Authors: Virna Di Palma, Head of Global Content & Brand, Ethixbase360, and James Swenson, Managing Director, Ethixbase360
At a recent Ethixbase360 executive roundtable in London, senior compliance, legal and risk leaders joined Michael Leo Gallagher, Chief Investigator at the UK’s Serious Fraud Office (SFO), to discuss the evolving corporate enforcement landscape, including the implementation of the Economic Crime and Corporate Transparency Act (ECCTA), emerging fraud risks, and the SFO’s enforcement priorities.
One overarching message emerged throughout the discussion: organizations are expected to have compliance programmes that are proactive, intelligence-led, and demonstrably effective in practice.
Companies that can evidence meaningful risk assessments, robust due diligence, strong internal reporting mechanisms, and genuine cooperation with enforcement authorities will be significantly better positioned should issues arise.
Below are six key themes that emerged from the discussion.
1. The SFO Is Becoming Faster, More Proactive, and Intelligence-Led
One of the clearest messages from the discussion was that the SFO is becoming a faster, more proactive enforcement agency.
Average investigation times are falling, reflecting significant operational changes aimed at accelerating investigations while maintaining rigorous enforcement. Increased UK government funding has enabled the SFO to significantly expand its intelligence division. The SFO is investing heavily in data analytics, AI-assisted review capabilities and enhanced case management systems, and is increasingly using intelligence to identify and pursue cases proactively rather than waiting for referrals alone.
The agency is also strengthening its international reach. It recently hosted an international anti-corruption conference attended by representatives from 29 agencies, reflecting its continued investment in cross-border cooperation and intelligence sharing. Against the backdrop of reduced FCPA anti-corruption enforcement activity in the United States, the SFO appears to be strengthening its role within the global enforcement landscape by investing in faster investigations, expanded intelligence capabilities, and broader international partnerships.
For organizations considering self-reporting, the SFO also described a more structured engagement process. Companies can expect initial contact within 48 business hours of making a self-report, regular communication throughout the assessment process, and a decision on whether to open a formal investigation within six months.
The broader implication is clear: enforcement is becoming faster, more intelligence-led, and increasingly proactive. Organizations should be prepared to respond just as quickly when issues arise.
2. Cooperation Matters and Trust Can Determine Outcomes
The importance of early self-reporting and meaningful cooperation was a consistent theme throughout the discussion.
To illustrate the point, the SFO discussed the Ultra Electronics Deferred Prosecution Agreement (DPA). The case began in 2018 following the company’s voluntary self-report regarding alleged bribery involving contracts in Algeria. After several years of engagement, the parties were nearing a DPA when the SFO learned that the company had failed to disclose information relating to a separate matter involving airport contracts in Oman. According to the SFO, this fundamentally undermined the trust required for a negotiated resolution, and DPA discussions were stopped.
Following a change in ownership and leadership, however, the new management team returned to the SFO with a more complete disclosure and fully cooperated with the investigation. Within eight months, the parties successfully reached a DPA.
The lesson was straightforward: cooperation must be tangible. The SFO will consider how transparently a company engages, how well evidence is preserved and presented, and whether the facts remain consistent throughout an investigation. Trust can be lost—but it can also be rebuilt through genuine cooperation.
For organizations considering self-reporting, this reinforces the importance of understanding the full scope of an issue before engaging with enforcement authorities. Complete and candid disclosure is likely to be viewed far more favorably than incremental or selective disclosure that emerges later.
3. Technology Is Reshaping Both Enforcement and Compliance
Technology featured prominently throughout the discussion—not only as an enabler of more efficient investigations, but also as a growing source of corporate risk.
The SFO discussed its continued investment in AI-assisted document review, digital forensics, enterprise intelligence systems, and data analytics to improve the speed and effectiveness of investigations. At the same time, the discussion highlighted how rapidly evolving technology is creating new fraud risks for organizations.
One example referenced was the ongoing AOG Technics investigation, in which AI-generated certificates were allegedly used to present used aircraft parts as new. It served as a reminder that AI is creating new opportunities for fraud just as enforcement agencies are increasingly using AI to investigate it.
For compliance teams, the discussion highlighted an important challenge: organizations should be thinking not only about how AI can improve due diligence, monitoring and investigations, but also how it may introduce new forms of fraud and misconduct. As regulators continue investing in technology, expectations around data quality, monitoring and evidence are likely to evolve as well.
4. Failure to Prevent Fraud Raises Expectations for Senior Management
The new Failure to Prevent Fraud offence under ECCTA was one of the central themes of the discussion. While many organizations already have mature anti-bribery compliance programmes, the SFO emphasized that fraud prevention should now receive the same level of attention.
