In brief

On 29 June 2026, section 250 of the Crime and Policing Act 2026 (CPA) enters into force, significantly expanding the scope of corporate criminal liability in the UK. Under the previous regime1, a corporate could be held liable only for specified economic crimes committed by a “senior manager”. The CPA repeals this limitation and extends attribution for all criminal offences.

As a result, where a senior manager, acting within their actual or apparent authority, commits any criminal offence, that conduct may now be attributed directly to the corporate entity. This represents a material broadening of corporate exposure to criminal liability.

Many corporates will already have in place robust compliance programmes, especially in light of the proliferation of so called “failure to prevent offences” in the UK. The CPA does not provide a statutory “reasonable” or “adequate” procedures defence. However, a focus on compliance is still a corporate’s best response to this new legislation given: (i) good compliance will help reduce the risk of wrongdoing in the first place; and (ii) the strength of a corporate’s compliance programme is likely to be taken into account when prosecutors assess whether it is in the public interest to prosecute the corporate.

Key takeaways for corporates

  • The CPA’s reach extends to all criminal offences, not just economic crimes.
  • “Senior manager” is defined by influence, not just job title or position in the organisational chart.
  • The regime applies to UK and non-UK organisations of any size, including charities.
  • There is no statutory “reasonable procedures” defence and DPAs will not be available for many of the new offences captured.
  • Practical tips: organisations should (i) consider who may sit within their “senior manager” population; (ii) consider what criminal offences may be committed by those individuals in the course of their roles; (iii) raise awareness within the senior manager population of criminal offences that may be committed in the scope of their work; and (iv) refresh relevant policies and training.
      

Background

Section 250 of the CPA is the latest in a series of new legislation which has expanded the scope of corporate criminal liability in the UK. Through the UK Bribery Act 2010, the failure to prevent the facilitation of tax evasion offence, ECCTA, and now the CPA, the UK has, over the past 15 years, progressively broadened the circumstances in which the criminal conduct of individuals can be attributed to corporates.

The CPA repeals the statutory attribution regime introduced by ECCTA, which was intended to address the difficulty of prosecuting companies under the pre-existing common law “identification principle”. Under that identification principle, liability would only be attributable to the corporate if an individual representing the company’s “directing mind and will” could be identified as having commissioned the relevant offence. ECCTA supplemented this framework by introducing a statutory basis for attributing liability in relation to certain economic crimes.

The Government recognised at the time of ECCTA’s enactment that limiting reform to economic crimes was only a partial solution, and that more comprehensive reform of corporate attribution rules would be required to address all crimes.

The new legislation makes it easier to prosecute modern-day multi-jurisdictional corporations where it is harder to pinpoint who is the “directing mind and will” of that corporation. The CPA was also intended to address the inequity between small and large corporates, where it was easier to identify a “directing mind and will” in a smaller company.

That said, the Home Office’s Impact Assessment frames the CPA primarily as a deterrent measure. By making it easier to prosecute corporates when the law is breached, the CPA is intended to reduce crime without necessarily leading to “an increase in new cases”.

What does the new law say?

Section 250 CPA attributes criminal liability to a “body corporate or partnership” where a “senior manager”, acting within their “actual or apparent scope of authority”, commits a criminal offence.

“Senior manager”

The CPA adopts a very similar definition of “senior manager” as was set out in section 196 ECCTA.

A “senior manager” is defined as someone who plays a significant role in (i) the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised; or (ii) the actual managing or organising of the whole or a substantial part of those activities.

As there have been no prosecutions under section 196 so far, there is currently no case law to provide further guidance on where the limits of “senior manager” will be drawn in practice. However, it is clear that whether someone is a “senior manager” does not depend on their job title or place in the organisational structure. What matters is the level of influence they have over how the business (or a substantial part of the business) is run.

The Explanatory Notes to the Crime and Policing Bill confirmed that the term “senior manager” is designed to capture anyone with significant decision-making power over all, or a substantial part, of a business. In practice, this is likely to include:

  • Company directors
  • CEOs and COOs
  • Heads of departments, including HR
  • Data Protection Officers (DPOs)

However, the role is not limited to those in traditional executive positions – others with real influence over key business decisions may also be caught and the net should not be cast too narrowly.

“Body corporate or partnership”

The regime has a deliberately broad reach. It applies to organisations based both inside and outside the UK and covers a wide range of entity types – including public companies, private companies, and charities.

There is also no size threshold, unlike under the failure to prevent fraud offence. Liability under the CPA can attach to organisations of any scale, from large multinationals to smaller entities.

