Keynote

Faster, targeted SFO enquiries: what the board must be ready to evidence

29 Apr 2026

The Serious Fraud Office (SFO) recently launched its Business Plan 2026–27. The Interim Director, Graham McNulty, speaking at the GIR Live Annual Investigations, said:

“This plan makes clear our ambition and focus on our priorities, including intelligence-led investigations, innovative modern tools and effective disclosure. While the complex nature of our cases means investigations can be lengthy, we are determined to increase the pace and efficiency of our work.”

Boards should take note because this represents a significant shift in the SFO’s approach. For those who have been paying close attention, this will not come as a surprise. Over the last year or so, senior SFO officials have been posting updates on LinkedIn relating to their interactions with their counterparts at the US Department of Justice (DoJ). The DoJ published guidance in September 2024, which is thematically similar to what the SFO is signalling here. Technology and Artificial Intelligence (AI) in particular are being used in unprecedented ways when it comes to the detection and investigation of corporate misconduct.

The significant shift is that enforcement is moving from the traditional reactive approach to a predictive and intelligence-led one. By the time a company first hears from the SFO, it is safe to assume that the regulator will now have a comprehensive picture, having already run its own analytics across the company’s footprint. The most effective way of meeting this new reality is by ensuring that companies mirror this approach in their own detection and management of risk.

The £8.3m investment into proactive intelligence is a modest sum against the SFO’s remit, but it is directional. The SFO is likely to be more selective in its decisions, targeting cases it believes it can win. International cooperation has always been a hallmark of the SFO’s work, and the Airbus and Rolls-Royce DPAs are perhaps the best examples of this working well. The Airbus investigation in 2020 spanned the UK, France, and the US, and delivered £991m to HM Treasury as the UK component of a €3.6bn global settlement. The Rolls-Royce DPA in 2017 spanned the UK, US, and Brazil, and delivered £497.25m to HM Treasury plus costs. It is easy to see why this is a rich seam for the regulator, both in terms of prospects of success and revenue from financial penalties. It is perhaps a surprise that the SFO did not have a case management system of its own until now, but the adoption of an AI roadmap suggests that they are taking advantage of the opportunities presented by LLMs.

What this means operationally for boards

Four consequences follow:

  1. Companies will be required to respond to requests for information more quickly and with more precision. There will be an expectation that companies have systems in place that are proportionate to their size and complexity.
  2. The new approach is likely to mean that requests will be more specific and targeted. This is likely to be welcome. In the past, criticism has been made of requests that were too generic or sometimes described as fishing expeditions.
  3. Boards must ensure that there is a coordinated approach that accounts for the realistic possibility of investigations in multiple jurisdictions and in parallel. At the very least, it is safe to assume that information will be shared across jurisdictions. Questions of legal privilege and managing disclosure obligations will arise, and clarity at the outset is crucial. These are complex considerations that will require General Counsel-level advice internally and, most likely, external counsel.
  4. The reasonable procedures defence under the failure to prevent offences will be assessed on evidence of board oversight, and so it is important that your risk management architecture enables the escalation of appropriate information to the correct levels within the company.

How can the board prove the company’s approach actually works?

A solid paper trail is the bedrock of any credible corporate defence. Here is a practical stress test: if a regulator called, could your company pull together the following information within 72 hours?

  • A risk register that links major risks such as fraud, bribery, sanctions, and money laundering to specific business lines, and names the executive responsible for each. It needs to be dated and version-controlled, with board minutes to prove it has been reviewed.
  • A clear data map, so your legal and compliance teams can instantly tell a regulator where specific types of data are stored, who controls it, and what retention rules apply in different countries. This is what will make or break your ability to meet a tight production deadline.
  • Logs of your key compliance decisions. This should document the reasoning behind your “tone from the top” initiatives, training completion rates, how you have handled whistleblower reports, and the basis for signing off on any waivers for third-party due diligence.
  • Whistleblowing records, tracking every report from the moment it came in, through triage, to its final resolution. Regulators, including the SFO, put a heavy emphasis on this.
  • Board and Audit Committee minutes that show you are actively grappling with financial crime risks, not just a line item noting a report was received. They need to document specific challenges being discussed and the concrete actions being tracked.
  • A response or dawn raid plan, agreed in advance. This should be a playbook covering the initial triage process, with a RACI setting out who is Responsible, Accountable, Consulted, and Informed.

The SFO has told the market, in clear terms, that it intends to move faster with better data. The boards that will fare best are those that can produce, on demand, a coherent evidential record of effective risk management. At the very least, companies should be keeping in step with the technological capability of the regulators.

If you have questions or concerns about an SFO enquiry, please contact Jonathan Chibafa.

For further information please contact:

Jonathan Chibafa

Partner

020 3319 3700

Jonathan.Chibafa@keystonelaw.co.uk
