CLIENT ALERT
June 25, 2026
Read time: 19 min
SPEED READ
- From 29 June 2026, companies can be held criminally liable for any UK criminal offence committed by a “senior manager” when “acting within the actual or apparent scope of their authority”. The new law applies to UK and non-UK companies and can capture the conduct of senior managers wherever they are based.
- These aspects of the Crime & Policing Act 2026 replace equivalent provisions of the Economic Crime & Corporate Transparency Act 2023 (ECCTA) which applied only in relation to certain specified economic crimes. The CPA regime is significantly broader than ECCTA and extends corporate criminal liability for senior manager conduct into many new areas.
- By contrast to the separate offence under ECCTA where a company fails to prevent fraud by an “associated person”, there is no “reasonable procedures” defence where offences are committed by a senior manager.
- Given both the breadth of UK criminal offences that fall under the new regime and the uncertainty as to how several key definitions will operate in practice, we discuss the targeted, proportionate steps that companies should take now to identify the risks that are most likely to be relevant to their business.
- Companies can then prioritise areas which would benefit from enhancements to existing controls, the introduction of new controls, or other measures to mitigate the relevant risks.
- These changes substantially increase the ability of law enforcement agencies to prosecute companies under English law. Combined with significant geopolitical, economic and fiscal disruption at present, and a range of anticipated trigger events, a new wave of investigations and enforcement is expected. Now is therefore a good time for companies to focus on the potential impact of these developments.
CONTEXT: CORPORATE CRIMINAL LIABILITY IN THE UK
Historically, establishing corporate criminal liability in the UK was very difficult due to what is known as the ‘Identification Principle’ in English law. Companies could generally only be liable for the criminal acts of their board members (or others with specific authority delegated to them by the board). This presented significant difficulties in prosecuting companies, particularly larger, more complex organisations, where the document trail often stopped short of such individuals or implicated only more junior employees.
The process of circumventing the Identification Principle began with the corporate ‘failure to prevent’ offences under the Bribery Act 2010 (UKBA)[1] and the Criminal Finances Act 2017 (CFA).[2]
These offences are triggered by the conduct of a company’s “associated persons” and do not require the board or senior executives to be involved in, or even know about, the misconduct.
ECCTA went significantly beyond this as a result of two major reforms:
- since 26 December 2023, a range of economic crimes committed by a company’s senior managers could be attributed to the company; and
- on 1 September 2025, a new corporate offence of failing to prevent fraud (FTP Fraud) came into effect. Large organisations are criminally liable for failing to prevent a wide range of fraudulent conduct by their “associated persons”. However, in this instance, a full defence is available where it can be proved that reasonable fraud prevention procedures were in place at the time the conduct took place.[3]
More recently, provisions in the new Crime & Policing Act 2026 (CPA) replace ECCTA’s “senior manager” provisions[4] with an even more expansive route to corporate criminal liability. We will refer to this new regime as the “Senior Manager Regime”.
THE CPA’S EXPANDED ROUTE TO CORPORATE CRIMINAL LIABILITY
The Senior Manager Regime is effective as of 29 June 2026[5]. Under s.250 CPA, companies (wherever incorporated) may be criminally liable where a “senior manager” commits an offence when “acting within the actual or apparent scope of their authority”. The same applies to other corporate bodies (e.g. LLPs) and partnerships (again, wherever incorporated).
The Senior Manager Regime adopts certain key concepts from its predecessor under ECCTA but is materially broader. The ECCTA provisions relate to a range of economic crimes (including – amongst others – bribery, false accounting, forgery, fraud, money laundering, sanctions breaches and tax evasion).[6] By contrast, the provisions of the CPA now extend corporate liability for the acts of senior managers to all UK criminal offences, hugely expanding the scope of the law.
Unlike the separate FTP Fraud offence, no “reasonable procedures” defence is available under the Senior Manager Regime. However, as we discuss below, there are targeted steps that companies can take to assess and mitigate risk – the primary aim being to prevent senior manager wrongdoing in the first place.
If such wrongdoing does occur, the existence of an effective compliance programme will not give rise to a defence. However, it would likely be relevant to a prosecutor’s determination of whether a corporate prosecution satisfies the public interest test (a necessary limb of the ‘Full Code Test’ that prosecutors must satisfy before commencing a prosecution).[7]
It should be noted that many criminal offences attract fines which have no upper limit prescribed by law. This expansion of corporate liability therefore significantly increases the scope for companies to face very substantial, and potentially existential, financial penalties.
