June 2026 saw a fundamental change to the way in which prosecutions can be pursued against organisations and large corporates. Prosecutors can more readily attribute criminal conduct to organisations where offences are committed by senior managers acting within the scope of their authority.

This significantly increases the risk of corporate prosecution across a wide range of regulatory offences, including health and safety, environmental and data protection. Here, we examine the changes introduced by the Crime and Policing Act 2026 and what organisations must do to mitigate the associated risks.

  • What is the Crime and Policing Act 2026?

    Receiving Royal Assent on 29 April and enacted on 29 June 2026, the Crime and Policing Act 2026 (‘the CPA 2026’) has been established to rebuild public trust in policing and ensure that the police and the courts have the powers necessary to tackle serious and organised crime.

    Whilst the CPA 2026 includes provisions on numerous types of crimes, including sexual offences, criminal exploitation and stalking, its “provision about the criminal liability of bodies” is particularly relevant for organisations, as it represents a fundamental change to how corporate conduct will be regulated in the UK.

    This is largely due to its reform of the ‘identification doctrine’, the mechanism by which the actions of an individual contribute to the criminal liability of a corporate entity.

  • What is the identification doctrine?

    Historically, corporate criminal liability has often depended on the common law “identification doctrine”. Under that doctrine, prosecutors generally had to show that the individual who committed the offence represented the company’s “directing mind and will”.

    Whilst this is relatively straightforward to establish in small or micro businesses with simple hierarchical structures, it becomes more problematic when applied to modern, complex corporate structures, such as those of large, multi-national organisations. This is because decision-making and direction are often shared across business units, committees and management structures.

    As a result, prosecutors could face real difficulty attributing criminal conduct to a large corporate, even if an individual has significant authority within one unit or department of that organisation. This creates an uneven playing field between large organisations and small businesses, as it is often easier to pursue prosecutions for corporate criminal liability against the latter.

  • How did ECCTA change the identification doctrine?

    The introduction of the Economic Crime and Corporate Transparency Act 2023 (‘ECCTA’) began to address that issue by introducing a broader attribution test for certain economic crimes.

    Under section 196 of ECCTA, an organisation could now be held criminally liable for certain offences committed by a senior manager whilst acting within their actual or apparent authority. Those offences included areas such as fraud, bribery, false accounting, money laundering and sanctions related offences. 

    The key development was the move away from the narrower “directing mind and will” test towards a broader “senior manager” test. That test focuses on the substance of an individual’s role and influence within the organisation, rather than their job title alone.

    However, ECCTA was limited. It only applied to specific economic crime offences. The Crime and Policing Act 2026 now goes considerably further.

    You can read more in-depth discussions on ECCTA and its implications for businesses via our dedicated web page here.

  • What does the CPA 2026 change?

    The CPA 2026 aims to extends the senior manager attribution model across the wider criminal law.

    Section 250 of the CPA 2026 introduces this change, stating that, “where a senior manager of a body corporate or partnership (“the organisation”) acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence.” This means that the circumstances in which organisations may face criminal liability has been significantly widened. 

  • What is a ‘senior manager’?

    The CPA 2026 adopts the definition of a senior manager as set out in the Corporate Manslaughter and Corporate Homicide Act 2007.

    This covers anyone who has a significant role in “the making of decisions about how the whole or a substantial part of its activities are to be managed or organised” or who is responsible for “the actual managing or organising of the whole or a substantial part of those activities.”

    Importantly, this is a functional test. It is not limited to statutory directors, board members or those with ‘chief’ in their job title. The assessment will be fact specific, with key questions being what the individual actually does, the authority they exercise, and the significance of the area of the business they manage.

    The senior manager does not need to have been authorised to commit a criminal offence. The relevant question is whether the conduct was carried out while the individual was acting within the actual or apparent scope of their role.

    Unlike the ‘failure to prevent’ offences under the Bribery Act 2010 and ECCTA, s.250 of the CPA does not create a defence based on having “reasonable” or “adequate” procedures in place.

    Under section 250 of the CPA 2026, an organisation can only avoid corporate criminal liability if “all of the conduct constituting the offence occurs outside the United Kingdom” and “the organisation would not commit the offence if that conduct were the organisation’s (rather than the senior manager’s).”

What should businesses do now?

Although demonstrating that procedures are in place to prevent offences is not a formal defence under the CPA 2026, it is still important to assess the risks and identify policies and procedures that can help to mitigate these risks at both an individual and an organisational level.

Organisations should start by:

  • identifying individuals within the business who may meet the definition of a senior manager and ensuring they are fully aware of their roles and responsibilities;
  • examining how authority is delegated within teams and units, as well as assessing the effectiveness and clarity of reporting and governance structures;
  • reviewing whether any policies, procedures and compliance frameworks established under ECCTA can be extended or applied to other kinds of offences, beyond economic crime;
  • updating training for all senior managers, covering the new threshold and how this impacts their role, as well as highlighting relevant company policies;
  • reviewing and strengthening internal reporting procedures, such as whistleblowing policies, internal investigations, and record-keeping.

Under the CPA 2026, organisations could face liability even if a senior manager exceeded their actual or apparent authority, or breached internal policies and procedures, when committing the offence.

Nevertheless, clear and comprehensive training, record-keeping, documentation and due diligence remain crucial to reducing the risk of illegal activity by individuals within the organisation. They may also help to reduce the severity of sentencing where an organisation is found criminally liable, which could include an unlimited fine in the most serious cases.

Proactivity is the key to meeting these challenges. Our regulatory specialists can help organisations to assess their risk profile, identify individuals who may fall under the definition of a ‘senior manager’ and examine current policies and procedures to ensure they effectively manage the new risks introduced by the CPA 2026.

Contact an expert

To discuss any of the issues in this article, get in touch with a member of our expert team.

Read more about Contact an expert