SFO’s ‘Cast-Iron Guarantee’ on Self-Reporting Comes With Fine Print

The Economic Crime and Corporate Transparency Act (ECCTA), coming into force in September, is set to reshape the UK’s corporate compliance landscape. A key focus of ECCTA is preventing fraud across various underlying offenses and holding organizations accountable for the actions of both their internal teams and external partners. The pivotal aspect of ECCTA is the “failure to prevent fraud” offense, which requires organizations to implement adequate procedures to prevent and detect fraud, including due diligence on third parties, robust internal controls and regular employee training.

Against this backdrop, in April, the UK Serious Fraud Office (SFO), one of the agencies that led the call for the “failure to prevent fraud” offense, issued new guidance on corporate self-reporting. This guidance states, for the first time, that a company can expect an invitation to negotiate a deferred prosecution agreement (DPA) rather than face criminal prosecution if it self-reports suspected wrongdoing and provides full cooperation to the SFO, in line with the guidance. SFO Director Nick Ephgrave described this as a “cast-iron guarantee,” and it is clear that this commitment from the SFO aims to encourage companies to report wrongdoing proactively, a sentiment that aligns with the broader preventive focus of ECCTA.

Ephgrave predicts that DPAs will return “with a bit of a vengeance” after tailing off in recent years. Introduced in 2014, DPAs were designed to radically alter the UK’s checkered record on tackling wrongdoing by companies. The incentive for businesses to self-report, disclose relevant evidence and accept the case against them (together with other conditions) is that they get to draw a line under the matter, avoid criminal sanctions, contain reputational damage and move on. In return, the SFO considers that the company has been held accountable, the investigation is concluded more efficiently and the Treasury benefits from the fine paid.

While DPAs are well-established in the UK, they have not significantly improved enforcement against corporate misconduct. A major issue is the consistent failure to secure convictions against individuals accused of being the “bad actors” in cases where a company has entered into a DPA. These prosecutions often result in “not guilty” verdicts or trial collapses. 

The SFO’s new guidance aims to tackle this by clarifying the benefits to the company of self-reporting, thereby revitalizing the DPA mechanism.

Fraud

The Carrot and the Stick: UK’s SFO Clarifies Self-Reporting Benefits for Corporate Offenders

by Jonathan Armstrong and Vivien Yanni Gan

May 5, 2025

New director promises faster investigations and clearer outcomes for organizations that proactively disclose bribery offenses

Read moreDetails

Key points & uncertainties

The SFO’s new guidance clearly defines the self-reporting process. Once a company has self-reported, the SFO will respond within 48 hours of submission. The SFO then commits to confirming, within six months, whether an investigation will commence, with the DPA agreed upon within a further six months. In principle, the entire process could be completed within a year and two days, offering a more predictable resolution for companies facing a potential SFO investigation, especially considering ECCTA’s broader liability.

A core element of the guidance is the SFO’s guarantee of a DPA offer to companies that self-report and cooperate. This represents a substantial shift in removing ambiguity and reinforces the SFO’s approach to pragmatic outcomes ahead of less certain court-administered justice. One of the prerequisites for access to this more certain approach is that the SFO advises against “forum shopping,” where companies may seek to report through other agencies or jurisdictions. Self-reporting must be made directly, and only, to the SFO, not through another agency.

Despite the clarity on process, some uncertainties remain. One is the extent of an internal investigation expected before self-reporting. The SFO does not require a full investigation, and it notes that failing to self-report within a “reasonable time” (which remains undefined) would be viewed negatively. However, it also recognises that a responsible company may need to investigate to understand the nature and scope of the potential offense. If there is direct evidence of wrongdoing, the expectation is that companies will self-report shortly after discovery. Balancing this timeline will be challenging, especially under ECCTA’s emphasis on prevention.

Another point of ambiguity relates to the disclosure expectations. While the SFO outlines extensive requirements, including potentially privileged material, it also cautions against providing excessive or irrelevant data. Without a complete internal investigation, knowing what to submit may be difficult. A cautious approach of over-disclosure may now be seen as counterproductive and should be evaluated carefully.

Ephgrave’s “cast iron guarantee” is also subject to “exceptional circumstances,” which are not defined. This creates a gray area where companies might overestimate the protection a DPA provides, even in serious cases. The exception could hinder widespread uptake of DPAs.

Finally, the guidance states that companies may still qualify for a DPA even if they do not self-report, provided they offer exemplary cooperation once wrongdoing is uncovered. This could reduce the direct incentive to self-report, encouraging some companies to delay or gamble on not being discovered. It introduces complexity into decision-making at a time when ECCTA creates broader risks for noncompliance.