Crime and Policing Act 2026, What UK Businesses and Directors Must Do Now to Manage Expanded Corporate Criminal Liability

Last updated: 30 May 2026

Why This Matters Now, Corporate Criminal Liability UK Enters a New Era

The Crime and Policing Act 2026, which received Royal Assent on 29 April 2026, represents the most significant expansion of corporate criminal liability UK law has seen in decades. Where prosecutors previously struggled to attribute criminal conduct to large organisations under the narrow “identification doctrine,” the new senior-manager test means that a far wider range of companies, partnerships and subsidiaries can now be convicted of criminal offences committed, consented to or connived at by their senior management. The reforms follow years of analysis by the Law Commission, which concluded that the existing identification principle was “not fit for purpose” when applied to modern corporate structures with diffuse decision-making.

For directors, compliance officers and in-house counsel, the practical consequence is immediate: governance frameworks, delegation structures and investigation-readiness plans that were adequate last year may no longer provide a defensible position.

This guide delivers three things:

• A plain-English explanation of what the Crime and Policing Act 2026 changes and which entities are affected.
• A six-point compliance checklist with downloadable templates to close governance gaps before enforcement begins.
• A step-by-step investigation-readiness playbook covering the first 24 hours through to self-reporting, Deferred Prosecution Agreements (DPAs) and white collar crime defence strategy.

What the Crime and Policing Act 2026 Changes, Plain-English Summary

Core Legal Changes: Identification Doctrine vs Senior-Manager Test

For more than half a century, English law relied on the identification doctrine to determine corporate criminal liability. Under that principle, a company could only be convicted of a criminal offence if a person who represented its “directing mind and will”, typically a board director or equivalent, personally committed or authorised the offence. As the Law Commission’s Corporate Criminal Liability project documented, this test proved unworkable for large organisations where responsibility is distributed across committees, divisions and subsidiaries.

The Crime and Policing Act 2026 replaces that bottleneck with a broader senior-manager test. The key changes include:

• Attribution through senior managers. A corporate body is guilty of a criminal offence where the conduct constituting the offence is committed, consented to or connived at by a “senior manager” acting within the actual or apparent scope of their authority.
• “Senior manager” defined broadly. The term covers any individual who plays a significant role in the making of decisions about how the whole or a substantial part of the organisation’s activities are managed or organised, or who actually manages or organises a substantial part of those activities.
• All-crimes scope. Industry observers expect the expanded attribution principle to apply across the criminal statute book, not only to economic crime offences, making it relevant to health and safety, environmental, data-protection and regulatory offences alike.
• Applicable to all corporate entities. The Act captures companies, limited liability partnerships and, where relevant, unincorporated associations operating at scale.

Which Offences and Entities Are Affected

The table below summarises the three frameworks now operating in parallel. In-house teams should map their risk exposure against each column.

The likely practical effect of the senior-manager test is that mid-market and large companies, which historically escaped corporate prosecution because no single “directing mind” could be identified, are now squarely within the scope of criminal enforcement. Early indications suggest prosecutors will treat the reform as a green light to pursue corporate charges in cases that would previously have been confined to individual defendants.

Who Can Investigate and Prosecute, SFO, Police, Regulators

Enforcement Bodies and Their Jurisdictions

Multiple agencies can investigate corporate criminal conduct in the UK. Understanding which body is likely to take the lead, and how their approaches differ, is essential to any investigation-readiness plan.

• Serious Fraud Office (SFO). Investigates and prosecutes the most serious or complex cases of fraud, bribery and corruption. The SFO has compulsory powers under the Criminal Justice Act 1987 to require the production of documents and compel witness attendance. It is also the primary body that negotiates Deferred Prosecution Agreements.
• Regional and national police forces. Economic Crime Units (including the City of London Police’s National Fraud Intelligence Bureau) handle fraud and financial crime that falls below SFO thresholds or involves regional actors. They work closely with the Crown Prosecution Service (CPS).
• Crown Prosecution Service (CPS). Provides charging decisions for police-investigated cases and prosecutes in court. The CPS applies the Code for Crown Prosecutors, including the evidential and public-interest tests.
• Sector regulators (FCA, HSE, Environment Agency, ICO). Where criminal powers exist within their governing statutes, regulators can prosecute directly, for example, the FCA for market abuse offences or the Health and Safety Executive for corporate manslaughter-adjacent breaches.

