Cookie Settings

We use cookies and similar technologies to help personalise content, tailor and measure ads, and provide a better experience. By clicking OK or turning an option on in Cookie Preferences, you agree to this, as outlined in our cookie Policy.

Allow AllReject

Customise

Cookie Settings

Cookies are small text that can be used by websites to make the user experience  more efficient. The law states that we may store cookies on your device if they are strictly necessaryfor the operation of this site. For all other types of cookies, we need your  permission. This site uses various types of cookies. Some cookies are placed by third party  services that appear on our pages.

These items required to enable basic website functionality

Cookies used to deliver advertising that is more relevant to you and your interests.

Cookies allowing the website to remember choices you make (such as your user name, language, or the region you are in).

Cookies helping understand how this website performs, how visitors interact with the site, and weather there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Confirm ChoicesCancel
cookie icon
Need Regulatory Help? Talk to the Experts
0203 371 1064Follow us

Corporate Criminal Liability and the Crime and Policing Act 2026

May 29, 2026

When the Crime and Policing Act 2026[1] (referred to as the PCA 2026) received Royal Assent on 29 April 2026 the headlines were largely about what one might expect: knife crime, antisocial behaviour, public order and a familiar suite of policing powers. What received considerably less attention, however, but which from 29 June 2026 affects every incorporated firm and every limited liability partnership in the country, is a single provision tucked some way into the Act.  Section 250[2] fundamentally widens the circumstances in which an organisation can be convicted of a criminal offence committed by one of its people. Commentators have described it as the most significant change to corporate criminal liability in over a century, and on any sensible reading of what the provision actually does, that may not be an exaggeration.

For a solicitors’ firm the change deserves close and early attention. Firms handle client money, sensitive personal data, regulated activities and a steady stream of transactions in which the conduct of senior people carries real legal weight, and from 29 June 2026 the criminal conduct of a much wider group of individuals within a firm can be treated, in law, as the conduct of the firm itself. For most firms this will never become a practical problem, provided sensible steps are taken to understand the position and to behave as a conscientious professional would in any event. Nevertheless, the change is real, and the gap between firms that have engaged with it and those that have not is likely to become visible quite quickly. This article looks at what section 250 actually does, how it interacts with the existing “failure to prevent” regimes under the Bribery Act 2010, the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023), why it falls particularly heavily on incorporated firms and LLPs, and what firms should be doing now.

For Infolegal subscribers, the full position is set out in Infolegal Factsheet 44, and there is also a training course highlighting the key issues that have arisen.  Contact Infolegal to learn how you could become a subscriber.

From the “Directing Mind” to the Senior Manager

To understand what has happened it helps to remember what came before.

For most of the twentieth century the criminal liability of a company in England and Wales rested on what is known as the “identification doctrine”: a company could only be convicted of an offence requiring proof of a guilty state of mind where the wrongdoing could be attributed to a person who was, in the old phrase, the “directing mind and will” of the company. In practice, that meant the board or the most senior executives at the very top. The doctrine was workable for small companies, but it made the prosecution of larger organisations notoriously difficult. The more spread out the decision-making process, the harder it was to pin criminal intent on any single controlling individual, and so the larger and more complex the firm, the more likely it was to escape conviction altogether.

The first substantial reform came with section 196 of the ECCTA 2023[3]. That provision dispensed with the “directing mind and will” test for a defined list of economic offences such as fraud, false accounting, money laundering and bribery, and replaced it with a new basis of liability. That basis provided that where a senior manager of an organisation, acting within the actual or apparent scope of their authority, committed one of those listed offences, the organisation was also guilty of the offence. The reform was deliberately confined to economic crime, and Parliament signalled that wider reform might follow. The CPA 2026 is Parliament going further.

What Section 250 Does

Section 250 takes the senior manager attribution route from the ECCTA 2023, repeals it, and extends a near-identical mechanism across almost the whole of the criminal law. Where a senior manager of an organisation, acting within the actual or apparent scope of their authority, commits any criminal offence capable of being committed by an organisation, the organisation is also guilty of that offence. The list of relevant offences is no longer confined to economic crime; it now reaches health and safety offences, data protection offences, environmental offences, modern slavery offences, computer misuse and a wide range of regulatory crime besides.

Two features of the new basis of liability deserve emphasis because they are easy to overlook.

First, the firm does not need to have benefited from the senior manager’s conduct. It can be convicted even though it gained nothing, and possibly even though the conduct was contrary to its interests.

