A major shift in corporate criminal liability is now underway following the enactment of the Crime and Policing Act 2026, which received Royal Assent in April 2026. Although the Act is extensive – containing 257 sections and 27 schedules and addressing a wide range of criminal justice and policing issues – one provision is of particular significance to businesses.  

Section 250 of the Act introduces a new basis for attributing criminal liability to bodies corporate and partnerships where a senior manager commits an offence. 

Section 250 came into force on 29th June 2026. It provides that where a senior manager commits a criminal offence while acting within the actual or apparent scope of their authority, the company or partnership may also be treated as having committed that offence.

The reform applies across all criminal offences capable of being committed by a corporate body or partnership, rather than being limited to fraud or other economic crime offences and significantly expands the circumstances in which criminal liability can be attributed to a company or partnership. 

 

Actual vs apparent authority 

Under the Act, liability will arise if the individual is acting within their actual authority (meaning they are explicitly authorised to carry out the action) and also where they act within their apparent authority – that is, where a reasonable third party would believe the individual had the authority to act as they did.  

This extends the senior manager attribution model introduced by the Economic Crime and Corporate Transparency Act 2023 from specified economic crime offences to all criminal offences capable of being committed by a company or partnership. 

Under the new Act, when it comes to enforcement and litigation, there is likely to be a renewed focus on: 

  • delegations of authority 
  • governance structures 
  • internal and external communications about roles and decisionmaking power 

 

What is the definition of ‘senior manager’? 

The definition of ‘senior manager’ under paragraph 3 of Section 250 is wide. ‘Senior manager’, in relation to a body corporate or partnership, is defined as:  

“an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities.” 

Anyone covered by this definition will be classed as a senior manager under the Act. This includes not simply directors and senior officers but those who shape, manage or organise key functions, no matter their official job title.  

 

What types of risk are now in scope? 

The expansion under the Act now brings in offences far beyond traditional whitecollar crime, including: 

  • health and safety offences 
  • environmental and pollution breaches 
  • data protection and cyber offences 
  • modern slavery and labour law offences 
  • harassment and workplace misconduct 
  • consumer protection and regulatory offences 

This is not an exhaustive list.  

This means that any criminal offence capable of being committed by a body corporate or partnership may be attributed to the organisation, where committed by a qualifying senior manager acting within the actual or apparent scope of their authority. Therefore, an offence of murder, would – for example – be excluded as murder cannot be committed by a body corporate or partnership.  

The scope of the law also extends well beyond the boardroom. It could include:  

  • regional heads  
  • heads of function (for example, finance, operations, HR and compliance) 
  • business unit leaders  
  • senior project leads 

Whilst job title, seniority and regulatory status will matter when considering whether someone fits the definition of ‘senior manager’, anyone who fits the definition – having regard to their level of influence and authority within the company or partnership – will be in scope of the Act. 

 

Application of the Act and the UK nexus 

The new regime is not limited to UK-based companies or partnerships. Overseas companies and partnerships may also be affected where the conduct in question falls within the reach of UK criminal law. However, Section 250 contains an important limitation: it will not apply where all of the relevant conduct takes place outside the UK and the company or partnership would not otherwise be liable for an offence under UK law. 

 

No “reasonable procedures” defence 

Unlike ‘failure to prevent’ offences, such as bribery, tax evasion and fraud, there is no statutory defence based on having adequate or reasonable procedures in place. While strong compliance frameworks may mitigate penalties or prosecutorial discretion, they do not prevent liability from attaching if a qualifying senior manager commits an offence. This means that rogue senior managers acting in breach of internal procedures represent a real risk of prosecution for the company or partnership if they acted within the actual or apparent scope of their authority. 

 

Action points for companies or partnerships 

Since the Act means companies and partnerships can now face criminal investigation or prosecution even when serious misconduct occurs outside the boardroom, you will need to consider the following steps when safeguarding your company or partnership and embedding accountability across all levels. 

1. Map senior manager roles

Carry out a functional review that analyses actual authority within your company or partnership rather than just job titles. Ensure that you understand who can make exercise significant decision-making or managerial control – regardless of title or contract status. 

2. Update and expand risk assessments

The chances are that your risk frameworks are out of date if they only cover ‘traditional’ white collar and economic crimes. They will need to be widened so that they include all areas of criminal exposure, as outlined above, including for example criminal liability for health and safety law breaches. The assessment should cover operations, supply chains and decision-making functions at all points and all levels. 

3. Revise governance and delegations

Look again at who has what authority delegated to them, and make sure those delegations are clear, documented, consistent across the company or partnership and up to date. Clarify if there is any ambiguity and rectify it. Make sure that ‘apparent authority’ risks are understood and addressed. Formal delegation should reflect the actual power structure and, importantly, include mechanisms for ensuring appropriate oversight. 

4. Train and obtain acknowledgment

While some senior managers may already be aware of what the Act says, many will not, so you will need to provide targeted training on the new responsibilities and potential liabilities. That training should cover personal and corporate exposure, the breadth of offences now in scope, and the practical consequences of acting outside (or ambiguously within) authority. 

5. Strengthen governance, escalation and oversight

Boards should ensure that decision-making structures, challenge mechanisms and escalation pathways are sufficiently robust, particularly in decentralised or matrixed companies or partnerships (i.e. a workplace structure where employees report to multiple leaders – this is typically the case where there is both a functional department manager and a product or project manager), and for high-risk decision- making departments. Further supervision and oversight may be required of senior managers to guard against acting outside the scope of their actual authority. 

6. Engage legal safeguards

Consider whether existing governance, disclosure and risk-management frameworks adequately address the expanded criminal attribution risks. Consider tailored internal legal reviews, especially in high-risk sectors. 

7. Board and risk committees

Ensure governance forums are fully briefed on the law’s implications and actively review compliance effectiveness and remediation measures.

8. Engage insurers and advisers early

Directors’ and officers’ (D&O) insurance, corporate legal expenses cover, risk strategies and crisismanagement planning should be reviewed in light of the significantly increased prosecution risk. Determine whether your existing corporate and D&O policies cover the new criminal exposures under the Act and speak with your insurer if you identify any gaps in policy cover. Criminal fines themselves are generally uninsurable as a matter of public policy, therefore creating increased risk.  

9. Revisit incident response and investigation protocols

Internal investigations must quickly identify whether senior managers are implicated, as this now directly affects corporate exposure, disclosure obligations and selfreporting decisio