Companies and partnerships now face wider exposure to corporate criminal liability after section 250 of the Crime and Policing Act 2026 came into force.
The change expands the senior manager attribution model beyond economic crime. Where a senior manager of a body corporate or partnership commits a UK criminal offence while acting within the actual or apparent scope of their authority, the organisation can also commit that offence.
The new provision applies to bodies corporate and partnerships, replacing the narrower framework previously focused on specified economic crimes. Its scope extends across the UK criminal law landscape, including areas such as environmental offences, health and safety, data protection, modern slavery, computer misuse, and regulatory breaches where the facts support attribution.
Section 250 moves the law away from the older “directing mind and will” test, which often made corporate prosecution difficult in large or complex organisations. That test required prosecutors to identify misconduct by someone who embodied the company’s controlling mind, typically someone at or very near the top of the organisation.
The senior manager model broadens the field. A senior manager does not need to be a board director. The definition can extend to people who play a significant role in making decisions about how the whole, or a substantial part, of an organisation’s activities are managed or organised, as well as those who actually manage or organise those activities.
The statutory wording gives prosecutors a wider route into corporate liability. The key issue is whether the individual was acting within the actual or apparent scope of their authority. That does not require proof that the company authorised criminal conduct. It requires analysis of whether the conduct fell within the type of activity the person was authorised, or appeared authorised, to undertake.
The provision is not a failure to prevent offence. That distinction is central. Failure to prevent regimes, such as the Bribery Act and Criminal Finances Act models, are built around corporate liability for failing to stop wrongdoing by associated persons and can include statutory defences based on reasonable or adequate procedures.
Section 250 operates differently. If a senior manager commits the underlying offence within the relevant scope of authority, the company itself can be treated as having committed that offence. There is no standalone statutory defence based simply on having reasonable procedures in place.
Governance controls still carry weight. Prosecutors will need to assess the evidence, the role of the individual, the scope of authority, and whether prosecution is in the public interest. Companies with active oversight, risk assessment, training, reporting routes, and documented escalation processes are likely to be in a stronger position when enforcement decisions are made.
The change lands during a broader tightening of corporate compliance expectations. Recent HMRC policy changes have shown the same pressure for better information, earlier visibility, and stronger internal records, particularly where tax, reporting, and governance controls intersect. Section 250 brings that discipline into a wider criminal liability setting.
The exposure cuts across sectors because it is not confined to financial crime. Manufacturers, logistics companies, technology businesses, care providers, retailers, energy operators, professional services groups, and regulated industries may all need to identify who could be treated as a senior manager and where their authority begins and ends.
That mapping exercise will not always align with formal job titles. Some people with functional responsibility, regional control, operational authority, compliance responsibility, or control over a substantial business unit may fall within the definition. Others with senior-sounding titles but limited decision-making authority may sit outside it.
Delegation also becomes more consequential. Modern companies often operate through matrices, shared services, subsidiaries, outsourced providers, and regional management layers. Criminal attribution risk now requires a clearer understanding of who makes decisions in practice, who approves activity, and who may create exposure through apparent authority.
Board risk registers may need to be updated alongside training programmes, investigation procedures, whistleblowing systems, environmental controls, data handling processes, health and safety governance, and approval thresholds. The question is no longer limited to whether a company can prevent fraud, bribery, or tax evasion. Senior decision-makers may now create criminal exposure across a far wider range of operational activity.
Uncertainty will remain until the courts begin testing the provision. Future cases are likely to examine what counts as a substantial part of a business, how apparent authority operates in practice, and how far companies can be liable where a senior manager acted contrary to internal policy.
Waiting for case law would leave companies exposed. Section 250 makes criminal liability a wider governance concern, requiring immediate attention to senior manager populations, authority structures, supervision records, and control frameworks across the full range of offences that could now carry corporate consequences.
You must be logged in to post a comment.