Nine percent. That's what one compliance team's anti-bribery module was hitting last time we checked in. Forty-seven slides, rolled out once a year - and 91% of staff had either not started it or clicked through in 12 minutes.
Meanwhile, the Serious Fraud Office opened two fresh bribery investigations in 2025. In April 2026, defence firm Ultra Electronics paid £15 million to settle a long-running SFO probe. And the Director of the SFO has been unambiguous about what comes next: aggressive corporate enforcement.
There's a gap most compliance teams don't want to acknowledge: "training was available" is not the same as "adequate procedures were in place" under Section 7 of the Bribery Act 2010. If something goes wrong, investigators will not care how well-designed your module was. They will care how many people completed it, whether the content reflected the actual risks your staff faced, and when it was last updated.
This guide covers what the Bribery Act actually requires from training in 2026, how the new ECCTA failure to prevent fraud offence (in force since September 2025) raises the bar further, and what a training programme looks like when it's genuinely built to survive scrutiny.
- Training is one of six adequate procedures principles - it is required, not recommended.
- The SFO's November 2025 guidance update means investigators now scrutinise programme design, not just existence.
- The ECCTA failure to prevent fraud offence (in force since September 2025) mirrors the Bribery Act framework exactly.
- Individuals face up to 10 years in prison. Organisations face unlimited fines and debarment from public contracts.
- Completion data, role-based differentiation, and version history are all examined in SFO investigations.
- 5-minute microlearning hits 95%+ completion vs the industry average of under 5% for traditional modules.
Why "We Have Training" Is Not Enough
The Bribery Act 2010 is not ambiguous on this. Section 7 creates a strict liability corporate offence: if someone associated with your organisation commits bribery on your behalf, your organisation is criminally liable. Full stop. The only available defence is proving that "adequate procedures" were in place to prevent it.
"Adequate procedures" is assessed against six principles the Ministry of Justice published. Principle Five is communication and training. The government's guidance is explicit: anti-bribery policies must be clearly communicated internally and externally, and continuous training is required. Not occasional training. Not annual training if you get round to it. Continuous training.
Training is not one option among many. It sits alongside risk assessment, due diligence, and top-level commitment as a core pillar of the adequate procedures defence.
The SFO does not just ask "did training exist?" In a bribery investigation, they will look at: whether training reflected the actual risks different staff faced, completion rates and whether the right people actually did it, when it was last updated, whether it covered your specific policies (not just generic legislation), and whether senior leaders participated or were quietly exempted.
Getting training right matters most when things go wrong. By then, it is too late to build the audit trail.
What the penalties look like
For individuals convicted under the Act: up to 10 years in prison, unlimited fine, director disqualification for up to 15 years.
For organisations:
- Unlimited fine, calculated by reference to annual turnover under Sentencing Council guidelines [9]
- Confiscation of all profits traceable to the bribery - not just the value of the bribe paid [13]
- Debarment from government contracts and public procurement tenders [11]
- Reputational damage that can destroy client relationships, supply chain trust, and share value
Glencore paid £276 million in a 2022 DPA. Ultra Electronics settled in April 2026 for nearly £15 million [6]. These are not outliers - they are the normal outcome of inadequate compliance programmes.
The Six Principles - and the One Investigators Always Find Lacking
The Ministry of Justice guidance is built around six principles. They are deliberately non-prescriptive - the point is to use them as a framework that can flex to your organisation's actual risk profile. Courts and the SFO use the same framework to assess whether your programme was genuinely adequate or just window dressing.
| # | Principle | What it means in practice |
|---|---|---|
| 1 | Proportionate Procedures | Controls must fit your actual risk profile - not a generic template. A global manufacturer with high-risk market suppliers needs a different programme than a 20-person domestic firm. |
| 2 | Top-Level Commitment | The board has to mean it. If senior leaders visibly avoid the training they require of everyone else, staff notice. So does the SFO. |
| 3 | Risk Assessment | Document where bribery exposure actually exists in your business. Which markets? Which roles? Which third-party relationships? Then act on what you find. |
| 4 | Due Diligence | Run proportionate checks on agents, distributors, joint venture partners, and anyone who does business on your behalf. This is where many firms fall short. |
| 5 | Communication & Training | Policies need to reach people - including third parties. Training must reflect the risk level of the individual receiving it, not just tick a box for all staff. |
| 6 | Monitoring & Review | Procedures that worked in 2020 may not hold up in 2026. The SFO's November 2025 guidance update is a direct signal: they look at how recently your programme was reviewed. |
Principle Five - communication and training - is the one most commonly found wanting when an investigation lands. Rarely because training doesn't exist. Usually because it wasn't proportionate to the risk, it hadn't been updated in three years, completion records couldn't be produced, or the people with the highest bribery exposure had the same training as the receptionist.
The SFO released updated guidance on evaluating compliance programmes in November 2025, replacing its 2020 version. When determining whether to prosecute, investigators now specifically examine programme design, completion rates, version history, and senior leadership participation [4].