Warning Signs That Trigger Investigation

Businesses should treat the following as red flags requiring immediate legal assessment:

• Whistleblower disclosures, internal or to regulators
• Unexplained regulatory inquiries or dawn-raid indicators (document-production requests, information notices)
• Unusual financial patterns flagged by auditors or anti-money-laundering monitoring
• Adverse press coverage, particularly where journalists have received leaked documents
• Civil litigation or tribunal proceedings that reveal potential underlying criminal conduct

Any of these triggers warrants instructing experienced criminal defence counsel before responding substantively to the regulator or investigator. Premature disclosures, even well-intentioned ones, can compromise privilege and worsen exposure.

Director Personal Liability and Senior Managers, Legal Test and Practical Risk Mapping

Who Is a “Senior Manager” Under the Statute?

The statutory definition of “senior manager” extends well beyond the board of directors. Under the Crime and Policing Act 2026, the test captures anyone who plays a significant role in making decisions about how the whole or a substantial part of the organisation’s activities are managed or organised, or who actually manages or organises those activities. In practice, this means:

• Executive and non-executive directors
• Chief financial officers, chief operating officers and other C-suite roles
• Divisional or regional heads who control a substantial part of operations
• General counsel or compliance officers with decision-making authority over significant business functions
• In some structures, senior partners or members of LLPs

The following matrix helps boards identify who falls within scope and assess exposure levels.

How Prosecutors Assess Individual Culpability

Prosecutors examining director personal liability will scrutinise the evidence trail. Industry observers expect enforcement teams to focus on the following when building cases under the expanded corporate criminal liability framework:

• Board minutes and committee papers. Were risks identified, escalated and addressed? Minutes that record a decision to defer remediation create direct exposure.
• Email and messaging records. Prosecutors routinely obtain internal communications. Messages showing knowledge of wrongdoing, instructions to conceal information or a failure to escalate can establish consent or connivance.
• Delegation and authority matrices. Unclear or undocumented delegation structures make it harder for individuals to demonstrate that a matter fell outside their authority, and easier for prosecutors to argue that the senior manager bore responsibility.
• Training and compliance records. Evidence that a senior manager received training on a risk area but failed to act on it strengthens the prosecution case.
• Whistleblower logs. Where concerns were raised internally and not acted upon, the individual who received them faces acute personal exposure.

Mitigation begins with documentation. Directors should ensure that every material risk decision is recorded in writing, that delegation is clear and that compliance-training attendance is logged and verified.

Six-Point Immediate Compliance Checklist for Businesses

The following corporate compliance checklist sets out the six actions every UK business should take now to prepare for the expanded corporate liability UK framework. Each step is designed to be completed within 30 days by a small cross-functional team.

1. Conduct an enterprise-wide criminal risk assessment. Map every area of the business where criminal liability could arise, from fraud and bribery to health-and-safety, environmental and data-protection offences. Prioritise divisions or functions with the highest regulatory exposure, the largest transaction volumes or the weakest existing controls. Use a risk-assessment matrix that scores likelihood against severity and identifies the senior manager responsible for each risk area.
2. Identify and map senior managers and delegated authorities. Create a register of every individual who meets the statutory definition of “senior manager.” For each person, document their role, the scope of their authority, the decisions they are empowered to make and the functions they oversee. Cross-reference this register against the criminal risk assessment to establish which senior managers carry the highest exposure. This mapping exercise is the single most important preparatory step under the new law.
3. Update policies, procedures and supply-chain contracts. Review anti-bribery, anti-fraud, whistleblowing, data-protection, health-and-safety and environmental policies to ensure they reflect the expanded attribution rules. Insert explicit language into supply-chain and third-party contracts requiring counterparties to maintain their own compliance programmes and to notify you of any criminal investigation or regulatory action.
4. Issue evidence-preservation and legal-hold instructions. Ensure that IT, HR and finance teams understand their obligations to preserve documents and data that may be relevant to any future corporate criminal investigation. Issue a standing legal-hold protocol that can be activated within hours of a trigger event. Cover email archives, messaging platforms, financial records, access logs and CCTV.
5. Draft an internal investigation plan. Before an investigation materialises, prepare a playbook that sets out who will lead the response, how privilege will be maintained, which external forensic and legal advisers will be instructed and how findings will be reported to the board. Privileged notes and communications should be clearly marked and handled in accordance with litigation-privilege principles from the outset.
6. Establish board reporting and minute-taking protocols. Board minutes should record that the criminal risk assessment has been conducted, that senior managers have been identified, that policies have been updated and that an investigation-readiness plan is in place. Minutes serve as contemporaneous evidence that the organisation took reasonable steps, a factor that prosecutors, courts and the SFO explicitly consider when assessing culpability and sentencing.

