The Crime and Policing Act 2026 represents the most significant expansion of UK corporate criminal liability in a generation — and Section 250 comes into force on 29 June 2026. From that date, your organisation can face criminal prosecution for any offence committed by a senior manager acting within the scope of their authority, across every area of operations, not just financial crime. If you haven’t reviewed your governance structures yet, you have roughly four weeks.

INFORMD has been tracking this legislation since its Royal Assent on 29 April 2026. What follows is the executive briefing your legal and compliance teams should be walking you through this week.

What Has Actually Changed — and Why Does It Matter Now?

To understand the shift, you need to know where UK law stood before. Under the old common law “identification principle,” prosecutors could only convict a company of a criminal offence if they could prove that the individual who committed it was the company’s “directing mind and will” — typically a board-level director. In practice, this made corporate prosecutions of large, decentralised organisations extremely difficult. Decision-making spread across multiple business units meant there was rarely one person who could be said to embody the company itself.

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) began to change this by introducing a “senior manager” attribution test — but only for specified economic crimes such as fraud, bribery, and money laundering. The Crime and Policing Act 2026 (CAPA) removes that limitation entirely. Under Section 250, the senior manager attribution model now applies to all criminal offences. Health and safety, data protection, modern slavery, environmental regulation, competition law, consumer protection, employment-related conduct, sanctions breaches — every operational domain is now in scope.

According to analysis by Ashurst, the new provisions will apply to all organisations regardless of size, and there is no requirement for prosecutors to establish that the criminal conduct actually benefited the company. The threshold for establishing liability has been materially lowered.

Executive Action

• Schedule an emergency governance review before 29 June to map which individuals in your organisation could qualify as “senior managers” under the statutory definition — this extends well beyond your board.
• Brief your General Counsel and Chief Compliance Officer on CAPA’s interaction with ECCTA 2023 — Section 196 of ECCTA is repealed on 29 June and replaced by the broader CAPA regime.
• Ensure any risk assessment exercise is conducted under legal privilege from the outset, given the potential for criminal exposure.

Who Is a “Senior Manager” Under This Law?

The statutory definition of “senior manager” under CAPA is deliberately broad and mirrors the language introduced in ECCTA. An individual qualifies if they play a significant role in decision-making about how the whole or a substantial part of the organisation’s activities are managed or organised — or in actually managing or organising those activities. Job title is irrelevant. What matters is influence and responsibility.

The practical implication is that your criminal exposure does not begin and end at board level. Divisional heads, regional directors, finance leadership, compliance officers, technology and cybersecurity leaders, senior HR personnel, and operational site managers may all fall within scope. In a mid-to-large UK organisation, that could encompass scores of individuals across the business.

The “apparent authority” component of the test adds a further dimension. Even where an individual technically exceeds their internal mandate or breaches an internal policy, the organisation can face criminal liability if they appeared externally to have the authority to act as they did. This is not a technicality — it is a structural governance risk. If your delegation frameworks are unclear or if external counterparties could reasonably believe a senior manager had authority they did not formally possess, your exposure is real.

Garden Court Chambers noted in May 2026 that the breadth of the definition “creates substantial uncertainty for corporates attempting to define where criminal attribution risk begins and ends” — a view widely shared across the legal profession.

Executive Action

• Commission a mapping exercise to identify every individual who may meet the senior manager test — go at least two tiers below board level across all business units.
• Review and tighten delegations of authority documentation to ensure clarity around internal mandates, and consider whether external-facing authority signals match internal governance reality.
• For regulated firms, examine where CAPA exposure overlaps with Senior Managers and Certification Regime (SM&CR) accountability maps — these are not identical, and the gaps matter.

Why Your Compliance Programme Won’t Protect You — and What Will

This is the point that catches many senior executives off-guard. Unlike the “failure to prevent” offences under the Bribery Act 2010 and the Criminal Finances Act 2017 — where a robust compliance programme provides an affirmative statutory defence — CAPA provides no equivalent protection. There is no “adequate procedures” or “reasonable procedures” defence available under the new attribution regime. A CFO commits fraud by making false statements about the company’s financial position. The company is liable. The existence of a comprehensive compliance programme does not prevent that.

