Overview

The Crime and Policing Act 2026 (CPA) significantly expands the scope for criminal liability to be attributed to companies. Under section 250 of the CPA, which came into force on 29 June 2026, a company can be held liable if a senior manager commits any offence while acting within the actual or apparent scope of their authority.

Previously, a company could only be held liable if the offence was committed by its "directing mind and will", which typically meant board-level directors or those exercising ultimate control. The expansion to "senior managers" was first introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) but only in respect of specified "economic crime" offences. The CPA removes that limitation, extending senior manager attribution to cover all criminal offences.

The CPA's reforms to senior manager attribution have several important implications for companies:

  • Increased exposure to criminal liability: UK prosecuting authorities have an additional means by which to hold companies criminally liable for the actions of their key decision-makers, which now covers all offences. This change is intended to make it easier to prosecute companies where this was not previously possible and to build on other reforms in recent years, such as the introduction of the corporate offence of failure to prevent fraud. 
  • Broad definition of "senior managers": Companies may be held liable for the actions of any individual with meaningful decision-making authority. The concept of a "senior manager" in this context will not necessarily be confined to board-level directors or those within scope of any applicable individual accountability regime, and heads of business units, divisional leads, and senior operational managers may all potentially be caught.
  • All companies within scope: UK prosecuting authorities can use this attribution route in relation to all companies (bodies corporate and partnerships), whatever their size and wherever they are incorporated. 
  • No corporate benefit required: There is no requirement to show that the senior manager's actions benefited the company for liability to be attributed to it.
  • No defence or exemption: There is no corporate defence of "reasonable procedures" where liability is attributed to a company using section 250 of the CPA, and a company may still be held liable even if it was a victim of the offence.

Some uncertainty remains about how UK authorities will use this attribution route in practice. So far, there has been no prosecution using the predecessor provision under ECCTA. In addition, authorities have other 'tools' which can be relied on to hold companies liable, such as specific corporate offences covering particular areas of conduct (sometimes on a strict liability basis) and, where a prosecution is not deemed necessary or appropriate, civil/regulatory penalty frameworks (which can provide a more time and cost-efficient route to enforcement and may still result in substantial financial penalties).

That said, the CPA reflects a clear legislative intention to make it easier to hold companies criminally liable for the conduct of their senior managers across all types of offences, and companies should not underestimate its significance. The CPA's reforms serve as a useful prompt for companies to consider the adequacy of their risk exposure and control frameworks.

We discuss the reforms to senior manager attribution, and practical compliance considerations, below.

Background 

Historically, a company could only be held criminally liable if the individual who committed the offence was sufficiently senior to be regarded as the company's "directing mind and will". In practice, this usually meant board-level directors and senior officers carrying out the functions of management. 

Many argued that this made it too difficult to prosecute companies, particularly large organisations with complex governance structures.

In 2023, reforms were made under ECCTA which sought to address that criticism. Firstly, ECCTA introduced a new corporate offence of failure to prevent fraud, which came into force on 1 September 2025 (see our earlier briefing here). Secondly, it introduced the concept of senior manager attribution, which meant that a company could be held criminally liable if a senior manager commits a specified "economic crime" offence, such as fraud, bribery or money laundering.

Section 250 of the CPA expands the concept of senior manager attribution so that it now covers all offences and is no longer limited to specified "economic crime" offences.

Senior manager attribution under section 250 of the CPA

Under section 250 of the CPA, where a senior manager of a body corporate or partnership (a company) commits an offence while acting within the actual or apparent scope of their authority, the company also commits the offence. For these purposes:

  • A "senior manager" is defined as an individual who plays a significant role in managing or organising the whole, or a substantial part, of a company's affairs. This would likely include directors, in addition to other personnel with decision-making authority and significant strategic or administrative responsibilities, such as heads of divisions, business units or support functions.
  • The senior manager must be acting within the actual or apparent scope of their authority. This does not require the company to have authorised the criminal conduct itself. The key question is whether the senior manager was performing an authorised activity, even if they did so improperly and in breach of internal policy. 
  • The senior manager must commit an offence under the laws of England and Wales, Scotland or Northern Ireland. This can be any offence and is no longer limited to offences of a particular type.
  • The jurisdictional scope of section 250 of the CPA is broad and also captures organisations incorporated outside the UK. Extraterritorial conduct may also be captured, provided the company could itself be liable for the offence. In other words, liability will not attach to an overseas organisation for a senior manager's overseas conduct, simply because the senior manager concerned was subject to the UK's extraterritorial jurisdiction, for example, as a result of their individual British citizenship.

Practical examples

The risks applicable to any company will vary, depending on its activities, sector and personnel. Examples of the circumstances in which a UK prosecutor could seek to attribute criminal liability to a company for the actions of a senior manager include:

  • Knowingly inaccurate regulatory reporting – for example, a senior compliance manager who is responsible for regulatory data submissions discovers that inaccurate information is routinely being submitted to a regulator. The individual does not rectify the issue and continues to sign off on submissions which they know to be false;
  • Unlawful hiring practices – for example, an HR director commits an immigration offence or modern slavery offence when hiring individuals, such as knowingly engaging a provider which uses forced labour;
  • False accounting – for example, a finance director knowingly submits falsified financial statements to the company's lender to secure a favourable credit facility;
  • Misleading statements to consumers – for example, a marketing director authorises an advertising campaign in the knowledge that this contains false statements about a product; and
  • Workplace misconduct – for example, a Head of Sales harasses one of their direct reports (e.g. sending repeated unwanted communications, or engaging in intimidation and humiliation) or the Director of Security authorises the assault of a trespasser in a restricted area.

What can companies do?

All companies should review their risk exposure and control frameworks in light of the increased scope for corporate liability. Some companies (particularly those in highly regulated sectors) may already have robust frameworks in place to identify and manage the risk of criminal liability in areas that are typically subject to close scrutiny by UK authorities and regulatory bodies. However, the intended effect of this development is broad and designed to make it easier to prosecute companies for the actions of their senior managers in relation to all types of offences.

Companies should consider how a wider interpretation of 'senior management' might impact their compliance and legal risk generally. This may include:

  • Considering who could be regarded as a senior manager of the company.
  • Mapping the actual and apparent authority afforded to senior managers to identify areas where the company may be exposed to liability as a result of managerial decision-making, including in operational and regulatory compliance functions, not just financial or commercial roles.
  • Implementing enhanced training and oversight for senior individuals, covering the broader range of criminal offences for which the company could now be held liable and not limited to "economic crime" offences.
  • Reviewing existing compliance systems and controls to ensure these appropriately address applicable risks. 
  • Revisiting policies and procedures, in addition to internal reporting lines in the event of any suspected breach.

If you have any questions about these reforms to corporate criminal liability or their impact, please contact one of the authors of this briefing or your usual HSF Kramer contact.

Kate Meakin Susannah Cogman Robert Hunt Ali Grodzki Serge Durdyyev