Second, the firm does not need to have known of the conduct: there is no requirement to prove a decision at board level or a failure of oversight, because liability attaches because of the individual’s role and authority.

In simple terms, the conduct of the senior manager becomes, in law, the conduct of the firm. There is a narrow territorial exception under section 250(2) where all of the offending conduct occurs outside the United Kingdom, but for everyday purposes the rule should be assumed to apply in full. Section 250(7) is the only consequential amendment the new Act makes to earlier legislation: it omits sections 196 to 198 of, and Schedule 12 to, the ECCTA 2023 — the predecessor senior manager regime that the new provision replaces and widens.

Who Counts as a “Senior Manager”?

Because liability turns on the conduct of a “senior manager”, the meaning of that term is central. The definition is not new; it is drawn from the law on corporate manslaughter and was carried into the ECCTA 2023, and the CPA 2026 Act adopts it without material change. A senior manager, in section 250(3), is an individual who plays a significant role in either the making of decisions about how the whole or a substantial part of the organisation’s activities are managed or organised, or in the actual managing or organising of the whole or a substantial part of those activities — in short, both those who decide and those who run.

The most important point is that the definition is functional rather than formal. It does not depend on a person’s job title, on whether they sit on the board, or on any regulatory designation; it depends on what they actually do. The population of people whose conduct can now expose the firm therefore extends well beyond the boardroom, and in a solicitors’ firm is likely to include the managing partner or chief executive, the heads of practice groups or departments, the managing partners of individual offices, the heads of finance, operations, human resources and information technology, and those holding the formal compliance roles of Compliance Officer for Legal Practice and Compliance Officer for Finance and Administration. The phrase “a substantial part” is important: it means that the head of a single large department or a significant regional office may qualify, because that department or office is itself a substantial part of the firm. The boundaries are genuinely uncertain and will only be settled as cases come before the courts, so for planning purposes the safer course is to err towards inclusion.

Actual and Apparent Authority

It is not enough that a senior manager has committed an offence somewhere: the offence must have been committed within the actual or apparent scope of that person’s authority. That sounds like a restriction that might offer real protection, but in truth it offers much less than one might hope. There are two routes. “Actual” authority is concerned with what the firm in fact permitted the individual to do; “apparent” authority — a concept borrowed from the law of agency — is concerned with how matters reasonably appeared to those dealing with the firm. The test is interpreted broadly: it is enough that the act was of a type the senior manager was authorised to undertake, or which would ordinarily be undertaken by a person in that position. The senior manager plainly does not need to have been authorised to commit the crime; almost no one ever is. The test fixes on the type of act, not on whether the specific, criminal act was sanctioned.

The reference to “apparent” authority is particularly significant, and is likely to be the source of much of the uncertainty in the new regime. It means that a firm may be liable even where the senior manager has acted outside the limits the firm has set internally, provided that, to a third party such as a client or a bank, the individual appeared to be acting within the authority that a person in that role would ordinarily have. A firm cannot, therefore, insulate itself simply by writing internal limits into a delegated authority document if, to the outside world, the individual still looks to be acting on the firm’s behalf — which is why so much of the practical attention now falls on the design of governance, the clarity of delegation, and the way in which the firm presents the authority of its people.

The Bribery Act, the CFA and the Question of Defences

For senior managers and compliance officers, the most counter-intuitive feature of section 250 is the absence of any “adequate procedures” or “reasonable procedures” defence.

Anyone who has worked through the family of “failure to prevent” offences over the last fifteen years will be familiar with the basic deal those regimes offered the firm: build and maintain good systems and controls, and you have a defence if an individual nonetheless offends. The failure to prevent bribery under section 7 of the Bribery Act 2010[4] turns on whether the organisation had adequate procedures in place; the failure to prevent the facilitation of tax evasion under sections 45 and 46 of the Criminal Finances Act 2017[5] turns on whether the relevant body had reasonable prevention procedures; and the failure to prevent fraud under section 199 of the ECCTA 2023 follows the same pattern. In each case the firm’s reward for investing in procedures is a complete defence to a prosecution that would otherwise succeed.

Section 250 is not built on that model. If a senior manager commits a qualifying offence within the actual or apparent scope of their authority, the firm is guilty, however good its compliance arrangements may have been. The careful and well-run firm is, in this narrow sense, in the same position as the careless one once the conditions for liability are met. It is this contrast — long-standing procedures defences in the failure-to-prevent regimes; no defence at all on the new attribution route — that has caused the change to be described as the single most important point in this whole area.