The ECCTA: Why 2026 Is a Different Environment Than 2023
Anti-bribery compliance has always mattered. But September 1, 2025 changed the compliance environment in a concrete way: the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023 came into force [3].
Large organisations - 250+ employees, over £36m turnover, or more than £18m in assets - are now criminally liable if an associated person (employee, agent, subsidiary, contractor) commits fraud for the organisation's benefit, and the organisation did not have reasonable prevention procedures in place. The defence structure is almost identical to Section 7 of the Bribery Act. Demonstrate reasonable procedures, including training, or face prosecution.
"Come September [2025], if they haven't sorted themselves out, we're coming after them. I'm very, very keen to prosecute someone for that offence."
That's not posturing. In April 2025, the SFO announced two fresh anti-corruption investigations. In November 2025, it released updated compliance programme evaluation guidance. In April 2026, it secured the Ultra Electronics DPA for nearly £15 million [6]. The enforcement pipeline is active.
Both laws require risk-based proportionate training, documented evidence of completion, role-differentiated content for higher-risk staff, regular review, and demonstrable top-level participation. An anti-bribery programme built correctly already covers most of what ECCTA requires for fraud prevention.
What "Proportionate and Risk-Based" Actually Means in Practice
The Bribery Act does not require a specific training format, duration, or platform. It requires that training be proportionate to the risk that the person receiving it actually faces. Most organisations get this wrong in one of two ways: they run one generic module for everyone (not proportionate), or they rely on that general module to cover both all-staff and higher-risk roles (also not proportionate).
Who needs what
A mailroom operative and a commercial director managing supplier relationships in Southeast Asia do not face the same bribery risk. A defensible programme draws a clear line between at least three groups:
| Group | Who it covers | What training must cover |
|---|---|---|
| All staff | Every employee | What bribery is, how to recognise it, how to report it |
| Higher-risk roles | Sales, procurement, finance, operations in exposed markets | Gifts & hospitality thresholds, third-party red flags, what to do when a public official makes a demand |
| Board & senior leaders | C-suite, NEDs, senior managers | Corporate liability, personal exposure under the Crime and Policing Bill 2025, what top-level commitment means in practice |
What the content must cover
Beyond the four offences under the Act, training must address the less obvious areas:
- That bribery extends well beyond cash - gifts, hospitality, travel, business opportunities, discounts for family members. Staff need to know what a bribe actually looks like before they can report one.
- Facilitation payments: small payments to expedite routine government actions are not legal under the UK Act, unlike under some other anti-bribery regimes. This trips up staff who have worked in other jurisdictions.
- Your organisation's specific policies - gifts register, hospitality approval thresholds, the process for flagging a suspicious third-party request - not just the general legislative framework.
- How to report concerns, and the protections staff have under the Public Interest Disclosure Act 1998. If people don't feel safe reporting, your whistleblowing channel is decorative.
The Problem Most Compliance Teams Already Know But Won't Say Out Loud
The average UK compliance module sees less than 5% completion. Not 50%. Not 20%. Under 5% [7]. That means the vast majority of your staff - including the sales director who just started managing a distribution partner in a high-risk market - have not actually absorbed your anti-bribery training.
And yet those completion records are what organisations rely on as their primary evidence of "adequate procedures." It does not hold up.
Three structural reasons traditional compliance training fails
This is not a content problem. Better slides will not fix it. The format is the problem:
- Too long. A 60-minute annual module asks staff to hold 40+ new concepts in working memory at once. Research on cognitive load consistently shows working memory can hold 4-7 pieces of new information at a time. Content not revisited within 24 hours starts fading fast.
- Too generic. One module for 3,000 people treats a junior administrator the same as a commercial director operating in Southeast Asia. That is not proportionate training under the Bribery Act.
- Too infrequent. Bribery risks change with new markets, new third-party relationships, and new regulatory guidance. Annual training is stale before the next refresh cycle. And when the SFO asks when your programme was last updated, "January 2023" is not a reassuring answer in 2026.
Traditional Training vs Microlearning: The Numbers
This is what actually changes when you replace the annual module with a microlearning approach to compliance training:

| Feature | 5Mins microlearning | Traditional LMS / Annual module |
|---|---|---|
| Completion rate | 95%+ on 5Mins platform | <5% industry average |
| Lesson format | 3-5 min bite-sized lessons | 45-90 min slide deck |
| Retention after 1 week | 50%+ better retention | 20-30% retained |
| Admin burden | Zero admin - auto-tracked | High - manual tracking |
| Scenario practice | ✓ | ✕ |
| Training frequency | Daily, in the flow of work | Once a year |
| CPD accredited | ✓ | Varies |
The compliance question that matters: which approach produces the audit trail that holds up if the SFO comes calling? Not the one that looked better in the procurement pitch.
How to Build a Training Programme the SFO Won't Question
The SFO's November 2025 guidance on evaluating compliance programmes [4] is the clearest signal yet of what "adequate" actually means in practice. These six steps align directly with that guidance - and with the Bribery Act's six principles.
Step 1: Write down your bribery risk assessment
Not in your head. On paper - or in a documented system that can be produced in an investigation. Cover the markets you operate in and their corruption risk ratings, which roles have third-party or public official contact, which categories of spend are most exposed, and whether local business culture in any of your operating markets creates additional risk. This assessment is what justifies your training design. Without it, you cannot demonstrate proportionality.
Step 2: Define your training tiers in writing
Use the risk assessment to draw a clear line: general awareness for everyone, enhanced training for higher-risk roles. Write down which job titles sit in which tier and why. That documentation evidences proportionality - one of the things the SFO explicitly examines.
Step 3: Use content that is current and accredited
Training content needs to reflect post-ECCTA legislation. That means anything built before September 2025 should be reviewed. CPD accreditation provides independent assurance that the content meets professional standards. If an investigator asks how you know the training was adequate, "it was CPD-accredited" is a better answer than "our compliance manager wrote it in 2021."
Step 4: Track completion automatically
Completion data is evidence. Every instance of training delivered needs to be logged - who completed it, when, what they scored. Manual tracking produces gaps and inconsistencies. Automated platforms produce a clean audit trail that is always available.
Step 5: Review after material changes - not just annually
The SFO guidance requires that procedures be regularly monitored and reviewed. Entry into new markets, acquisition of third parties with different risk profiles, regulatory changes (such as the ECCTA coming into force), and internal incidents should all trigger a review. The November 2025 SFO guidance update itself was a trigger - if you haven't checked your programme against it, now is the time.
Step 6: Make sure the board isn't exempt
Senior leadership participation in anti-bribery training evidences Principle Two: top-level commitment. If your CEO, CFO, and non-executive directors are quietly excluded from the training requirement, that gap is visible. And it sends a clear message to everyone else about how seriously the organisation actually takes this.
How 5Mins Delivers Anti-Bribery Training Differently
5Mins is an AI-powered microlearning platform used by organisations in 80+ countries for compliance, leadership, and role-based training. On anti-bribery specifically, four things matter to compliance officers and HR teams:
- CPD-accredited modules covering the UK Bribery Act 2010 - independent assurance that content meets professional standards.
- Role-based learning pathways - not one module for everyone. Staff in higher-risk roles get targeted content that reflects their actual exposure.
- 95%+ completion rates versus the industry average of under 5% for traditional compliance modules [7].
- Real-time analytics dashboard - every completion is logged, timestamped, and exportable. When a board member asks for a compliance report, the data is already there.
Staff do not sit through a 60-minute module once a year. They get 3-5 minute lessons, built around a single concept, accessible on mobile, integrated with Slack and Microsoft Teams, in the flow of the working day. Gamification - streaks, leaderboards, skill points, certificates - means people actually come back.
For compliance officers, the value is in the audit trail. Auto-enrolment, smart reminders, and automatic content updates when legislation changes mean the programme stays current without constant manual intervention. When an investigation starts - or when the board asks for a compliance report - you have everything you need, immediately.
1. Bribery Act 2010, UK Government, legislation.gov.uk/ukpga/2010/23/contents
2. The Bribery Act 2010 - Guidance, Ministry of Justice, GOV.UK, assets.publishing.service.gov.uk
3. ECCTA 2023: Guidance on the Failure to Prevent Fraud Offence, Home Office, GOV.UK, November 2024 (effective September 2025)
4. SFO Updated Guidance on Evaluating Corporate Compliance Programs, Alston & Bird, December 2025, alston.com
5. New SFO Cases Underline Commitment to Proactive Enforcement, Clifford Chance, May 2025, cliffordchance.com
6. SFO Secures £15 Million Bribery Settlement with Ultra Electronics, Spotlight on Corruption, April/May 2026, spotlightcorruption.org
7. Bribery and Corruption Laws 2026 - United Kingdom, Global Legal Insights, December 2025, globallegalinsights.com
8. How SFO Developments Could Impact the Corporate Enforcement Landscape, Covington & Burling, May 2025, cov.com
9. Corporate Liability and Penalties Under the Bribery Act 2010, Charles Russell Speechlys, April 2025, charlesrussellspeechlys.com
10. Failure to Prevent Fraud Offence in Force from September 2025, Practical Law, Thomson Reuters, August 2025
11. What Are the Penalties for UK Bribery Act Offences?, VinciWorks, May 2025, vinciworks.com
12. Anti-Bribery Compliance in 2025: Key Global Updates, Mitratech, March 2025, mitratech.com
13. Q&A on Bribery Offences in the UK, Transparency International, antibriberyguidance.org
14. Serious Fraud Office Debates, UK Hansard, June 2025, hansard.parliament.uk
Disclaimer: This article is for informational purposes only and does not constitute legal advice.
The Bribery Act 2010 and the Economic Crime and Corporate Transparency Act 2023 are complex pieces of legislation. Organisations should obtain qualified legal advice on their specific compliance obligations. Information is accurate as of 23 June 2026.



