Until now, corporate criminal liability in England and Wales has been notoriously hard to pin on a company itself. Prosecutors had the tough job of proving that the individuals representing the “directing mind and will” of the company intended the wrongdoing. In practice, that meant blame often “rolled downhill”: an individual got charged, the company walked away, and the corporate culture that produced the conduct was never on trial.

As of 29 June 2026, the Crime and Policing Act 2026 will make many organisations, such as companies, partnerships and LLPs, liable if a senior manager commits a criminal offence while acting within their actual or apparent authority. There’s no need to prove that the board itself knew or directed the wrongdoing. There’s no corporate defence of ‘we took all reasonable measures’ to stop offences being committed.

Put simply, the offence of the individual becomes the offence of the company (apart from certain offences that can only be committed by companies). And with thousands of criminal offences on the statute book – nobody knows quite how many – the surface area of exposure will increase considerably on that date.

If you run a business, this is a significant governance risk. If you haven’t mapped which of your people qualify as senior managers, and what potential offences attach to their functions, you are carrying liability you cannot yet quantify.

The business exposure

A “senior manager” under the Act isn’t defined by job title. It’s anyone who plays a significant role in making decisions about how the whole or a substantial part of the organisation’s activities are managed or organised, or in actually managing or organising those activities. That can include, for example, operations directors, heads of technology and regional MDs, not just the C-suite. The definition is functional and deliberately so: Parliament wanted to stop organisations dodging liability through title engineering.

What this looks like in practice

Consider a few scenarios: a sales director fabricates AI-generated performance data to land a bonus (that’s fraud). A head of technology uses credentials they shouldn’t have, to copy training data (computer misuse). An operations director exports a customer database to fine-tune an internal model without consent (a data protection offence).

If any of those people qualifies as a senior manager, their offence becomes the company’s offence.

A board-level checklist

The good news is that there’s much that organisations can do now:

  • Map your senior managers. Identify everyone whose role (not title) gives them significant decision-making power or authority over a substantial part of the business. Tie this to functions, not organisation charts.
  • Audit authority boundaries. Refresh delegation limits and approval frameworks so that “apparent authority” – the grey zone where someone acts as if authorised – doesn’t drift unchecked.
  • Train by function. Generic compliance training won’t cut it. Senior managers need to understand the specific offence risks attached to their area, whether that’s fraud, bribery, sanctions, data protection, or environmental crime, among others.
  • Document decisions. Take short notes on material calls, setting out the authority relied on and any legal advice taken.
  • Sharpen incident response. Build a fast triage protocol for allegations involving senior managers: preserve evidence early; know when to escalate; and know when to, for example, self-report to any regulators.

Why this matters now

Getting ahead of this new law reduces the chance of a corporate conviction and heavy fines. And it sharpens your position if something does go wrong. It also reassures insurers, lenders, and counterparties that your governance is robust.
