Crime and Policing Act 2026 — Expansion of Corporate Criminal Liability

Executive Summary

• The Crime and Policing Act 2026 (CPA) received Royal Assent on 29 April 2026 and introduces a fundamental expansion of corporate criminal liability.
• From 29 June 2026, organisations may be criminally liable for any offence committed by a senior manager acting within the scope of their authority, not just economic crimes.
• Key Board Message: This is a step-change risk. Liability is broader, defences are limited, and exposure now extends across all areas of operations, not just financial misconduct.

What Has Changed

Under the Act, an organisation commits an offence where:

• A senior manager commits a criminal offence; and
• They act within the actual or apparent scope of their authority.

Critical shift: The regime now applies to all criminal offences and replaces the previous economic crime-only attribution model.

Who is a “Senior Manager”?

• The definition is broad and functional, not title-based.
• Includes individuals who make decisions about a substantial part of the business, or manage or organise a substantial part of operations.
• Likely in scope are Directors and C-suite, Divisional and regional heads, Functional leads (HR, Finance, Operations, IT) and Senior risk and compliance leaders.
• Exposure extends well below board level into operational leadership.

Limited Defences

• There is no “reasonable procedures” defence under this regime.
• This contrasts with failure to prevent bribery and failure to prevent fraud
• A narrow exception exists only where all conduct occurs outside the UK, and the organisation would not itself commit the offence

Strategic Risk Implications

This reform creates four key risks for organisations:

• Attribution Risk — actions of senior operational leaders can directly attach to the organisation
• Control Risk — authority exercised informally or through matrix structures may still trigger liability
• Blind Spot Risk — exposure extends beyond traditional financial crime into operational, regulatory and conduct risks

Priority Actions for the Board

Immediate (Pre–29 June 2026)

• Map senior manager population — identify decision-makers across the business
• Review governance and delegated authority — focus on “actual and apparent authority”

Short-Term

• Enhance training for senior leaders and broaden beyond financial crime
• Undertake risk mapping across all offence categories

Medium-Term

• Strengthen oversight frameworks, escalation processes and decision-making audit trails
• Embed accountability clarity — who is making decisions and under what authority?

Board-Level Questions

Boards should be asking:

• Do we know who qualifies as a senior manager in practice?
• Where does real decision-making authority sit?
• Are we comfortable with oversight of those individuals?
• Do our controls extend beyond financial crime into operational risk?
• Consider review of key existing WLLP Policies to include CPA 2026?
• Could we defend our governance model in a criminal investigation?
• Does our current indemnity policy fit for purpose?
• Consideration for staff CPA awareness?