Who is a “senior manager”?
A “senior manager” is an individual who plays a significant role in:
- the making of decisions about how the whole or a substantial part of the activities of the company are managed or organised; or
- the actual managing or organising of the whole or a substantial part of those activities.[8]
The definition is not limited to senior executives and board members. It can capture senior individuals in any function across the business, such as those in those in Sales, Marketing, Operations, Legal, Finance, Human Resources and Compliance roles. The Explanatory Notes to the CPA (the CPA Notes) confirm that the test is one of fact, focusing on the individual’s “roles and responsibilities”[9] within the company, “irrespective of their title, remuneration, qualifications or employment status”.[10]
The CPA Notes further provide that the “substantial part” element of the definition relates to the “importance” of the activity over the operations of the business as a whole.[11] This suggests that qualitative as well as quantitative factors will be relevant, such that roles typically designated as ‘internal-facing’ will still be caught.
The “senior manager” definition aligns with that used in the seldom-prosecuted corporate manslaughter context, and so its precise scope appears ripe for litigation. Whilst there has, to-date, been no judicial consideration of the definition as it applies under ECCTA, the point may be more prone to litigation under the newly expanded Senior Manager Regime.
A key factor in this regard may be the non-availability of Deferred Prosecution Agreements (DPAs) in the UK beyond certain economic crime offences.[12] Accordingly, were a company to be prosecuted in relation to, for example, an environmental offence committed by a person alleged to be a senior manager, the company would naturally take all reasonable points in its defence. That may include challenging the prosecution case on the application of the “senior manager” definition. The outcome of such litigation would, in due course, provide further clarity but companies are no doubt well advised to take a broad approach in the meantime.
Key concept: “acting within the actual or apparent scope of their authority”
The only qualification on corporate liability for senior manager criminality under the CPA is the requirement that the individual was “acting within the actual or apparent scope of their authority”.[13]
In the absence of any official guidance,[14] much will depend (at least initially) on whether prosecutors have the appetite to bring cases based on an expansive view of this language. In the meantime, the CPA Notes provide some helpful colour. They state that the qualification:
“… does not mean that the senior manager must have been authorised to carry out a criminal offence. It would be enough that the act was of a type that the senior manager was authorised to undertake, or which would ordinarily be undertaken by a person in that position.”[15] (emphasis added)
The same qualification featured in ECCTA’s senior manager provisions. However, it is arguably much more relevant now. The economic crime offences captured by the ECCTA regime were, by their very nature, generally more likely to be “of a type” that fell within the actual or apparent authority of a senior manager. For example, ECCTA’s explanatory notes gave the example of a CFO deliberately making false statements about a company’s finances. In that case, the company would be liable, as “the act of making statements” about the company’s finances falls within their authority.[16]
The “type of act” analysis may prove more significant under the CPA’s expanded Senior Manager Regime. Without it, the regime would apply to offences which are less obviously (if at all) connected to anything a senior manager would be authorised to do or would ordinarily be undertaken by them. The point is highly relevant when considering how offences relating to improper workplace conduct might be treated (see further Workplace conduct below).
Jurisdictional reach
There are two key points in relation to jurisdiction and extra-territoriality:
- the Senior Manager Regime applies to all companies, wherever incorporated; and
- companies can be liable for the criminal acts of their senior managers wherever they take place, subject to the jurisdictional reach of the underlying offence. In other words, the new route of corporate attribution tracks the territorial reach of the underlying offence. The position mirrors that which previously applied under ECCTA’s senior manager provisions, although the CPA expresses it in admirably clearer language.[17]
In practice, when suspected senior manager criminality comes to light, determining whether the Senior Manager Regime applies may require careful jurisdictional analysis under English law. This will involve mapping the fact pattern against the specific jurisdictional requirements of the full range of offences relevant to the conduct.
WHAT ADDITIONAL OFFENCES MIGHT BE RELEVANT TO COMPANIES?
