Preparing for the Crime and Policing Act 2026: Expanding Corporate Criminal Liability and the Growing Exposure for UK Businesses

The Crime and Policing Act 2026 will come into force from 29th June 2026 and marks one of the most significant developments in UK corporate criminal law in decades. The legislation substantially broadens the circumstances in which companies, LLPs and other organisations can be prosecuted for criminal offences committed by individuals within their management structures. In practical terms, the Act represents a decisive shift away from the historic limitations of the “directing mind and will” doctrine and towards a broader attribution model focused on senior managers.

For many organisations, the implications extend well beyond traditional financial crime compliance. The reforms increase exposure across operational, regulatory and governance functions and are likely to result in far greater scrutiny of decision-making processes at senior management level.

The previous position: The Identification Principle

Historically, UK prosecutors faced considerable difficulty when attempting to attribute criminal liability to large corporates. Under the common law “identification principle”, a company could generally only be convicted if prosecutors could establish that the offence had been committed by an individual (typically a board-level director or senior executive)who embodied the company’s “directing mind and will”.

The practical effect was that prosecutions against large and decentralised organisations were often difficult to pursue successfully. Decision-making within modern corporates is commonly distributed across multiple business units, committees and management structures, making it challenging to identify a single individual who could properly be said to represent the company itself.

This has led to increasing criticism from enforcement agencies and policymakers, particularly in relation to economic crime.

The Economic Crime and Corporate Transparency Act 2023

A major shift began with the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”). Section 196 of ECCTA introduced a broader “senior manager” attribution test for specified economic crimes, including fraud, false accounting, bribery, money laundering and sanctions breaches.

Under ECCTA, an organisation could be held criminally liable where a senior manager committed a relevant economic offence while acting within the actual or apparent scope of their authority.

Importantly, the definition of “senior manager” was intentionally broad. It focused on the role and influence exercised by the individual rather than their job title. Individuals capable of falling within the definition could include regional directors, divisional heads, compliance leaders, operational executives and others exercising significant managerial responsibility.

At the same time, ECCTA introduced the new “failure to prevent fraud” offence, adding to existing corporate offences under the Bribery Act 2010 and the Criminal Finances Act 2017 relating to failure to prevent bribery and facilitation of tax evasion.

These “failure to prevent” regimes provided companies with a potential statutory defence where they could demonstrate that reasonable or adequate procedures had been implemented to prevent the misconduct.

What the Crime and Policing Act 2026 changes

The Crime and Policing Act 2026 extends the ECCTA senior manager attribution model beyond economic crime and applies it to all criminal offences.

From a prosecutorial perspective, this is a major expansion of corporate criminal exposure.

A company may now face criminal liability where:

• A senior manager commits any criminal offence; and
• The conduct occurs within the actual or apparent scope of that individual’s authority.

The consequences are potentially far-reaching because the legislation is no longer confined to fraud or financial misconduct. The new regime could capture offences arising in areas including:

• Health and safety
• Environmental regulation
• Data protection and cyber incidents
• Competition law
• Employment practices
• Sanctions and export controls
• Consumer protection
• Modern slavery
• Harassment and discrimination-related conduct
• Regulatory reporting failures, and
• Sector-specific criminal offences

The extension of liability is especially significant for heavily regulated industries such as financial services, insurance, healthcare, energy, transport, defence, pharmaceuticals and technology.

Why the new regime creates greater risk for corporate bodies

A lower threshold for attribution

One of the most significant changes is the effective lowering of the threshold required to attribute criminal conduct to the company itself.

Under the old identification doctrine, prosecutors often struggled to establish that the relevant individual represented the “directing mind and will” of the organisation. The new test is materially broader and more flexible. Prosecutors now need only demonstrate that the individual was a senior manager exercising substantial managerial or organisational influence.

In large organisations, this could extend well beyond the boardroom.

