Briefing

From boardroom to business‑wide risk: Corporate criminal liability now covers all offences

On 29 June 2026, the Crime and Police Act 2026 (“CPA 2026”) comes into force, fundamentally overhauling the UK’s approach to corporate criminal liability. Corporates, regardless of size, can now be prosecuted for almost any criminal offence committed by their senior managers. Organisations have until 29 June to get their houses in order.

The identification doctrine

Historically, corporate criminal liability relied on the applicability of the ‘identification doctrine’, which only held a company criminally liable for actions taken by a person who represented its ‘directing mind and will’. In practice, this made it very difficult to hold companies to account. Indeed, on occasion, even the CEO of a large company could not be said to have exercised directing mind and will.¹

Evolution of the principle

Successive governments have considered how and whether to address this apparent iniquity, particularly in the context of economic crimes. However, rather than addressing the identification doctrine itself, they chose to introduce the ‘failure to prevent’ offences; firstly in 2010 for bribery, and then in 2017 for facilitating tax evasion.

That was until the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) was passed. Not only did this introduce the failure to prevent fraud offence but it also took the crucial first step in addressing the difficulties encountered when prosecuting a company under the identification doctrine by introducing a statutory definition of the identification doctrine for certain criminal offences. This widened the category of people whose acts could be attributed to a corporate, to include senior managers. We addressed this change in our previous article.

Crucially, however, this was limited to economic crimes only. Section 250 of the CPA 2026 will expand the scope to include almost all criminal offences, meaning that senior managers who commit any crime when “acting within the actual or apparent scope of their authority”, will also put their corporate at risk of prosecution.

Who is a senior manager?

A senior manager is defined as an individual who plays a significant role in “the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised”, or “the managing or organising of the whole or a substantial part of those activities”.²

When assessing who falls within the definition of a senior manager, it is important to remember that it is a matter of function over form, and it is not limited to ‘senior management’ (i.e. C-suite and/or Board members). It is not defined by job title, remuneration or employment status. For example, this would include senior members in HR or compliance functions, given their significant roles in a substantial part of an organisation’s activity.³ This is especially the case in modern businesses where management structures are complex and decision-making is decentralised.

What crimes are covered?

Economic crimes remain in scope but from 29 June 2026, other crimes will also be in scope. In practice, where corporate offending does occur, it is likely to be in relation to an economic crime offence but other offences, including those relating to modern slavery (which recent reports put at record levels in the UK⁴) will be in scope as well as offences relating to environmental, data protection and health and safety breaches.

Offences in relation to aiding and abetting a crime are also in scope. This means that if a senior manager encouraged or assisted a junior employee in the commission of an offence, the corporate could also be liable.

Is there a defence?

As with the previous provisions in the ECCTA, section 250 of the CPA 2026 does not create a new offence; it simply extends the reach of existing offences to a wider group of people within an organisation. As such, unless there is a defence for the relevant predicate offence, there is no statutory defence for the ‘failure to prevent’ variation of the offence. However, the charging guidance for prosecutors requires them to consider, as part of the public interest aspect, whether there was an effective compliance programme in place at the time of the offending. In the event of conviction, this may be a mitigating factor when considering sentence.

Top tips

The new approach to corporate criminal liability does not do away with the identification doctrine but rather is intended to lower the evidential threshold for prosecutors to attribute such corporate criminal liability. Certainly, in the case of economic crime, the Interim Director of the UK’s Serious Fraud Office has recently emphasised that these changes strengthen the agency’s ability to hold companies to account,⁵ and, as with any new toy, they will be keen to make use of these new provisions. With that in mind, we can expect a marked increase in enforcement activity, in the medium to long-term.

To get prepared, before the changes come into force on 29 June 2026, businesses should:

Conduct mapping and risk assessments of senior managers. Give specific consideration to business unit leaders, regional heads, operational leaders and those in procurement roles.
Clarify scope of roles and reporting lines. In modern businesses, decision-making can be decentralised but often also overlapping. Ensure that there is clear delineation of who has real decision-making authority in the business and make sure that the individuals are aware of their decision-making authority and the risks that come with this.
Document risk assessments conducted at all levels. Risk has moved down the chain from just the Board level. It should be a priority for the business to show that it has considered the risk of corporate criminal liability arising from all levels of the business and will make it easier to defend.
Ensure that there are strong compliance frameworks. While there is no defence of having ‘adequate procedures’ like there is for the failure to prevent fraud offence, having proper compliance programmes which reflect the renewed risk may be a mitigating factor.
Pay special attention to areas which involve overseas operations. This is undoubtedly going to be a key area of focus for enforcement, and unless the activity takes place wholly outside of the UK (rare for global companies which often have some sort of UK nexus), often, a corporate will fall within the scope of the CPA 2026. Procurement and third-party supplier governance are exposure areas to prioritise.

We would be pleased to assist in getting businesses up to speed and preparing for when the CPA 2026 comes into force. Get in touch with a member of our team to see how we can help.

Footnotes