The Crime and Policing Act 2026: Widening the Gateway to Corporate Criminal Liability

The Crime and Policing Act 2026 (CPA) received Royal Assent on 29 April 2026.

With effect from 29 June 2026, companies have become liable for any criminal offence committed by a senior manager acting within their actual or apparent authority.

The legislation significantly extends corporate criminal liability in the UK and pushes further the already important change introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) just three years ago.

Development of Corporate Criminal Liability

Historically, criminal liability in the UK could generally only be attributed to corporate entities through the common law “identification doctrine”. Broadly, an individual’s criminal conduct could be attributed to a corporate organisation if the individual represented that organisation’s “directing mind and will” and committed the offence with the requisite mental state. 

Aside from some growth in corporate criminal liability under health and safety legislation, the first important change came with the introduction of the failure to prevent offences from 2010. These created a criminal liability for corporates not by the commission of the underlying offence, but for failing to prevent one of their associated persons (typically an employee or agent) from doing so. The first of these offences was the failure to prevent bribery under Section 7 of the 2010 Bribery Act (BA), followed by the failure to prevent the facilitation of tax evasion and the failure to prevent fraud (in 2017 and 2023 respectively); albeit the last of these could only be committed by a large organisation.

The Previous Position Under the ECCTA 2023

In addition to these developments in corporate criminal liability, ECCTA brought a more direct response to criticism that the identification doctrine made it difficult to prosecute large organisations. Section 196 of ECCTA introduced a new statutory rule to attribute criminal liability to a corporate organisation where a “senior manager” commits a “relevant offence”, provided they are acting within the actual or apparent scope of their authority. A relevant offence was one of the economic crime offences listed in Schedule 12 of the Act.

The definition of senior manager in ECCTA was drawn from the Corporate Manslaughter and Corporate Homicide Act 2007 (CMCH). There are, however, some nuanced differences in the way it is applied, reflecting the CMCH’s roots in health and safety legislation rather than criminal liability. The most notable distinction is that under the CMCH, an organisation can be guilty if the manner in which it is managed by senior management caused a substantial part of the offending act. By contrast, under ECCTA, the act itself must be committed by a senior manager.

Under ECCTA, “senior manager” means an individual who plays a significant role in either: (1) the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised; or (2) the actual managing or organising of the whole or a substantial part of those activities.

Importantly, the ECCTA reforms were confined to “relevant offences”, namely a list of specified economic crimes such as fraud, money laundering and bribery.

(You can read our previous article on the expansion of corporate criminal liability under the ECCTA here.)

The New Position Under the CPA 2026

Although the changes made by ECCTA only came into force in December 2023, they have already been repealed and replaced. Section 250 of the CPA introduces a major change by making corporates criminally liable for all offences committed by their senior managers acting within the actual or apparent scope of their authority.

When Will Corporate Criminal Liability Arise?

The following factors are relevant to understanding the scope and operation of the new attribution rule under the CPA:

1. Corporate Bodies: The rule under Section 250 applies to all bodies corporate wherever incorporated, excluding a corporation sole, or a partnership that is not regarded as a body corporate under the law by which it is governed. While the failure to prevent fraud offence introduced under the ECCTA is limited to “large” organisations only, no such threshold applies under the CPA.
2. Senior Managers: The definition of a “senior manager” under the ECCTA has been retained under the CPA. This is not limited to directors or those in other executive roles. Whether someone is a “senior manager” will be a fact-specific assessment. A senior manager’s roles and responsibilities will be assessed, rather than their formal job title.
3. Offences: There is no limit to the categories of offences under the laws of England and Wales, Scotland or Northern Ireland that may be committed by senior managers.
4. Actual or Apparent Authority: There is no statutory test to determine when a senior manager commits an offence while acting within “the actual or apparent scope of their authority”. There will need to be an assessment of whether the act was of a type that the senior manager was authorised to undertake, or which would ordinarily be undertaken by a person in that position. There is no requirement for the employee to have been authorised to carry out the criminal offence in question.
5. No Corporate Gain: It is not necessary to demonstrate that the senior manager intended the organisation to benefit from their misconduct. This contrasts with the requirement under the failure to prevent bribery offence under the BA and the failure to prevent fraud offence under the ECCTA.
6. Defences: The CPA does not provide any statutory defence for affected organisations. Notably, the CPA contains no equivalent to the “adequate procedures” or “reasonable procedures” defences that are available to corporate organisations in respect of the “failure to prevent” offences. A rigorous corporate compliance programme may reduce risk and mitigate enforcement outcomes, but a company cannot protect itself from CPA liability by demonstrating the existence of such a programme designed to prevent the criminal act in question.
7. Territoriality Exception: An organisation is not liable for an offence if all of the conduct constituting the offence occurs outside the UK, and the organisation would not commit the offence if that conduct were the organisation’s (rather than the senior manager’s).

Key Implications for Organisations

The changes brought by the CPA give rise to two important considerations for businesses:

1. Increased Risk: The CPA materially increases corporate exposure to criminal liability in a broad spectrum of areas beyond economic crime. Likely areas where potential liability could arise include environmental protection, modern slavery and human trafficking, supply chains, human rights, data protection and computer misuse.
2. Increased Enforcement: The expanded range of offences attracting corporate liability under the CPA increases the scope for prosecutions and the range of relevant authorities interested in the potential misconduct.

Practical Steps

In order to manage their exposure, organisations should consider taking the following practical steps in response to the changes made by the CPA and on an ongoing basis:

1. Identify “Senior Managers”: Identify all individuals who could potentially be captured by the statutory definition of “senior manager” under Section 250 of the CPA. This mapping exercise should not be limited to formal job titles; it should include, for example, “functional” decision-makers whose activities and responsibilities in substance do not strictly match their titles, and individuals whose decisions in practice bind the organisation. This identification exercise should be continuous and should capture promotions.
2. Conduct Expanded Risk Assessments: Risk assessments should extend beyond traditional economic crime risks such as fraud and bribery to potential criminal offences in a broader range of areas. Organisations should take appropriate steps to address any areas of vulnerability.
3. Review Existing Compliance, Governance and Controls Frameworks: Consider whether the existing framework is sufficient to mitigate against the increased risk created by the new CPA regime and evaluate whether the framework reflects operational reality.
4. Strengthen the Code of Conduct and Policies: Revise the code of conduct and applicable policies to ensure they adequately reflect the updated legal framework. These should be communicated across the organisation.
5. Strengthen Monitoring and Reporting: Enhance monitoring and oversight of higher risk decisions made by senior managers and consider early-detection mechanisms and stress-test crime prevention controls against senior manager conduct. This may include enhancements to whistleblowing channels for raising concerns about the actions of senior managers.
6. Implement Enhanced Training: Arrange regular, targeted training beyond economic crime risks to cover the new liability risks for senior managers under the CPA. Board members should also be trained on the changes introduced by the CPA.
7. Plan for Incident Response: Review escalation procedures for legal issues, robust investigation protocols and suitable HR disciplinary processes, as well as existing directors’ and officers’ insurance, to consider coverage of the expanded scope of liability.