Significant Broadening of UK Corporate Criminal Liability 

Significant Broadening of UK Corporate Criminal Liability 

Client Alert

Authors

Related Solutions

Guiding clients through high-stakes and sensitive investigations.
Multinational companies, corporate executives, high-ranking public officials and in-house counsel rely on our preeminent practice and depth of experience when facing complex and challenging criminal and regulatory investigations.

The Crime and Policing Act 2026 (CPA 2026) passed into UK law on 29 April 2026. With effect from 29 June this year, therefore, the basis on which a corporate organisation can be found criminally liable in the United Kingdom will dramatically broaden.

By extending the “senior manager” attribution test to all UK criminal offences (beyond the current narrow list of specified economic crimes such as bribery, fraud, money laundering and financial sanctions offences), the scope of conduct for which UK law enforcement agencies can pursue a corporate prosecution is materially expanded.

While the change in the law is a watershed moment for UK corporate criminal liability, making it technically easier for UK prosecutors to prosecute corporate organisations for the actions of their senior managers, significant practical and evidential challenges in bringing successful corporate prosecutions remain.

What is changing?

Until recently, UK corporate criminal liability generally turned on the common-law “identification doctrine”, under which an individual’s conduct and state of mind could only be attributed to a corporate organisation if the individual constituted the organisation’s “directing mind and will”.

In large organisations with diffuse and devolved decision‑making, this proved to be a problematically high bar to clear, making it difficult to secure corporate convictions.

Section 196 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) modified the corporate criminal attribution rules for certain economic offences, allowing a corporate organisation to be liable where a senior manager commits an offence while acting “within the actual or apparent scope of their authority”. CPA 2026 extends that senior manager attribution test beyond the list of specified economic offences, applying it to all UK criminal offences.

The statutory concept of “senior manager” is functional rather than title‑based. It captures individuals who play a significant role either in decision‑making about how the whole or a substantial part of an organisation’s activities are managed or organised, or in the actual managing or organising of those activities. In practice, that category can extend beyond the board of directors.

Why this matters

CPA 2026 expands the circumstances in which criminal conduct can be attributed to a corporate organisation by widening both the category of individuals whose conduct may be attributed and the range of offences to which that attribution principle applies. These are the key points for companies to note:

  • Attribution via the senior manager test now applies to all UK criminal offences, not only the specified economic offences captured by ECCTA.
  • Unlike with “failure to prevent” offences, senior manager attribution is not confined to misconduct that benefits the organisation; indeed, there is no legal restriction on a corporate prosecution being brought where the organisation is harmed or is the victim of the offending.
  • There is no equivalent statutory “reasonable procedures” or “adequate procedures” defence available to corporate organisations as there is with the failure to prevent offences.
  • There is no large-company threshold for in-scope organisations as there is with the failure to prevent fraud offence.
  • The reforms target conduct not only within a senior manager’s actual authority but also within their apparent authority. Companies may face difficult questions about how decisions are taken in reality and who is treated as empowered to act, beyond what is formally presented in reporting lines, job descriptions and governance arrangements.
  • No changes have been made to the separate legislative regime governing the availability of deferred prosecution agreements (DPAs), meaning that DPAs are not available to UK law enforcement agencies to resolve criminal investigations into all the same criminal offences that will be covered by the extended senior manager test. The unavailability of a DPA is a significant factor when an organisation is deciding whether voluntarily to self-report and to engage and cooperate fully with the authorities after becoming aware of potential wrongdoing involving the newly in-scope offences.

Why challenges remain in bringing successful corporate prosecutions

CPA 2026 undoubtedly makes it technically easier for UK law enforcement agencies to attribute a much broader range of criminal conduct to organisations.

Among the newly in-scope offences, the increased risk of corporate prosecution under the new senior manager test is most obviously acute in respect of offending under the Data Protection Act 2018 (e.g. unlawful obtaining/disclosure/retention of personal data, and altering or concealing information to prevent disclosure to a data subject) and the Computer Misuse Act 1990 (e.g. unauthorised access to computer material, and unauthorised acts causing or creating risk of serious damage).

However, practical evidential challenges in bringing successful corporate prosecutions under the revised test remain, as below.

  • The new senior manager test remains untried in this context. It still targets a relatively small cohort of individuals, and its application will remain fact-specific, particularly in large, complex organisations. Prosecutors can anticipate significant fact and expert evidence being adduced by corporate defence teams going to the contemporaneous documented evidence of formal authority, governance matrices, and delegation and escalation frameworks.
  • While objectively broader than the previous “directing mind and will” test, the senior manager test retains inherently elastic definitions in respect of both the “seniority” and the “authority” limbs that risk unwelcome uncertainty and evidential difficulty for prosecutors.
    • With regard to the seniority limb, the prosecution is required to establish that the individual played a significant role in making decisions about how the whole or a substantial part of the organisation is to be managed or organised.
    • With regard to the authority limb, there is no settled test for when an employee is acting “within the actual or apparent scope of their authority”. In practice, the analysis is likely to focus on whether the conduct was of a kind the individual was empowered to undertake on the organisation’s behalf, even if carried out unlawfully. That analysis is most naturally engaged in respect of economic offences, where the alleged offending arises out of routine business processes performed dishonestly. By contrast, it will rarely be plausible to characterise conduct that might amount to crimes involving violence, drugs, offences against property or sexual offences as falling within a senior manager’s actual or apparent authority.
  • Even where the evidence presents a realistic prospect of conviction, prosecutors are still bound to satisfy themselves that the second limb of the Full Code Test is met, namely that prosecuting the organisation is in the public interest. Factors such as the absence of any intended or actual benefit to the organisation (or a clear corporate harm-avoidance motive) and individual conduct which is concealed from the organisation and prohibited by corporate policy will weigh against a corporate prosecution’s being in the public interest, particularly where culpability is better characterised as individual misconduct by a rogue employee, for example, rather than organisational failure.

What should organisations be doing?

A measured and thoughtful refresh of an organisation’s compliance, governance, controls and training is essential, guided by an updated risk assessment to identify the areas of the business where senior individuals could commit the newly in-scope offences during the course of their duties. Given the focus on actual and apparent authority, organisations should review delegation matrices, approval rights, committee terms of reference and job descriptions to ensure that they reflect how decisions are taken in practice. Training should not be limited to economic crime risks. Senior managers and those supporting them need to understand that organisational exposure may arise across a broader range of offences, including information management and technology-related misconduct where relevant.

Authors

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link. (The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel