Crisis Management and Investigations Circular – Issue 2 - June 2026

Clear-cut insights and horizon-scanning for businesses and their advisors

Overview

Welcome to the second edition of Travers Smith's Crisis Management and Investigations Circular, providing a bite-size round-up of recent developments in the world of crisis management and investigations.

In this edition, we will cover:

  1. the Crime and Policing Act 2026, the Act's expansion of corporate criminal liability and what it means for businesses;

  2. the Government's new Anti-Corruption Strategy;

  3. the SFO's recent activities, including what its Business Plan for 2026-27 tells us and key takeaways from the SFO's first DPA in four years;

  4. the Competition and Markets Authority's increasing use of AI to detect competition and consumer law infringements;

  5. product recalls — a practical Q&A for businesses; and

  6. key employment law developments in the world of crisis management, including the opening of the Fair Work Agency and restrictions on NDAs.

The quarter in the round

The CPA 2026: a new era for corporate criminal liability

From 29 June 2026, section 250 of the Crime and Policing Act 2026 ("CPA") extends the reformed identification doctrine to all criminal offences. This means that an organisation can be liable where a "senior manager", acting within the actual or apparent scope of their authority, commits any criminal offence. This builds on, and replaces, sections 196-198 of the Economic Crime and Corporate Transparency Act 2023 ("ECCTA"), which applied this attribution mechanism only to economic crime.

The breadth of the CPA exposes organisations to an elevated risk of criminal liability, effectively rendering them directly liable for the criminal actions of management. Organisations must therefore ensure that their crisis response protocols and investigation and escalation processes reflect this new reality. In particular:

  • Identify who constitutes a "senior manager": assess who within the organisation would be deemed a senior manager for the purposes of the CPA (broadly, a person who plays a significant role in the making of decisions about, or the managing or organising of, the whole or a substantial part of the organisation's activities) and ensure that governance, oversight, and compliance controls around those individuals are proportionate to the risk.

  • Speed and scope of investigation: early and thorough internal investigations will be essential. Delayed or inadequate internal investigations increase the risk that misconduct goes unremedied and that the organisation's post-discovery conduct is viewed unfavourably. Think about when you may need assistance from outside counsel with conducting the investigation.

  • Self-reporting and cooperation: how an organisation responds (including the quality of its investigation and engagement with authorities) may influence both the prosecutorial decision (including, where relevant, the availability of a deferred prosecution agreement, "DPA") and the court's approach to sentencing. Self-reporting is a strategic and often delicate decision.

  • Sector-specific exposure: organisations in construction, manufacturing, energy, transport and other higher risk sectors from a health and safety perspective should be particularly alert to gross negligence manslaughter being attributed via this route.

  • No reasonable procedures defence: unlike the various "failure to prevent" offences, the reformed identification doctrine does not offer a "reasonable procedures" defence. Organisations cannot therefore point to an effective compliance programme to avoid liability (albeit it will be critical to both averting issues in the first place, and as a mitigating factor in any subsequent enforcement decision).

UK Anti-Corruption Reform: the Government's Anti-Corruption Strategy

The Government has recently published its Anti-Corruption Strategy, which contains over 100 commitments aimed at reducing the harm caused by corruption, spanning expanded prosecutorial capacity, a crackdown on the enablers of corruption, consolidation of the UK's anti-money laundering supervisory regime, and the integration of AI into investigative processes.

These reforms signal a clear mandate for the UK's regulatory and law enforcement bodies to tackle domestic corruption and fraud, which points towards a more demanding domestic enforcement landscape, particularly for businesses operating in at-risk sectors. Several of the Strategy's specific commitments have direct implications for how organisations should approach compliance, self-reporting, and internal investigations:

  • Self-reporting and cooperation: the Strategy includes a commitment to clarify and strengthen incentives for self-reporting by corporates through the implementation of the SFO’s External Guidance on Corporate Co-operation and Enforcement (April 2025) and the Joint SFO-CPS Corporate Prosecution Guidance (August 2025) (Commitment 2.3.5). This signals that the Government views this guidance as integral to its anti-corruption objectives, and early, voluntary disclosure can influence whether a prosecution is brought and whether a DPA is offered.

  • Compliance as a shield, but only if effective: the Strategy commits to "expand[ing] the SFO's crime prevention capability to support companies in strengthening their protections against bribery and corruption" (Commitment 2.3.2). To this end, the SFO has confirmed that it will look behind policies to assess whether procedures translate into "conduct on the ground." A compliance programme that is merely a paper exercise will not satisfy the "reasonable procedures" or "adequate procedures" defence to the failure to prevent fraud and bribery offences respectively, for example.

  • AI-accelerated investigations: the Strategy commits to speeding up the SFO's investigations, through a more efficient investigative process and the use of artificial intelligence and machine learning (Commitment 1.1.9) and to pilot an AI corruption investigation assistant for regional and local forces (Commitment 1.1.10). For businesses, this means that investigations are likely to become faster and more data-intensive, increasing the premium on early cooperation and the maintenance of accessible, well-organised records.

Spotlight on the SFO

The two key developments to flag in this edition are, first, the SFO's Business Plan for 2026-27, which signals continuity but with a sharper operational focus, and, secondly, the SFO's first DPA in four years.

2026-27 Business Plan

In the inaugural edition of the Crisis Management and Investigations Circular, we reflected on the uncertainty surrounding the SFO following Nick Ephgrave's unexpected resignation and considered what might come next for the agency. The SFO's Business Plan for 2026-27, published in April, provides some early answers.

Graham McNulty, the SFO's interim Director, confirms in the Foreword to the Business Plan that the agency will continue to "build on the firm foundations Nick leaves behind" and maintain focus on "intelligence-led investigations, innovative, modern tools and effective disclosure".

The Business Plan contains three themes which signal a sharpening of the SFO's approach:

  • Proactive intelligence and earlier intervention: the SFO will invest in proactive intelligence capabilities to "strike earlier", using automation, AI and big data to track suspects and suspicious activity.

  • Leveraging technology: the Business Plan commits to "mainstreaming" Technology Assisted Review, launching an "AI roadmap", implementing the SFO's first case management system, and developing cryptoasset investigation capabilities. The emphasis on eDiscovery reform is unsurprising given the disclosure failures that plagued Ephgrave's tenure. This aligns with the emphasis placed on AI in the Government's wider anti-corruption strategy, discussed above.

  • International ambition: the SFO will host an international economic crime conference bringing together law enforcement and prosecution agencies "from across the world for the first time".

So, what does this mean for businesses? The Business Plan's commitment to a "prevention programme" – providing businesses with "the tools and incentive to prevent bribery and corruption" – echoes the carrot-and-stick approach familiar from the DPA regime. Corporates should take note: an SFO that moves faster, leverages technology, and invests in intelligence could lead to a more active and aggressive enforcement landscape, which in turn means it will be even more important for companies to keep pace with their own compliance frameworks.

DPA with Ultra Electronics

On 1 May 2026, the SFO entered into a DPA with Ultra Electronics Holdings Ltd (UEH) – a British defence company – in relation to failure to prevent bribery in connection with three public sector contracts where local agents engaged by UEH to help secure the contracts were suspected of having paid bribes to public officials. These included a contract worth up to £200 million awarded by the Omani Ministry of Transport and Communications. UEH has agreed to pay a fine of £10m, plus £4.8m in respect of the SFO's investigation costs, and to enhance and report annually to the regulator on the effectiveness of its anti-bribery and compliance programme throughout the term of the DPA.

The UEH agreement may be the SFO's first DPA in four years, but it follows a familiar playbook established across the 13 DPAs agreed since the regime's introduction in 2014.

  • No individuals charged: no individuals were prosecuted in connection with the underlying bribery. This is the norm rather than the exception – to date, only one individual has been convicted in the UK in connection with conduct subject to a DPA.

  • Defence and aerospace in focus: UEH follows Rolls-Royce, Airbus and Airline Services Limited onto the list of defence and aerospace companies subject to DPAs, confirming that the sector remains an enforcement priority for the SFO.

  • Cooperation rewarded: the DPA underscores the importance of "exemplary" cooperation. While UEH had self-reported to the SFO, the agency had previously withdrawn from negotiations when it concluded the conditions for a meaningful agreement were not in place. It was only following significant changes to UEH's ownership, structure and leadership that negotiations resumed. The SFO satisfied itself that UEH's new leadership had both the willingness and the capacity to engage in good faith before talks resumed. As a result, UEH secured a 45% discount to its financial penalty.

The CMA's 2026-27 Annual Plan – use of AI in detection of competition and consumer law infringements

The CMA has published its Annual Plan for 2026-27, setting out its strategic priorities and workplan for the coming year.

The Plan makes clear that the CMA, like the SFO, is investing heavily in artificial intelligence to detect and to assist with investigations into potential breaches of competition and consumer law across industries in the UK.

The CMA plans to use tech capabilities to spot potential unlawful conduct

The CMA intends to make further investment into data analytics and AI-powered detection tools designed to flag suspicious activity at scale. The CMA will therefore be increasingly capable of uncovering potential issues itself, rather than waiting for them to be self-reported through leniency applications or disclosed by whistleblowers. This will enable the CMA to identify and start to investigate a potential competition issue before the relevant businesses are even aware that they are on the regulator's radar.

Similar AI-enabled tools have already been deployed by other competition regulators. The European Commission ("EC") recently used AI-screening tools to analyse hundreds of thousands of public statements and earnings calls to gather sufficient evidence of potential infringements to justify conducting dawn raids in the tyre sector. This case sent a clear message in the European Union, which may become increasingly relevant in the UK: public statements are potential evidence. Executives speaking on earnings calls, issuing press releases, or even signalling pricing intentions are now, in effect, providing data directly to regulators to consider. Regulators are also better placed than ever to efficiently analyse this information using their tech-forward toolkits.

While the EC deployed AI tools reactively to investigate existing concerns about competition law compliance in the tyres sector, the CMA's Annual Plan suggests that it wants to go further and use AI as a proactive detection mechanism across markets. Company competition and consumer law compliance programmes and mechanisms that focus solely on internal communications and cartel "red flags" may therefore prove to be missing crucial aspects, depending on the particularities of the relevant market and how successful the CMA's detection strategy is.

The CMA has given specific examples of where it will deploy its capabilities

The CMA has identified bid-rigging in public procurement as a priority area. The CMA will use AI and data science tools to scan bidding data at scale, identifying patterns consistent with illegal cartel activity. For this same purpose, the Spanish competition authority has deployed an AI tool known as BRAVA (Bid Rigging Algorithm for Vigilance in Antitrust) and this idea is increasingly being adopted by competition authorities worldwide.

Under the Procurement Act 2023, in addition to other penalties and consequences for breach of UK competition law, businesses found to have engaged in bid-rigging can now be placed on a central debarment register and excluded from future public tenders for up to five years. So, the stakes are high in ensuring that compliance processes for participation in public procurements are in place and effective.

The CMA has also recently confirmed that:

  • it has expertise and tooling to interrogate algorithmic pricing systems, including detailed review of source code; and 

  • it is using "agentic AI to identify potential infringements of consumer protection law across the economy".

Ensuring that compliance policies are keeping pace with technological change at the CMA

While, from publicly available information, the CMA has yet to formally launch a case detected in this way (without a disgruntled employee or customer coming forward or reporting through leniency applications), it is important that UK competition and consumer law compliance programmes be reviewed to ensure they reflect the CMA's evolving capabilities. This is particularly relevant for businesses that participate in public tenders, use algorithmic pricing tools, supply direct to consumers or operate in markets with a small number of active competitors.

Product recalls – what you need to know

Product recalls are among the most operationally and legally demanding events a business can face. Failure to react rapidly (where appropriate) to defects or concerns with a product, to investigate and understand them, and to mitigate against them can result in serious consequences. The following Q&A addresses a few of the core legal and practical questions that companies, directors, and in-house counsel frequently encounter when navigating a recall situation.

Q1. Something went wrong with one of my products. Does that mean I need to recall that product line?

A: Not necessarily. The fact that a product has malfunctioned, caused injury, or generated a complaint does not automatically trigger a legal obligation to recall. The key question is whether the product presents a risk to safety that is sufficiently serious to warrant recall action under the applicable regulatory framework. That question will depend on all the facts. Getting it right is critical, because placing unsafe products on the market in the UK is a criminal offence. Acting swiftly is also crucial – regulators take a dim view of any delays where the risks are reasonably apparent.

Q2. What are the main legal obligations that arise during a product recall?

A: This will depend on the facts, but key obligations are likely to include the following:

  • Notify the regulator, which may be local trading standards, or could be the Office for Product Safety and Standards, or a specialist regulator depending on the product in question.

