Podcast: Crime and Policing Act 2026 – A new era of corporate criminal liability

Transcript

Jacqui Bickerton: Hello and welcome to the podcast.
 
Today we are looking at one of the biggest changes to UK corporate criminal liability in decades — the Crime and Policing Act 2026 — and, in particular, the new expanded “senior manager” attribution rules that could fundamentally change how organisations and insurers think about governance, compliance, and risk.

We will cover:

• What the new law does
• Why it matters
• The new corporate responsibility for senior managers
• What organisations should be doing now
• What insurers should be preparing for
• And crucially, when the new rules come into force.
   

So Mike, can you talk us through what has changed?

Mike Brown: Thanks Jacqui, & hello everyone.
 
The Crime and Policing Act 2026 received Royal Assent on 29 April 2026 and introduces a major expansion of corporate criminal liability in the UK. 
 
Historically, prosecutors faced a major obstacle when trying to prosecute large companies.
 
Under the old “directing mind and will” doctrine, prosecutors generally had to prove that the criminal conduct was committed by someone at the very top of the organisation — effectively the board or controlling officers of the company.
  
That worked reasonably well for small businesses. But in large and complex organisations, where authority is spread across executives, divisions, and operational leaders, prosecutions became extremely difficult.
  
The government’s response began with the Economic Crime and Corporate Transparency Act 2023 — commonly called ECCTA — which introduced a broader “senior manager” test for economic crimes such as fraud and money laundering. 
  
Now, the Crime and Policing Act 2026 goes much further. Section 250 extends that senior manager attribution model to virtually all criminal offences under UK law. 
  
In simple terms:
 
If a senior manager commits a criminal offence while acting within the actual or apparent scope of their authority, the organisation itself can also be criminally liable. 
  
Jacqui: Is this limited to financial crime?

Mike: Good question - Importantly, the Act is not limited to financial crime. It could potentially apply to:

• Health and safety offences
• Environmental crime
• Data protection breaches
• Competition offences
• Sanctions breaches
• Modern slavery offences
• Misleading ESG statements
• Corporate manslaughter-related conduct
• Fraud and bribery

Jacqui: I understand that the definition of a senior manager is a bit of grey area, Mike. Does this include non-board members who are senior and make decisions?

Mike: One of the most important — and potentially controversial — aspects of the legislation is the definition of “senior manager”.

The law does not focus on job title. Instead, it focuses on function and influence.

A senior manager is someone who plays a significant role in:

• decision-making about how all or a substantial part of the business is managed, or
• actually managing or organising substantial parts of the business.
   

Jacqui: So this can include:

• CEOs
• CFOs
• Chief Operating Officers
• Executive directors.

Mike: Yes, that’s right but it might also include:

• Regional leaders
• Divisional heads
• Operations managers
• Senior underwriting or claims managers
• Compliance leaders
• Functional heads with delegated authority.

The courts are likely to look at what the individual actually does — not what appears on an organisational chart. That creates uncertainty, particularly in large matrix organisations where authority is heavily delegated.
 
Jacqui: This is all so interesting. The level of change is significant. Mike, why does this matter then?

Mike: This is arguably one of the most significant changes to UK corporate criminal law in over a century.

The key shift is this: The question is no longer simply: “Did the board know?”

Instead, prosecutors will ask: “Was this individual acting as a senior manager within the scope of their authority?”

That dramatically lowers the evidential hurdle for prosecutors. And unlike some “failure to prevent” offences, there is no statutory “reasonable procedures” defence under Section 250. So even organisations with strong compliance programmes may still face exposure if a senior manager commits an offence.

Good governance may reduce enforcement risk or mitigate penalties — but it will not automatically prevent liability.

Jacqui: Thanks, Mike. The expanded senior manager attribution regime comes into force on 29 June 2026.

That means organisations have very limited time to prepare. It also sits alongside the separate ECCTA “failure to prevent fraud” offence, which came into force on 1 September 2025 for large organisations.

Together, these reforms represent a major escalation in UK corporate accountability.

So, what should organisations do now?

Mike: There are several immediate priorities.

First – identify who your senior managers really are. Not just by title.

Organisations should map decision-making authority across the business and identify individuals who could realistically fall within the statutory definition.

That may require a much broader assessment than many firms initially expect.

Second – revisit governance structures. Boards should review:

• Delegation frameworks
• Oversight processes
• Reporting lines
• Escalation protocols
• Committee structures.

The key issue is whether governance arrangements properly identify and control criminal risk across the organisation.

Jacqui: I would say that it is important to expand compliance thinking beyond financial crime. Many firms already focus heavily on bribery and fraud risk, but the new regime potentially captures all criminal exposure. That means organisations may need broader risk assessments covering:

• Environmental obligations
• Data handling
• AI governance
• Workplace safety
• Competition law
• ESG disclosures
• Supply chain misconduct.

Mike: That’s right, Jacqui. I also suggest that training should be strengthened. Senior managers themselves may not fully understand the extent of the new exposure.

Training should therefore focus on:

• personal accountability
• delegated authority
• decision-making documentation
• escalation expectations
• governance responsibilities.

Fifth? – This would also include a review of whistleblowing and investigations frameworks

One of the fastest ways organisations can mitigate harm is by identifying issues early.

Internal reporting systems, investigation capabilities, and escalation protocols are likely to become increasingly important in demonstrating good corporate culture and proactive governance.

Jacqui: This is so useful, Mike. I think for insurers this development is highly significant, both from an underwriting perspective and from their own internal governance exposure.

From an underwriting standpoint insurers may see increased demand for:

• D&O insurance
• Corporate legal liability protection
• Investigation costs cover
• Regulatory response products
• Crime and cyber extensions.

But underwriters are also likely to scrutinise governance maturity much more closely.

Questions may increasingly include:

• How is authority delegated?
• Who qualifies as a senior manager?
• How robust are escalation structures?
• Are compliance controls enterprise-wide or siloed?
• Are fraud and misconduct risks actively monitored?

Mike: That’s right, Jacqui. We may also see an evolution in claims trends.

We may see:

• More internal investigations
• More deferred prosecution negotiations
• Greater regulatory cooperation
• Increased defence costs
• More disputes around policy triggers and exclusions.

There may also be difficult questions around coverage where criminal conduct is ultimately attributed to the corporate entity itself.

Insurers must also consider their own exposure. Insurers are themselves large regulated organisations with substantial delegated authority structures.

That means claims directors, underwriting leaders, operational executives, and regional business heads could potentially fall within the definition of senior manager.

Insurers therefore need to review their own governance frameworks just as carefully as their insureds.

Jacqui: Thanks, Mike. So before we sign off on today’s podcast, could you share your overall thoughts?

Mike: The Crime and Policing Act 2026 represents a profound expansion of UK corporate criminal liability.

From 29 June 2026, organisations may face criminal liability for virtually any offence committed by a senior manager acting within the scope of their authority.

This is a major shift away from the historic “directing mind and will” doctrine and reflects a much more aggressive approach to corporate accountability.

For organisations, the message is clear:

This is no longer simply a legal or compliance issue.

It is a governance issue, a risk management issue, and increasingly, an insurance issue.

The businesses best placed to respond will be those that:

• understand where real authority sits;
• strengthen oversight and escalation;
• broaden compliance thinking across operational risks; and
• embed accountability across senior leadership structures.

For insurers, this is likely to become an increasingly important underwriting and claims trend over the next several years.

And for boards and senior management teams, the clock is already ticking!