New Corporate Cooperation Guidance from the UK Serious Fraud Office: Doubling Down on DPAs

28 May 2025
View Debevoise In Depth
Key Takeaways:
  • The SFO has issued important new guidance on self-reporting and cooperation for companies aiming to obtain a Deferred Prosecution Agreement, which also outlines the SFO’s approach to internal investigation and privilege.
  • As a whole, the guidance does not represent a major shift in the SFO’s approach; however, it provides some further detail and insight into the SFO’s objectives, practices and expectations.
  • The new guidance represents a logical next step for the SFO and goes as far as it realistically can to encourage cooperation by companies, taking a notably more business-friendly position than the SFO has done under previous Directors. It should be viewed against the background of the SFO having almost completed the process of bringing together investigative tools that it has long sought to boost its effectiveness.

On 24 April, the UK Serious Fraud Office (“SFO”) issued important new guidance for companies aiming to obtain a deferred prosecution agreement (“DPA”) to resolve corporate offending rather than face prosecution by the SFO. This guidance, which replaces the corporate cooperation guidance published in 2019 under the previous SFO Director, Lisa Osofsky, outlines when and how a company should self-report, principles of cooperative conduct, and the SFO’s approach to internal investigations and privilege.

The new guidance largely reflects SFO practices with respect to DPAs which have developed since (and even before) the 2019 guidance. However, it also provides some further detail and insight into the SFO’s objectives and expectations of companies under the current Director, Nick Ephgrave QPM. Director Ephgrave has previously explained that a key aim of the new guidance is to help reverse a decline in the number of self-reports that the SFO has received from companies in recent years. Notably, the guidance states that a company that promptly self-reports and fully cooperates with the SFO will be invited to negotiate a DPA unless “exceptional circumstances” apply. In oral remarks made the same day that the guidance was issued, Director Ephgrave described this as “as good a guarantee as you can get”. He also emphasised that he wants to “do business” with cooperative companies and help them survive by settling criminal conduct through DPAs instead of facing highly damaging prosecutions.

Self-Reporting

A significant change to the 2019 guidance is the codification of the existing practice that a corporate that self-reports promptly to the SFO and cooperates fully will be invited to negotiate a DPA rather than be prosecuted, unless there are some (unspecified) “exceptional circumstances”. The SFO’s previous guidance on self-reporting noted that this was a relevant factor tending against prosecution but took a more cautious tone as to whether “reporting properly and fully the true extent of the wrongdoing” within a “reasonable time of the offending coming to light” would ultimately enable companies to avoid prosecution. The new guidance provides a clearer picture for companies of the SFO’s attitude to self-reporting and the likelihood that it will result in a DPA.

The guidance repeats the DPA Code provision that companies should notify the SFO within a “reasonable time” of suspected offending coming to light; what that means depends on the specific circumstances, and companies may investigate suspicions before self-reporting to understand the nature and extent of the issue. However, where there is “direct evidence of corporate offending”, the SFO expects companies to self-report “soon” after learning of that evidence, but it acknowledges that companies may need to conduct some further investigation in less clear-cut cases.

The guidance indicates that a company making a self-report should identify for the SFO:

  • All relevant known facts and evidence concerning the suspected offences;
  • The individuals involved, both inside and outside the organisation;
  • The relevant jurisdictions;
  • The location of key material; and
  • In the questions on the new secure reporting portal — a summary of the allegations, including details of when, where and what suspected offences took place.

Cooperation

Alongside self-reporting, the new guidance emphasises the importance of “genuine” cooperation with the SFO’s investigation as a condition for a company to be invited to negotiate a DPA. The guidance also notes that (as illustrated by the Rolls-Royce DPA in 2017) a company that does not self-report but provides “exemplary” cooperation is still eligible for a DPA. The 2019 guidance again took a more cautious tone on this topic, stating that “cooperation — even full, robust cooperation — does not guarantee any particular outcome”.

The new guidance contains a non-exhaustive list of exemplary cooperative conduct. These range from straightforward, practical measures and steps that are familiar from the 2019 guidance (such as producing relevant overseas documents within the company’s control and making employees available to the SFO for interviews) to significant new expectations. Examples of the latter include:

  • Presenting the facts on the suspected criminal conduct, including identifying all persons involved;
  • Providing information regarding any previous relevant corporate criminal conduct and how this was resolved; and
  • Presenting a “thorough analysis” of the company’s compliance programme and procedures at the time of offending and how the company has remediated (or plans to remediate) any deficiencies. This is aimed at probing whether the corporate may be able to rely on the ‘adequate procedures’ defence for failure to prevent bribery under section 7(2) of the Bribery Act 2010 or the ‘reasonable procedures’ defence for failure to prevent fraud under section 199(4) of the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”).

Internal Investigations and Privilege

Where a company conducts an internal investigation, the guidance indicates that the SFO expects the company to: engage with it at an early stage regarding the parameters of the investigation, inform it in advance of proposed steps, not take any steps that might prejudice the SFO’s investigation, refrain from interviewing employees when requested to do so, and provide timely updates and key findings. The extent to which the SFO may influence the internal investigation beyond asserting certain steps that the company should not take is unsurprisingly not addressed, but this is likely to vary depending on the SFO’s interest in the case and its assessment of the company’s conduct during the investigation.

The 2019 guidance indicated that the SFO would treat waiving privilege over records of witness interviews and other internal investigation materials as a factor weighing against prosecution (although a company deciding not to waive privilege would not be penalised) and that a company claiming privilege was expected to provide certification by independent counsel that the material in question was in fact privileged. The new guidance does not explicitly refer to the independent certification requirement and is more explicit on the positive consequences of voluntary waivers of privilege, stating that this will be viewed as a “significant cooperative act” and will “weigh strongly in favour of cooperation”. This largely mirrors the SFO’s approach in practice over the last few years.

SFO Timeline

An interesting addition in the new guidance is the SFO outlining its goals for handling a self-report. Once it receives a self-report, it aims to:

  • Contact the company within 48 business hours;
  • Provide regular status updates;
  • Decide whether to open an investigation within six months;
  • Finalise its investigation within a “reasonably prompt” timeframe; and
  • Conclude DPA negotiations within six months of sending an invitation to negotiate.

This provides a useful indication of the SFO’s investigative timeline, particularly early in the process, although of course it leaves plenty of scope for flexibility. It also signals the SFO’s intention to bring a renewed focus to how long it takes to open and complete investigations and avoid the significant delays it faced in handling some historical cases. By way of example, the SFO closed its investigation into ENRC after more than a decade due to “insufficient admissible evidence to prosecute” and closed its investigation into Rio Tinto after six years after determining that a prosecution would not be in the public interest.

Commentary

The new guidance represents a logical next step for the SFO and goes as far as the SFO realistically can to encourage self-reporting and cooperation by companies. As a whole, it does not represent a paradigm shift in the SFO’s approach, though the codification of its practices and expectations is a welcome development.

The guidance takes a notably more business-friendly position than the SFO has done under previous Directors, signalling a retreat from the more expansive warnings about companies ‘trampling on the crime scene’ through conducting internal investigations and asserting that internal investigation witness interviews should be recorded. Interestingly, new points in the guidance seem to hint that, at least in appropriate cases, the SFO may place more reliance on companies running their internal investigations (subject to the SFO’s deconfliction approach) and turning over their findings and evidence, rather than the SFO commencing its own investigations from scratch. Director Ephgrave’s statements stressing the SFO’s increasing focus on receiving self-reports and resolving cases through DPAs instead of prosecution are likely aimed at striking a delicate balance between the SFO’s fundamental objective of combatting corporate wrongdoing and the UK Government’s agenda of encouraging business and economic growth. Notwithstanding this shift towards greater leniency for self-reporters, the SFO’s new approach remains some way behind the revised Corporate Enforcement and Voluntary Self-Disclosure Policy recently announced by the U.S. Department of Justice (“DOJ”), which states that a company that voluntarily self-discloses misconduct, fully cooperates, implements timely and appropriate remediation, and has no aggravating circumstances will be guaranteed not merely a DPA but a non-criminal resolution in the form of a declination (subject to payment of any applicable disgorgement, forfeiture or restitution). Needless to say, there is a significant gulf between a DOJ declination and an SFO-led court-approved DPA in the UK.

