What does the SFO’s refreshed compliance guidance mean for directors, boards and civil liability risk?

The Serious Fraud Office has updated its guidance on how it will evaluate corporate compliance programmes. This matters for every company, not just those facing investigation. The guidance shows what the SFO expects from businesses seeking to prevent fraud and how it will assess whether a company had “reasonable procedures” in place. It also signals how weaknesses may expose directors and boards to civil claims if things go wrong.

This blog explains the key changes, why they matter for directors and what steps businesses should be taking now. The focus is on civil exposure, including breach-of-duty claims, misfeasance, governance failures and commercial disputes.

What has the SFO changed in its updated guidance on evaluating corporate compliance programmes?

The refreshed SFO guidance places greater emphasis on the quality, consistency and evidence of compliance programmes. It aligns closely with the new “failure to prevent fraud” corporate offence, under which companies will need to demonstrate that they had “reasonable procedures” in place to prevent fraud by associated persons.

Key points from the updated guidance include:

  • a focus on risk-based compliance, not generic policies
  • the need for clear board oversight and demonstrable leadership
  • evidence of effective implementation, not just design
  • meaningful training and culture-building across the organisation
  • continuous monitoring and adjustment of controls
  • proper investigation and escalation mechanisms when issues arise

The SFO also highlights that it will consider how compliance programmes operated in practice, including whether red flags were acted upon and whether senior management took responsibility for oversight.

FWJ Takeaway: The SFO now expects companies to show not just that they had policies, but that those policies were actively used, monitored and enforced.

Why does the SFO’s new approach matter even if your business is not facing a criminal investigation?

The civil consequences of compliance failures often arise long before, or without, any criminal outcome. Investors, creditors, shareholders and contractual partners may bring claims where they believe that:

  • governance failures caused them loss
  • inadequate oversight allowed wrongdoing to occur
  • the company failed to prevent fraudulent behaviour
  • the board ignored or mishandled red flags
  • internal controls were ineffective
  • representations made by the company were misleading

Even where a business is never prosecuted, a weak compliance programme may still be used as evidence of negligence, breach of duty or improper management. This can lead to:

Compliance failures can therefore expose a company and its directors to civil risk, regardless of criminal proceedings.

FWJ Takeaway: Strong compliance is not just about avoiding criminal exposure; it is also a crucial safeguard against civil claims.

What does the SFO expect from a well-designed corporate compliance programme?

The guidance identifies several characteristics of an effective programme. These align closely with directors’ statutory duties and general governance principles.

1. Leadership and tone from the top

Boards must set clear expectations on ethical behaviour and ensure those expectations are communicated across the organisation.

2. Risk assessment tailored to the business

Policies must reflect the company’s actual fraud and compliance risks, not generic templates.

3. Clear, practical procedures

Policies should explain how staff can escalate concerns, seek guidance and report issues.

4. Training and communication

Compliance programmes must be understood by employees, not just documented.

5. Monitoring and review

Companies must assess whether controls are working and adjust them as the business evolves.

6. Evidence of action

The SFO will look for proof that issues were raised, investigated and resolved properly.

These expectations overlap with directors’ duties under the Companies Act 2006 to exercise reasonable care, skill and diligence and to act in the interests of the company.

FWJ Takeaway: A compliance programme must be real, embedded and supported by the board and not a box-ticking exercise.

How can weak compliance expose directors personally to civil claims or breach-of-duty allegations?

Directors may face personal consequences if compliance failures lead to financial loss, stakeholder disputes or insolvency. Civil claims commonly arise where:

  • fraud occurred under the board’s supervision
  • red flags or audit issues were ignored
  • the company’s systems were inadequate for the risks it faced
  • directors failed to carry out proper oversight
  • there was a conflict of interest or lack of transparency
  • customer or investor funds were mismanaged

Civil actions may include:

1. Misfeasance claims under s.212 Insolvency Act 1986

Liquidators may argue that directors failed in their duties or allowed the company to operate in a way that caused loss.

2. Breach of fiduciary duty

Directors may be accused of failing to act in the best interests of the company or to avoid conflicts.

3. Negligent misstatement or breach of contract

If a company makes inaccurate statements about its controls or risk management, this can trigger litigation.

4. Derivative claims or unfair prejudice petitions

Shareholders may argue that poor compliance or oversight amounts to improper management.

Civil claims do not require proof of criminal wrongdoing. They turn on whether the director acted reasonably in the circumstances and complied with their duties.

FWJ Takeaway: Directors can face personal civil claims even in the absence of criminal action, and poor compliance is one of the quickest ways to create that risk. Our director services team at FWJ has 25 years’ experience advising and defending directors against all the claims listed above.

What should companies do now if they identify compliance weaknesses or emerging risks?

If a company identifies gaps in its compliance programme, taking early steps to assess and resolve them helps prevent issues escalating into civil disputes. Directors should consider:

1. Conducting an internal review

This may be formal or informal, but it should identify where policies are not aligned with actual risks.

2. Documenting remedial action

Regulators, investors and courts look for evidence that issues were addressed promptly.

3. Reviewing contractual and investor obligations

Claims often arise where expectations were not met or representations were inaccurate.

4. Preparing for potential information requests

Even outside a criminal context, stakeholders may seek documents or explanations.

5. Seeking external advice for high-risk areas

Complex sectors, including finance, technology and regulated markets, often need specialist support.

6. Managing communications carefully

Public statements or internal messaging must be accurate and considered.

Civil exposure can often be reduced or avoided entirely when companies respond quickly and transparently.

FWJ Takeaway: Identifying weaknesses is not a failure; failing to address them is. Early remediation reduces civil risk.

How can directors and boards strengthen compliance and reduce the risk of future civil claims?

Strengthening compliance is ultimately about embedding good governance. Directors can reduce their own civil exposure by:

  • ensuring regular board-level discussion of compliance risks
  • providing clear oversight of high-risk areas
  • making sure compliance reports are acted upon, not ignored
  • improving transparency and internal communication
  • reviewing the effectiveness of training and escalation channels
  • conducting periodic independent reviews
  • ensuring that policies reflect the company’s growth and complexity
  • seeking advice early when red flags appear

A robust compliance programme protects not just the company but also its directors. It demonstrates the care, skill and diligence expected under the Companies Act 2006 and provides a strong defence if civil claims arise.

FWJ Takeaway: A strengthened compliance framework is one of the most effective ways to protect both the business and its directors from civil exposure.

Conclusion

The SFO’s updated guidance marks a significant shift in expectations. It is no longer enough to have policies on paper. Companies must show that their compliance programmes are real, active and understood throughout the business. Directors and boards should be alert to the civil consequences if weaknesses go unaddressed.

If you are concerned about compliance gaps, governance issues or potential civil claims, early advice can help you understand your position and take practical steps to reduce risk.

If you would like support reviewing your compliance framework or addressing potential civil exposure, our team can help you protect your business and safeguard your board.

Key contacts

Stephen Downie, Partner

Maria Koureas-Jones, Partner

Andrew Carter, Partner