Expansion of Corporate Criminal Liability under the Crime and Policing Act 2026 – What You Need to Know

The Previous Legal Position

Under English law, a company was generally only liable for criminal offences where the conduct was committed by its “directing mind and will” – namely, by the senior individuals, or groups of individuals, who effectively spoke and acted as the company and could therefore be identified as the company (known as the identification principle). In practice, this limited corporate liability to the actions of the board of directors, managing directors and other very senior officers. In the context of large, modern corporates, identifying the ‘directing mind and will’ is not a straightforward exercise. As such, for a number of years now, the identification principle has been criticised for its limitations and there have been persistent calls for its reform. 

In response, in December 2023, the landmark Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a more direct model for attributing liability for financial crimes to corporates. Section 196 ECCTA dispensed with the ‘directing mind and will’ test, only requiring in its place that the offences be committed by a “senior manager” who is “acting within the actual or apparent scope of their authority”. For the purposes of ECCTA:

• A “senior manager” is “an individual who plays a significant role” in either: (a) “the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised”; or (b) “the managing or organising of the whole or a substantial part of those activities”.
• The “actual or apparent scope of their authority” does not mean that the senior manager was authorised to commit the criminal offence – “it would be enough that the act was of a type the manager was authorised to undertake or which would be ordinarily undertaken by a person in that position”.

The practical outcome of the introduction of this mode of liability under ECCTA was that it significantly lowered the burden for prosecuting companies by: (1) broadly defining the range of individuals whose actions can bind the organisation; and (2) shifting the focus to the substance of a role rather than a job title. The senior manager route under section 196 ECCTA, however, was deliberately limited to certain economic crimes (including bribery, fraud, tax evasion and money laundering). As such, until recently, the ‘directing mind and will’ test remained applicable for attributing any other type of offending to a corporate.

The New Position under the Crime and Policing Act 2026

The Crime and Policing Act 2026, however, goes significantly further in terms of scope and impact. From 29 June 2026, it will replace section 196 ECCTA and extend the same senior manager attribution model to all criminal offences. As such, under the Act, a company can therefore be held liable for any criminal offence committed by a senior manager, provided they were acting within the actual or apparent scope of their authority. Critically:

1. There is no requirement that the company benefitted from the unlawful conduct: Unlike the Failure to Prevent model (where companies are held liable for having failed to prevent tax evasion, bribery and, more recently, fraud from which they have benefitted directly or indirectly), there is no requirement of corporate gain. Instead, liability arises solely from the actions of the senior manager.
2. There is no reasonable or adequate procedures defence: While it is a full defence to the Failure to Prevent offences for the corporate to show that it had reasonable or adequate procedures in place to prevent the unlawful conduct from occurring, no such defence exists to the senior manager mode of liability. As such, even a well-designed and effectively implemented compliance programme will not shield a company from liability.

The Act limits the extraterritorial scope of the expanded senior manager model: a company will not be liable for an offence if all of the unlawful conduct occurred outside of the United Kingdom, and the organisation would not be liable for the offence if the conduct were its own. For certain offences committed abroad, however, liability can nonetheless be engaged under English law, such as:

• Offence where a “substantial measure” of the activities took place in England or Wales, except for where it can be reasonably argued that these activities should be dealt with by another country. Critically, there is no requirement that the criminal offence be completed in England or Wales. 
• Theft, fraud and document offences, if any act or omission required to prove the unlawful conduct took place in England or Wales.
• Fraud offences, if the intended gain or loss occurred in England or Wales.
• Offences with a “close connection to the United Kingdom” requirement. These are offences where jurisdiction is established over individuals or companies based abroad due to their link to the United Kingdom, usually through citizenship, nationality or incorporation. For example, under section 14 Bribery Act 2020, a senior company officer who ‘consents’ or ‘connives’ to their company committing a bribery offence that entirely takes place abroad may still be held liable in the English courts, provided the senior officer has “a close connection with the United Kingdom”.

Next Steps for Companies

The risk for corporates will soon extend well beyond economic crime, with many companies now potentially exposed in areas as distinct as environmental protection, public safety, and supply chain and human rights. Further, given the functional definition of “senior manager”, companies will likely find that they have many more “senior managers” than they think, in roles as wide-ranging as HR, legal/compliance and regional/divisional management. Although there is no statutory defence, companies should consider the following steps at a minimum to mitigate exposure:

• Refresh the Code of Conduct: Include the new legislation in the Code of Conduct and ensure the entire workforce is aware.
• Map Your “Senior Managers”: Identify every individual within the organisation that meets the statutory definition of “senior manager”, including the ‘functional’ “senior managers” whose actual responsibilities do not align with their roles. Ensure you are able to ‘catch’ promotions and involve HR in an ongoing mapping exercise. This is fundamental to understanding precisely where risk lies within the organisation.
• Broaden Your Risk Assessments: Move beyond fraud and bribery risk assessments and more holistically assess key areas of vulnerability across the business instead. This expanded regime means that risk now potentially lies across the whole organisation and across a broad range of conduct. It is therefore critical that the business is cognisant of where it is particularly exposed and is able to take appropriate measures to remedy any gaps identified.
• Implement Targeted Senior Manager Training: Train “senior managers” on a regular basis on the scope of the statutory definition and on the risk and implications as it pertains to their specific role. Training remains a cornerstone of any credible compliance response, both for its role in prevention and what it signals about the organisation’s culture and seriousness of its intent.