What has changed?

The Crime and Policing Act 2026 (CPA) received Royal Assent on 29 April 2026 and introduces a significant expansion of corporate criminal liability. Section 250 of the CPA, which comes into force on 29 June 2026, provides that where a senior manager of a body corporate or partnership commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation itself also commits that offence. 

This builds on reforms first introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which created a similar attribution mechanism but limited it to specified economic crimes such as fraud and false accounting. The CPA removes that limitation entirely: the senior manager attribution model now applies to all criminal offences. The new section 250 of the CPA repeals and replaces the ECCTA senior manager offence provisions.

Key elements of the offence

There are three core components to the section 250 offence. These mirror (but expand) the structure of the ECCTA senior manager offence.

1. The individual must be a “senior manager”

For the purposes of the offence, a senior manager is defined as a person who plays a significant role in making decisions about how the whole or a substantial part of an organisation’s activities are managed or organised, or who plays a significant role in actually managing or organising those activities. This definition is materially identical to that used in the ECCTA senior manager offence. It is a functional test: it depends on the individual’s actual role and influence, not their job title, remuneration, or employment status. Board members, divisional heads, regional leaders, and de facto decision-makers could all be caught.

2. The senior manager must have committed a criminal offence

The underlying offence must be proved against the individual, including any requisite mental element (such as intent, knowledge, or recklessness).

3. The conduct must fall within the senior manager’s actual or apparent authority

The senior manager need not have been authorised to commit the criminal act itself; it is sufficient that the act was of a type they were authorised to undertake or that would ordinarily be undertaken by someone in their position. For example, a CFO who commits fraud by making false statements about a company’s financial position is acting within the scope of their authority, given this activity is inherently part of their role.

Scope and application

The breadth of section 250 is striking. It is not confined to any defined category of offence, meaning that corporate liability could arise from conduct spanning health and safety, environmental compliance, data protection, sanctions, and modern slavery. Organisations in higher-risk sectors, such as construction, manufacturing, energy, and transport, should be particularly alert to the potential for gross negligence manslaughter to be attributed via this route.

The offence applies to bodies corporate and partnerships, whether incorporated in the UK or elsewhere. A non-UK incorporated company can be liable under section 250 where any relevant conduct constituting the offence takes place within the UK. There is a narrow territorial exclusion: an organisation will not be liable where all the conduct constituting the offence occurs outside the United Kingdom and the organisation would not itself commit the offence if that conduct were directly attributable to it. In practical terms, this means that a non-UK company with senior managers who act, make decisions, or oversee operations within the UK could face criminal liability under this provision, even if the company has no UK-registered presence. Organisations with cross-border operations should therefore assess where their senior managers exercise authority and whether any of that activity has a UK nexus.

Penalties and the absence of a defence

Critically, there is no “reasonable procedures” defence available under section 250. This stands in contrast to the failure to prevent fraud, bribery, and facilitation of tax evasion offences, each of which provides organisations with a defence if they can demonstrate that they had adequate or reasonable preventative procedures in place to prevent the misconduct. Under the CPA, an organisation can be convicted and sentenced for the same offence as the senior manager, regardless of the compliance framework it may have implemented.

That said, robust governance and compliance measures remain highly relevant. They can reduce the risk of offending in the first place and may be considered at sentencing or when prosecutors assess whether a corporate prosecution is in the public interest. 

Practical steps for corporates

With the new regime coming into force on 29 June 2026, organisations have a period in which to assess their risk and prepare for the CPA, and should consider taking steps (on top of those already taken further to the introduction of the senior manager offence contained in the ECCTA) to:

• Map senior managers. Identify all individuals who could fall within the statutory definition, looking beyond formal titles to assess actual decision-making roles and influence across the business.
• Review delegations of authority. Document and scrutinise the actual and apparent authority afforded to senior managers, including in operational and regulatory compliance functions, not just financial or commercial roles.
• Conduct a risk assessment. Extend existing risk assessment and audit programmes beyond economic crime to encompass the full range of criminal risks that could now be attributed to the organisation, including health and safety, environmental, data protection, and workplace conduct-related risks.
• Enhance training. Ensure that all individuals who may qualify as senior managers receive targeted training on the expanded scope of corporate criminal liability, and that new joiners at senior level are briefed accordingly.
• Update policies and reporting channels. Review existing compliance policies, monitoring structures, and whistleblowing processes to ensure they reflect the wider spectrum of potential criminal exposure.
• Review insurance coverage. Assess whether existing D&O and corporate insurance policies provide adequate coverage in light of the expanded liability.

The CPA represents a step change in how corporate criminal liability operates in the United Kingdom. Organisations that take proactive steps now, even in the absence of a statutory defence, will be far better placed to manage the risks this expanded regime presents.

Client Alert 2026-128