UK corporate criminal liability extended

Companies are used to facing criminal liability for regulatory offences (such as health and safety). The Crime and Policing Act 2026 (CPA) expands ways in the UK, by which corporates (including partnerships) may incur criminal liability, making it easier to prosecute and convict organisations.

What is changing?

From 29 June 2026, if a senior manager of an organisation, acting within the scope of their authority, commits a criminal offence under UK law, then the organisation will also commit an offence. Any criminal offence which may be prosecuted in the UK may now be committed in this way. There is no statutory defence available, were a corporate prosecuted.

Over the last 15 years, the potential for corporate criminal liability in the UK has increased through the introduction of statutory offences, most recently the Economic Crime and Corporate Transparency Act 2023 (ECCTA). ECCTA introduced the failure to prevent fraud offence and provision for attributing criminal liability to corporates for economic offences (sections 199 and 196 respectively). 

The policy behind section 196 was to level the playing field between small, medium and large organisations, simplifying the historic “directing mind” test and updating it to reflect modern, complex governance structures. Ultimately section 196 aimed to make prosecutions of corporates easier. Previously a company could only be held liable if it was proved that an individual who committed a crime was sufficiently senior to be regarded as the “directing mind and will” of the organisation. This was a difficult bar to reach, particularly where organisations had complex, multi-level governance structures and reporting lines.

Section 250 of the CPA replaces section 196 of ECCTA.

While the senior manager path to corporate liability under ECCTA was restricted to economic crimes (like fraud or bribery), section 250 of the CPA means that corporates could now incur liability for any crime. That includes crimes relating to damage and reckless behaviour, dishonesty and sexual crimes; essentially serious fault-based wrongdoing, which organisations were previously shielded from.

The new law is a significant shift in the risk profile for corporates and potential exposure to criminal liability. It is a good reason for organisations to revisit risk registers and compliance arrangements ahead of the law coming into force.

What is the new law?

If a senior manager of an organisation, acting within the scope of their authority, commits a criminal offence under UK law, then the organisation will also commit an offence.

A senior manager is defined as an individual who plays a significant role in:

1. the making of decisions about how the whole or substantial part of the activities of the body corporate or partnership are to be managed or organised; or
2. the managing or organising of the whole or substantial part of those activities.

Whether an individual is a senior manager depends on fact, not title, renumeration or employment status. Senior managers are not limited to directors, C-Suite, or other top-level managers and may include a wide range of people who may not necessarily sit at, or near the top of, any org chart.

For an organisation to be liable for the actions of a senior manager, the individual must be acting within their actual or apparent scope of authority. Actual or apparent authority does not mean that the senior manager must have been authorised to carry out a criminal offence. It would be sufficient that the act was of the type that the senior manager was authorised to take or would ordinarily undertake in their role.

Key points to note are:

• Section 250 applies to organisations regardless of size.
• There is no specific defence available; there is no “reasonable” or “adequate” procedures defence.
• No knowledge of the crime is required for the corporate to be criminally liable
• The organisation need not have received any benefit for them to be guilty.

If the senior manager has committed an offence, and that offence can be prosecuted in the UK, the organisation can also be prosecuted.

Any penalty will involve a criminal conviction for the organisation and a fine, in addition to any sentences imposed on individuals who are also found guilty of the same offence. The maximum level of any financial penalty will depend on the offence, but for most serious cases, unlimited fines will be available.

What is the range of offences corporates could now be liable for?

Organisations in the UK are familiar with regulation in specific areas and the types of offences that can be committed by corporate bodies such as health, safety and environmental offences and the strict liability, failure to prevent offences of fraud and bribery.

This new, broad statutory basis for attributing criminal liability to organisations for any crime that may be committed by an individual and prosecuted in the UK is a significant expansion of the risk of prosecution.

The range of offences that could be committed by senior managers includes economic crimes and non-economic crimes. The extended scope is unfamiliar territory for corporates and could include offence against society and persons such as road traffic offences, hate crimes, assault or sexual crimes.

Prosecution is most likely to broaden in areas where there is a strong public interest argument to pursue and prosecute organisations, including:

• Sanctions offences, where the senior manager knew or had reasonable cause to suspect they were breaching sanctions.
• Environmental offences, such as a senior manager knowingly causing or permitting discharges.
• Modern slavery offences, involving travel of another person for exploitation by a senior manager.
• Financial services offences around encrypted messaging services if an individual senior manager took part in communications containing disclosures of confidential client information or deletion of information required to be produced in investigations.
• Computer misuse offences, where a senior manager directs or authorises unauthorised access to a computer.
• Data protection offences, such a senior manager unlawfully obtaining or disclosing personal data.
• Money laundering offences if a senior manager was the money laundering reporting officer (MLRO) and failed to report known or suspected money laundering.
• Care sector offences where a senior manager may be involved in safeguarding cases, involving abuse, neglect or mistreatment of service users.
• Assault and sexual offences against persons committed by a senior manager at work.
• Perverting the course of justice, if a senior manager directs or carries out acts intending to pervert the course of justice, including destroying documents or evidence relative to a regulatory investigation.

What does that mean in practice?

Section 250 of the CPA is another powerful tool in the hands of the regulator, aligned with a stronger political appetite for enforcement. 

Section 250 provides an additional tool for regulators to hold corporates to account and potentially close gaps that have been prevalent despite other statutory offences, including corporate murder.

However, given existing legal frameworks for attributing corporate liability there is potential for uncertainty or inconsistency in application of this new law. For example:

• In the event of a death at work, an organisation could find themselves facing an investigation in respect of health and safety failings under the Health and Safety at Work Act 1974 and the Corporate Manslaughter and Corporate Homicide Act 2007. If prosecuted for health and safety failings they may have a defence if they could show that they took all reasonably practicable measures to prevent risks to safety relating to the death. They could avoid a corporate homicide prosecution if they could prove any breach was not gross and that senior management failings were not a substantial part of any offence. However, if the death was caused by wilfully reckless actions of a senior manager, the individual and the organisation could be prosecuted for culpable homicide. Prosecutions for culpable homicide are rare, rarer still against organisations, but section 250 makes that more of a possibility than ever before.
• An organisation could find themselves facing investigation in respect of suspected bribery on the part of a senior manager and the failure to prevent bribery offence. If prosecuted for failure to prevent bribery, a statutory defence would be available. If prosecuted based on the conduct of the senior manager committing bribery under section 250 of the CPA and section 1 of the Bribery Act 2011, no statutory defence is available.

Guidance is to be published in due course under the CPA, but the government has confirmed already that an unlimited fine may be imposed on organisations for the most serious offences, alongside sentences imposed on individuals (which may include custodial sentences).

Any guidance should give clarity to areas where uncertainty or inconsistencies could arise but for now organisations should be aware of the extended scope of attribution of criminal liability and reflect on what that may mean for their business to best mitigate any risks.

What’s next? 

This extension of the attribution of criminal liability is most relevant to highly regulated sectors, including financial services, energy and construction but the lack of restriction in the statutory offence means any corporate could be impacted.

Existing compliance programmes will support corporates in building strong cultures and should, if properly implemented, mitigate the risks of criminal offences being committed. Many organisations have recently reviewed risk assessments and compliance arrangements considering ECCTA. This is a further legal change that needs to be managed and assessed.

Given the wide scope of section 250 there is a risk of significant gaps if organisations are not clear on the relevant criminal offences which could be committed by their people in the actual or apparent scope of their authority. Those in the regulated sectors are already subject to scrutiny and some assurance may be taken from that and tried and tested mitigation frameworks. However, those organisations that are not regulated risk greater exposure.

It is safer not to rely on prosecutorial discretion and instead act now, including identifying your senior managers and training them on these changes in the law and the risks for them and the business associated with their actions. Risk assessments may be required along with reviews of existing policies and procedures affected. Questions may be asked around designations and the extent of any directors and officers (D&O) insurance cover, all of which could be relevant in assessing risks.

Organisations should ensure that any investigations conducted now are broad enough to consider the potential for criminal misconduct by a senior manager and the implications for the organisation, including potential exposure to prosecution. The application of section 250 could affect strategy on self reporting.

It is strongly recommended that appropriate legal advice is taken at an early stage, ideally before commencing any investigation.

You can find details of section 250 here.

We are preparing a series of insights considering the impact of this new legal landscape, focussing on key areas for our corporate clients and will provide further updates once the guidance is available.

You can access “10 things you need to know about…” the new law here.

Contact us

For further information on the upcoming changes, or advice on how your organisation should assess and mitigate relevant risks, please contact our corporate crime team.

Related News, Insights & Events