It is important, however, to be precise about what the CPA 2026 does and does not do to that existing framework. The Act does not amend or repeal the Bribery Act 2010, the Criminal Finances Act 2017 or the failure to prevent fraud offence in the ECCTA 2023.  Each of those, with its respective procedures defence, remains in force exactly as before. The only consequential amendment is at section 250(7), which omits the predecessor senior manager regime in the ECCTA 2023. The failure-to-prevent regimes themselves are entirely untouched.

The practical consequence is therefore more nuanced than the bare contrast suggests, because the two routes do different work and target different populations. The failure-to-prevent offences make the firm liable for an offence committed by an “associated person” — typically an employee, agent or third party acting on the firm’s behalf — and offer a complete procedures defence. The attribution route under section 250 makes the firm liable for a substantive offence committed by one of its senior managers, with no procedures defence at all. The protective reach of the procedures defences has therefore not been weakened so much as outflanked: they continue to do their work for the wider population of associated persons, but they do not protect the firm against its own senior managers. And for the economic crimes already on the predecessor list under section 196 — bribery, fraud, money laundering and the facilitation of tax evasion — the position is in substance unchanged: a firm could already be convicted of those offences where a senior manager committed them, and there was no procedures defence on that route then any more than there is now. The real significance of the CPA 2026, therefore, is not that it weakens the existing failure-to-prevent defences — it does not touch them — but that it brings the same no-defence attribution model to bear on the very large body of offences that were never on the economic crime list in the first place. It is in that extension, rather than in any change to the way bribery, fraud or tax evasion are treated, that the increased burden on firms is to be found.

None of this means that systems and controls have ceased to matter. They remain a complete defence to the failure-to-prevent offences where the wrongdoer is an associated person rather than a senior manager, so the incentive to invest in them is undiminished across that part of a firm’s exposure. And even where the attribution route applies, and no defence is available, strong governance, clear lines of authority, effective investigations and a culture in which concerns are raised remain highly relevant — both as to whether a firm is prosecuted in the first place, including whether a case is taken forward or resolved through a deferred prosecution agreement, as well as to any potential mitigation of penalty imposed on the firm.

In other words, good procedures no longer prevent the door from opening in every case, but they remain the firm’s best protection against the most serious consequences once it has.

Why Incorporated Firms and LLPs Are Most Affected

The new rules apply to an “organisation”, defined as a body corporate or a partnership. On the face of the legislation the regime therefore reaches partnerships as well as companies, but in practice the change matters far more to firms that are incorporated or established as limited liability partnerships, and the reason lies in the nature of legal personality. A traditional, unincorporated partnership has no separate legal personality distinct from its partners; the partners are the firm, and the law has long had ways of fixing them personally with responsibility for criminal acts.

A sole practitioner is in an even simpler position: he or she is personally and directly responsible for his or her own conduct. For these firms the new attribution mechanism adds comparatively little, because the individuals concerned already carry the criminal responsibility that the legislation is designed to capture.

The position is quite different for a firm that has a separate legal personality of its own. A limited company has a legal existence distinct from its directors, members and employees, and a limited liability partnership, although described as a partnership, is in law a body corporate under the Limited Liability Partnerships Act 2000 and likewise has its own separate personality. It is precisely this separation that the identification doctrine struggled with, and precisely this separation that the new regime is designed to bridge.

The Range of Offences Now in View

Section 250 reaches any criminal offence capable of being committed by an organisation where a senior manager commits it within the actual or apparent scope of their authority, and the realistic field is therefore wide. For a law firm the offences most likely to be in contemplation fall into five broad areas:

  1. financial crime, including money laundering under the Proceeds of Crime Act 2002, the failure-to-disclose offence by the firm’s MLRO under section 331, breaches of UK financial sanctions, and the substantive bribery offences;
  2. fraud and dishonesty more broadly, including offences involving client money or accounting records;
  3. data, technology and confidentiality, including unlawful obtaining or disclosure of personal data under section 170 of the Data Protection Act 2018, computer misuse offences, and the misuse of encrypted or ephemeral messaging channels to share or delete things which ought to be preserved;
  4. offences connected with investigations and the administration of justice, including the destruction or concealment of documents and the common law offence of perverting the course of justice; and
  5. offences connected with premises and people, including health and safety, modern slavery and the right-to-work rules.

