Beyond the Directing Mind – How the UK Crime and Policing Act 2026 Rewrites Corporate Criminal Liability

On June 29, 2026, the Crime and Policing Act 2026 (the CPA) came into force. Its central reform, in section 250, is clear and far-reaching: if a senior manager of your organisation commits any criminal offence under UK law within the scope of their authority, the organisation commits that offence too. There is no defence of having reasonable prevention procedures in place.

The CPA repeals sections 196 to 198 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA), removing the earlier senior manager attribution test which was limited to a defined list of economic crime offences. The new regime is unrestricted as to offence category: fraud, bribery, data protection, health and safety, environmental law, modern slavery, competition law - and any other offence under UK criminal law - now fall within its scope. Section 250 does not repeal the common law identification doctrine, which continues to operate as a parallel route to corporate liability.

The practical consequences extend to corporate resolutions under the deferred prosecution agreement (DPA) regime, which remain available only for offences specifically listed in Schedule 17 to the Crime and Courts Act 2013. For the many offences newly captured by section 250 that do not appear on that list, an organisation faces a binary outcome - conviction or acquittal, with no middle path. There is one statutory exception: an organisation is not liable where all the conduct constituting the offence occurs outside the United Kingdom and the organisation would not itself commit that offence.

This article explains how the law changed, who is caught, and what your organisation needs to do. Organisations with senior managers operating under UK law should treat a review of their compliance frameworks, senior manager mapping, and incident response protocols as an immediate priority.  

Traditional Position: The Identification Doctrine

Historically, English law attributed criminal liability to an organization only where the offending person was the “directing mind and will” - established in Tesco Supermarkets Ltd v Nattrass [1972] AC 153 - meaning only individuals at the very apex of the corporate hierarchy could render the company criminally liable. In Serious Fraud Office v Barclays [2018] EWHC 3055 (QB), both Jay J and Davis LJ declined to attribute the conduct of individual executives to Barclays, holding that those executives lacked authority to act independently of the board. The case exposed the doctrine’s inadequacy in large, complex organizations and generated sustained pressure for reform.

ECCTA: Senior Manager Test for Economic Crime

Section 196 of ECCTA introduced a senior manager attribution test for specified economic crime offences. A company was criminally liable where a “senior manager” - defined as an individual who plays a significant role in managing or organizing the whole or a substantial part of the body corporate’s activities - acting within the actual or apparent scope of their authority, committed a relevant offence. The test captured a wider pool than the directing mind doctrine, including divisional heads, regional directors, and chief compliance officers, but was limited to bribery, fraud, money laundering, and financial sanctions. The CPA repealed sections 196 to 198 of ECCTA and replaced them with a universal regime from June 29, 2026. Conduct prior to that date continues to be assessed under the ECCTA framework.

The New Universal Test: What Section 250 of the CPA Actually Does

The Central Reform

Section 250 extends corporate criminal liability further than any preceding reform. Where a senior manager of a body corporate or partnership commits any criminal offence under the law of England and Wales, Scotland, or Northern Ireland within the actual or apparent scope of their authority, the organisation also commits that offence. Section 250 operates alongside the common law identification doctrine. Subject to the territorial exception in section 250(2), it covers the full spectrum of UK criminal law: fraud, bribery, money laundering, data protection offences under the Data Protection Act 2018, computer misuse under the Computer Misuse Act 1990, health and safety violations, environmental offences, modern slavery and human trafficking, and competition law breaches.

The Senior Manager Concept

The CPA retains the functional, role-based definition of “senior manager” from ECCTA, capturing those responsible for key operational areas – finance, legal, technology, operations, compliance, risk – regardless of board membership. Job titles are not determinative: a “Head”, “Director”, or “Vice President” of a major function may satisfy the test. The definition's application to large matrix-managed groups will be tested in the courts, but organizations should not wait for judicial clarification — the sensible course is to map senior manager exposure now, based on actual functional scope, and document the analysis.

For multinational groups, the mapping exercise must extend beyond the UK entity. A senior manager of an overseas parent who plays a significant role in managing UK operations may satisfy the definition even if employed by and located outside the UK — for example, a regional chief executive in continental Europe controlling UK compliance protocols, a global head of finance approving UK accounts from New York, or a Singapore-based chief data officer setting data processing policy for the whole group. Each may, depending on the facts, bring their employing or parent organization within section 250.

Actual or Apparent Scope of Authority

The senior manager must be acting within the actual or apparent scope of their authority when the offence is committed. It is not necessary that the specific wrongful act was itself authorised - it is sufficient that the act was of a type that the senior manager was authorised to undertake, or which would ordinarily be undertaken by someone in that position. The “apparent” limb extends liability beyond formally sanctioned conduct: a finance director who falsifies accounts, a data officer who unlawfully processes personal data, or a commercial director who makes corrupt payments may each satisfy the test. Conduct with no connection to the senior manager’s responsibilities is less likely to be captured. There is no requirement that the offence be committed to benefit the organisation, in contrast to the failure to prevent fraud offence under ECCTA.

No “Reasonable Prevention Procedures” Defence

Under the failure to prevent offences of bribery, facilitation of tax evasion and fraud, set out respectively in the Bribery Act 2010, Criminal Finances Act 2017 and ECCTA, an organisation can avoid conviction by demonstrating it had “adequate” or “reasonable” prevention procedures. As the CPA does not introduce an extension of the failure to prevent model, no equivalent defence exists under section 250. The only statutory exception is territorial: an organisation does not commit the offence where all relevant conduct occurs outside the United Kingdom and the organisation would not itself commit the offence if that conduct were attributed to it rather than to the senior manager.

Compliance is not irrelevant. Prosecutors must apply the public interest test before charging, and an organisation that demonstrates genuine commitment to preventing criminal conduct will be better placed to argue prosecution is not in the public interest. At sentencing, an unlimited fine applies calibrated by culpability - from A (systemic offending) to C (controls in place but the individual acted in breach) - and harm under the Sentencing Council’s Definitive Guideline. An organisation with a genuine and effective compliance framework will be in a materially stronger position on both assessments.

For the priority steps your organisation should take - including guidance on senior manager mapping, compliance framework review, and incident response - please contact our London Enforcement and Investigations team.

Read more analysis of the implications of the UK Crime and Policing Act 2026 via the News & Insights tab below.