The Crime and Policing Act 2026: A new era for corporate criminal liability?

The Crime and Policing Act 2026 (CPA) represents the latest - and arguably most significant - step in a series of legislative changes that have made it progressively easier to find companies guilty of criminal offences. What began with targeted offences covering corporate manslaughter and homicide, and then ‘failure to prevent’ certain specific economic crimes, has now culminated, with the CPA, in a wholesale change to the common law that governs the circumstances in which a company can also be guilty of a crime committed by an individual.

Section 250 of the CPA has attracted few, if any, headlines, passing through Parliament quietly and completely unchanged, at the very end of a lengthy piece of legislation.

However, on paper at least, it represents an extraordinary shift in the law. When it comes into force, on 29 June 2026, it will mean that companies and partnerships can be held criminally liable for any offence committed by a senior manager, acting within the actual or apparent scope of their authority. As such, the CPA could materially increase the prosecution risk facing organisations - and does so without any of the safeguards associated with the ‘failure to prevent’ offences.

A history lesson - the old framework

Until recently, the general rule was that a prosecutor would have to show that someone who was the “directing mind and will” of a company had committed a crime, in order for the company to also be guilty of the crime. This was in practice limited to members of the board and, even then, could be difficult to prove depending on the particular facts of the case.

The test was widely criticised for setting too high a bar for prosecutors, particularly in relation to large organisations with complex governance structures and delegated authority. These concerns ultimately drove reform, leading to the introduction of the offence of ‘failure to prevent bribery by an associated person’ in the Bribery Act 2010, followed by the ‘failure to prevent facilitation of tax evasion by an associated person’ in the Criminal Finances Act 2017 and then most recently the ‘failure to prevent fraud by an associated person’ offence in the Economic Crime and Corporate Transparency Act 2023 (ECCTA). These so-called “compliance-based” offences side-stepped the whole question of attribution by making companies responsible for the misconduct of employees and other third parties acting on their behalf on a strict liability basis, subject to the defence of being able to show that they had adequate/reasonable compliance processes in place to prevent the misconduct.

However, and in parallel, a debate on the “directing mind and will” test was under way, which culminated in a revised approach to corporate criminal liability for economic crimes introduced in December 2023 under ECCTA.

ECCTA established a lower attribution test under which an organisation can be held criminally liable for certain economic crimes such as bribery, fraud or money laundering: where a senior manager, acting within the actual or apparent scope of their authority, commits an offence. This marked a significant departure from the traditional “directing mind and will” test by broadening the category of individuals whose conduct can be attributed to a company to include those below, and possibly far below, the board level. Unlike the ‘failure to prevent’ offences, it was concerned with corporate liability for the primary economic offences themselves, not merely a failure to prevent them.

What does the CPA do?

The CPA does not repeal any of the existing ‘failure to prevent’ offences. Those offences will remain a route to prosecution of corporates for the conduct of junior employees and third parties who may meet the definition of ‘associated person’ within those offences.

However, it repeals the new ‘senior manager’ test in ECCTA and replaces it with a law that extends that test to any UK criminal offence, not just economic crimes.  It will apply to conduct after 29 June 2026.

The implications are far-reaching, significantly expanding the range of conduct capable of giving rise to corporate criminal liability.

Who is a ‘senior manager’?

At the centre of the new regime is the concept of the “senior manager”, the definition of which remains unchanged from ECCTA. It captures individuals who play a ‘significant’ role in either the decision-making relating to, or the actual managing or organising of, ‘the whole or a substantial part’ of an organisation’s activities.

The test focuses on the practical reality of managerial influence, rather than formal job titles or reporting lines. In practice, this will require a fact-specific assessment in each case. Depending on the organisation’s structure and operations, it could encompass senior project managers, senior finance and HR personnel, regional managers, and heads of business divisions, among others. For large and decentralised organisations, identifying who is a senior manager is unlikely to be straightforward.

For liability to arise, the conduct must also have been carried out ‘within the senior manager’s actual or apparent authority’. While these are established concepts in the civil law context - particularly in relation to agency and, to some extent, vicarious liability – it cannot be assumed that they will be similarly applied in the criminal law, where the policy rationale for attributing liability may be very different.

Whether an individual qualifies as a “senior manager” and whether they were acting within their “apparent authority” are both inherently flexible concepts. Until these issues are tested in the courts, prosecutors may test the boundaries, creating additional uncertainty for organisations seeking to navigate the new regime. However, despite the senior manager test under ECCTA having been in force since December 2023, prosecutors have yet to bring any proceedings based on that provision, let alone proceedings that test the boundaries of these concepts.

Offences now in-scope

The changes to corporate criminal liability in the CPA apply to  any UK criminal offence. It draws no distinction between ‘business-related’ offences and more ‘personal’ types of offending. In principle, any offence committed by a senior manager acting within the actual or apparent scope of their authority could now give rise to corporate liability. The breadth of this new regime creates some difficult questions at its outer edges.

For example, it creates the uncomfortable result that corporates could, at least in principle, face liability for offences such as harassment or assault committed by senior personnel. Whilst these types of offences may fall outside the scope of a senior manager’s actual or apparent authority in many cases, prosecutors could still seek to argue that the test was met if, for example, the crime occurred in the workplace, is connected to managerial functions, and/or if the offending was made possible by broader organisational culture or systemic failings.

Other examples where new risks have been created for corporates by the CPA include:

• a senior manager who trades on inside information received during the course of their job could expose their employer to criminal liability for insider dealing; or
• a senior manager with responsibility for supply chain operations who knows of – or ignores – modern slavery crimes within subcontractors or labour providers could potentially expose the organisation to criminal liability under the Modern Slavery Act 2015.

