For decades, corporate criminal law in the UK has substantially relied on the so-called ‘identification doctrine’ which required prosecutors to prove that the "directing mind and will" of a company was itself involved in criminal wrongdoing.
This doctrine made it notoriously difficult to hold large organisations to account for types of offences where this was the only means by which criminal liability could be established.
Parliament has now responded, decisively and in three stages culminating on 29 June, by implementing a complete overhaul and broadened the scope of corporate criminal attribution.
Three-stage law reform
Stage 1 was the Economic Crime and Corporate Transparency Act 2023 (ECCTA) which, with effect from 26 December 2023, lowered the threshold for attributing corporate criminal liability for specific economic crimes committed by senior managers.
Stage 2, also under ECCTA, with effect from 1 September 2025, was the introduction of a corporate failure to prevent offence, for specified economic crimes committed by associated persons, including all employees, agents and service providers, where there was an intention to benefit the organisation and subject to a reasonable procedures defence.
Building on earlier failure to prevent offences established under the Bribery Act 2010 and Criminal Finances Act 2017, ECCTA’s failure to prevent fraud offence dramatically broadened the net for corporate criminal liability, applying it to a wide range of dishonest and related conduct, whereas earlier failure to prevent offences had been tightly contained to underlying conduct involving corruption or the facilitation of tax evasion. The only limiter under stage 2 is that only defined types of large organisations are currently in scope.
Stage 3 under the Crime and Policing Act 2026 (CPA) was the expansion of senior manager attribution to all companies and firms for all crimes. This reform came into effect on 29 June 2026.
The ‘senior manager’ test under stage 1 and stage 3 is short and simple but challenging in application. Section 250 of the CPA provides that where a senior manager of an organisation, “acting within the actual or apparent scope of their authority commits an offence”, the organisation also commits an offence.
The test, when applied to all types of conduct, is seismic because all companies and firms are now criminally liable for any offence by a senior manager when acting within the actual or apparent scope of their authority.
There are two main issues to consider: who is a senior manager and what is meant by actual or apparent authority.
Senior manager
A senior manager is defined as any individual who either plays a significant role in the making of decisions about how the whole or substantial part of the activities of an organisation are to be managed or organised; or plays a significant role in the actual managing or organising of the whole or a substantial part of those activities.
The definition clearly includes a population of employees far wider than statutory directors and officers. Depending on the size, structure and activities of an organisation, it may capture divisional heads, country or regional managers, and other team leaders.
It is worth noting that, unlike the failure to prevent fraud offence under stage 2 – which only applies to large organisations – there is no size qualification for corporate criminal liability for senior managers.
Organisations that wish to mitigate corporate criminal risk need to assess who within their own organisations are senior managers for attributing criminal liability to the business and focus preventative measures on them.
Internal organisational structure charts which define roles as being part of senior management, job titles, and roles and responsibilities documents are relevant considerations, but they are not determinative because it is a functional test.
Regulated entities should be aware that the senior manager test under the CPA is wider than the Senior Managers and Certification Regime (SMCR) under the Financial Services and Markets Act 2000. A regulated firm should not assume that its SMCR population and a senior manager under the CPA are the same because not all senior managers perform a senior management function authorised by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA).
Actual or apparent authority
The explanatory notes to both the Crime and Policing Bill and to ECCTA state: “The senior manager must be acting within the actual or apparent scope of their authority. This does not mean that the senior manager must have been authorised to carry out a criminal offence. It would be enough that the act was of a type that the senior manager was authorised to undertake or which would ordinarily be undertaken by a person in that position.”
They provide an example, if, for instance, a chief financial officer (CFO) commits fraud by deliberately making false statements about a company’s financial position, the company would then be held liable “since the act of making statements about the company’s financial position is within the scope of that person’s authority”.
When applying this in practice, the circumstances of the offending are likely to be critical. For example, was the criminal offence done by the senior manager during a task or activity that the senior manager had actual or apparent authority to do?
An interesting question also arises as to whether a corporate could do something with its compliance response to this law, to expressly prohibit a senior manager from doing certain acts. Such a response will likely only partly mitigate risks and, at its highest, might enable a defence that an act was not within a senior manager’s actual authority.
