Corporate crime and the house of cards: how one senior manager can bring the house down

Very quietly and without fanfare, the Crime and Policing Act 2026 (CPA) is about to radically reform corporate criminal risk in the UK. CPA creates the possibility that UK companies and partnerships (Organisations) will face prosecution where their senior managers commit a criminal offence. CPA both broadens the offences for which Organisations can be prosecuted to all UK criminal offences and facilitates successful prosecutions in the absence of an available statutory defence for Organisations.

A new gateway for corporate wrongdoing and the key changes and risks

From 29 June 2026, under s.250 CPA, an Organisation will commit an offence where a senior manager (someone playing a significant role in managing or organising the whole or a substantial part of the business, or in making decisions about it) commits any criminal offence under UK law within their actual (express) or apparent authority (as could reasonably be inferred from their role and the scope of their authority).

Three points are highly significant:

1. This applies to all criminal offences. CPA draws no distinction between ‘business-related’ offences and more ‘personal’ offences. It is not limited to economic crime offences (e.g. fraud, bribery, money laundering), as was the case under the Economic Crime and Corporate Transparency Act 2023.
2.  The decision as to who is a senior manager will be fact-specific, looking beyond job titles to assess managerial authority. This will not be limited to boards and statutory directors and might include: finance/HR directors, heads of legal, regional/area managers, senior account managers/project managers, and heads of business divisions. The definition is also broader than that of “senior management” under the Corporate Manslaughter and Corporate Homicide Act 2007.
3. There is no statutory defence for an Organisation, and there is no requirement for intent, reckless or negligence by the Organisation. If the senior manager commits an offence within the scope of their authority, the company commits an offence and there is no defence.

Lower threshold for prosecutions

The major risk is that, in relation to other corporate crime or “regulatory” offences, Organisations can typically rely on defences of adequate or reasonable procedures (financial crime), reasonable practicability (health and safety), or reasonable procedures and due diligence (consumer and trading law offences).

This may also lead to inconsistency of approach by regulators. By way of example, where a “senior manager” bribes another person, a company would have an adequate procedures defence if prosecuted under s.7 of Bribery Act 2010 (BA 2010), but would not have this defence if prosecuted under s.250 of CPA in respect of the same conduct by the senior manager and the relevant personal offence under s.1 of BA 2010.

Are policies and procedures still important?

It is right that the usual foundations for a legal defence, namely a suite of proportionate measures (e.g. policies, training, supervision, auditing and monitoring), will no longer provide the basis of a legal defence for offences under s.250 CPA, albeit they would still assist with defences to other regulatory offences not involving senior management.

Moreover, as a practical matter, the suite of control measures remains helpful in the face of a prosecution involving an offence by a senior manager. It is anticipated that prosecutions will be less likely where the Organisation can point to relevant policies and systems, as there will be a more limited public interest in bringing such cases. Other public-interest factors weighing against prosecution include limited harm, no benefit to the Organisation, good character, co-operation  and an effective response.

Wider range of offences

Under the CPA, Organisations could potentially face criminal liability for more “personal” individual offences by senior managers. Whilst some offences may fall outside the scope of a senior manager’s actual or apparent authority, prosecutors may be able to argue that conduct was within scope where a crime takes place in the workplace or is connected to a senior manager’s managerial function.

Prosecutions under the CPA are likely to focus on offences where (unlimited) financial penalties are possible for the individual offence; where there is significant harm, and where there were deficiencies in the company’s overarching management of the risk.

Realistic routes for corporate liability may include instances where senior managers (in their respective domains):

• trade on inside information received during the course of their job.
• ignore modern slavery crimes within subcontractors or labour providers and/or engage agents who facilitate trafficking.
• engage in bid rigging or other competition law offences.
• misuse computers or personal data.
• engage in harassment or offences against the person (e.g. assault) in the workplace or at work-related events.
• commit offences against the administration of justice, e.g. contempt of court by failing to comply with a court order or by obstructing investigators or regulators.
• commit road traffic offences when driving in connection with work (e.g. to a client event with colleagues).

What should Organisations do?

In light of the new changes, it would be advisable for Organisations to:

1. Refresh risk assessments/registers in light of the scope of CPA and map “senior managers.”
2. Ensure Directors &Officers insurance coverage is appropriate.
3. Review role descriptions, delegations of authority and governance documents to provide clarity on actual and apparent authority.
4. Enhance pre-appointment vetting and monitoring for management roles.
5. Refresh policies, training and codes of conduct to ensure those in senior positions understand both the personal and corporate risks and the mandatory behaviours.
6. Prepare/refresh internal reporting, whistleblowing and escalation policies/procedures.

If you would like to discuss further, get in touch with the regulatory team.