ARTICLE
30 June 2026

Corporate Criminal Liability Just Got Broader: What The Crime And Policing Act 2026 Means For Your Business

Winston Taylor

Contributor


A new U.K. law fundamentally expands corporate criminal liability by allowing prosecution when senior managers commit offenses within their authority. Section 250 of the Crime and Policing Act 2026 applies to all criminal offenses and offers no adequate procedures defense, creating unprecedented exposure for organizations operating in the U.K.
United Kingdom Criminal Law

A new law in the U.K. coming into force on June 29, 2026, fundamentally expands when a company can face criminal prosecution. Here's what you need to know. 

The old rules 

Under the traditional “identification doctrine,” a company could only be convicted of a crime if a sufficiently senior individual—its “directing mind and will”—committed it. In practice, that made prosecuting large, complex organizations almost impossible: the more diffuse the decision-making, the easier it was to escape accountability.

The U.K. Parliament chipped away at the problem over the years with “failure to prevent” offenses: bribery (Bribery Act 2010), facilitation of tax evasion (Criminal Finances Act 2017), and fraud (Economic Crime and Corporate Transparency Act 2023 (ECCTA)). ECCTA also introduced a new attribution route based on the actions of “senior managers”—but only for specific economic crimes.

The Crime and Policing Act 2026 (the CPA) represents the latest and, by far, the most far-reaching step the U.K. Government has taken to bring large corporates to account.

What section 250 does

Section 250 of the CPA—which comes into force on June 29, 2026—creates a single, sweeping provision: an organization commits a criminal offense if a senior manager commits that offense within the scope of their actual or apparent authority.

It covers all criminal offenses. Section 250 replaces ECCTA's senior manager attribution provisions—which applied only to economic crimes—with a provision of universal application.

The identification doctrine and failure to prevent offenses still exist. Section 250 doesn't abolish the old regime; it adds a new, easier-to-use statutory route alongside it.

Who counts as a “senior manager”?

The definition is carried across from ECCTA, though there is no decided case law under that Act. It's a functional test: it looks at what someone actually does, not their job title. A senior manager is anyone who plays a significant role in making decisions about, or managing, the whole or a substantial part of the organization's activities.

That's a deliberately broad definition. It will likely reach well below board level, capturing divisional heads, regional managing directors, operational executives, compliance officers, and leaders in finance, HR, technology, and cyber security, as well as senior project managers.

The regime applies to all sizes of business. 

The “apparent authority” trap

One of the most significant features of section 250 is its “actual or apparent” authority wording. The senior manager does not need to have been authorized to commit the specific offense. What matters is whether the act was of a type ordinarily within their authority—and whether it appeared that way externally. A company may therefore be exposed even where the individual exceeded their internal mandate.

No defense 

This is where section 250 departs sharply from the failure to prevent model. Under those offenses, a company has a defense if it had adequate or reasonable procedures in place to address the issue. Section 250 offers no such defense, nor any requirement to show the company benefited from the crime. Liability is fixed by the senior manager's actions alone.

That said, this isn't strict liability. Prosecutors must still prove the underlying offense against the individual senior manager.

Compliance programs still matter. Strong preventive measures won't provide a defense, but they can support an argument that a prosecution isn't in the public interest or offer grounds for mitigation on any sentencing or plea negotiation.

What offenses are now in scope?

From June 29, 2026, corporate liability under section 250 can arise across a wide range of areas. Examples of conduct that may trigger liability include:

  • Modern slavery and human trafficking: A senior procurement manager who ignores the signs that a subcontractor is exploiting workers through forced labor.

  • Gross negligence manslaughter and health and safety offenses: A senior site manager who overrides safety protocols, where that conduct contributes to a fatal accident. Section 250 provides a simpler route to prosecution than the Corporate Manslaughter and Corporate Homicide Act 2007.

  • Environmental offenses: A senior operations manager who knowingly permits the unlawful disposal of waste.

  • Computer misuse: A senior IT or cyber security manager who authorizes improper access to your systems or the deployment of software to impair a third party's systems.

  • Offenses against the person: Although offenses such as assault may be harder to bring within “actual or apparent authority,” it could be arguable that a company is liable where a senior manager commits assault or harassment in the workplace, particularly where broader organizational culture or systemic failings made the conduct possible.

  • Data protection offenses: A senior manager in IT, HR, or marketing who deliberately accesses or discloses personal data. 

  • Perverting the course of justice: A senior manager who orders the deletion or concealment of documents in anticipation of a regulatory investigation.

Section 250 also creates a secondary exposure: once reasonable suspicion of corporate liability arises, connected revenues may be treated as proceeds of crime under money laundering legislation.

What you should do now

Companies should:

  • Map your senior managers. Focus on function, not job title. 

  • Review and document the scope of their authority. Clarify what senior managers are—and aren't—authorized to do.

  • Strengthen due diligence at the hiring and promotion stage for senior manager roles.

  • Update training. Senior manager training needs to extend well beyond economic crimes to reflect the full scope of section 250.

  • Reinforce speak-up channels. Ensure the whistleblower procedures are adequate.

  • Check your insurance. Review directors and officers cover to make sure relevant senior managers are within scope, as well as HR processes for handling senior leadership misconduct.

The bottom line

Section 250 represents a fundamental shift in corporate criminal exposure in the U.K. There is no adequate procedures defense, coverage extends across virtually all criminal offenses, and the functional test for senior manager status reaches deep into organizational structures. It applies to overseas organizations where relevant conduct takes place in the U.K. or where the organization has operations in the U.K. overseen by a senior manager.

While the risk should not be overstated—most senior managers do not commit criminal offenses, and prosecutors must still consider the public interest before bringing a case—robust frameworks, policies, and reporting mechanisms will matter both in limiting exposure and in how any failure is assessed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