The table below sets out some illustrative examples of offences that now fall within the Senior Manager Regime:
| CATEGORY | EXAMPLE OFFENCES[18] | UK AGENCY |
|---|---|---|
| Competition Law | Enterprise Act 2002: price-fixing, market-sharing or bid-rigging arrangements (s.188). | Competition & Markets Authority |
| Competition Act 1998: obstructing investigations by the Competition and Markets Authority, destroying or falsifying documents, and providing false or misleading information (s.42 to s.44). | ||
| Health & Safety | Health and Safety at Work Act 1974 (HSWA): multiple offences related to breaches of health and safety duties and requirements (s.33).[19] | Health & Safety Executive Local Authorities |
| Environmental Law | Environmental Protection Act 1990: offences relating to the unauthorised or harmful deposit, treatment, etc. of controlled waste. | Environment Agency |
| Supply Chain and Employment | Immigration, Asylum & Nationality Act 2006: knowingly employing an adult who lacks the right to work in the UK (s.21). | Fair Work Agency |
| Modern Slavery Act 2015: offences relating to slavery, servitude, forced or compulsory labour, and human trafficking (s.1 to s.4). | National Crime Agency / Local Police Forces | |
| Consumer Protection Law | Digital Markets, Competition & Consumers Act 2024: unfair commercial practices (s.237). | Competition & Markets Authority |
| Data Protection | Data Protection Act 2018: unlawfully obtaining, disclosing, retaining or re-identifying personal data (s.170 to s.173). | Information Commissioner’s Office |
| Intellectual Property Offences | Copyright, Designs & Patents Act 1988: criminal copyright infringement (s.107). | Police Intellectual Property Crime Unit Private Companies |
| Cyber-related offences | Computer Misuse Act 1990: unauthorised access to computer material and related computer hacking-related offences (s.1 to s.3A). | National Crime Agency / Crown Prosecution Service |
| Sector Specific Offences | Offences under the Financial Services & Markets Act 2000, the Food Safety Act 1990 and related regulations.[20] | Financial Conduct Authority / Prudential Regulation Authority |
| Offences relevant to online platforms and search services under the Online Safety Act 2023. | Food Standards Agency | |
| Offences under the Gambling Act 2005 (Part 3) including cheating and safeguarding offences. | Gambling Commission |
Economic Crime offences
It is important that companies continue to be mindful of the range of economic crime offences covered by ECCTA (including bribery, fraud, false accounting, money laundering, sanctions breaches and tax evasion). From 29 June 2026, these offences will fall within the CPA’s much broader Senior Manager Regime.[21] In practice, these offences may continue to be those which pose the most risk for most companies, as compared to some of the less common examples referred to in the table above. Accordingly, conduct since 26 December 2023 (when the senior manager provisions of ECCTA came into force) remains relevant.
Workplace conduct
Companies will no doubt be concerned to understand the risk of being held criminally liable for acts of violence, harassment, assault, and other improper workplace conduct by their senior managers.
The key question is whether the senior manager was “acting within the actual or apparent scope of their authority” and, applying the steer from the CPA Notes in that regard, whether their acts were “of a type that they are authorised to undertake or which would normally be undertaken by them.”[22]
On one view, this might give rise to an assessment that companies will not generally be liable in these circumstances. However, it is possible to conceive of circumstances where this will be tested by an ambitious prosecutor. Whilst doing so might require an expansive application of the regime, a prosecutor might determine that the public interest demands as much in certain circumstances. Consider, for example, where a healthcare professional conducts an inappropriate examination, a surgeon undertakes an unnecessary operation, a care-home worker roughly restrains a resident, or a nightclub bouncer assaults an inebriated customer. An equivalent analysis could apply to other offences in a work context, such as the false and threatening communications offences under the Online Safety Act.[23]
PRACTICAL STEPS FOR COMPANIES TO TAKE NOW
In contrast to the FTP Fraud offences under ECCTA, as there is no general compliance defence under the Senior Manager Regime, there are relatively limited things that companies can do to eliminate risk. This makes it very important that they do as much as they can to identify, assess and mitigate key risks. We suggest a three-stage approach in this regard:
- Identify persons across the organisation who may be senior managers according to the statutory definition, based on an analysis of whether they play a “significant” role in managing or organising the whole or a “substantial” part of the company’s activities.It has been observed in some quarters that it could be risky to create a list of persons who are considered to be senior managers. The theory appears to be that such a list could be used as evidence in a prosecution. We do not consider those concerns to be well founded.The obvious point to make is that senior managers will be identified by prosecutors, based on an analysis of the facts and according to the statutory definition, not according to what the employer or the compliance function thinks or writes down at any point in time.More generally, it will often be prudent to identify a broad range of candidates – not just those who are definitely considered to be senior managers – e.g. those who are possibly or potentially senior managers, those who may soon become senior managers, and those who work closely with them. Identifying such an amorphous group is unlikely to be evidentially dangerous. However, identifying the members of a broader group such as this will certainly make related training and monitoring more impactful.In any event, appropriate steps can be taken to ensure that any work product of this nature is (a) created in a legally privileged environment and (b) framed in an evidentially neutral manner so as to minimise the type of risk that appears to be envisaged by certain commentators.