The legislation also expands senior management accountability. Following the dismissal of the Barclays prosecution—where the court was not persuaded that the company’s “directing mind and will” had been established—ECCTA broadens the circumstances in which organizations can be held liable for the actions of senior managers. Importantly, this extends beyond board members to individuals who play significant roles in decision-making or manage substantial parts of the business, including regional and functional leaders.
Companies should follow the Home Office guidance which is the framework under which the SFO and other law enforcement agencies will assess compliance. The discussion reinforced that compliance programmes will not be evaluated by the quality of their policies alone. Investigators will look at whether risk assessments drove meaningful resource allocation, whether due diligence reflected actual levels of risk, whether training was tailored to those risks, and whether monitoring identified issues before they became larger problems.
Perhaps most importantly, the effectiveness of a compliance programme is tested when something goes wrong. The SFO will examine whether concerns were escalated quickly, whether controls functioned as intended, and whether the organization learned from the incident by strengthening controls and updating its approach going forward.
5. Third-Party Risk Remains One of the Greatest Areas of Exposure
Third parties, agents, intermediaries, and joint venture partners continue to represent one of the highest corruption and fraud risks facing organizations.
The continued focus on third-party risk is reflected in the SFO’s own enforcement history. Of the 13 Deferred Prosecution Agreements secured by the SFO to date, nine have involved failure to prevent bribery, frequently involving the conduct of third-party intermediaries.
The discussion reinforced the importance of maintaining robust, risk-based due diligence throughout the entire lifecycle of third-party relationships. Organizations should be able to demonstrate a clear commercial rationale for engaging third parties, conduct proportionate due diligence based on risk, periodically reassess existing relationships and monitor for broader corruption indicators, including shell company structures, unusual payment arrangements, government affiliations, and politically exposed persons (PEPs).
As expectations under ECCTA continue to evolve, organizations should also ensure that associated persons and business partners maintain compliance standards consistent with their own.
6. Strong Speak-Up Cultures and Organizational Learning Matter
The discussion concluded with an important reminder that effective compliance programmes depend on more than policies and procedures.
The SFO emphasized the importance of identifying concerns before they become criminal matters. Strong speak-up mechanisms, timely escalation, and well-managed internal investigations all play an important role in achieving that objective. When reviewing a compliance programme, investigators are interested not only in whether concerns were reported, but how quickly they were identified, whether they reached the appropriate level of management and how the organization responded.
Equally important is what happens after an incident. Mature organizations do not simply close investigations—they reassess risks, strengthen controls, update training and ensure lessons learned are shared across the business. The discussion suggested that an organization’s response to misconduct can be just as revealing as the misconduct itself.
Looking Ahead
The discussion reinforced that expectations for corporate compliance continue to evolve.
The SFO is moving faster, investing in technology, strengthening international cooperation, and placing greater emphasis on prevention, intelligence, and meaningful corporate engagement. For compliance leaders, the message was consistent throughout the discussion: regulators are increasingly interested not in whether organizations have compliance policies, but whether those programmes demonstrably work in practice.
Organizations that invest in risk-based compliance, meaningful due diligence, strong speak-up cultures, and constructive engagement with enforcement authorities will be significantly better positioned as the enforcement landscape continues to evolve.
Many of the developments discussed during the roundtable—including ECCTA, the Failure to Prevent Fraud offence and evolving enforcement expectations—will be explored in greater detail in Ethixbase360’s UK Anti-Bribery & Corporate Crime Guide, which will be published later this month.
Further Resources
For readers interested in exploring these topics in more detail, the following resources provide additional guidance and context:
- SFO Cooperation Guidance – Guidance on corporate self-reporting, cooperation with the SFO, and Deferred Prosecution Agreements (DPAs).
- Home Office Guidance: Failure to Prevent Fraud Offence (ECCTA) – Statutory guidance on implementing “reasonable fraud prevention procedures” under the Economic Crime and Corporate Transparency Act 2023.
- Ministry of Justice Guidance: Adequate Procedures under the UK Bribery Act 2010 – The Ministry of Justice’s six principles for designing and maintaining anti-bribery procedures.
- Director Addresses Global Anti-Corruption Conference (New York) – Interim SFO Director Graham McNulty’s June 2026 speech outlining the agency’s priorities around proactive enforcement, corporate cooperation and international collaboration.
- SFO Deferred Prosecution Agreement with Ultra Electronics Holdings Limited – The DPA, Statement of Facts and Approved Judgment referenced during the discussion.