Serious Fraud Office chief Graham McNulty used a speech in New York on 3 June 2026 to deliver a clear message to UK companies: the agency still wants self-reports, but it also wants them earlier, fuller and backed by real cooperation. In remarks published by GOV.UK, he presented the SFO as a practical partner for businesses that come forward quickly and as a firmer enforcer for those that do not. He also defended the SFO's in-house model, where investigators, lawyers, forensic accountants and data specialists work together from the start of a case. For directors, general counsel and compliance teams, that matters more than the conference setting. The speech reads less like a set-piece and more like a warning that the SFO wants to change behaviour. He pointed to faster decision-making, tougher use of intelligence and surveillance, and closer international work with US and European prosecutors. The thread running through all of it is simple: companies should assume the cost of getting this wrong is rising.

The clearest case study was the recently agreed Deferred Prosecution Agreement with Ultra Electronics. The company accepted responsibility for failing to prevent bribery linked to three public sector contracts pursued through agents, and it must pay a £10 million penalty plus £4.8 million in SFO costs. McNulty used the case to show that self-reporting is only the starting point, not the finish line. According to the speech, Ultra first self-reported in 2018 and was invited into DPA talks in 2021. Those negotiations were later abandoned after fresh information emerged about conduct in Oman and the SFO said the conditions for a meaningful agreement were no longer there. Talks only resumed after major changes in ownership, structure and leadership, and once the company came forward with all relevant material the deal was completed within eight months. For advisers, the lesson is uncomfortable but clear: staged disclosure, partial cooperation or a weak remediation plan can cost a company years.

The SFO's revised corporate cooperation guidance, launched in 2025, is meant to make that choice easier for boards. McNulty said companies that report promptly and cooperate fully are now being offered what he called a near-guarantee of an invitation to DPA negotiations, unless exceptional circumstances apply. He also highlighted process targets that businesses have long wanted: contact within 48 business hours, regular updates, a decision on opening an investigation within six months, and DPA negotiations concluded within six months of an invitation. That does not amount to immunity, and companies should not read it that way. A DPA still carries a public statement of wrongdoing, financial penalties and close scrutiny of remediation. Even so, the guidance matters because it reduces one of the biggest blockers to self-reporting: uncertainty over timeline and outcome. For audit committees and external advisers, the decision is becoming less about whether the SFO will engage and more about whether the company can meet the standard of cooperation the agency now says it expects.

This is where governance moves from policy document to evidence trail. A company weighing a self-report needs a board that can act quickly, a management team that preserves documents from day one, and a compliance function that already knows where the highest-risk third parties, agents and overseas contracts sit. The Ultra case, as McNulty framed it, suggests the SFO is looking closely at whether leadership change and cultural reform are real or simply presented that way once trouble arrives. For UK businesses, that raises the bar on preparation. Internal investigations will still need careful handling around legal privilege, employee interviews and market disclosures, but the broader point is more basic. The SFO wants prompt reporting, fuller facts and visible remediation. Companies that spend months arguing internally over whether a problem is material may find the agency has little patience for delay, especially when misconduct touches public contracts, overseas intermediaries or revenue booked through high-risk markets.

McNulty also spent considerable time recasting the SFO as a more active enforcer, and this may prove the most important part of the speech. He said the UK Government has put multi-million pound funding into the agency's intelligence capability, including a new enterprise system designed to connect information across referrals, cases and other data sources. The aim is straightforward: generate more cases without waiting for a company, bank or overseas authority to make the first move. That matters because many UK firms still treat self-reporting as a tactical choice taken only after a problem becomes impossible to contain. McNulty's answer was blunt. In effect, not self-reporting is becoming a worse bet. He pointed to recent dawn raids and arrests in an investigation into suspected fraud linked to an energy efficiency scheme, alongside the forthcoming sentencing of three people convicted over a £70 million investment fraud. The message to boardrooms is that enforcement risk is no longer confined to slow-moving document requests and distant court dates.

His comments on surveillance and whistleblowers pushed that argument further. Drawing on his long policing background, McNulty said economic crime has too often been handled with a degree of politeness not afforded to other offences. He made clear that, where the law allows, the SFO intends to make fuller use of surveillance with law enforcement partners and is pressing for a more efficient route to deploy those powers. On whistleblowers, the SFO is pressing a debate that many UK companies would rather postpone. McNulty backed financial incentives and noted that more than 700 UK nationals used four US whistleblower programmes between 2012 and 2023. That figure, cited in the speech, will catch the attention of compliance officers for a simple reason: if staff believe external reporting is faster, safer or more rewarding than internal escalation, the company loses control of the first account of events. Speak-up systems, investigation protocols and anti-retaliation safeguards now look less like good practice and more like front-line risk control.

The legal backdrop is also shifting. McNulty said the SFO intends to make full use of the new powers available under the Economic Crime and Corporate Transparency Act. For large organisations, the new failure to prevent fraud offence is the headline change. If an associated person commits fraud intending to benefit the organisation, the company may face criminal liability, including where conduct takes place overseas but there is a UK connection. Alongside that sits the senior manager test, which lowers the hurdle for attributing criminal liability to a company. Taken together, those changes should alter the conversation inside finance, legal and risk teams. The old comfort that a case was too remote, too international or too dependent on one bad actor is weaker than it was. Prevention now carries more weight. That means sharper fraud risk assessments, better controls over agents and distributors, clearer ownership at senior level and more disciplined monitoring of how revenue is won.

The international part of the speech was not window dressing. McNulty highlighted close working ties with the US Department of Justice and the anti-corruption prosecutorial taskforce created in 2025 with France's financial prosecutor, the PNF, and Switzerland's Office of the Attorney General. He also pointed to the AOG Technics case, where falsified documents tied to more than 60,000 aircraft parts triggered safety alerts and grounded planes in the UK and abroad. In the SFO's telling, that case showed how quickly fraud can move from balance-sheet issue to public harm, and how much it depends on fast cross-border cooperation. For UK companies and their advisers, the broader read-across is hard to miss. The SFO wants more self-reports, more DPAs and more cases built from its own intelligence. It is signalling that cooperation must be genuine, remediation must be visible and cross-border structures will not shield misconduct from view. Market Pulse UK's reading is that the agency is trying to change the calculation in the boardroom: report early and deal with the consequences, or wait and face a harder, more public fight.