Lessons for corporates from the SFO's latest deferred prosecution agreement
As the UK's Serious Fraud Office concludes its first deferred prosecution agreement (DPA) in nearly five years, we consider the key practical takeaways from this for companies when assessing their compliance policies and procedures.
On 1 May 2026, the SFO announced that it had entered into a DPA with the British manufacturer Ultra Electronics Holdings Ltd, relating to Ultra's failure to prevent bribery in respect of business dealings in Oman and Algeria. Under the terms of the DPA, Ultra will pay nearly £15m in fines and costs and be subject to various cooperation and reporting obligations to the SFO for the next three years.
As is well known, if a company has adequate policies and procedures in place, it would have a defence to the criminal offence of failure to prevent bribery (pursuant to section 7 of the Bribery Act 2010). Likewise, having "reasonable" policies and procedures in place is a defence to the other corporate liability offences of failure to prevent tax evasion, and the new corporate offence of failure to prevent fraud.
As it has been almost five years since the SFO last concluded a DPA, this latest case offers a useful opportunity to revisit some of the practical lessons for companies seeking to ensure that their own compliance procedures are appropriately designed and effective in practice.
Some key takeaways from the DPA include:
1. Risk assessments need to be current, documented and practical
Government guidance regarding adequate/reasonable prevention procedures consistently places risk assessment at the centre of an effective compliance framework, whether in relation to bribery, tax evasion or fraud. Businesses should ensure that they carry out periodic, documented risk assessments that are tailored to their operations, markets, counterparties and delivery models, and that those assessments are kept under review as the business evolves.
The DPA is a useful reminder that enforcement authorities will look closely at whether a company had a structured process for identifying and assessing risk in practice, rather than treating risk assessment as a one-off or purely paper-based exercise.
2. It is important to have adequate oversight over joint ventures
For many businesses, joint ventures, consortium arrangements and local partnerships are a commercial necessity. They can, however, create heightened compliance risk, particularly where a third party is acting in whole or in part on the company's behalf, or where the company may benefit from the relationship’s activities.
A key lesson is that companies should have clear governance, diligence and oversight mechanisms for such arrangements, including defined approval processes, contractual protections, escalation routes and ongoing monitoring. The existence of policies alone is unlikely to be sufficient if those policies do not result in real visibility over how higher-risk relationships are established and managed.
3. Where policies are in place, they need to be followed and periodically reviewed
Even a policy that looks effective on its face is of little value if, in practice, it is not properly implemented and complied with. Businesses should therefore consider whether key approval steps, sign-offs and record-keeping requirements are actually being complied with consistently, and whether that can be demonstrated through periodic testing, audits or sampling.
The DPA also underlines the importance of keeping policies under review. Compliance policies should be reviewed regularly to ensure that they remain current and fit for purpose and take account of any relevant external or internal changes since first implemented.
4. Engaging agents is a potentially high-risk activity and a company's policies and procedures should reflect this
The engagement of agents, consultants and other intermediaries remains a well-recognised source of financial crime risk, particularly in cross-border and public-facing business.
Companies should ensure they have clear policies and procedures governing the engagement of agents and intermediaries, tailored to the specifics of their business, with records being kept and monitoring performed to demonstrate compliance.
In practice, that means robust due diligence before appointment, clear internal approvals, appropriately tailored contractual protections, transparency around compensation, and ongoing monitoring after engagement. The broader lesson from the DPA is that generic policies are unlikely to be enough where the underlying activity presents a recognised area of heightened risk.
5. Relevant training should be provided, with completion being tracked
Training remains a core component of an effective compliance programme, but it is not enough simply to make training available. Businesses should ensure that training is tailored to relevant risk areas and employee roles, refreshed periodically, and supported by reliable completion records and follow-up where participation is incomplete.
The practical point is that if a company later needs to demonstrate the effectiveness of its procedures, it will need to show not only that relevant training existed, but that it was delivered to the right people, at the right time, and in a way that was capable of influencing behaviour.
Although the Ultra DPA is bribery specific, many of the lessons from it apply to the full range of financial crime risks faced by companies, including in relation to the new corporate criminal offence of failure to prevent fraud. It therefore provides a timely reminder to companies of some key points that should be considered in any compliance programme, and demonstrates the risks that can crystallise when a compliance programme falls short.