Corporate criminal liability just got wider

The UK's Crime and Policing Act 2026 (the CPA) fundamentally expands when a business can be held criminally liable for the acts of its people. The key change: from 29 June 2026, a company or partnership may be liable for any UK criminal offence committed by a senior manager within the business, not just economic crimes.

There is no statutory defence. The focus is now squarely on who holds real decision-making or managerial power in an organisation and whether they commit a crime whilst acting within the actual or apparent scope of their authority. This significantly increases corporate criminal risk for businesses operating in or engaging with the UK market where their people may commit UK criminal offences.

 

The three things businesses need to know

• Any offence can now expose the business. If a senior manager commits a crime while acting within their actual or apparent authority, liability can attach to the corporate - across all offences, not just economic crime.
• “Senior manager” tracks real power, not job titles. Liability turns on who actually makes decisions about how the business is run or actually runs the business - such as divisional heads, regional leaders, senior operational managers, whether or not they sit on the board.
• Controls need to go beyond economic crime. Governance, training, and detection frameworks should account for this enhanced corporate criminal risk across a much broader range of areas, to include health and safety, environmental, data, and workplace misconduct risks, amongst others.

 

Background: from “directing mind” to senior manager attribution

Historically, corporate liability required criminal conduct and intent to be attributed to a company’s “directing mind and will” - a high bar. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) lowered it for specified economic crimes, allowing attribution where a “senior manager” committed the offence while acting within their actual or apparent authority.

 

What the CPA changes

The CPA removes the limitation to economic crime. The senior manager route to corporate liability now applies to any offence capable of being attributed to the entity.

This means additional corporate criminal risk across a whole raft of areas, including environmental matters, data misuse, and employment-related misconduct. Examples could include a regional head authorising unlawful waste disposal; a senior IT lead misusing personal data; a senior manager facilitating workplace harassment; or a senior legal counsel deliberately obstructing a regulatory investigation or destroying evidence.

 

Who is a “senior manager”?

The CPA uses the same functional definition as ECCTA. A senior manager is someone who plays a significant role in:

• making decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised; or
• the actual managing or organising the whole or a substantial part of those activities.

In practice, this may include individuals acting as divisional leaders, regional heads, and senior operational managers, for example, anyone exercising substantial decision-making or managerial power, whether or not they hold a board seat.

 

No statutory defence - but controls still matter

Unlike failure-to-prevent offences, the CPA provides no “reasonable" or "adequate" procedures defence. If a senior manager commits an offence within the scope of their authority, the corporate can be held liable.

That said, strong controls still count: they reduce the likelihood of an offence occurring, may show an individual acted outside their authority, and can support arguments that prosecution is not in the public interest.

 

What to do now

1. Map who really holds decision-making and managerial power.

Identify who may qualify as a senior manager in practice, across functions, business units, and jurisdictions. Test whether delegations of authority reflect how decisions are actually made, and document responsibilities clearly.

2. Expand risk assessments beyond economic crime.

Cover health and safety, regulatory compliance, data handling, environmental management, and workplace misconduct.  Consider what other areas may need to be included. Refresh training accordingly, especially for those who exercise substantial managerial influence.

3. Strengthen vetting for senior roles.

Consider enhanced due diligence, employment history, references, regulatory or disciplinary issues, before appointing or promoting individuals into roles that may amount to senior management.

4. Reinforce speak-up culture and investigation processes.

Conduct once dismissed as a “rogue individual” may now create a direct route to corporate liability if that person falls within the senior manager definition. Early issue-spotting, prompt escalation, well-scoped investigations, and documented remediation are critical.

Bottom line: corporate criminal liability now tracks real managerial power inside the business. Organisations need to respond to this increased risk with considered, proportionate and direct action.