All Crimes, All Companies: The Expansion of UK Corporate Criminal Liability from 29 June 2026

After a series of legislative changes that have, incrementally, expanded the ways in which a corporate can be liable in the UK for criminal offences, the process is nearly complete. From 29 June 2026, the senior manager attribution test, previously limited to certain economic crimes, will apply to all criminal offences in the UK. This must, conceptually, make it easier for prosecutors to attribute criminal liability to a company for the misconduct of senior managers across a wider range of activities. 

We will need to wait and see how prosecuting agencies apply these reforms in practice. Nonetheless, the development is a salient reminder that businesses should assess their criminal risk profile across the breadth of their operations in light of recent reforms. 

What has changed?

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) replaced the old ‘directing mind and will’ test with a broader ‘senior manager’ threshold for specified economic crimes such as fraud, bribery and false accounting (see our blog here). The Crime and Policing Act 2026 (the Act) has now taken that further: if a senior manager commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation can also be guilty of that offence.

Two features of this model are worth emphasising. First, unlike the failure to prevent offences relating to bribery and fraud, prosecutors do not need to show that the organisation benefitted from the criminal act. The company's liability follows automatically from the senior manager's conduct. Relatedly, there is no broad defence by showing that there were reasonable prevention procedures in place designed to prevent the criminal conduct. 

Secondly, the test covers senior managers acting with apparent as well as actual authority, an evidential area that is likely to be a contested battle ground when the first cases are litigated. This means prosecutors may look beyond job titles and formal reporting lines to examine how individuals actually operate within the business. As we explored in our earlier blog, the definition of ‘senior manager’ is functional rather than title-based, capturing anyone who plays a ‘significant role’ in managing or organising a ‘substantial part’ of the organisation's activities.

Which offences should companies be thinking about?

The ‘all crimes’ expansion means that organisations must look more widely than the typical economic misconduct that immediately comes to mind when thinking about corporate criminal risk. Now, they must consider a more holistic range of potential actions of senior personnel within the business. Categories of particular risk include: 

• Environmental and ESG-related crimes. For example, if a senior manager authorises their business unit to bypass certain environmental controls that could now be directly attributable to the company.
• Health and safety and corporate manslaughter. The Act provides a new, streamlined route for prosecuting workplace fatalities. Rather than needing to prove a systemic, board-level management failure, prosecutors could now attribute a single senior manager's manslaughter by gross negligence to the organisation, if their actions caused a workplace fatality.
• Technology, data protection and computer misuse. A senior manager directing aggressive data practices could expose the company to potential criminal liability, not merely civil fines, under the Data Protection Act or the Computer Misuse Act.

The above are just illustrations as the list is extensive, covering offences relating to modern slavery, perverting the course of justice (for example if an individual destroys evidence during an investigation), or even (albeit rarely) offences against the person. 

A wider enforcement landscape

This expansion also widens the range of agencies that may pursue corporate entities in criminal matters. Beyond the Serious Fraud Office (SFO) and Crown Prosecution Service (CPS), companies could now face renewed attention from agencies such as the Environment Agency, the Health and Safety Executive (HSE), the Information Commissioner's Office (ICO) or the National Crime Agency (NCA). Each of these bodies now has a clearer statutory route to holding companies criminally liable for senior management misconduct, and they may be keen to explore the boundaries of these new powers. 

No statutory defence — but compliance still matters

Unlike the failure to prevent model for liability, the Act provides no adequate procedures defence. There is potentially a broader scope of liability based on attribution. If a senior manager commits the offence within their actual or apparent authority, the company's liability follows as a matter of law. 

That said, companies should not expect a slew of new prosecutions overnight. 

Significant evidential hurdles remain for prosecutors, including establishing that the individual was sufficiently ‘senior’ under the statutory definition, and that they were acting within their actual or apparent authority. These are fact-specific questions that will be contested in individual cases.

Nonetheless, compliance remains essential. A strong compliance culture is directly relevant to the public interest test that prosecuting agencies must apply before bringing charges. A company that can demonstrate robust procedures and a proactive response to misconduct is materially less likely to be prosecuted and, if convicted, will benefit from significant sentencing mitigation. And of course, the real prize of an effective compliance environment is that it can prevent an issue arising in the first place. There is no better mitigation than that.

What should companies be doing now?

Even without an imminent wave of prosecutions, companies should refresh their governance and training procedures. Practical steps include:

• Conducting an organisation-wide criminal risk assessment that looks beyond economic crime to operational safety, environmental controls, data practices and supply chains.
• Reviewing delegation frameworks and escalation protocols to ensure that the reality of decision-making matches the formal governance structure.
• Delivering targeted training to the leadership tier on the scope and implications of the new regime and the range of criminal risks arising.

A note for investors and portfolio companies

The expansion of corporate criminal liability is also relevant for private equity sponsors and listed company boards. Criminal exposure now extends across operational, environmental, health and safety and supply chain risk, which are areas central to the process of investment due diligence and portfolio oversight. Investors and boards should be assessing how these reforms affect their risk appetite and governance expectations. Based on these revised reviews, they may need to coordinate with their corporate and M&A advisers accordingly.

Key takeaways

Overall, the Act redraws the boundaries of corporate criminal liability in the UK. But the most resilient businesses will be those that treat this as a prompt for a considered governance refresh, ensuring that authority, oversight and culture are properly aligned from the board to the operational front line. 

With thanks to Rachel Hewitt in our Knowledge and Information Services team for assistance with this article.