Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

UK Crime and Policing Act 2026: Implications of Broadened Criminal Liability and Practical Steps

Skadden Publication / White Collar Defense and Investigations

Jonathan Benson Andrew M. Good Vanessa K. McGoldrick Jason Williamson Alexandra Del Mastro

Executive Summary

  • What’s new: The UK government has broadened potential criminal liability for corporates so that they can be held liable for all criminal offences, and not just economic crime offences, committed by “senior managers.”
  • Why it matters: This significantly changes the circumstances in which criminal misconduct can be attributed to a company. Enforcement against companies for a wider range of criminal misconduct is likely, including in relation to environmental, data protection, sanctions, ESG and modern slavery offences.
  • What to do next: Companies should consider reviewing and, where necessary, strengthening existing policies and procedures, such as whistleblowing policies, as well as internal investigation and escalation procedures, to manage the risks associated with potential criminal wrongdoing by senior managers.

__________ 

On 29 April 2026, the Crime and Policing Act 2026 (CPA) received Royal Assent, marking the latest and most significant expansion of corporate criminal liability in the UK in recent years. This change — which will come into force on 29 June 2026 — builds on the reforms introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA) by expanding the basis for attributing criminal liability to companies for all criminal offences committed by “senior managers,” not merely the economic crimes previously in scope.

The change is likely to broaden legal, compliance and governance risk across all industry sectors, falling within the government’s wider agenda to strengthen authorities’ ability to enforce complex financial crime1 and increase accountability for large corporations.2

The Evolution of Corporate Criminal Liability in the UK

Traditionally, in the UK the attribution of criminal liability to a company for the actions of its individuals depended on the common law identification principle. Under this principle, a company could only be held criminally liable if the individual who committed the offence was sufficiently senior to be regarded as the company’s “directing mind and will.” In practice, this applied to board-level directors or those exercising ultimate control and varied case by case.

As corporate structures became larger and more complex, with decision-making spread across multiple layers of management, prosecutors found it increasingly difficult to satisfy this threshold. As a result, and following the collapse of a number of high-profile criminal corporate prosecutions, the narrow scope of the doctrine became widely criticised for being unfit for purpose in the modern corporate context.

Criminal Liability Post-ECCTA: ‘Senior Managers’

Section 196 ECCTA, which came into force in December 2023, expanded the identification principle by introducing a new statutory basis for attributing criminal liability to companies for certain economic crimes (fraud, money laundering, bribery, sanctions violations, etc.) committed by “senior managers” acting within the actual or apparent scope of their authority.

The concept of “senior manager” under ECCTA was deliberately broader than the traditional “directing mind and will” test, capturing any person who played a significant role in:

  • the making of decisions about how the whole or a substantial part of activities of a company are managed or organised, or
  • the actual management or organising of the whole or a substantial part of those activities.3

This broader definition extends beyond board members and could include, for example, divisional heads, regional leaders and senior executives.

The Crime and Policing Act 2026: What Has Changed?

Section 250 of the CPA replaces Section 196 ECCTA and extends the “senior manager” attribution model to all criminal offences, not merely economic crimes specified in ECCTA.4 This change takes effect from 29 June 2026.

Replicating the definition of “senior manager” provided in Section 196 ECCTA, the CPA provides that where such manager commits any criminal offence, the organisation will itself be guilty of that offence. This broadens the range of potential misconduct that corporates could be held accountable for through the misconduct of senior managers, including, for example, environmental, data protection, competition, modern slavery, and sanctions-related offences.

Similarly to ECCTA, in order to establish corporate liability, the relevant senior manager must be acting within the “actual or apparent scope of [their] authority” when committing the relevant offence. This does not mean that the relevant manager has to be authorised to commit a criminal offence, but simply that the act must be of a type which would ordinarily be undertaken by a manager in that position.

For example, if a CFO makes false statements about a company’s accounts, the company would be liable for this offence, as the act of making statements on financial accounts is expected within a CFO’s role.5

There are some key differences between this new offence under the CPA and other offences under which corporates can be held accountable for criminal wrongdoing. For example, unlike the separate “failure to prevent fraud” offence under ECCTA (FTP Fraud),6 the CPA:

  • Applies to companies of all sizes, and not only those that meet certain turnover or head count thresholds.
  • Does not provide a “reasonable procedures” statutory defence, meaning a comprehensive and robust compliance programme will not, on its own, necessarily prevent a company from being held liable for the offence (though it is likely to be a significant mitigating factor in determining whether any corporate prosecution is commenced).
  • Does not require the company to have benefitted from the unlawful conduct, meaning liability arises only from the actions of a senior manager.

