Who Is Liable When the SFO Investigates?

2nd Apr 2026
An SFO investigation does not mean a company is liable. By the time liability is decided, the damage is often already done. When a business comes under investigation by the Serious Fraud Office (SFO), it enters a period of uncertainty where exposure builds long before responsibility is formally decided. In many cases, companies, directors, and employees spend years under scrutiny without knowing where liability will ultimately fall. For decision-makers, the real issue is not simply who is liable, but when SFO investigation liability arises—and how it shifts as the case develops. Exposure Before Liability SFO investigations rarely begin with a formal accusation. More often, they are triggered by intelligence—whistleblower reports, regulatory referrals, or cooperation with overseas authorities. In some cases, companies themselves uncover issues through internal reviews and bring them to light. Once an investigation is opened, the SFO can compel documents and require individuals to answer questions. These powers are extensive, but they are investigative—not determinative. At this stage, there is no legal finding of liability. But exposure is already increasing. The way a company responds—how it preserves evidence, how it engages with investigators, and how quickly it understands the risks—can shape the entire trajectory of the case. In practice, the greatest risk is not the final outcome, it is the period where a company is under investigation but does not yet know where liability will fall. How SFO Liability Is Established Liability in SFO cases depends on more than wrongdoing alone. Prosecutors must show that the conduct can be attributed to the company or to specific individuals. Traditionally, this turns on whether senior figures—those representing the “directing mind” of the business—were involved. But modern corporate offences take a broader approach. Under the UK Bribery Act 2010 Section 7, a company may be liable for failing to prevent bribery unless it can demonstrate that it had adequate procedures in place. Government guidance makes clear that this defence requires more than written policies. Organisations must be able to demonstrate active risk management, due diligence, and effective monitoring in practice. This creates a clear dividing line: an investigation creates exposure, but liability only arises once legal thresholds are met and proven. Shifting Responsibility in SFO Cases In SFO investigations, where liability sits often changes as the case develops. At the outset, both the company and individuals may be under scrutiny. As the evidence builds, that picture starts to change. In some cases, attention turns to individuals, particularly where decisions can be traced to specific executives. In others, the focus shifts back to the organisation, especially where the issue is one of systems or controls rather than individual conduct. Those outcomes do not always move together. A company may reach a Deferred Prosecution Agreement, while individuals remain exposed to prosecution. The courts have been clear on this point: corporate resolutions do not shield individuals. In major SFO cases, agreements apply to the company—not to employees who may still face prosecution. The Rolls-Royce case illustrates how this plays out in practice. The investigation ran for years across multiple jurisdictions, with the company facing significant commercial and regulatory consequences long before liability was formally resolved. Cooperation, Time, and Rising Risk Cooperation is often misunderstood as a way to avoid liability. In practice, it changes how liability is enforced—not whether it exists. Companies that self-report, preserve evidence, and assist investigators may be eligible for a Deferred Prosecution Agreement, avoiding a criminal conviction but typically involving substantial financial penalties and long-term compliance obligations. In one of the SFO’s most significant cases, the court described the company’s cooperation as “extraordinary,” highlighting how early and proactive engagement can materially influence outcomes. At the same time, SFO investigations are inherently lengthy. Cross-border evidence gathering, large volumes of data, and complex disclosure obligations mean cases often take years to resolve. During that period, liability remains undecided—but the commercial consequences are already unfolding. The legal framework is also evolving. Reforms under the Economic Crime and Corporate Transparency Act 2023 expand the SFO’s ability to compel information at an earlier stage, strengthening corporate exposure to economic crime enforcement. For businesses, the direction is clear: risk begins earlier, lasts longer, and is becoming easier to establish. The Point of Resolution Liability ultimately crystallises at the point of resolution—when charges are brought, a settlement is reached, or the case is closed. By that stage, the investigation has moved from suspicion to substantiated findings. Legal thresholds have been tested and enforcement decisions made. But in most cases, the business has already experienced the consequences—financial, operational, and reputational—well before that point. This is the defining feature of SFO enforcement: liability is determined late, but its effects begin early. Final Assessment So who is legally responsible when a company is investigated by the Serious Fraud Office? There isn’t a clear answer at the outset. In most cases, liability takes time to emerge—shaped by the evidence, the legal thresholds, and the decisions made as the investigation progresses. For businesses, the important point is this: liability isn’t a single moment, it builds over time. By the time that position is finally settled, the commercial impact is often already being felt. People Also Ask When does an SFO investigation lead to liability?Liability arises when prosecutors determine that legal thresholds are met and bring charges or agree a settlement. Investigations alone do not establish liability. Can a company avoid prosecution by cooperating with the SFO?Cooperation may lead to a Deferred Prosecution Agreement, avoiding conviction, but it does not remove liability or financial penalties. Are directors personally liable in SFO investigations?Directors can be personally liable if misconduct is attributable to them. Liability depends on their role, knowledge, and involvement.