The overall effect is a substantial expansion of corporate criminal risk. It is unlikely that prosecutors will seek to pursue corporates for offences where imprisonment is the only possible sentence (because a company cannot be imprisoned), so prosecutorial action under the CPA is likely to focus on offences where financial penalties are an available sanction. Accordingly, although some applications of the regime may remain more theoretical than practical, there are many areas of offending where corporate prosecution may now be viewed as materially more achievable than under the previous framework.

Absence of safeguards for corporates

Importantly, and unlike for the ‘failure to prevent’ offences, it is not necessary under the CPA for the offence of the senior manager to be carried out for the benefit of the company or its client. This approach stands in contrast to the approach to corporate criminal liability in the United States. It has long been said that the ‘respondeat superior’ rule under US law makes it particularly straightforward to find a company guilty of its employees’ crimes. However, under US law it must be shown that the crime was intended to benefit the company, which is seen as an important pillar of the policy argument for holding a company criminally responsible. There is no such requirement under the CPA.

This might lead to striking results. For example, if a senior manager fraudulently diverts the company’s funds into their own account, the company could potentially face liability for fraud under the CPA model, even though the company is the victim of the crime. Whether prosecutors would pursue such cases in practice is another question, but the example illustrates the potentially expansive reach of the regime.

In addition, under the CPA model, it is no defence for a company to show that it had reasonable or adequate prevention procedures in place, which means, in theory at least, a company may face criminal guilt for a rogue senior manager’s crime even if it has exemplary compliance frameworks in place.

These features make the CPA a route to full corporate liability where senior personnel are involved, and we expect to see prosecutors using it in those circumstances instead of, or in addition to, the ‘failure to prevent’ offences.

No extension of the DPA-eligible offences

It is also notable that the list of offences for which deferred prosecution agreements (DPAs) are a possible resolution route for corporates has not been expanded to reflect the broader range of offences now captured by the CPA. DPAs remain largely limited to economic crimes such as fraud, bribery and money laundering. Unless further legislative reform follows, prosecutors considering offences that are not on this list may face a starker choice: prosecute or take no action at all, without the middle ground of a DPA. That may prove significant in practice. Corporate prosecutions remain complex, resource-intensive and uncertain, and prosecutors have favoured DPAs in recent years because they avoid the litigation risk of contested prosecutions while still delivering financial penalties and compliance outcomes. The absence of a DPA option may make some prosecutors more cautious about pursuing corporates at all. It may also influence how organisations approach decisions to self-report and cooperate with law enforcement when wrongdoing is identified.

The role of prosecutorial discretion

It remains to be seen what appetite there will be amongst prosecutors to bring charges against companies under these expanded powers. Prosecutors must satisfy the Full Code Test before bringing a prosecution, which includes determining that the prosecution is in the public interest.

In practice, cases involving crime by rogue senior managers may present a number of factors that would weigh against corporate prosecution being in the public interest. These might include, for example, limited harm, no intended benefit to the organisation (or where it is in fact the victim), misconduct concealed from the company, conduct clearly prohibited by corporate policy, no prior offending, effective whistleblowing and escalation procedures, and/or an appropriate corporate response once the issue came to light, including prompt investigation and cooperation with authorities. While these factors do not provide a formal defence under the CPA, they may be highly relevant to prosecutorial decision-making in practice.

The upshot is that prosecutorial discretion and resourcing may become one of the most important practical limits on how far the CPA regime is tested. However, there is limited comfort in a regime where protection against liability depends less on statutory safeguards and more on how aggressively prosecutors choose to exercise their powers in practice. Corporates can expect that activists/NGOs with special interests may seek to put pressure on investigators and prosecutors to push the boundaries of this new area of law.

The cost of liability

For many organisations, a key question will be the extent of the additional financial exposure created by the new regime. The answer here will depend on the nature of the underlying offence. In some cases, the increase in direct financial exposure may be relatively limited. Many of the newly in-scope offences carry comparatively modest penalties, are subject to statutory caps, or involve conduct that could already expose organisations to civil liability, or to criminal penalties under existing strict liability offences (e.g. certain environmental or health and safety crimes).

However, even where the potential quantum of additional financial exposure is relatively modest, the practical significance of expanded corporate liability may lie less in the immediate monetary sanction and more in the wider consequences that accompany a criminal conviction. Reputational damage, heightened regulatory scrutiny, potential shareholder litigation, increased compliance costs, and management disruption may prove more burdensome than the fine itself. In some sectors, there is also the risk of debarment from public procurement processes, which may be particularly significant where a company is convicted of a primary offence under the CPA model rather than a strict liability offence, such as a “failure to prevent” offence.

What should organisations do now?

The practical impact of the CPA will take time to become clear, through prosecutorial decisions and judicial interpretation, but organisations should treat the reforms as a catalyst to review governance and compliance frameworks now.

While the CPA does not provide a “reasonable procedures” defence, robust controls, governance, training and oversight remain crucial. Effective compliance frameworks will continue to play an important role in preventing misconduct in the first place and shaping prosecutorial discretion if issues arise.

• A key starting point will be reviewing risk registers and risk assessment processes to assess what additional risks this change exposes a company to, and how those risks are identified, escalated and managed in practice. 
• Training should move beyond economic crime and reflect the broader range of offences now capable of giving rise to corporate liability.
• Governance structures, delegation frameworks, approval processes and committee terms of reference should likewise be reviewed to ensure they reflect how decisions are actually made in practice.
• A further priority should be strengthening due diligence processes in relation to senior personnel. This includes not only appropriate vetting at the point of recruitment or appointment, but also ongoing monitoring of individuals in senior management roles to identify potential behavioural, regulatory or integrity risks.
• Culture and speak-up procedures will remain critical. Organisations should ensure employees feel able to raise concerns and that issues are properly investigated and addressed when they arise.