Senior managers to be liable for all criminal offences under Crime and Policing Bill 2025

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) made a significant change to corporate liability in the UK when it became law. Before ECCTA, prosecutors had to prove the “directing mind and will” of a company was behind any kind of wrongdoing to hold the corporate entity criminally liable.

After ECCTA, a company can be held liable where any “senior manager” has engaged in criminality involving certain economic crimes listed under Schedule 12 of ECCTA. These are fraud, tax evasion, sanctions breaches, money laundering, false accounting and bribery. There are also some offences under the Financial Services and Markets Act 2000, such as misleading a regulatory authority like the FCA.

ECCTA means any senior manager can find their actions result in prosecution. A company or partnership commits one of these economic crimes if a ‘senior manager’ is involved. A senior manager is defined as a person with a significant role in the decision-making process.

 

What changes to the senior manager test does the Crime and Policing Bill propose to make?

Section 130 of the Crime and Policing Bill proposes a significant expansion of the senior manager test, broadening its scope beyond economic crimes to include all criminal offences. If enacted, this change would mean that when a senior manager of a corporate entity commits a criminal offence within the actual or apparent scope of their authority, the organisation itself will also be considered guilty of that offence.

This proposed expansion carries profound implications for corporate liability, compliance obligations, and individual accountability.

 

What will this expansion mean for UK companies?

The proposed expansion of the senior manager test could fundamentally alter corporate liability, exposing organisations to prosecution for a far wider range of criminal acts. Companies may be prosecuted for offences committed by senior managers, even if the offence was not intended to benefit the company. The compliance burden will naturally increase as businesses will need to strengthen internal controls, training, and oversight to mitigate potential risks.

 

What kind of offences could lead to corporate prosecution?

Under the expanded test in the Crime and Policing Bill, corporate liability could arise from a senior manager’s involvement in any crime whatsoever, not just economic offences.

Environmental offences

Example: A senior manager knowingly allows illegal dumping of hazardous waste, violating environmental laws.

Corporate Liability: The company could be prosecuted alongside the manager, even if other executives were unaware.

 

Computer misuse and cybercrime

Example: A senior IT manager unlawfully accesses a competitor’s database to gain a business advantage.

Corporate Liability: The company could be held responsible even if it had compliance policies in place against hacking.

 

Data protection violations

Example: A senior manager instructs employees to ignore GDPR requirements and improperly use customer data for marketing.

Corporate Liability: The company could face prosecution alongside the manager, leading to significant fines.

 

Health & safety breaches

Example: A senior site manager disregards safety regulations, resulting in a fatal workplace accident.

Corporate Liability: Even if the company had safety procedures, it could still face prosecution under the expanded test.

 

Modern slavery and human trafficking

Example: A senior supply chain executive knowingly contracts with a supplier that exploits forced labour.

 

Corporate Liability: The company could be charged under modern slavery laws if the senior manager’s actions fall within their scope of authority.

 

Sexual offences and harassment

Example: A senior manager engages in workplace sexual harassment or assault.

Corporate Liability: This raises legal and ethical questions about whether a company should be criminally liable for such offences.

 

What are the compliance challenges companies will face?

Lack of a ‘reasonable procedures’ defence
Unlike the “failure to prevent” offences related to bribery, fraud, and tax evasion, the senior manager test does not allow companies to defend themselves by demonstrating they had reasonable compliance procedures in place. This could expose well-run businesses to liability even if they took proactive steps to prevent misconduct.

 

No requirement for intent to benefit the company
Unlike some corporate offences like fraud, liability under the senior manager test does not require proof that the offence was intended to benefit the company. This means a business could be prosecuted even when the manager acted solely for personal reasons.

 

The ‘Recklessness’ standard
Some criminal offences can be committed recklessly rather than intentionally. For example, an accidental or reckless breach of sanctions is still an offence due to the strict liability nature of sanctions law. If a senior manager is aware of a significant risk and proceeds regardless, such as by not undertaking sanctions checks, the company itself could be held liable under the new law.

 

What kind of penalties could be faced?

Many large-scale corporate investigations relating to economic crimes have historically resulted in Deferred Prosecution Agreements (DPAs), allowing companies to avoid full criminal trials by meeting certain compliance conditions. However, the Crime and Policing Bill does not propose expanding DPAs to include the new offences under the widened senior manager test.

Without DPAs, more corporate prosecutions may go to trial. In such cases companies may find themselves settling more cases and being expected to plead guilty and pay a fine.

In addition to corporate prosecution, senior executives could face greater individual liability under “consent and connivance” provisions. These provisions extend criminal liability to directors and managers if they were aware of an offence, consented to it, or negligently allowed it to occur.

The UK Law Commission has identified “well over a thousand” legislative instruments that create personal liability for senior figures. Expanding corporate liability could therefore increase the risk of executives being personally charged with criminal offences.

 

How businesses should prepare

If Section 130 of the Crime and Policing Bill is enacted as we expect it to be, businesses should take proactive steps to manage the increased risk.

Conduct a risk assessment

  • Identify senior managers within the organisation.
  • Assess which criminal offences they might realistically commit in the course of their work.
  • Map out the most vulnerable areas, such as compliance, HR, IT, and health & safety.

Strengthen compliance programmes

  • Implement clear policies and procedures to prevent misconduct.
  • Enhance internal reporting mechanisms and whistleblower protections.
  • Establish strict oversight and accountability structures.

Improve training and awareness

  • Ensure senior managers understand the legal risks associated with their roles.
  • Provide targeted training on high-risk offences relevant to the business.
  • Regularly update training materials in response to legal developments.

Review employment and disciplinary policies

  • Strengthen contractual obligations for senior managers regarding compliance.
  • Develop clear disciplinary processes for breaches of legal or ethical standards.
  • Ensure due diligence when hiring or promoting individuals to senior roles.

The Crime and Policing Bill has passed its second reading in the House of Commons and is currently at the Committee stage. While amendments may still be made, if passed, the changes could come into force quickly. Under ECCTA, the senior manager test was implemented just two months after the Act was passed.

 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.


James

VinciWorks CEO, VinciWorks