What compliance programmes can do, however, is influence the prosecutorial calculus. The Joint SFO-CPS Corporate Prosecution Guidance sets out public interest factors that weigh against pursuing a prosecution, and these include a genuinely proactive approach by management, a history of self-reporting, effective remedial actions, and the existence of a proactive and effective compliance programme. Compliance cannot insulate you from liability, but it can significantly affect whether enforcement agencies consider prosecution to be in the public interest.

The enforcement landscape will almost certainly become more assertive. The SFO, FCA, ICO, HSE, and CMA all gain new prosecutorial options under CAPA. According to legal analysis from cms.law, the reforms represent a “fundamental recalibration of UK corporate criminal liability” and signal that holding organisations accountable across the full range of criminal offences is an explicit government priority.

Executive Action

• Broaden your compliance risk assessment beyond financial crime to cover health and safety, environmental, data protection, modern slavery, employment, and regulatory reporting risks — all are now within scope.
• Update your incident escalation procedures and internal investigation protocols to quickly identify whether any subject of an investigation meets the senior manager definition — this analysis must happen immediately and under privilege.
• Enhance whistleblowing channels so that criminal risks at senior management level are surfaced and investigated promptly, since self-reporting and remedial action remain key public interest factors against prosecution.

What Boards Should Be Doing in the Next 30 Days

The 29 June commencement date is not a soft deadline. CAPA’s provisions will apply to offences committed from that date, and the regulatory appetite for using the new tools is expected to grow steadily. For FTSE-listed companies and major UK corporates, the reputational and shareholder litigation risks associated with a criminal prosecution — even one that ultimately fails — are severe. The window to act is short.

International businesses with UK operations face comparable exposure. Multinational groups operating through complex matrix structures, shared services, or cross-border reporting lines may find that UK-connected conduct exposes them to criminal liability regardless of where the entity is incorporated. The Act’s reach is broad, and overseas organisations should seek specific UK legal advice as a matter of urgency.

For non-executive directors, the question to put to management now is straightforward: who in this organisation could trigger criminal liability for the company, and what has been done to assess and mitigate that risk before 29 June? If the answer is uncertain, that is itself a governance failing.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

Does the Crime and Policing Act 2026 apply to my company if we are not in financial services?

Yes. Unlike the ECCTA 2023 provisions it replaces, CAPA applies to all organisations regardless of sector or size, and covers all criminal offences — not just economic crime. Businesses in healthcare, energy, technology, retail, construction, manufacturing, and any other sector face the same exposure as banks and financial firms. The new regime is sector-agnostic.

What criminal offences can now trigger corporate liability under CAPA?

The scope is very wide. Any criminal offence committed by a senior manager within the scope of their authority can now expose the organisation to liability. This includes data protection offences under UK GDPR, health and safety breaches, modern slavery and trafficking offences, environmental regulation breaches, competition law infringements, sanctions violations, employment-related criminal conduct, consumer protection offences, and failures to disclose knowledge of money laundering under the Proceeds of Crime Act 2002. Certain offences that specifically apply only to natural persons — such as some insider dealing provisions — may remain outside scope, but the territory is still being tested.

Can a strong compliance programme protect my organisation from prosecution under CAPA?

Not automatically. Unlike the Bribery Act 2010 and Criminal Finances Act 2017, CAPA provides no statutory “adequate procedures” defence. A strong compliance programme cannot prevent criminal liability from attaching if a senior manager commits an offence within their authority. However, it remains highly relevant: under the Joint SFO-CPS Corporate Prosecution Guidance, a genuinely proactive compliance programme is a factor weighing against prosecution in the public interest assessment. It may also be relevant to sentencing. The message is to maintain strong compliance not because it provides a legal shield, but because it materially reduces enforcement risk.

How does CAPA interact with the Senior Managers and Certification Regime (SM&CR)?

There is meaningful overlap but they are not identical frameworks. SM&CR maps regulatory accountability to named senior managers in regulated firms. CAPA’s definition of “senior manager” is broader and functional — it is about the role played in managing or organising the business, not about FCA approval status. A firm could face CAPA exposure from an individual who is not an FCA Senior Management Function holder but who exercises sufficient managerial authority in practice. Regulated firms should review both frameworks together rather than assuming SM&CR coverage adequately maps criminal exposure under CAPA.

Stay ahead. Subscribe to INFORMD’s executive briefing at informd.co.uk/services.