On April 24, 2025, the UK Serious Fraud Office (SFO) issued new guidance outlining key factors its prosecutors must weigh as they consider corporate enforcement actions, including whether to criminally charge companies or enter into Deferred Prosecution Agreements (DPAs). The “External Guidance on Corporate Cooperation and Enforcement in relation to Corporate Criminal Offending” (the “Guidance”), which replaces the SFO’s 2019 “Cooperation Guidance” (the “Prior Guidance”), places an emphasis on prompt self-reporting and full cooperation with SFO investigations as key considerations for prosecutors when contemplating resolving a corporate investigation through a DPA and forgoing formal charges, unless “exceptional circumstances” apply. The Guidance does not foreclose the possibility of a DPA where a company does not self-report if the company has “provided exemplary cooperation” with the SFO’s investigation. 

DPAs have been used in the United States for over 30 years as a corporate pre-trial diversion option along with non-prosecution agreements (“NPAs”), with federal authorities entering into an estimated 327 corporate DPAs between 1992 and the present.[1] As part of a growing, global trend in favor of adopting alternatives to criminal trials for corporate offenders, UK regulators first introduced DPAs in 2014 through the Crime and Courts Act 2013[2] (“CCA”) and appear to have entered into approximately a dozen DPAs since the passage of that legislation, with more than half the cases involving UK Bribery Act 2010 offenses.[3] In contrast, companies entered into an estimated 172 DPAs with U.S. authorities over the same period, 51 of which appear to involve U.S. Foreign Corrupt Practices Act or other bribery offenses.[4]

The same day that the Guidance was issued, Nick Ephgrave, Director of the SFO, publicly acknowledged the United States as an important partner in corporate enforcement and stated that, in light of the pause in U.S. FCPA enforcement and the preparation of new enforcement policies, the SFO is “seeing if there are opportunities where we can pick up investigations in this country.”[5] Thus, in light of the shifting federal enforcement landscape in the United States, regulators in other countries may look to seize the opportunity to play a heightened role in regulating corporate misconduct by U.S. companies with a global presence, particularly over the next few years. However, companies should remain vigilant about conduct that could lead to future corporate enforcements in the United States, given the typical five-year statute of limitations period for most federal crimes, as well as the continued possibility of state-level enforcement.

The Public Interest Favors a DPA Where There Is a Self-Report

The Guidance provides that “[w]hether, when and how” a company self-reports is a key consideration in determining whether the public interest weighs in favor of a DPA. Specifically, the SFO considers self-reporting as a signal of a “responsible organization,” while a failure to self-report within a reasonable time is treated as a public interest factor weighing in favor of prosecution. A “reasonable time” is not defined in the Guidance, but rather depends on the specific circumstances, including the timing and progress of the company’s own internal investigation of the suspected offending conduct. However, where a company engages in its own investigation, the SFO expects the company to self-report soon after learning of direct evidence of the suspected offending conduct. This position recognizes that the company’s investigation may not be complete at the time of the self-report to the SFO. If a company does not self-report prior to the start of the SFO’s own investigation, the SFO will take into consideration whether the company was aware of the suspected offending conduct.

Defined Timelines for SFO Engagement Following a Self-Report

The Guidance lays out the SFO’s expectations for engagement following a self-report. In particular, the SFO will:

  • Contact the self-reporting company within 48 business hours of a self-report or other initial contact;

  • Decide whether to open an investigation within six months of a self-report;

  • Conclude the investigation within a “reasonably prompt” timeframe; and

  • Conclude DPA negotiations within six months of sending an invitation to resolve the matter by a DPA.

In assessing a company’s eligibility for a DPA and the calculation of penalties, the SFO will treat cooperation with its investigation as a key consideration. The SFO will only engage in DPA negotiations with a “genuinely cooperative” company. While a company’s prompt self-report is a strong factor demonstrating cooperation, the Guidance draws a distinction between self-reporting and cooperation. This distinction provides leeway for a company that fails to self-report: such a company may nevertheless be determined to have provided “exemplary cooperation” with the SFO’s investigation and thus remain eligible for a DPA.

The Guidance provides a list of cooperative conduct, which includes, but is not limited to, proactively preserving all digital and hard copy material relevant to the SFO’s investigation; collecting and identifying relevant documents and information; and presenting a thorough analysis of the company’s compliance program and procedures at the time of the offending conduct, as well as remediation steps and ongoing deficiencies. Moreover, the Guidance outlines certain steps a company can take when it engages in an internal investigation that also signal cooperative conduct to the SFO.

While this list is non-exhaustive, the Guidance explains that a company that takes all these steps is likely to be assessed as providing “exemplary cooperation.”

In contrast, a list of uncooperative conduct includes, but is not limited to, seeking to exploit differences between international law enforcement agencies or legal systems; tactically delaying the provision of information or material; and overloading the SFO’s investigation with unnecessarily large amounts of material.

Key Takeaways

In light of this Guidance, where suspected offending conduct exists, there are several practical steps a company can take to maximize its opportunity to avoid prosecution and resolve the case through a DPA, whether the company ultimately elects to self-report or not. These steps include:

  1. Establishing clear internal reporting mechanisms by ensuring that the company has robust internal mechanisms for identifying and reporting suspected offending conduct;

  2. Conducting preliminary investigations to understand the nature and extent of any suspected offending conduct, but doing so swiftly to avoid delays in deciding whether to self-report, and then self-reporting if the company decides to do so;

  3. Proactively preserving and collecting relevant documents, and establishing clear protocols for the collection and identification of documents and information that may be relevant to any SFO investigation that may be undertaken;

  4. If the company is disposed to self-report, engaging with the SFO early, particularly regarding the parameters of any internal investigation, as well as with respect to progress and key findings;

  5. Preparing for swift SFO engagement following a self-report, should one be made;

  6. Regularly monitoring and reviewing compliance programs to ensure the programs are effective in preventing and detecting corporate crime; and

  7. Ensuring transparency and cooperation with any SFO investigation by providing the SFO with all relevant facts, identifying all individuals involved, assisting with access to employees for interviews and avoiding any conduct that could be perceived as obstructive or uncooperative.

By following these practical steps, legal and compliance professionals can better navigate the SFO’s new Guidance and position their organizations for favorable treatment in the event of a self-report of suspected offending conduct. The new Guidance offers a clearer and possibly more efficient pathway to DPAs, but it also sets high expectations for cooperation and transparency. In considering whether to make a self-report to the SFO, any company that has identified suspected offending conduct now has, under the Guidance, a clearer indication of the SFO’s requirements for consideration of DPA treatment, and can factor those requirements into its decision-making.

Companies that face the risk of parallel enforcement by UK and U.S. regulators should consider the possibility that an SFO investigation could ultimately catch the attention of the U.S. Department of Justice or the U.S. Securities and Exchange Commission – whether as a result of a public disclosure or corporate resolution or UK-U.S. regulator coordination. As a result, the self-disclosure calculus should consider the risk of enforcement in all relevant jurisdictions, and companies should consider a coordinated disclosure to both UK and U.S. regulators if they intend to make a voluntary disclosure to the SFO.

 * * *

[1] “Corporate Prosecution Registry,” University of Virginia Arthur J. Morris Law Library (2025), available at https://corporate-prosecution-registry.com/browse/.

[2] “Deferred Prosecution Agreements,” Crime and Courts Act of 2013 (2013), available at https://www.legislation.gov.uk/ukpga/2013/22/schedule/17.

[3] “SFO Deferred Prosecution Agreements,” SFO (Feb. 27, 2025), available at https://www.gov.uk/government/collections/sfo-deferred-prosecution-agreements.

[4] “Corporate Prosecution Registry,” University of Virginia Arthur J. Morris Law Library (2025), available at https://corporate-prosecution-registry.com/browse/.

[5] Malavika Devaya, “‘Look at me as the Mikhail Gorbachev of the SFO’: Nick Ephgrave,” Global Investigations Review (Apr. 24, 2025), available at https://globalinvestigationsreview.com/article/look-me-the-mikhail-gorbachev-of-the-sfo-nick-ephgrave.