence and the corresponding likelihood of prosecution if a DPA is not agreed). 

Corporates will also need to consider self-reporting to the SFO in the context of other mandatory reporting obligations to regulatory and overseas authorities (including, for example, the Principle 11 reporting obligation for regulated firms).  The Guidance expressly notes that reports made to other authorities will not be considered a self-report unless the offending is separately reported to the SFO. 

The challenge for corporates will be ensuring a coordinated approach which avoids the risk that inconsistent information is shared with different authorities.  The Guidance specifically calls out strategic "forum shopping" by reporting to another jurisdiction as unco-operative conduct.  The Director has publicly stated his intention to cultivate the SFO's relationship with domestic intelligence agencies, and forge new alliances with overseas enforcement authorities – which increases the risk of inconsistent reporting being identified and penalised.

Expectations of co-operation

The degree of co-operation provided during an investigation is another key determinant of whether a corporate will be invited to negotiate a DPA and requirements for such co-operation will differ depending on whether a self-report has been made.  Where a corporate does not self-report, a DPA will still be considered if it has provided "exemplary co-operation" with the SFO's investigation.  

Examples in the Guidance of conduct that is likely to be viewed as "exemplary co-operation" include: 

• preserving all digital and hard copy material that is likely to be relevant to the SFO's investigation;
• identifying all persons involved in the suspected criminal conduct when presenting the facts;
• providing financial information regarding the benefit and/or harm the offending has caused; and
• engaging early with the SFO in relation to any internal investigation, including informing the SFO in advance of proposed steps, providing timely updates, providing non-privileged interview records and notifying the SFO of interest or involvement of other regulators or prosecutors.

The Guidance states that corporates that elect not to waive privilege will not be penalised but a waiver of privilege will be considered to be a "significant co-operative act".  Whereas the SFO's previous guidance stated that a corporate that did not waive privilege "does not attain the corresponding factor against prosecution that is found in the DPA Code but will not be penalised by the SFO", the new Guidance reiterates that non-waiver will not be penalised but puts far greater emphasis on the fact that the SFO will regard privilege waiver as a mark of significant co-operation weighing "strongly in favour of co-operation".   

Clarity on process

The Guidance provides much-needed clarity on the SFO's expected process and timescales following receipt of a self-report. Following a self-report, the Guidance notes that the SFO will seek to:

• contact the self-reporting corporate within 48 hours;
• provide regular updates throughout the investigation process;
• decide whether or not to open an investigation within six months of a self-report;
• conclude its investigation with a "reasonably prompt time frame"; and
• conclude DPA negotiations within six months of inviting a corporate to negotiate.

Commitment to these timescales is another clear attempt to incentivise self-reporting. The defined timescales in the Guidance also reflect the SFO's recognition of previous criticisms regarding the speed of case progression.¹ 

Whether the SFO is able to keep to these timescales – in circumstances where it is encouraging more self-reporting at the earliest possible stage of enquiries – will be a litmus test to determine if the SFO has improved its case management processes under the leadership of Nick Ephgrave.

What does this mean for corporate prosecutions?

In quoted remarks included in a press release published alongside the Guidance, the Director stated that for corporates with knowledge of wrongdoing, "the gamble of keeping this to yourself has never been riskier." 

There is no doubt that the Guidance reflects the SFO's increasingly assertive approach under Nick Ephgrave, but whether the Guidance will lead to more self-reports remains to be seen.  Corporates might be persuaded to make an early self-report if – as the Guidance suggests – the SFO will complete its investigation process promptly as a result.  This would provide welcome certainty for corporates that choose to co-operate, while minimising business interruption and allowing the firm to resolve legacy corporate offending issues sooner.  On the other hand, self-reporting issues exposes corporates to the risk of the SFO (and its domestic and international counterparts) taking a wider interest in the affairs of the company – which may prompt tangential but equally disruptive enquiries.  

Corporates should also consider the Guidance in the context of the broader corporate criminal landscape, notably the new test for attributing criminal conduct of senior managers to corporates and the new corporate criminal offence of failing to prevent fraud.  The Director has made clear his intention to use these new enforcement tools and has stated that the SFO is actively seeking cases to investigate once the new failure to prevent offence comes into force on 1 September 2025.   

In practice, corporates will need to commit significant resources in order to demonstrate the full and effective co-operation required to secure credit from the SFO.  Firms will be conscious of the SFO's recent track record which has seen no DPAs in four years and very few convictions of corporates for economic crime.  They may therefore take the view that the risk of enforcement is not sufficiently acute to justify the time and cost of co-operation.  

With Nick Ephgrave's clear statement that the SFO is actively looking for cases to investigate – including, once the offence comes into force, conduct within scope of the new failure to prevent fraud offence – some of the outstanding questions posed by the Guidance may be answered sooner rather than later.