While the guidance provides a helpful framework for companies assessing how they should handle potential criminal conduct, determining a company’s approach to key strategic issues and implementing this in practice — particularly regarding whether and when to self-report, how much to cooperate with the SFO and when to push back on its requests, and how to manage (and protect) privilege — is highly complex and will always need to be weighed carefully on a case-by-case basis. In this context, it should be borne in mind that the SFO applies an exacting standard when evaluating the content and quality of any self-report: specifically, the SFO has tended to take the view that a genuine self-report requires a company to identify its own criminal conduct, not merely the criminal conduct of others (such as employees or third parties). This is reinforced by the requirement in the new reporting portal to provide details of the “suspected offences”.

In relation to the timing of a self-report, Director Ephgrave’s comments that “As soon as you have … just reasonable suspicion you’ve got some offending going on – that’s the point at which you stop, that’s the point at which you talk to us” indicates that the SFO is expecting companies to apply a relatively low threshold for suspicion when self-reporting. This potentially muddies the waters further and may be at odds with the guidance itself, which allows companies a “reasonable time” to notify the SFO and room to investigate suspected offending first. This test of “reasonable suspicion” should not be confused with the very low threshold for filing an anti-money laundering Suspicious Activity Report under the Proceeds of Crime Act 2002 (“a possibility, which is more than fanciful”). But it is still a low bar and, importantly, the SFO is certainly asking companies to self-report before they uncover evidence establishing an offence on the ‘balance of probabilities’ civil standard.

The new guidance should be viewed against the background of the SFO having almost completed the process of bringing together investigative tools that it has long sought in order to boost its effectiveness. Companies should consider several other recent (and anticipated future) developments when dealing with the SFO:

  • The SFO is expected shortly to introduce guidance and incentives for whistleblowers, which may include financial rewards along the lines of the U.S. model. This could be the ‘game-changer’ that the SFO is looking for and affect whether and when company decides to self-report suspected wrongdoing, to avoid a whistleblower being first to notify SFO. The DOJ’s newly-expanded whistleblower awards programme is a tool that the SFO currently views with great envy.
  • In December 2023, the ECCTA expanded corporate liability for a wide range of offences to the actions of a “senior manager” acting on behalf of the company, replacing the much more restrictive “directing mind and will” test.
  • In March 2025, the SFO announced a joint prosecutorial taskforce with French and Swiss authorities to tackle international bribery and corruption, strengthening cooperation and coordination among the three countries.
  • In September 2025, the ‘failure to prevent fraud’ corporate offence in the ECCTA will enter into force. Directive Ephgrave has previously signalled that the SFO seeks to be the first agency to prosecute a company using this new offence as soon as it identifies an appropriate case.
Given the likely current slowing of the referral pipeline from traditionally valuable sources such as the DOJ during its current pause of Foreign Corrupt Practices Act enforcement, the SFO appears to be trying to seize the moment and ensure that it gathers self-reports — and thus new cases — from companies directly. More broadly, Director Ephgrave has made it clear that the SFO intends to take a more proactive approach to enforcement than has been the case in recent years, including by looking for cross-border cases that might previously have been led by the DOJ. All indications are that the SFO is seeking to re-assert its role as a leading international enforcement agency after an extended period of turmoil, mixed enforcement success and having largely cleared a backlog of historic cases.

 

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.