The Crime and Policing Act 2026: What Every Board Needs to Know Before 29 June 2026

Section 250 of the Crime and Policing Act 2026 (CPA) comes into force on 29 June 2026. There is no transitional period, no grace provision, and no ‘reasonable procedures’ defence. Organisations that have not acted before that date will be exposed from day one.

On 29 June 2026, the corporate criminal landscape in the United Kingdom will undergo a transformation. Many boards have treated recent corporate crime reforms primarily as a financial compliance issue. Section 250 is materially broader and fundamentally shifts the parameters of corporate risk. Section 250 replaces the historic ‘directing mind and will’ test with a far broader senior manager attribution model. In practice, companies may now face criminal liability for offending carried out by senior personnel operating within the apparent scope of their authority – even where conduct breached internal policy. The CPA extends a company’s criminal exposure to any criminal offence where a company is capable of being a principal offender.

For CEOs, boards, multinational businesses and professional advisory firms, this legislation introduces materially broader corporate criminal exposure and significant uncertainty around attribution risk.

What has changed

A company can currently only face criminal prosecution if the wrongdoer was its ‘directing mind and will’ – typically a board level executive. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) began to remove this protection, applying a new ‘senior manager’ attribution model to a defined list of economic crimes. Section 250 removes the list entirely, meaning a company can be prosecuted for any criminal offence (where a company is capable of being a principal offender) committed by a ‘senior manager’ acting within the actual or apparent scope of their authority. This could therefore extend to fraud, bribery, health and safety breaches, environmental offences, data protection failures, sexual misconduct, modern slavery and sanctions violations.

The offence

An individual qualifies as a ‘senior manager’ if they play a significant role in making decisions about, or managing, the whole or a substantial part of the organisation’s activities. The focus is on function, not title. ‘Substantial part’ is undefined, and no threshold of revenue, headcount or operational significance is specified. In practice this may bring into scope regional directors, heads of procurement, and divisional leads. How aggressively prosecutors test the boundaries of ‘substantial part’ and apparent authority under the new regime remains uncertain.

Liability can arise even where the senior manager acted outside express authority or in direct breach of corporate policy. If a prosecutor can characterise the conduct as falling within the apparent scope of the manager’s position, the attribution test may be satisfied. International businesses are not exempt and section 250 applies wherever part of the offence, the victim, or the underlying activity has a UK connection.

The defence

Unlike ECCTA, section 250 provides no ‘reasonable procedures’ defence. Companies will not be liable if offending conduct took place wholly outside the UK, or where the underlying criminal conduct cannot properly be attributed to the company. Compliance frameworks nevertheless remain important. In particular, they may influence prosecutorial discretion, public interest assessments and sentencing outcomes. The key question is whether governance structures are genuinely effective in preventing criminal conduct by those with the authority to trigger it.

Consequences – legal and commercial

Companies found guilty face unlimited fines, reputational damage and potentially significant operational disruption. The individual offender would be, on conviction, subject to separate sentencing.

Previously, self-reporting to the SFO combined with a robust compliance programme created a credible pathway to a Deferred Prosecution Agreement (DPA) and, potentially, no conviction. The CPA materially weakens the degree of protection previously associated with voluntary disclosure and compliance remediation.

The CPA also remodels the Proceeds of Crime Act 2002 (POCA) to simplify benefit calculations and ease the deployment of restraint orders – allowing enforcement agencies to freeze assets early in an investigation.

What to do before 29 June 2026

• Map senior manager authority. Go beyond the ECCTA exercise. Identify every individual whose actual function could satisfy the ‘substantial part’ test across all categories of criminal conduct. Where authority is broad and oversight is weak, Section 250 exposure is highest.
• Invest in compliance. Strong compliance programmes remain crucial for sentencing mitigation and avoiding prosecution through public interest arguments. Conduct risk assessments, deploy targeted training and update cross-border regulatory reporting procedures.
• Establish a response protocol. Decide before an incident occurs how potential Section 250 matters will be escalated and when external counsel will be engaged.
• Take early advice on self-reporting strategy. The decision to self-report under Section 250 is different from ECCTA. It is therefore important to establish a position in advance and not under the pressure of an active investigation.
• Obtain legal advice, under privilege, before decisions are made.

Nabeel Osman and Lisa Mckinnon-Lower advise companies on corporate criminal risk and regulatory investigations. They can be contacted directly to discuss your organisation’s specific position before 29 June 2026.