There are inevitably going to be questions as to the boundaries of the legislation which no doubt the courts will be called upon to resolve. These may, for example, relate to offences which can only be committed by an individual (for example insider dealing under section 52 of the Criminal Justice Act 1993) and possibly also offences committed against the firm by a senior manager, rather than on its behalf.  Inevitably there will be others.

Practical Steps for Firms

The right reaction for firms to take is neither alarm nor inaction, but proportionate preparation. The work falls naturally into three phases, each building on the one before, and the effort devoted to each should be scaled to the size and nature of the firm.

The first phase is scoping and risk assessment: establishing the basic facts about the firm’s business model, group structure and jurisdictions; mapping the senior managers, including those who sit close enough to the boundary to be sensibly treated as within it; and taking a high-level view of how current governance and controls measure up against the new basis of liability. Most firms already hold a good deal of relevant material in their AML, conduct, health and safety, whistleblowing and disciplinary policies, and the exercise is largely about taking stock of what exists.

The second phase is policy and documentation. There is no need for a thick new manual: the most effective course will usually be either to prepare a short, focused policy dealing with corporate criminal liability and senior manager accountability, or to embed the new regime within the firm’s existing code of conduct and compliance materials. Delegated authority matrices, role descriptions for senior posts and induction materials for senior hires should be reviewed and aligned, so that responsibilities and the limits of authority are clearly recorded and capable of being explained — both internally and, if necessary, to a prosecutor or a court.  Infolegal subscribers will be able to access a short additional standalone policy covering the various issues and there will be a corresponding update to the template Office Procedures Manual.

The third phase is training and awareness. Those within the senior manager definition, and those who sit close to it, should receive focused training that explains how senior manager attribution works and what is expected of them in their day-to-day exercise of authority, oversight of their teams, escalation of concerns, and engagement with investigations and with the firm’s whistleblowing arrangements. The wider management population can sensibly receive shorter awareness training, and the topic should be built into induction for new senior hires and into refresher cycles thereafter.  The Infolegal training course on the topic should assist subscriber firms with this.

Looking Ahead

The regime is new and untested, and it is too soon to know how vigorously the new powers will be used or how the courts will interpret the central concepts of “senior manager” and “actual or apparent authority”. There were no prosecutions under the narrower economic crime version of senior manager attribution between its commencement in December 2023 and its repeal by section 250 — though that is by no means a guarantee that the wider regime will be approached with similar restraint. The picture will develop through prosecutorial guidance, deferred prosecution agreements and, in due course, the first decided cases. The sensible course for a firm is to understand the position, take proportionate steps to manage it, and not to wait and see.

As mentioned earlier for Infolegal InfoHub subscribers, our Factsheet 44 sets out the full position, the Office Procedures Manual has been updated to include a short policy on corporate criminal liability and senior manager accountability, and the issues addressed form the basis of a 25-minute training course aimed at senior managers and those in near-senior roles. Subscribers will find the revised materials on the InfoHub, and firms wishing to find out more about our services should contact us at enquiries@infolegal.co.uk.

[1] Crime and Policing Act 2026 — https://www.legislation.gov.uk/ukpga/2026/20

[2] Section 250 (enacted text) — https://www.legislation.gov.uk/ukpga/2026/20/section/250/enacted

[3] Economic Crime and Corporate Transparency Act 2023 (section 196, now repealed by section 250(7) of the 2026 Act) — https://www.legislation.gov.uk/ukpga/2023/56/section/196

[4] Bribery Act 2010, section 7 — https://www.legislation.gov.uk/ukpga/2010/23/section/7

[5] Criminal Finances Act 2017, sections 45 and 46 — https://www.legislation.gov.uk/ukpga/2017/22/section/45

Search
Recent Posts
Corporate Criminal Liability and the Crime and Policing Act 2026
CQS Audits: Why Conveyancing Firms Should Take Them Seriously
Digital Identity Verification for AML: A New Compliance Landscape
Sign up to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Registered Office
2 Crown Lane
Sutton Coldfield
West Midlands B74 4SU

Terms & Conditions Privacy Policy
Infolegal Limited, incorporated in England & Wales (7851850). VAT: 128009728. 2 Crown Lane, Four Oaks, Sutton Coldfield, West Midlands, B74 4SU