- For each category of individual identified at stage 1, identify the types of offences they are realistically at risk of committing when “acting within the actual or apparent scope of their authority”. Whilst certain offences are potentially relevant to all companies, others may be industry or sector-specific. The analysis may also be role-specific (i.e. a senior manager in the Human Resources function will have a different exposure to a senior manager in Finance; and specific individuals may be responsible for ensuring compliance with environmental or health and safety laws, for example). Care should be taken not to overlook the economic crime offences previously covered under ECCTA’s senior manager provisions.
- Apply a risk analysis in relation to the offences identified. In each case, that analysis might consider factors such as, e.g.:
- the jurisdictional triggers relevant to the offence;
- any existing, offence-specific routes (beyond the Identification Principle) to establishing corporate liability. For example, certain offences already operate on a form of strict liability[24] or impute knowledge to the company automatically in certain circumstances;[25]
- any statutory defences;[26]
- any existing policies, procedures and controls relevant to the types of conduct each offence is concerned with. This should include considering how effectively such measures are implemented in practice, by reference to matters such as training, monitoring, and, more broadly, whether the company has an existing ‘culture of compliance’ in the relevant area; and
- data from the company’s whistleblowing and investigation functions. For example, a concentration of allegations of wrongdoing in a specific area may point to unaddressed, or heightened, risk.
As a practical matter, the exercise is likely to benefit from cross-functional input, as the Senior Manager Regime may extend beyond the traditional perimeter of the compliance function (e.g. environmental compliance, employment-related issues, international supply chain issues, or health and safety).
The output would ultimately be a form of risk matrix tailored to the Senior Manager Regime. This could be used to prioritise areas which may benefit from enhancements to existing controls, the introduction of new controls, or other risk mitigation measures. Depending on the risk profile, this could involve tailored training and compliance certifications for specific senior manager populations, enhanced controls monitoring, additional scrutiny by Internal Audit, and ‘two sets of eyes’ on senior manager decisions relating to things such as expenditure, procurement, financial reporting, engagement with third parties, etc. Naturally, such an exercise may also help a company to identify and mitigate areas in which it is vulnerable to falling victim of a crime.
When rolling out new measures to any senior manager cohort, consideration should also be given to including their direct reports and others they work closely with. These individuals can act as the ‘eyes and ears’ of the company and provide an early warning of potential issues. They may also become senior managers in due course.
CONCLUSION
Extraordinary geopolitical pressures and the proliferation of AI are undoubtedly giving rise to more sophisticated incidents of organised crime such as sanctions breaches and money laundering, whilst tariffs, inflated oil prices, tax rises and the increased cost of borrowing have placed considerable strain on ordinary businesses across the globe.
As a result, managers are increasingly under pressure to meet budgets, bolster the balance sheet, win market share, secure investment, earn bonuses and conceal mistakes. Experience shows that times such as the present give rise to higher levels of economic crime and more ingenious methods of concealment. Insolvencies, litigation, investigations, whistleblowers, class action lawyers, NGOs and investigative journalists are not far behind, and a new wave of trigger events and enforcement is expected.
Company restructuring, M&A activity, redundancies and changes in management often give rise to disgruntled employees who then approach the authorities with complaints. Auditors, banks, insurers, joint venture partners and investment committees are also intensely focused on fraud risk at present.
Recent changes in the law mean that prosecutors now have: (i) a dual-track route to corporate attribution for criminal conduct falling within the FTP Fraud offence; and (ii) an entirely new route in respect of a very broad range of “senior manager” offending. Whilst there is some uncertainty as to how several key definitions will operate in practice, it is clear that a host of agencies with prosecution powers are newly empowered to target corporates[27].
There is also the possibility that third parties such as disaffected employees, competitors and NGOs will seek to weaponise the new regime – either through making public calls for action or leaking information to the media. In certain cases, they may even seek to initiate private prosecutions.
Against this complex and uncertain backdrop, taking proportionate steps now to identify, assess and mitigate real (as opposed to merely theoretical) risks under the Senior Manager Regime will be time very well spent.
In the meantime, it should be remembered that there is no limitation period in English law relating to criminal offences, some of which may have been committed by senior managers over the past two and a half years since ECCTA introduced the initial changes in December 2023. It should also be noted that the absence of a “reasonable procedures” defence makes this route to prosecution significantly more attractive to law enforcement agencies, who will therefore specifically look for evidence of senior management involvement when matters come to their attention.
The expansion introduced by the CPA on 29 June 2026 provides a timely opportunity for legal and compliance professionals to re-assert the importance of these provisions and re-engage the attention of senior management, while the opportunity to take appropriate action still exists.
[1] s.7 UKBA (failure to prevent bribery).
[2] s.45 CFA (failure to prevent facilitation of UK tax evasion) and s.46 CFA (failure to prevent facilitation of foreign tax evasion).
[3] Broadly equivalent defences of “adequate procedures” and “reasonable procedures” apply, respectively, to the failure to prevent offences under the UKBA and CFA.
[4] s.196 to s.198 and Schedule 12.
[5] s.255(3) CPA.
[6] Schedule 12 ECCTA.
[7] See, for example, the UK Serious Fraud Office guidance in relation to corporate compliance programmes (26 November 2025). See also our alert for further details.
[8] s.250(3) CPA – the definition is the same as in ECCTA.
[9] Explanatory Notes relate to the Crime and Policing Bill as brought from the House of Commons on 19 June 2025, paragraph 230, at https://bills.parliament.uk/publications/61563/documents/6712
[10] CPA Notes, paragraph 1444.
[11] CPA Notes, paragraph 1443.
[12] As listed in Part 2 of Schedule 17 to the Crime & Courts Act 2013, which includes offences relating to bribery, fraud, money laundering, and sanctions.
[13] s.250(1) CPA.
[14] For example, such as that published in relation to the FTP Fraud offence under ECCTA.
[15] CPA Notes, paragraph 1445.
[16] CPA Notes, paragraph 1445 (the same example appeared in the ECCTA explanatory notes).
[17] s.250(2) CPA states: “An organisation does not commit an offence by virtue of subsection (1) if – (a) all of the conduct constituting the offence occurs outside the United Kingdom, and (b) the organisation would not commit the offence if that conduct were the organisation’s (rather than the senior manager’s).”
s.196(3) ECCTA stated: “Where no act or omission forming part of the relevant offence took place in the United Kingdom, the organisation is not guilty of an offence under subsection (1) unless it would be guilty of the relevant offence had it carried out the acts that constituted that offence (in the location where the acts took place).”
[18] Non-exhaustive examples of offences under the specified legislation.
[19] Including contravention of specific regulations made under the HSWA, e.g. the (Construction (Design and Management) Regulations 2015) and harmful substances (Control of Substances Hazardous to Health Regulations 2002)).
[20] Such as the General Food Regulations 2004 and Food Hygiene (England) Regulations 2013.
[21] ECCTA’s senior manager provisions will be repealed when the new CPA provisions come into effect.
[22] Notes, paragraph 1445.
[23] Various offences under Part 10, Online Safety Act.
[24] e.g. for prosecutions for breach of the employers’ duty under s.2 or s.3 HSWA. In R v. British Steel plc [1995] 1 WLR 1356 CA, the Court of Appeal held that a corporate employer could not avoid liability on the basis of the Identification Principle (i.e. that the company’s “directing mind” was not involved in the offence).
[25] e.g. for the purposes of the s.21 right to work offence, s. 22(1) IANA imputes knowledge of relevant facts to a company where “a person who has responsibility” within the company “for an aspect of the employment knows the fact”.
[26] e.g. certain offences under the HSWA have a defence of “reasonable practicality” (s.3(1)), and certain offences under the Food Safety Act have a defence of “due diligence” (s.21).
[27] Such as, for example, the Competition & Markets Authority, the Information Commissioner’s Office, Ofcom, the Health & Safety Executive, the Environment Agency, and the Food Standards Agency.