The Crime and Policing Act 2026: Expanding Corporate Criminal Liability Beyond Economic Crime

Section 254 of the CPA ("Section 254") provides that where a senior manager of a body corporate or partnership commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation also commits the offence. It repeals sections 196–198 of the ECCTA, which had established a statutory attribution mechanism for economic crimes only, and replaces it with a single provision applying to all criminal offences. Section 254 will come into force on 29 June 2026.

The provision does not replace or amend the common law identification doctrine (i.e. the mechanism by which English law would generally hold corporates liable – this is highly complex but effectively requires a degree of board level complicity for liability of the corporate to arise) but provides a new statutory route to corporate liability for all offences. The Government confirmed during a Commons debate on 29 April 2025 that the identification doctrine "was never intended as an economic crime-only regime" and that the CPA ensures "businesses cannot continue to avoid liability where senior management have clearly used the business to facilitate or conduct crime."

The precise boundaries of this formulation remain untested, and the development of case law is likely to be significant in determining its scope, including whether offences committed against the organisation by a senior manager (such as theft or fraud targeting the company itself) fall outside its reach.

One of the most striking features of Section 254 is its breadth. The provision is not limited to any defined category of offence, meaning that it could in principle extend corporate liability to any criminal offence in which senior managers are complicit, including those not traditionally capable of being committed by a corporate entity.

Based on the Government's stated policy objectives, the intent appears directed primarily at making it easier to prosecute offences such as manslaughter, or situations where an individual uses the organisation in some way to facilitate criminal conduct, rather than fixing organisations with liability for inherently personal crimes. Organisations should however be alert to the possibility that a wide spectrum of conduct, some of which is not traditionally associated with corporate liability, may give rise to criminal exposure at the organisational level. There can also be a ripple effect of this change, as once a reasonable suspicion of criminal liability being affixed to the corporate arises, then any connected revenues of the corporate may be deemed 'proceeds of crime': causing various additional duties and complications to arise under money laundering regulations (notwithstanding than an enforcement may not have arisen or even be likely).

The defences available to a corporate under Section 254 are much more limited than under previous statutory regimes. Unlike the failure to prevent fraud offence under section 199 of ECCTA, there is no defence for "reasonable procedures" available to a company which is being held liable pursuant to the concept established by Section 254.

The provision is subject to a narrow territorial exclusion only – an organisation will not be liable where both of the following conditions are met:

1. "all the conduct constituting the offence occurs outside the United Kingdom"; and 

2.  "the organisation would not commit the offence if that conduct were the organisation's (rather than the senior manager's)".

This would only apply for crimes that are already subject to extra-territorial jurisdiction. By way of example, if a senior manager of a UK company commits bribery outside the United Kingdom and UK law does not extend to that conduct when attributed to the organisation directly, then the statutory exclusion may operate to prevent prosecution of the company. However, if the individual was a senior manager of a UK company and was involved in bribery in a way which would be a criminal offence under UK law if attributed to the organisation directly, then the defence would not apply to the company, and it may be criminally liable under the CPA.

In practice, this means that where a senior manager commits a criminal offence within the scope of their authority, the organisation may be fixed with liability for that offence – irrespective of any preventive measures the organisation may have had in place. While this is not 'strict liability' in the traditional sense (the underlying offence must still be proved against the senior manager, including where applicable any requisite mental element), the absence of any corporate-level defence is a significant shift.

The CPA does not exist in isolation. It forms part of a broader legislative architecture for corporate criminal liability that now includes:

• Failure to prevent offences – including failure to prevent bribery (Bribery Act 2010), failure to prevent facilitation of tax evasion (Criminal Finances Act 2017), and failure to prevent fraud (ECCTA). These offences are wider in scope as they do not require any senior individual to be involved. However, they carry a 'reasonable procedures' defence which is not available for a Section 254 offence. Please refer to our most recent legal briefing on the failure to prevent fraud offence for more details.
  
  
• The common law identification doctrine – which continues to exist alongside the statutory route.

Prosecutors will be able to choose between these routes depending on the circumstances of the case. For compliance teams, this creates an immediate challenge: the scope of conduct requiring monitoring and mitigation is no longer confined to a statutory schedule.

Businesses should take this opportunity to review their governance structures, policies and procedures in relation to criminal risk – which, following the CPA, will extend well beyond economic crime to encompass areas such as health and safety, environmental and regulatory compliance. In particular, organisations should consider:

• Reviewing management hierarchies to better understand how a wider interpretation of 'senior management' might impact compliance and legal risk generally.
  
  
• Mapping the actual and apparent authority afforded to senior managers, to identify areas where the organisation may be exposed to liability as a result of managerial decision-making, including in operational and regulatory compliance functions, not just financial or commercial roles.
  
  
• Implementing enhanced training and oversight for senior managers, covering the full range of criminal offences for which the organisation could now be held liable under Section 254 and not limited to economic crime.
  
  
• Sector-specific exposure. Organisations in higher-risk sectors (construction, manufacturing, energy, transport) should pay attention to the potential for gross negligence manslaughter and financial crime breaches to be attributed via this route. 
  
  
• Recognising the absence of a reasonable procedures defence. While robust compliance frameworks remain important for demonstrating corporate culture and may be relevant at sentencing, they do not provide a statutory defence to liability under Section 254. But they are of course critical to help prevent the breach from arising in the first place: strong controls around recruitment of senior managers, the training they are given, and the culture in which they operate, will all be critical mitigants to the risk of corporate criminal liability arising.

The CPA represents a step change in the scope of corporate criminal liability in the UK. The absence of a reasonable procedures defence and the breadth of offences now capable of attribution to organisations mean that businesses must act now to understand and manage their exposure.

We will continue to monitor the application of the CPA as case law develops and further guidance is published. If you have any questions about how these changes may affect your organisation, please do not hesitate to contact any of the authors listed below.