Individuals potentially capable of exposing the company to criminal liability may include:

• Heads of business divisions
• Regional managing directors
• Operational executives
• Compliance officers
• Senior HR personnel
• Finance leadership
• Technology and cyber-security leaders, and
• Senior project or site managers

This creates substantial uncertainty for corporates attempting to define where criminal attribution risk begins and ends.

“Apparent Authority” broadens exposure further

The legislation also extends liability to conduct occurring within a senior manager’s “apparent” authority. This creates additional uncertainty because liability may arise even where the individual technically exceeded internal mandates or breached internal policies.

For example, if a senior executive appears externally to possess authority to make representations, approve transactions or direct operational conduct, the organisation may still face criminal exposure even if the conduct internally breached governance rules.

This significantly increases the importance of:

• Clearly defined delegation frameworks
• Robust escalation protocols
• Documented oversight processes, and
• Effective challenge and supervision mechanisms

No “Adequate Procedures” defence

Unlike failure-to-prevent offences, the new attribution regime does not provide organisations with a statutory defence based on reasonable or adequate procedures.

This is a critical distinction.

Even where a company has implemented sophisticated compliance programmes, comprehensive training and strong governance controls, liability may still attach if a senior manager commits an offence within the scope of their authority.

While strong compliance frameworks may assist in mitigation, charging decisions or sentencing, they will not necessarily prevent prosecution.

Increased enforcement and investigatory risk

The reforms are also likely to encourage more aggressive enforcement strategies by agencies including the Serious Fraud Office, the Financial Conduct Authority, the Health and Safety Executive, the Information Commissioner’s Office and the Competition and Markets Authority.

Organisations may increasingly face:

• Criminal investigations arising from regulatory incidents
• Parallel civil and criminal proceedings
• Deferred Prosecution Agreement negotiations
• Expanded disclosure obligations
• Increased director scrutiny, and
• Reputational and shareholder litigation risk

The broader attribution model may also make it easier for prosecutors to pursue corporates in circumstances where criminal enforcement would previously have been considered impractical.

Greater exposure for international organisations

The impact is not confined to UK-incorporated companies. International businesses with UK operations, UK customers and UK-facing activities may also fall within scope.

This is particularly relevant for multinational groups operating through complex matrices of delegated authority, shared services, and cross-border reporting structures.

Overseas entities may find themselves exposed to UK criminal liability where part of the conduct, the victim, or the relevant business activity has a UK connection.

Governance implications for boards and senior management

The legislation is likely to place significant pressure on boards to reassess governance frameworks and accountability structures.

Areas likely to require urgent review include:

• Identification of individuals who may qualify as senior managers
• Delegation of authority arrangements
• Management information and reporting lines
• Escalation and incident reporting procedures
• Decision-making documentation
• Compliance oversight structures
• Whistleblowing arrangements
• Internal investigation protocols, and
• Senior leadership training

For regulated firms, the interaction with the UK Senior Managers and Certification Regime (“SMCR”) is likely to attract particular attention, especially where regulatory responsibilities overlap with potential criminal exposure.

Practical steps for organisations

In light of the reforms, organisations should consider taking proactive measures now, including:

• Conducting enterprise-wide criminal risk assessments extending beyond financial crime
• Identifying individuals who may fall within the statutory definition of “senior manager”
• Reviewing governance and delegation frameworks
• Strengthening documentation of oversight and challenge
• Updating training for boards and senior leadership
• Stress-testing incident escalation procedures
• Reviewing internal investigation capability, and
• Ensuring coordination between legal, compliance, HR, operational and risk functions

The widening of corporate criminal liability under the Crime and Policing Act 2026 represents a fundamental recalibration of the UK enforcement landscape. Organisations that previously viewed corporate criminal exposure as largely confined to fraud or bribery now face materially broader risk across the entirety of their operations. The practical challenge for businesses will be adapting governance, oversight and compliance structures quickly enough to meet an enforcement environment that is likely to become significantly more assertive in the years ahead.

To instruct Mark Robinson, please contact: crimeclerksmailbox@gclaw.co.uk