“Actual or apparent scope of their authority”

The senior manager must have been acting within the actual or apparent scope of their authority. Importantly, the senior manager need not have been authorised to commit the criminal act itself. It is enough that the act was of a type they were authorised to perform, even if the specific conduct strayed into criminality.

In practice, this means organisations cannot easily distance themselves from a senior manager’s wrongdoing simply by pointing to internal rules or policies that prohibit the conduct in question.

Jurisdictional Nexus

The CPA places a jurisdictional limit on the new offence. A company cannot be held liable where both (i) the criminal wrongdoing occurs outside the UK, and (ii) the company itself would not have committed an offence had it carried out the conduct directly, rather than through a senior manager.

This jurisdictional limit is designed to prevent criminal liability attaching to conduct carried out wholly overseas, simply because the senior manager involved happens to fall within the UK’s extraterritorial jurisdiction (for example, because they are a British citizen).

Examples of criminal offences covered under CPA

Examples of the wider range of offences committed by senior managers that could now be more easily attributed to corporates include:

  • Data privacy and protection offences
  • Computer misuse offences
  • Modern slavery and human trafficking offences
  • Obstruction of justice and failure to disclose offences
  • Health and safety at work offences
  • Environmental offences
  • Offences against the person
  • Trade and sanction offences
  • Economic offences that were not covered by section 196 ECCTA (for example, section 331 of the Proceeds of Crime Act 2002)
      

Other considerations

Deferred Prosecution Agreements (DPAs)

For many of the new offences captured by the CPA, a company cannot enter into a DPA. DPAs are only available for a defined list of economic crimes, which means that for offences falling outside of that list, the DPA regime will not be available.

Loss of existing statutory defences

Not only does the CPA provide no statutory defence for section 250, but it may also allow prosecutors to bypass existing corporate defences. Although corporate “failure to prevent” type offences (such as section 7 of the Bribery Act 2010) carry a “reasonable” or “adequate procedures” defence, the comparable offence targeting an individual (such as section 1 of the Bribery Act 2010) may not. In such circumstances, prosecutors may seek to pursue the corporate entity via the conduct of an individual who does not benefit from a defence, relying on section 250 of the CPA.

Prosecution of individual

It is currently unclear whether a prosecutor would have to first successfully prosecute the senior manager for a criminal offence, before being able to bring a charge against the company under section 250. It would appear logical that this should be the case (or at the very least, that they must prove to the criminal standard that the senior manager committed the offence), but this has not yet been confirmed. It may also be open to prosecutors to charge the individual and the corporate as co-defendants in the same trial.

What practical steps should companies consider?

Many of the practical challenges that have historically made corporate prosecutions difficult – such as gathering sufficient evidence, identifying the right individuals, and navigating complex cross-border investigations – will remain. The CPA changes the legal test, but it does not change the realities of how these cases are built and run by prosecutors.

Companies should remain proactive in assessing their exposure to the CPA, and consider taking the following steps:

  • Map where the risk sits: Consider which roles may meet the “senior manager” test, so that potential liability hotspots can be pinpointed. Legal counsel should be involved from the outset to ensure the work is covered by legal professional privilege in the UK. Companies should ensure that due diligence processes around appointing individuals to senior manager positions are robust, either when hired laterally or promoted internally.
  • Focus on the offences most likely to arise: While any offence committed by a senior manager could in theory be attributed to the organisation, efforts should be targeted at those offences most relevant to the roles identified - and policies and controls tailored accordingly. For example, an organisation in the Food and Beverage industry, may want to focus on the criminal offences set out under the Food Safety Act 1990, and for organisations with a lengthy or complex supply chain, it may be sensible to focus on criminal offences under the Modern Slavery Act 2015.
  • Strengthen policies, messaging and training: Although no statutory defence is available, well-designed policies and effective training programmes will help reduce the risk of wrongdoing and may weigh in the organisation’s favour when prosecutors consider the public interest in pursuing a case. It is likely that policies will already be in place to address the pre-existing “failure to prevent” offences, as well as other non-economic crime offences, such as data privacy-related offences, and these should be reviewed and updated as necessary.
  • Review your information governance: Alongside having robust policies, clear messaging, and effective training in place, organisations should be able to evidence the existence of those measures and any steps taken to review and update them. Organisations should also consider how and where their data is stored, as well as their document retention policies. Accessible, well-organised, and understandable data can be invaluable if the organisation is ever subject to an investigation.

* * * * *

Reuben Shahidullah, Trainee Solicitor, has contributed to this alert.


1 Section 196 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

Explore More Insight