The CPA limits the scope of the new offence, so that a company cannot be held liable where (i) the entirety of the criminal wrongdoing occurs outside the UK, and (ii) the company itself would not be deemed to have committed a criminal offence if the misconduct were its own, rather than that of a senior manager.

The Explanatory Notes accompanying the CPA make clear that this carve-out is intended to ensure that criminal liability will not attach to a company based and operating overseas for conduct carried out wholly overseas “simply because the senior manager concerned was subject to the UK’s extraterritorial jurisdiction: for instance, because that manager is a British citizen.”7

In practice, this limitation on the extraterritorial scope of the CPA offence is narrower than first appears, given that there are a number of offences that companies can be prosecuted for where the wrongdoing takes place outside the UK but there is a close connection to the UK or a UK nexus (for example, a UK-incorporated company operating overseas that is involved in a bribery or sanctions offence that takes place entirely outside the UK).

If found guilty of the CPA offence, the company will receive a criminal conviction and a fine. This will be separate and in addition to any action against the individual “senior manager” who may have also been prosecuted for the wrongdoing.

From a practical perspective, it is also relevant that for many of the new offence categories caught by the CPA, deferred prosecution agreements (DPAs) will not be available (as their use is limited to specific economic crimes),8 limiting the options for negotiated resolution and increasing the stakes of potential investigations.

The legislative expansion is a significant change to the corporate criminal liability landscape in the UK. Whilst this change expands the ability under which authorities can pursue companies, it will not necessarily resolve some of the typical challenges prosecutors face in successfully bringing a corporate prosecution.

How Can Companies Prepare?

The toolbox available to prosecutors to hold companies accountable for criminal wrongdoing has expanded: They will be able to choose between the identification principle, failure to prevent offences and updated “senior manager” offence under the CPA to tackle wrongdoing.

As the CPA has materially expanded the scope of conduct for which UK authorities can pursue a corporate prosecution, companies should consider taking proactive steps to reassess their exposure and strengthen their governance frameworks.

These steps include, amongst others:

  • Conducting updated risk assessments. Risk assessments should be updated and conducted to go beyond economic crime and cover all areas where senior managers exercise meaningful operational authority, such as environmental, data protection and supply chain risks.
  • Updating policy and procedures. Policies should be reviewed to address gaps identified in updated risk assessments based on the expanded CPA regime. In particular, companies should ensure that whistleblowing, internal investigation and escalation procedures are sufficiently robust, so as to identify potentially problematic conduct early on. Companies may also wish to revisit M&A due diligence processes, including the scope of the contractual protections sought. Governance documents, such as delegation matrices, decision-making procedures and authority frameworks, should be reviewed to ensure appropriate checks and balances are in place to mitigate against the risk of wrongdoing.
  • Strengthening staff vetting and training. As liability attaches to the conduct of senior managers, companies should enhance pre-appointment screening for senior roles and maintain ongoing monitoring. Training programmes should also be updated to ensure those in high-risk positions understand the personal and corporate risks involved.
_______________

1 Serious Fraud Office Business Plan 2026-27, page 3.

2 Policy paper, “Crime and Policing Bill: Serious Crime Factsheet,” updated 12 May 2026, page 3.

3 Under Section 196(4) of ECCTA.

4 Under Section 196(2) of ECCTA.

5 Explanatory Notes of the Crime and Policing Bill (as introduced in the House of Commons on 19 June 2025 (Bill 187)), paragraph 1444.

6 Under Sections 45 and 46 of the Criminal Finances Act 2017, which entered into force on 30 September 2017.

7 Explanatory Notes of the Crime and Policing Bill (as introduced in the House of Commons on 19 June 2025 (Bill 187)), paragraph 1446.

8 The full list of offences for which DPAs are available is specified under Part 2 of Schedule 17 of the Crime and Courts Act 2013.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP