Bribery, Corruption and the Modern Compliance Challenge

Russel Fielding

How organisations can build meaningful anti-bribery and corruption frameworks from policy through to cultural change, with reference to the Bribery Act 2010, ISO 37001:2025, and the expanding failure to prevent framework.

Important note. This guide is provided for general information and educational purposes only. It does not constitute legal advice and is not a substitute for jurisdiction-specific professional counsel. The law and regulatory requirements in this area change frequently. Readers should satisfy themselves as to the current position and seek appropriate professional advice where needed.

Introduction

The UK Bribery Act 2010 is now fifteen years old. It has been in force long enough for organisations to have built their anti-bribery programmes, trained their staff, and satisfied themselves that they are compliant. And yet, when you examine those programmes closely, a consistent pattern emerges. Many organisations know they need adequate procedures, but very few have a clear understanding of whether what they have built would actually satisfy that standard if it were tested.

The distinction matters more now than ever. The adequate procedures defence is not a legal technicality. It is the difference between a company that can demonstrate it took its obligations seriously and one that cannot. And with the failure to prevent model now extending to fraud under the Economic Crime and Corporate Transparency Act 2023, with the SFO explicitly stating its intention to prosecute under that offence, the benchmark for what adequate procedures actually means is being set in real time.

At the same time, the international framework around anti-bribery and corruption compliance has been updated. ISO 37001, the international standard for anti-bribery management systems, was revised and reissued in 2025. The UK government published a new Anti-Corruption Strategy in December 2025. And the enforcement environment has become notably more assertive, with faster investigations, cross-agency collaboration, and increased use of data analytics.

This guide covers what the law requires, how the failure to prevent framework has evolved, what ISO 37001:2025 brings to the picture, where programmes most commonly fall short, and what building a genuinely effective anti-bribery and corruption framework looks like in practice.

It reflects the position as of May 2026. The enforcement landscape is active and developing. United Insurance Brokers Ltd (UIBL) was charged by the SFO in April 2025 in relation to an alleged Section 7 Bribery Act offence. As of May 2026, the case is publicly listed by the SFO as ongoing. Readers should monitor current SFO guidance and enforcement developments.

The legislative framework

Before the Bribery Act

Before the Bribery Act 2010 came into force, UK bribery law was fragmented across several nineteenth and early-twentieth-century statutes: the Public Bodies Corrupt Practices Act 1889, and the Prevention of Corruption Acts 1906 and 1916. These laws were widely criticised as inconsistent, anachronistic, and inadequate, particularly in relation to the UK's international obligations under the OECD Anti-Bribery Convention of 1997.

The Law Commission review that preceded the Bribery Act called for a modern, comprehensive framework. The Bribery Act 2010 was the result. When it came into force in July 2011, it was widely regarded as one of the most rigorous pieces of anti-bribery legislation in the world.

The Bribery Act 2010

The Bribery Act creates four offences.

Section 1 is the general offence of bribing another person: offering, promising, or giving a financial or other advantage to induce or reward improper performance of a function or activity.

Section 2 is the offence of being bribed: requesting, agreeing to receive, or accepting a financial or other advantage in exchange for improper performance.

Section 6 is the specific offence of bribing a foreign public official: offering, promising, or giving a financial or other advantage to a foreign public official to obtain or retain business or a business advantage.

Section 7 is the corporate offence of failing to prevent bribery. A commercial organisation commits this offence if a person associated with it bribes another person, intending to obtain or retain business or a business advantage for the organisation. This is the provision that has driven most compliance investment and that carries the most significant implications for how organisations structure their programmes.

The Act applies extraterritorially. It applies to conduct occurring anywhere in the world where the organisation carries on business or is part of a business in the UK, or where the person associated with the organisation has a close connection to the UK. This is a broad reach, and organisations with international operations need to understand it.

The adequate procedures defence

The only defence available to an organisation charged under Section 7 is that it had adequate procedures in place designed to prevent bribery. The burden of proving this sits with the organisation, not the prosecutor.

The Ministry of Justice published guidance in February 2012 setting out six principles that characterise adequate procedures: proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review. These principles have become the architecture not just for anti-bribery compliance but also for the broader failure to prevent framework.

