Expanding Corporate Criminal Liability in the UK: Key Impacts and Considerations for Organisations and Investors

The Crime and Policing Act 2026 (CPA) comes into force on 29 June 2026. The CPA significantly expands the criminal liability of a body corporate or partnership (Organisation) in the UK. Under the CPA, an Organisation will be liable for any criminal offence which a “senior manager” commits when acting within the actual or apparent scope of their authority. This will potentially expose Organisations to criminal prosecution in circumstances where liability would not previously have arisen.

The advent of the CPA will increase the legal risk and accountability for those Organisations, their founders, and their existing or potential investors. Although concepts such as “senior managers” will be familiar to those in, or investing in, regulated sectors, the CPA extends these and a general criminal liability to all sectors in the UK. For larger and more complex Organisations, this will require proactive steps. For investors in all Organisations, this will require, at least, a further consideration when conducting due diligence. As ever, the likelihood of criminal convictions may be low, but the economic and reputational impact will be high.

The New Attribution Rule

The CPA builds on the UK government’s existing efforts to strengthen corporate accountability through the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Instead of relying only on the common law test of whether an offence has been committed by the “directing mind and will” of an Organisation, ECCTA introduced a statutory offence of corporate liability which applied where a “senior manager” committed an economic crime offence whilst acting within the actual or apparent scope of their authority.

The CPA goes further and introduces a new basis for attributing criminal liability to bodies corporate and partnerships. This new offence does not replace the common law doctrine but provides an alternative route to corporate liability. Where a senior manager commits any criminal offence while acting within the actual or apparent scope of their authority, the legislation provides that the Organisation also commits the offence.

There is no requirement for the prosecution to demonstrate that the Organisation authorised, encouraged, or was aware of the conduct in question; rather, the act must be the type of act that the senior manager was generally authorised to take or which would ordinarily be carried out by someone in that position.

The Explanatory Notes to the Crime and Policing Bill give the example of a chief financial officer (CFO) who commits fraud by deliberately making false statements about a company’s financial position. In that scenario, the company would be liable for the offence, as the act of making statements regarding the company’s financial position is something that would generally be within the scope of a CFO’s authority.

Definition of a Senior Manager

A key question for Organisations will be who falls within the definition of a senior manager. The CPA defines a senior manager as an individual who plays a significant role in:

• making decisions about how the whole, or a substantial part, of the Organisation’s activities are managed or organised; or
• managing or organising the whole, or a substantial part, of those activities.

The definition is broad and may capture not only directors, board members, and senior officers, such as the CFO or chief operating officer, but also individuals below board level who exercise substantial operational or strategic responsibility.

The Explanatory Notes explain, as an example, that individuals in a human resources function would also be included if they are performing a substantial part of the Organisation’s activity. Organisations should assess which individuals fall within the definition based on the substance of their role rather than job title, remuneration, qualifications, or employment status alone.

Limitations on Liability

There are some limitations on liability. An Organisation will not be liable where:

• all of the conduct constituting the offence takes place outside the United Kingdom; and
• the Organisation itself could not have committed the offence had it carried out the relevant conduct directly.

The Explanatory Notes clarify that “criminal liability will not attach to an organisation based and operating overseas for conduct carried out wholly overseas, simply because the senior manager concerned was subject to the UK’s extraterritorial jurisdiction: for instance, because that manager is a British citizen.”

No Statutory Defences

The CPA does not provide for any statutory defence. This makes it different from, for example, the offence of the failure to prevent fraud (FTPF), noted in our alert, “The UK’s Failure to Prevent Fraud Offence: Private Fund Managers, Portfolio Companies, and Placement Agents,” which provides a “reasonable procedures” defence. That said, and depending on the nature, scale, and complexity of its business as discussed further below, it will be prudent for an Organisation to put in place or develop existing procedures that have the effect that the “reasonable procedures” established in the context of the FTPF or prevention of bribery would have. Organisations will instead need to seek to establish any defence available in relation to the underlying offence.

Key Considerations

The new provisions represent a material shift in the UK’s approach to corporate criminal liability, making it significantly easier for prosecutors to hold Organisations accountable for criminal conduct of senior personnel beyond just economic crimes. This will now include data protection offences, environmental law offences, health and safety offences, modern slavery offences, and many others. The most significant impact is likely to be on larger businesses, where responsibility for key activities is delegated to individuals or committees below board level. It will also likely have an impact on start-up, growth-stage, and other smaller Organisations, where individuals often perform multiple strategic and operational roles.

The most immediate challenge for Organisations will be identifying which individuals fall within the senior manager definition and ensuring that governance, compliance, and risk management frameworks are sufficiently robust. Noting the experience of UK financial services firms that are subject to the Senior Managers and Certification Regime, it will be critical that the areas of the Organisation for which a senior manager is responsible, and the scope of those responsibilities, are clearly and tightly defined. Notwithstanding the absence of a reasonable procedures defence, Organisations should focus on prevention and early detection of potential criminal conduct to mitigate against the legal risk of prosecution and demonstrate that they have been proactive in seeking to prevent criminal conduct. This may include:

• identifying the types of criminal conduct that may arise in the business;
• reviewing and updating risk assessments and matrices in light of likely conduct identified;
• reviewing and updating investigation and escalation procedures for potential criminal conduct;
• reviewing governance structures and identifying individuals who may fall within the definition of senior manager;
• assessing whether existing compliance frameworks adequately address risks arising from senior manager decision-making;
• updating training programs for senior managers and compliance and other staff who support them; and
• confirming that senior managers and staff who support them understand the broader circumstances in which corporate liability may now arise.

The CPA signals a clear intent to hold Organisations to a higher standard of accountability. Organisations that act promptly to strengthen their governance and compliance frameworks will be better placed to manage the risks arising from this expansion of corporate criminal liability.