The Crime and Policing Act 2026 should make law firms look again at how authority is exercised across the partnership. Section 250 of the Crime and Policing Act 2026 replaces section 196 of the Economic Crime and Corporate Transparency Act 2023 and extends the senior manager attribution model beyond listed economic crimes to criminal offences more generally. This means a firm may face criminal liability where a senior manager commits an offence within the actual or apparent scope of their authority. The provision applies from 29 June 2026.
For law firms, the risk is that senior manager authority is often spread across managing partners, heads of department, COLPs, COFAs, MLROs, finance directors, practice managers and senior operational leaders. The question is not who has the most impressive title. It is who actually manages the whole firm, or a substantial part of its activities.
Financial crime remains important, particularly given the SRA’s continued scrutiny of law firm compliance, but the Act potentially brings wider areas into focus: false statements to lenders or insurers, tax-related dishonesty, data misuse, computer misuse, health and safety, outsourced labour risk and the suppression of complaints or reportable issues.
The right response is not to create a rigid list of “senior managers” or ask partners to sign broad attestations. That may create more evidential risk than protection. Firms should instead map where real authority sits, test the controls around those decision points, and make sure concerns about senior people can be escalated independently.
Law firms: senior manager criminal liability in a legal practice
Law firms need a specific approach to the Crime and Policing Act 2026 because authority is often spread across partners, compliance officers, finance leaders, practice heads and operational managers. The statutory test asks what a person actually does, not simply what their title says.
For law firms, the practical question is: Who plays a significant role in managing or organising the whole firm, or a substantial part of the firm’s activities?
That will usually include the managing partner, CEO, COO, CFO or finance director, and heads of substantial departments or practice groups. It may also include the COLP, COFA, MLRO, MLCO, HR director, IT director, risk director or practice manager where those roles carry real authority across the firm or a substantial part of it. A salaried partner, fixed-share partner, consultant or senior associate may also qualify if their actual role meets the statutory test. They do not qualify automatically by title alone.
Why law firms are exposed
Law firms often concentrate risk in individuals who have significant control over client work, money, compliance, supervision and external statements. A partner may run a substantial department. A finance director may control client account processes, PII submissions or lender information. A COLP may control regulatory reporting. A MLRO or MLCO may shape the firm’s AML framework. A practice manager may manage systems, premises and staff across the firm.
If one of those individuals commits a criminal offence within the actual or apparent scope of their authority, the firm may also be exposed. There is no general “reasonable procedures” defence to the attribution rule. Good systems still matter, although they operate by preventing misconduct, supporting public-interest arguments and mitigating sentencing risk rather than automatically defeating liability.
Likely law firm risk areas
The risk should not be seen only as an AML issue. AML remains important, particularly given continuing SRA scrutiny of firm-wide risk assessments, source-of-funds checks, matter risk assessments, training and compliance officer oversight. The broader point is that weaknesses in AML governance may indicate wider weaknesses in how the firm manages regulated risk.
The main areas to review are:
AML and financial crime. A partner, MLRO, MLCO or head of department who knowingly allows weak source-of-funds explanations, ignores red flags, conceals client-risk information, or misleads the regulator may create firm-level exposure.
Fraud and false statements. A finance director or managing partner who knowingly submits misleading information to a lender, insurer, auditor, bank or regulator could expose the firm. This may include inflated turnover figures, misleading PII information, false client-account assurances or manipulated financial records.
Cheating the public revenue. A head of tax, private client partner or senior tax adviser who knowingly causes false tax positions, fabricated losses, misleading HMRC correspondence or sham arrangements to be advanced may create exposure for the firm if the conduct is within their authority.
Data protection and computer misuse. A partner, IT lead or practice head who knowingly discloses client data without lawful basis, instructs deletion of material relevant to a DSAR, accesses former client files improperly, or authorises unauthorised access to employee or client systems may create criminal risk.
Health and safety. A managing partner, COO, practice manager or facilities lead who ignores fire-risk reports, unsafe premises issues or serious staff safety concerns may create exposure where the underlying offence is made out.
Modern slavery and labour supply. This is more likely to arise through outsourced cleaning, facilities, security, catering or document-review labour than through ordinary legal advisory work. The risk is strongest where a senior firm manager has knowledge, proximity or control over exploitative labour arrangements.
Workplace conduct and suppression of complaints. Personal misconduct by a partner is not automatically attributable to the firm. The risk becomes more serious where the conduct is tied to managerial authority, such as retaliation against a whistleblower, coercive use of power, suppression of complaints, intimidation of witnesses, or concealment of reportable issues.
What law firms should do now
Firms should avoid producing a rigid list of “senior managers” for Crime and Policing Act purposes. In a partnership structure, that can be particularly risky because authority may shift by matter, department, committee role or management responsibility. A fixed list may overstate certainty, omit influential people, or create damaging evidence in a later investigation.
A better approach is to map senior authority across the firm. Focus on who controls client money, regulatory reporting, AML, tax advice, data systems, finance, HR, complaints, investigations, premises, supplier management and substantial practice groups.
Then test the controls around those areas. Ask whether one partner or officer can approve, suppress or override a serious issue without independent challenge. Check whether concerns about a powerful partner can bypass that partner. Review whether the COLP, COFA, MLRO and MLCO have genuine authority, direct access to senior leadership, sufficient resource and clear escalation routes.
Training should be practical and role-specific. Partners need scenarios on false statements, client money, source of funds, tax, data, billing and regulatory reporting. Compliance officers need scenarios on escalation, reportable breaches, independence and privilege. Finance and operations leaders need scenarios on PII submissions, client account controls, payroll, supplier risk and safety.
A defensible law firm position to prepare for the Crime and Policing Act
A law firm should aim to be able to say:
✅ We have reviewed where significant authority is exercised across management, compliance, finance, client work, data, people and operations.
✅ We have assessed the offence areas most plausibly connected to those functions.
✅ We have strengthened controls around client money, AML, tax, data, regulatory reporting, whistleblowing and partner conduct.
✅ We have avoided creating artificial senior-manager lists or blanket attestations.
✅ We have ensured that concerns about partners, compliance officers or senior staff can be escalated independently.