The word adequate is deliberately chosen. It does not mean perfect. It does not mean exhaustive. It means proportionate to the risks the organisation actually faces, properly implemented, and genuinely embedded in the organisation's operations. A small domestic business with limited third-party exposure needs something materially different from a multinational operating in high-corruption markets. The standard is relative to context, not absolute.

The international framework

The Bribery Act sits within a broader international framework for combating bribery and corruption. The OECD Anti-Bribery Convention, to which the UK is a signatory, requires member countries to criminalise the bribery of foreign public officials. The United Nations Convention against Corruption (UNCAC) establishes broader international standards for prevention, criminalisation, and asset recovery.

The US Foreign Corrupt Practices Act (FCPA) is the other major international anti-bribery law that organisations with US connections need to understand. Enforced by the Department of Justice and the Securities and Exchange Commission, the FCPA prohibits the bribery of foreign government officials and requires publicly traded companies to maintain accurate books and records. For organisations operating across both the UK and US jurisdictions, compliance programmes need to satisfy both frameworks.

The enforcement landscape varies significantly by jurisdiction. The SFO in the UK, the DOJ and SEC in the US, and equivalent agencies in other major economies have all increased their focus on bribery and corruption enforcement. Cross-border cooperation between agencies is now the norm rather than the exception for significant cases.

The expanding failure to prevent framework

The adequate procedures concept introduced by the Bribery Act has since been extended to other forms of economic crime, creating a coherent framework of corporate criminal liability that organisations need to understand in its entirety.

The Criminal Finances Act 2017 introduced two corporate offences of failing to prevent the facilitation of tax evasion, one covering UK tax evasion and one covering foreign tax evasion. The reasonable procedures defence for these offences mirrors the adequate procedures defence under the Bribery Act.

The Economic Crime and Corporate Transparency Act 2023 introduced the offence of failure to prevent fraud, which came into force on 1 September 2025. This offence, currently applicable to large organisations, creates liability when an associated person commits a fraud offence for the organisation's benefit and the organisation did not have reasonable fraud prevention procedures in place.

The underlying principles across all three regimes are consistent: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring and review. An organisation that has genuinely embedded these principles in its anti-bribery programme is well placed to extend its framework to cover facilitation of tax evasion and fraud without starting from scratch.

The enforcement environment

The SFO and corporate enforcement

The Serious Fraud Office is the primary enforcement agency for serious bribery and corruption cases in England, Wales, and Northern Ireland. Its powers include compulsory document production, search and seizure, and, following ECCTA, expanded pre-investigative compulsion via section 2A notices, which allow it to require documents and information before a formal investigation is opened. The SFO investigates and prosecutes both individuals and corporations.

The Crown Prosecution Service handles less complex or lower-value cases. The FCA has enforcement powers over regulated firms. HMRC leads on cases involving tax evasion facilitation.

Deferred prosecution agreements

Since their introduction in 2014, Deferred Prosecution Agreements have become a significant tool in UK corporate enforcement. A DPA allows an organisation to avoid prosecution in exchange for compliance with specific terms, typically including a financial penalty, cooperation with investigations, and remediation of compliance failures.

Notable DPAs under the Bribery Act include Standard Bank in 2015, the first UK DPA, and the Airbus SE agreement in 2020, worth approximately £3 billion and covering bribery offences across multiple jurisdictions. The trend has been towards rewarding organisations that self-report promptly and cooperate fully.

The SFO's updated cooperation guidance, published in April 2025 under Director Nick Ephgrave, emphasises that early, transparent self-reporting and meaningful cooperation are important factors in DPA decision-making. In practice, organisations that self-report promptly after discovery and engage openly with the SFO are better placed to be considered for a DPA. Conversely, where an organisation delays, withholds documents, or fails to assist in identifying relevant individuals, the prospects of a DPA are reduced.

The current enforcement environment

The enforcement environment became notably more assertive in 2025. Key developments include the following.

United Insurance Brokers Ltd (UIBL) was charged by the SFO in April 2025 under Section 7 of the Bribery Act, a notable contested prosecution under that provision. As of May 2026, the matter is publicly listed by the SFO as ongoing. Regardless of the outcome, the fact that the SFO has brought the case demonstrates its willingness to pursue Section 7 prosecutions.