  • Notify consumers, which can mean tracing sales through distributors and retailers and posting on social media, and providing means for consumers to contact the business.

  • Provide a remedy, which, depending on the nature of what's gone wrong with the product, may include refund, replacement or repair, or more than one of these options.

Q3. Are there any contractual considerations?

A: Businesses involved in a recall should review their contractual arrangements across the supply chain at an early stage. Relevant considerations include:

  • Indemnity provisions. Supply contracts may contain indemnities that allocate recall costs between parties. The scope and limitations of any such indemnity should be assessed promptly.

  • Insurance obligations. Many product liability and recall insurance policies impose notification obligations that must be complied with within defined timeframes. Failure to notify insurers promptly may prejudice coverage.

  • Retailer and distributor obligations. Contracts with retailers and distributors may impose specific requirements regarding the handling of recalled stock, consumer communications, and cost recovery.

  • Supplier obligations. Where the defect originates with a component supplier or manufacturer, the business will need to consider its rights of recourse against that party.

Q4. What can the business do to prepare?

A: Even if the business never needs it, it pays to be prepared and put a Product Safety Incident Plan in place. Best practice in the UK can be found in a free, publicly available standard, PAS 7100:2018, a government-backed Code of Practice for product safety recalls. Note that other jurisdictions may have specific requirements; for example, the EU generally requires that consumers be given a choice of remedy, whereas in the UK a single remedy will often suffice.  

Though not a fast-moving area of law, the EU has recently updated its 2001 General Product Safety Directive (now a Regulation) after more than 20 years. The UK is in the process of doing the same. Businesses should ensure that they are aware of the latest rules before the crisis hits.

Employment reforms – what crisis and investigation teams need to know

Two key developments under the Employment Rights Act 2025 ("ERA") will impact how businesses – and their legal and compliance teams – manage crises and investigations.

Fair Work Agency: open for business

As flagged in our last edition, the Fair Work Agency (FWA) officially launched on 7 April 2026 as a new consolidated enforcement body for workers' rights in the UK. The FWA brings together enforcement functions previously spread across several bodies, including national minimum wage enforcement and labour market abuse, with its remit being introduced in phases over 2026 and 2027.

The FWA signals a more proactive approach to labour market enforcement that no longer depends on complaints from individual workers. It has broad powers to investigate businesses, to enter premises, access records and request information.

On 7 April 2026, the FWA published:

In-house legal and compliance teams should put in place a protocol for responding to FWA inquiries and for training staff. Businesses should consider auditing their employment law compliance processes, including matters such as minimum wage and holiday pay compliance. Internal grievance and speak up channels should also be made accessible and visible to workers, to ensure issues are raised and can be dealt with at the earliest opportunity.  

Cracking down on NDAs and confidentiality

The Government is pressing ahead with plans to restrict the use of confidentiality provisions and non-disclosure agreements (NDAs) in harassment and discrimination cases. Under the ERA, any confidentiality provision or NDA that prevents a worker from discussing allegations of discrimination or harassment with anyone – including the employer's response – will be void. These restrictions are expected to come into effect in 2027.

The Government has launched a consultation (closing 8 July 2026) on proposed exceptions where confidentiality provisions or NDAs would be allowed, e.g. where the worker has received independent advice, has expressed their preference to enter into such obligations and there is a 'cooling off' period during which the worker can change their mind. The Government is also considering whether employers should be permitted to suggest confidentiality, or whether the initiative must come from the worker – the latter could be difficult to operate in practice.

While the proposed framework adds process to settlement negotiations, it should broadly be workable. That said, if confidentiality can no longer be readily assured, some employers may be less willing to settle discrimination and harassment allegations, placing even greater emphasis on the quality and thoroughness of any internal investigation.

These reforms should also be seen in the context of existing regulatory guidance. The SRA's Warning Notice on the use of NDAs has for some years reminded lawyers (both in-house and external advisers) of their obligations when dealing with confidentiality provisions. The SRA's 2023 Thematic Review also highlighted specific concerns about the use of NDAs in workplace complaints – including the power imbalance between employers and employees, the risk of oppressive time limits, and inadequate advice being given to workers.

Businesses, including their in-house legal and compliance teams, should maintain a close eye on developments in this area and keep their approach to confidentiality provisions and NDAs under review.
