From today, 29 June 2026, UK corporate criminal liability has changed significantly. Section 250 of the Crime and Policing Act 2026 is now in force. It means that where a senior manager of a body corporate or partnership commits a criminal offence while acting within the actual or apparent scope of their authority, the organisation can also be treated as having committed that offence.
This is a major widening of the senior manager liability model introduced by the Economic Crime and Corporate Transparency Act 2023. Under ECCTA, senior manager attribution was largely focused on specified economic crimes, including fraud, money laundering and bribery. The Crime and Policing Act removes that limit. The model now applies to any offence under the law of England and Wales, Scotland or Northern Ireland, subject to a limited territorial carve-out.
What the law said before
Historically, prosecutors often had to rely on the “identification doctrine” to attribute criminal conduct to a company. In practice, that meant proving that the individual who committed the offence represented the organisation’s “directing mind and will”. That was often difficult in large or complex organisations, where decision-making may be dispersed across regional, divisional or functional leadership.
ECCTA created a broader statutory route to liability, allowing organisations to be prosecuted where a senior manager committed certain economic crime offences within the actual or apparent scope of their authority. That was a significant reform, yet its reach was deliberately confined to specified offences.
The Crime and Policing Act takes the same senior manager attribution model and applies it much more widely.
Who is a senior manager?
A senior manager is someone who plays a significant role in either making decisions about how the whole, or a substantial part, of the organisation’s activities are managed or organised, or in actually managing or organising those activities.
That definition is not limited to directors, board members or C-suite executives. A head of department, regional lead, divisional manager, senior compliance officer, operations lead or other influential decision-maker could potentially fall within scope, depending on what they actually do.
This is likely to be one of the first areas tested in contested cases. Job titles will matter less than the person’s real authority, responsibilities, decision-making power and practical influence inside the organisation.
Why “apparent authority” matters
The Act applies where the senior manager acts within the actual or apparent scope of their authority. That does not mean the organisation must have authorised the criminal conduct itself. The more important question is whether the senior manager was doing something of a type they were authorised, or appeared authorised, to do as part of their role.
This is likely to become a key battleground. Organisations will need to understand who can bind the business in practice, who can instruct others, who can approve high-risk activity, and where informal authority has developed outside the formal governance structure.
Where exposure could broaden
The immediate risk of prosecution for most organisations may remain low. Senior managers rarely commit criminal offences in the course of business. However, where incidents do occur, the consequences can be serious, public and difficult to contain.
The removal of the economic crime limit means corporate exposure could now arise in areas far beyond fraud and bribery. Potential examples include:
Environmental offences: where a senior manager authorises, directs or knowingly permits conduct that breaches environmental law.
Computer misuse offences: where senior leadership directs unauthorised access to systems, data or competitor information.
Modern slavery and human trafficking offences: where senior managers are involved in exploitative labour practices or high-risk supply chain arrangements.
Data protection offences: including criminal offences involving the unlawful obtaining, disclosure or misuse of personal data.
Perverting the course of justice: where a senior manager directs the destruction, concealment or alteration of documents relevant to an investigation.
Health and safety offences: particularly in operational businesses where senior management decisions directly affect workplace safety.
Workplace misconduct offences: including harassment or offences against the person, where the conduct is closely connected to the senior manager’s role, authority or control over others.
Not every offence committed by a senior person will create corporate liability. The conduct still has to be linked to the senior manager’s actual or apparent authority. That link will be highly fact-specific and dependent on the context of each case. Nevertheless, this could significantly impact on businesses.
No “reasonable procedures” defence
The new rule is not a failure to prevent offence. For offences such as failure to prevent bribery, tax evasion or fraud, organisations can still rely on an adequate or reasonable procedures defence. What is significant is that Section 250 of the Crime and Policing Act does not contain an equivalent statutory defence.
Strong governance, training, controls, whistleblowing processes and documented escalation routes can reduce the risk of misconduct, support early intervention and influence enforcement or sentencing outcomes. They do not automatically prevent liability if the statutory test is met.
What organisations should do now
The immediate priority is to understand who could qualify as a senior manager. This should go beyond job titles and formal reporting lines. Organisations should be able to identify individuals whose decisions bind the business in practice, who manage substantial activities, or who exercise meaningful operational or regulatory authority. This doesn’t necessarily mean creating a specific list, but having an understanding of who in the business may be covered by this.
Risk assessments should also be expanded since corporate liability is no longer just an economic crime issue. Potential exposure will be broad and may arise in areas such as health and safety, environmental compliance, data protection, workplace misconduct, and regulated sector obligations.
Policies and authority frameworks should be reviewed to ensure they reflect operational reality. If a senior manager can make high-risk decisions without oversight, escalation or challenge, that may create a more serious exposure than the written policy suggests.
Training should also be updated. Senior managers need to understand that their conduct can now create criminal exposure for the organisation itself. Board members and compliance teams should be briefed on the wider risk landscape, and organisations should ensure that reporting channels allow concerns about senior decision-makers to be raised safely and independently.
