The Crime and Policing Act 2026: From Theory to Exposure

This article provides worked examples and steps your organisation should consider now that the Crime and Policing Act 2026 (the CPA) has come into force. The following case studies illustrate the practical reach of section 250 across three scenarios: a UK technology company whose CTO commits computer misuse and data protection offences; a listed manufacturer whose Head of Procurement engages in cartel conduct; and an overseas fund manager with no UK establishment that nonetheless falls within the attribution test. In each, the absence of any reasonable procedures defence is in play - and in the third, the extraterritorial reach of section 250. The contrast with the failure to prevent framework, where an affirmative defence remains available, runs through all three.

Case Study 1: The Breadth of Relevant Offences

Key takeaway: Section 250 captures the full spectrum of UK criminal offences - not only fraud and bribery. Computer misuse, data protection, and other regulatory offences that have no failure to prevent equivalent now generate automatic corporate liability where a senior manager is the wrongdoer.

Axiver Technologies Ltd is a mid-sized UK-incorporated technology company providing cloud-based HR software. Its Chief Technology Officer (CTO) - a senior manager within the meaning of section 250 - discovered that a competitor had obtained Axiver’s proprietary source code. Without board authorization, the CTO directed a team to access the competitor’s systems remotely and extract commercially sensitive data. The operation involved unauthorized access to the competitor’s servers located in the UK.

The CTO’s conduct constitutes multiple offences: unauthorised access to computer material under section 1 of the Computer Misuse Act 1990, and - where personal data relating to the competitor’s employees is extracted - unlawful obtaining of personal data under section 170 of the Data Protection Act 2018. Neither offence falls within the scope of any failure to prevent regime, but both are criminal offences under the law of England and Wales.

Under section 250, Axiver’s liability is automatic. The CTO was acting within the actual scope of their authority - directing the technical team to investigate a security breach is of a type that a CTO would ordinarily be authorised to undertake. There is no statutory defence: the quality of Axiver’s cyber-security governance and data protection program are irrelevant to guilt, though they will be central to the public interest assessment in determining whether to prosecute and, if the matter proceeds, to sentencing.

Case Study 2: A Range of Senior Managers

Key takeaway: Senior manager status turns on functional responsibility, not board membership. A divisional or function head who controls a substantial part of the business - and whose conduct falls within that mandate, however criminally executed - will satisfy the attribution test. Offences such as cartel conduct, which rarely generated corporate prosecutions under the old regime, now fall squarely within section 250.

Trentholm Group plc is a UK-listed manufacturer and distributor of consumer products. Its Head of UK Procurement - who has no seat on the board but is responsible for managing procurement across a substantial part of the company’s UK operations, with authority to negotiate and execute supply contracts up to a defined value - enters into arrangements with counterparts at two competing distributors to divide geographic markets and fix resale prices for a category of household products in the UK.

The arrangements constitute cartel conduct contrary to section 188 of the Enterprise Act 2002 - a criminal offense carrying up to five years’ imprisonment. The Head of UK Procurement has no board seat, but their role is functional and managerial: they make decisions about how a substantial part of Trentholm’s procurement and distribution activities are managed and organized, with authority to bind the company to supply arrangements. They satisfy the senior manager definition in section 250.

The cartel conduct was carried out within the scope of the Head of UK Procurement’s authority. The authority to negotiate supply arrangements does not extend to price-fixing, but the conduct was of a type ordinarily undertaken by a person in that position - even though the manner of its execution was criminal. The Competition and Markets Authority refers the matter to the Crown Prosecution Service. Trentholm is attributed with criminal liability under section 250 and faces prosecution. No statutory defense is available.

Case Study 3: Overseas Company with a UK Nexus

Key takeaway: Section 250 applies to any body corporate, wherever incorporated. An overseas organisation with no UK subsidiary, branch, or regulatory authorisation is nonetheless within reach where its senior managers commit an offence under UK law in the course of their authority. For foreign-incorporated entities with UK-directed activity, the absence of a deferred prosecution agreement (DPA) pathway for most CPA offences makes early legal advice and coordinated cross-border strategy essential.

Elsinore Capital Partners SA is a private equity fund manager incorporated in Luxembourg, with no UK subsidiary and no UK registration or authorization. However, Elsinore manages a portfolio including three UK-incorporated operating companies, and its senior management team regularly conducts due diligence meetings and investor presentations in London, participates in UK deal processes, and makes investment decisions directly affecting its UK portfolio companies.

Elsinore Capital’s Managing Partner - responsible for all investment decisions and portfolio oversight - approves a private placement memorandum to prospective UK investors containing materially false statements about the fund’s UK portfolio performance, knowing the statements to be false. The conduct constitutes fraud by false representation under section 2 of the Fraud Act 2006. The false representations are made to persons in the UK and intended to induce investment. UK criminal law applies on an established extraterritorial basis.

Elsinore Capital has no UK incorporation, branch, or regulatory authorisation - but that does not place it outside the reach of section 250. The CPA applies to any body corporate, wherever incorporated. The Managing Partner satisfies the senior manager definition, being responsible for the whole of Elsinore Capital’s investment activities. The offence was committed within the actual scope of their authority: approval of investor materials falls squarely within the Managing Partner’s defined role. Section 250 attribution therefore applies to Elsinore Capital.

The Serious Fraud Office commences an investigation. Elsinore Capital faces the full exposure of a UK corporate prosecution - including an unlimited fine on conviction - despite being a foreign-incorporated entity with no formal UK establishment. Elsinore also falls within the failure to prevent fraud regime under section 199 of the Economic Crime and Corporate Transparency Act 2023, but, unlike that regime, section 250 provides no reasonable procedures defence. Parallel regulatory enforcement by the Information Commissioner’s Office, Financial Conduct Authority or other specialist regulators may compound both financial and reputational exposure.

Taken together, these three examples illustrate the full breadth of section 250’s reach: it captures offences across the entire spectrum of UK criminal law; it attributes liability based on a senior manager’s functional role and decision-making responsibility; and it applies to overseas organisations with no UK establishment where their senior managers have UK-law exposure.

For the priority steps your organisation should take - including guidance on senior manager mapping, compliance framework review, and incident response - please contact our London Enforcement and Investigations team.

Read more analysis of the implications of the UK Crime and Policing Act 2026 via the News & Insights tab below.