However, this does not deal with the risk of criminal acts being committed during a senior manager’s otherwise authorised activities: in other words, their day-to-day role. Further steps will also be needed to address the apparent authority limb of the test, which does not turn on what a senior manager has been expressly authorised to do or not.
Enforcement risk
The UK’s Serious Fraud Office (SFO) and the Crown Office and Procurator Fiscal Service (COPFS) in Scotland have published new policies aimed at corporate cooperation and self-reporting.
Over the past 12 months, the SFO has announced several investigations of companies and has made multiple public remarks about the significance of these new offences to its ability to prosecute companies.
At the Global Anti-Corruption, Ethics and Compliance Conference held in New York in June, SFO director Graham McNulty identified the failure to prevent fraud and corporate criminal liability for senior managers as key enforcement priorities.
The challenge now for those in compliance roles is to secure management time and immediate budget to address the increased corporate risk. This is not helped by the time delay between law reform and enforcement.
As we saw with the Bribery Act 2010, there can be a significant lag of around five years between law reform and corporate criminal enforcement, other than in self-reported cases. However, businesses, boards and their compliance officers should take note of the multi-million-pound penalties for the corporate bribery cases that have resulted from the Bribery Act and corporate enforcement. This is a trend that will only continue to develop in favour of corporate enforcement and significant penalties.
Reasonable procedures and their relevance to the new, expanded liability risk
Unlike the failure to prevent fraud offence – and the other failure to prevent offences that preceded it –there is no reasonable or adequate procedures defence for senior manager attribution. However, reasonable procedures, or an effective compliance programme, are still relevant in three ways.
First, and most obviously, corporate compliance programmes help to prevent offending by individuals, reducing the corporate criminal risk at source. Well thought through reasonable procedures may also lend some support to arguments that a corporate had sought to limit a senior manager’s actual or apparent authority, to protect both the corporate and others from a risk of criminal act by the manager.
Publication of compliance policies and procedures and obtaining compliance certification or attestations from relevant managers are also likely to be helpful steps to safeguard an organisation from criminal liability and to mitigate a potential conclusion that a senior manager was acting within their actual or apparent authority.
Secondly, enhancing existing compliance programmes may be an important factor in dissuading a prosecution agency from charging a corporate in cases involving senior manager attribution – even where the compliance programme does not constitute a statutory defence.
While prosecution guidance has not been updated to reflect the latest law changes, one of the public interest factors against a prosecution of a corporate in the most recent August 2025 version of the Joint SFO-CPS Corporate Prosecution Guidance is the “existence of a genuinely proactive and effective corporate compliance programme”.
Finally, while it offers limited comfort to any corporate convicted of an offence attributed to it by a senior manager, demonstrating the corporate’s effective compliance programme – notwithstanding the wrongful acts of the senior manager – is likely to remain an important mitigating factor in the eventual corporate sentencing process, reducing the culpability level of the corporate and the ensuing fines and other penalties imposed.
Business sentiment and challenges
In a recent Pinsent Masons webinar series on corporate criminal law reform, 83% of 322 attendees polled said their organisations had carried out an ECCTA risk assessment, but 17% reported they had not.
Of those organisations that had carried out an ECCTA risk assessment, 98% considered their risk assessment needed further development and 65% said this would be a priority task to be taken forward within the next two years.
Throughout the webinar series, which took place in June, our speakers discussed moving to a more holistic approach to the conduct of financial crime risk assessments, identifying the senior manager population and enhancing controls on them, and considering criminal law risk mapping to identify the areas of greatest criminal law risk relevant to the specific organisation ranging from financial crime, sexual harassment through to road traffic offences, and modern slavery.
Attendees were also asked to complete a word mapping exercise to state their priorities for the year ahead. The three strongest responses were “risk assessment”; “senior managers”, and “controls”. These findings may help organisations when undertaking internal discussions about the importance of conducting risk assessments and what resources they need to dedicate to implementing additional controls focussed on senior managers in light of the recent reforms.
Where an organisation can benchmark its response to these corporate criminal law changes to what other corporates are doing, this can help inform and enrich the planning, design and delivery of enhancements to its compliance programme.