Entain (formerly GVC Holdings) saw former executives charged in connection with alleged bribery and fraud relating to Turkish operations, after the CPS authorised charges in late August 2025, and the first court hearing took place in October 2025. This followed a £585 million DPA concluded in 2023.

Ongoing proceedings. The UIBL case is publicly listed by the SFO as ongoing as of May 2026. This guide does not comment on the merits or likely outcome. Readers should monitor SFO publications for developments.

ISO 37001:2025

ISO 37001 is the international standard for anti-bribery management systems. Published by the International Organization for Standardization, it provides a framework for organisations to establish, implement, maintain, and improve systems designed to prevent, detect, and respond to bribery. The standard was first published in 2016 and substantially revised and reissued in 2025.

What ISO 37001 is and is not

ISO 37001 is a voluntary standard, not a law. Compliance with it does not guarantee legal compliance, and non-compliance is not itself a criminal offence. What it does is provide a structured, internationally recognised framework for demonstrating that an organisation has taken its anti-bribery obligations seriously.

Certification to ISO 37001 by an accredited body provides evidence that an independent party has assessed the organisation's anti-bribery management system against the requirements of the standard. This is valuable as mitigation evidence in the event of a bribery incident or regulatory investigation. It is not, however, a complete defence on its own. The courts and regulators will look at whether the system was genuinely implemented and effective, not just whether a certificate exists.

ISO 37001 is focused specifically on bribery. It does not address fraud, money laundering, or other forms of corruption, though organisations may choose to extend the scope of their management system to cover additional areas.

What changed in ISO 37001:2025

The 2025 revision represents a meaningful update to the standard, reflecting developments in how organisations understand and manage bribery risk over the nine years since the original publication.

Key changes in the 2025 edition include an increased emphasis on compliance culture rather than just compliance systems, recognising that documentation and procedures are only effective when the organisation's culture supports them. The revision also includes explicit consideration of climate change and related issues where relevant to bribery risk, reflecting the growing intersection between ESG obligations and financial crime risk.

The standard strengthens expectations around due diligence, monitoring, and the integration of anti-bribery management into the organisation's broader governance framework. It aligns more closely with the structure of other ISO management system standards, making it easier to integrate into existing quality management or compliance frameworks.

Certification bodies expect organisations to apply the updated practices even though many were certified to the 2016 version. Organisations with existing ISO 37001 certification should review their programmes against the 2025 requirements.

The six core elements of ISO 37001

ISO 37001:2025 is built around six core elements that map closely to the MoJ's six principles for adequate procedures under the Bribery Act.

Context and leadership. The standard requires the organisation to understand its context, identify internal and external issues that are relevant to bribery risk, and ensure that the anti-bribery management system has visible and committed leadership at the top.

Planning. The organisation must conduct a bribery risk assessment, set objectives for its anti-bribery programme, and plan the controls needed to address the identified risks.

Support. Resources, competence, awareness, communication, and documented information all need to be in place to support the programme.

Operation. The standard sets specific requirements for due diligence on third parties and personnel, financial and non-financial controls, gifts and hospitality controls, and reporting and investigation processes.

Performance evaluation. The organisation must monitor, measure, and review the effectiveness of its programme, including through internal audit and management review.

Improvement. Where weaknesses are identified, the organisation must take action to correct them and continually improve its system.

What adequate procedures actually require

Understanding the legal framework and the ISO standard is necessary, but it is not sufficient. The harder question is what adequate procedures look like when translated into an actual programme that a real organisation operates day to day.

Top-level commitment

Top-level commitment is not a statement from the CEO in the policy document. It is the willingness of the board and executive team to support difficult decisions: refusing a contract because due diligence on an agent raises concerns, walking away from a market because the corruption risk cannot be adequately managed, and enforcing the policy even when the commercial consequences are significant.

Boards that receive an annual update on the anti-bribery programme but never discuss it in the context of strategic decisions have not demonstrated top-level commitment in any meaningful sense. The test is whether risk considerations actually influence what the organisation does.

Risk assessment

The Bribery Act requires organisations to assess the nature and extent of their exposure to bribery risk. In practice, many organisations complete this as a desk exercise, identifying theoretical risk categories without genuinely engaging with the specific characteristics of their business.

A meaningful risk assessment considers the markets and jurisdictions in which the organisation operates and their corruption risk profiles, the third parties the organisation uses and the nature of those relationships, the sectors in which it operates and the characteristics of its customers and counterparties, the products and services it provides and whether any create particular bribery risk, and any specific historical incidents or concerns.

The risk assessment must be a living document. It needs to be updated when the business changes, entering a new market, acquiring a business, changing the distribution model, or launching a new product. It also needs to reflect changes in the external environment. Countries move up and down the corruption risk spectrum, and typologies evolve.

Proportionate procedures

Controls should be proportionate to the identified risks. A small domestic business with limited third-party exposure needs something materially different from a multinational operating in high-corruption markets. Both need to demonstrate adequate procedures, but what is adequate depends on their specific risk profile.

Due diligence on third parties

The Bribery Act's concept of an associated person is broad. It extends to employees, agents, subsidiaries, consultants, joint venture partners, and anyone else who performs services for or on behalf of the organisation.

The most significant bribery risks for many businesses arise in their supply chains and third-party relationships, particularly in international markets where agents and intermediaries are used to access customers or government officials. A programme that focuses on internal controls while treating third-party due diligence as a box-ticking exercise is missing the point.

Due diligence must be proportionate to risk. For low-risk, domestic suppliers, a basic check may be sufficient. For high-value agents operating in high-corruption markets, particularly those who interact with government officials, due diligence needs to go much further: understanding the nature of the relationship, the services being provided, whether the remuneration is commercially reasonable, who the agent actually is, and whether there are any red flags. And it needs to be revisited periodically, not just completed at onboarding.

Communication and training

Training that consists of a slide deck and a multiple-choice quiz is unlikely to change behaviour. Employees need to understand what bribery looks like in their specific role, what to do if they are offered something inappropriate, and how to raise a concern without fear of reprisal.

The most effective training is specific to the role and scenario. A salesperson working in an emerging market faces different situations than a finance professional in a domestic function. Training should reflect that difference. Generic awareness training may satisfy a training record requirement, but it does not build the judgment people need to handle real situations.

Monitoring and review

Gift and hospitality registers, red flag reporting, whistleblowing channels, and internal audit coverage all contribute to monitoring. But the test is whether the organisation is actually using these mechanisms to identify problems and address them, not just to demonstrate that they exist.

An audit that confirms the anti-bribery policy exists and training has been completed is not the same as an audit that assesses whether the programme is effective. The latter asks whether controls are being followed, whether the risk assessment is current, whether due diligence is genuinely proportionate to risk, and whether concerns that have been raised have been properly addressed.

Where programmes commonly fall short

In practice, anti-bribery programmes most commonly fail in three areas. None of them is difficult to understand. Most of them are difficult to fix without genuine organisational commitment.

The risk assessment is superficial

A risk assessment that could belong to any organisation in the industry is unlikely to be adequate for any specific one. Generic assessments that identify the same categories of risk regardless of the organisation's specific characteristics, business model, or geographic footprint are not engaging with the actual question.

The risk assessment needs to ask and answer questions that are specific to this organisation. Which of the markets we operate in present a meaningful corruption risk? Which of our third-party relationships carries the most significant exposure? Do any of our products or services create particular bribery risk? Are there any historical incidents or near-misses that suggest weaknesses in our controls? Have we engaged with the business units that actually manage these relationships, or is this a compliance function exercise?

A risk assessment completed quickly as a regulatory obligation, without genuine input from business units and senior management, is unlikely to identify the risks that actually matter.

The programme exists on paper but not in practice

Policies exist, training has been completed, and a gift register is maintained. But the policy is not well understood by the people who need to apply it. The training does not address the real scenarios employees face. The register is maintained inconsistently. When the programme is tested, either by a regulator or by an actual incident, the gap between what the documentation says and what actually happens becomes visible.

The Skansen Interiors case remains instructive. In February 2018, Skansen was found guilty of the Section 7 offence. It was a small business with fewer than 30 employees. It had no corruption training, no compliance officer, no bribery-specific risk assessment, and no meaningful controls. The court was clear that, even given its size and complexity, the programme it had was inadequate. The message was explicit: good intentions are not a defence. Size does not exempt an organisation. What matters is whether genuine, proportionate steps were taken.

The gap between paper and practice tends to widen over time unless it is actively managed. Annual policy reviews, testing of controls, and honest internal audit challenges are all necessary to keep the programme genuinely alive.

Third-party risk is managed inadequately

This is the most common and the most significant failure. The Bribery Act was designed specifically to address the use of agents and intermediaries to pay bribes on behalf of organisations, at arm's length and with plausible deniability. The associated person concept closes that gap. But many organisations have not fully absorbed its implications.

A due diligence process that sends a questionnaire to a third party and files the response is not adequate for a high-risk relationship. A process that relies on the third party's self-certification is not adequate for an agent operating in a high-corruption market. And a process that completes due diligence at onboarding without revisiting it is not adequate where the relationship continues over time and the risk environment changes.

Building an effective programme

Building a programme that genuinely meets the adequate procedures standard requires more than implementing the six principles as items on a checklist. It requires those principles to be alive in how the organisation actually operates.

Culture is the foundation

No set of controls will prevent bribery in an organisation where the culture tolerates it, rewards behaviour that risks it, or where people do not feel safe raising concerns. Culture is the environment that determines whether those controls succeed or fail.

Building a culture of integrity requires sustained effort from senior leadership. It means leadership demonstrating through real decisions that the anti-bribery policy will be enforced even when the commercial consequences are uncomfortable. It means making clear that raising concerns is expected and protected, not discouraged. And it means being honest when things go wrong rather than minimising or concealing problems.

The ISO 37001:2025 revision's increased emphasis on compliance culture reflects a growing recognition across the compliance profession that systems and documentation are necessary but not sufficient. The culture question is harder to measure and harder to evidence to a regulator, but it is ultimately what determines whether a programme is effective.

Connecting anti-bribery to the broader framework

As the failure to prevent framework expands to cover bribery, tax evasion facilitation, and fraud, organisations have an opportunity to build an integrated economic crime compliance framework rather than managing three separate programmes.

The architecture is consistent: risk assessment, top-level commitment, proportionate controls, third-party due diligence, communication and training, and monitoring and review. The specific controls and risk considerations differ by offence type, but the governance framework, ownership structure, and monitoring approach can be shared.

An organisation that has properly built its anti-bribery programme, with a genuine risk assessment, meaningful third-party due diligence, and tested controls, is well placed to extend it to address broader economic crime obligations. One that has treated anti-bribery compliance as a paper exercise is likely to face the same challenges across all three regimes.

ISO 37001 as a practical tool

For organisations that want a structured framework for building or reviewing their anti-bribery programme, ISO 37001:2025 provides a useful architecture. Certification is not necessary to benefit from the standard. Many organisations use it as a reference framework, mapping their existing controls against its requirements and identifying gaps.

For organisations in sectors or markets where demonstrating robust anti-bribery compliance is commercially important, such as those seeking government contracts or operating in high-corruption jurisdictions, certification provides independent external validation that has tangible value. It is evidence that an accredited body has reviewed the programme and found it meets the standard's requirements.

Whether an organisation pursues certification or not, the discipline of mapping its programme against a structured framework and having that assessment challenged by an external party is a useful exercise. It surfaces gaps that internal teams may not see, and forces the kind of evidence-based review that internal audits sometimes do not deliver.

Implementation checklist

The following checklist covers the core elements of an effective anti-bribery and corruption compliance programme, structured around the six MoJ principles for adequate procedures and the requirements of ISO 37001:2025.

Top-level commitment

  • Has the board approved the anti-bribery policy, and does it receive regular reporting on programme effectiveness?
  • Is there a senior individual with clear accountability for anti-bribery compliance?
  • Does senior leadership demonstrate commitment through real decisions, not just policy statements?
  • Are commercial decisions tested against the anti-bribery framework, including decisions to enter new markets or relationships?

Risk assessment

  • Has the organisation completed a documented bribery risk assessment that reflects its specific business, markets, and third-party relationships?
  • Does the assessment go beyond generic risk categories to address the specific characteristics of the organisation?
  • Has the risk assessment been completed with input from relevant business units, not just the compliance function?
  • Is the risk assessment reviewed and updated when the business changes or the external environment shifts?
  • Does the assessment inform which controls are applied and at what level of intensity?

Proportionate procedures

  • Is there a clear anti-bribery policy, approved by the board and accessible to all staff?
  • Is there a gifts, hospitality, and expenses policy with appropriate limits and approval requirements?
  • Is there a gift and hospitality register that is consistently used and reviewed?
  • Are there controls over facilitation payments, charitable donations, and sponsorships?
  • Are procurement processes designed to reduce bribery risk?
  • Is there a whistleblowing mechanism that is genuinely confidential and actively promoted?

Due diligence on third parties

  • Is there a defined process for conducting due diligence on third parties before entering into relationships?
  • Is the level of due diligence proportionate to the risk presented by each third party?
  • For higher-risk agents and intermediaries, particularly those operating in high-corruption markets or interacting with government officials, is the due diligence sufficiently rigorous?
  • Are third-party relationships reviewed periodically, not just at onboarding?
  • Are contractual anti-bribery provisions included in relevant third-party agreements?
  • Is there a process for terminating relationships where due diligence identifies unacceptable risk?

Communication and training

  • Do all relevant staff receive anti-bribery training that is appropriate to their role and reflects real scenarios?
  • Is training updated when the risk assessment changes or new typologies emerge?
  • Do staff understand what to do if they are offered something inappropriate or witness a concern?
  • Are records of training maintained?
  • Is the anti-bribery policy communicated to relevant third parties?

Monitoring and review

  • Is the anti-bribery programme subject to regular internal audit review that assesses effectiveness, not just existence?
  • Are red flags and concerns reported through the whistleblowing mechanism investigated properly?
  • Are the outputs of monitoring used to improve the programme?
  • Is the programme reviewed at least annually and updated where weaknesses are identified?
  • Has the organisation considered whether certification to ISO 37001:2025 would be appropriate given its risk profile?

The broader framework

  • Has the organisation assessed its obligations under the failure to prevent facilitation of tax evasion offences under the Criminal Finances Act 2017?
  • If the organisation is large as defined under ECCTA, has it assessed its obligations under the failure to prevent fraud offence and put reasonable procedures in place?
  • Is the organisation's broader economic crime framework joined up, with shared governance and monitoring across anti-bribery, tax evasion facilitation, and fraud prevention?
  • Is the organisation monitoring SFO guidance and enforcement developments to ensure its programme remains current?

A final note

The adequate procedures defence exists because the law recognises that organisations cannot guarantee that no bribery will ever occur within their operations. What they can do, and what the law requires, is take genuine, proportionate steps to prevent it.

The organisations that are best placed when things go wrong are the ones that treated that obligation seriously before they needed to rely on it. They built programmes that reflected their actual risks, embedded them genuinely in their operations, and maintained them over time. Not because they were expecting to be prosecuted, but because they understood that preventing bribery and corruption is both a legal obligation and the right thing to do.

As the failure to prevent model expands into fraud and potentially further, the investment in getting this right becomes more valuable, not less. The principles are consistent, the architecture is transferable, and the organisations that have built it properly are already ahead.

Key takeaways

  • Section 7 of the Bribery Act 2010 created the corporate offence of failing to prevent bribery, with the adequate procedures defence as the only available answer. The standard is relative to the organisation's specific risk, not absolute.
  • The same architecture has now been extended to tax evasion facilitation and to fraud. Organisations that have built their anti-bribery programmes properly are well placed to extend them to cover the broader economic crime framework.
  • The enforcement environment in 2025 and 2026 has become notably more assertive. The SFO is actively pursuing Section 7 prosecutions, and the UIBL case is being watched closely.
  • ISO 37001:2025 brings stronger emphasis on compliance culture and integration with the broader governance framework. Certification is not required, but the standard provides a useful architecture for any programme.
  • The most common failures are superficial risk assessments, programmes that exist on paper but not in practice, and inadequate third-party due diligence. None is hard to identify; all require genuine organisational commitment to fix.