Each of these steps should be completed within 30 days of publication and revisited quarterly. Businesses that cannot evidence completion of these actions before enforcement begins will find it materially harder to advance a defence or secure a favourable outcome in any subsequent corporate criminal investigation.

Preparing for a Corporate Criminal Investigation, Step-by-Step Timeline

How to prepare for an SFO or police investigation is a question that demands a pre-planned response, not a reactive one. The timeline below provides a framework for corporate criminal investigations UK businesses can adapt to their size and sector.

First 24–72 Hours: Secure, Preserve, Instruct

The initial hours after a trigger event, whether a dawn raid, document-production notice, arrest of an employee or whistleblower disclosure, determine the trajectory of the entire case. Immediate priorities include:

• Activate the evidence-preservation and legal-hold protocol. Suspend automatic deletion of emails, messages and logs.
• Instruct experienced criminal defence counsel. Do not rely solely on in-house legal or civil litigation solicitors, white collar crime defence requires specialist expertise.
• Notify the board chair, CEO and company secretary. Record the notification in a privileged memo.
• Suspend access for any employee suspected of involvement, but do so proportionately to avoid constructive dismissal claims.
• Do not conduct substantive interviews with employees without counsel present and a clear privilege strategy.

First 7–14 Days: Forensic Triage and Privilege Strategy

With counsel instructed, the focus shifts to understanding the scope of exposure:

• Commission forensic IT review of relevant systems, devices and communications.
• Identify which documents and communications are protected by legal professional privilege and which are not.
• Begin a preliminary fact-find, interview key witnesses under controlled, privileged conditions.
• Assess whether any regulatory notifications are required (e.g., to the FCA, ICO or HSE).
• Prepare a holding statement for internal and, if necessary, external use.

1–3 Months: Internal Report, Remediation, Self-Reporting Decision

Within three months, the internal investigation should produce a privileged preliminary report to the board. This report should address the nature and extent of the suspected conduct, the individuals involved, the organisation’s exposure and recommended remediation steps. At this stage, the board, advised by specialist counsel, must also decide whether to self-report to the SFO, police or relevant regulator.

Defences, Mitigation and Self-Reporting, DPAs, Admissions and Sentence Reduction

Practical Mitigation Options

Once corporate criminal liability UK exposure has been identified, the focus shifts to reducing the consequences. Prosecutors and sentencing courts in England and Wales give explicit credit for:

• Early and genuine cooperation with the investigating authority, including the voluntary provision of material not yet requested.
• Remediation. Demonstrable steps taken to address the root cause of the offending, such as dismissing culpable individuals, redesigning controls and commissioning independent audits.
• Guilty pleas. An early guilty plea can attract a sentence reduction of up to one-third under the Sentencing Council guidelines.
• Compensation. Voluntary compensation to victims before sentencing is a recognised mitigating factor.

Deferred Prosecution Agreements, When They Help and How to Prepare

A Deferred Prosecution Agreement is a judicially approved agreement between a prosecutor (currently the SFO or CPS) and an organisation, under which criminal proceedings are suspended provided the organisation meets agreed conditions, typically a financial penalty, cooperation obligations, compliance reforms and independent monitoring. DPAs were introduced by the Crime and Courts Act 2013 and are available only to organisations, not individuals.

Industry observers expect DPAs to become an increasingly important tool under the expanded corporate liability UK framework, given that more organisations will now face credible prosecution risk. Key preparation steps include:

• Engaging with the SFO or CPS proactively, via counsel, to signal willingness to cooperate.
• Preparing a comprehensive self-investigation report that demonstrates the scope and thoroughness of the internal review.
• Proposing concrete remediation measures, not vague commitments, but costed, time-bound reforms.
• Ensuring the board has formally authorised the negotiation and that any admissions are carefully controlled by counsel.

When to Self-Report vs When to Wait

Self-reporting is not always advantageous. Early disclosure to the SFO attracts cooperation credit, but premature admissions, particularly before the facts are fully understood, can lock the organisation into a narrative that later proves inaccurate or incomplete. The decision to self-report should be taken only after:

• The internal investigation has reached at least a preliminary factual understanding.
• Privilege has been properly established and maintained throughout.
• Specialist criminal counsel has assessed the risks, benefits and likely prosecutorial response.
• The board has been briefed and has formally approved the approach.

The cost of getting this decision wrong is severe. Organisations that self-report but then fail to cooperate fully, or that make admissions they later seek to withdraw, face worse outcomes than those that never self-reported at all.

Compliance Programme Design: What a Defensible System Looks Like

Key Elements of an Effective Corporate Compliance Programme

A defensible compliance programme is the single most important long-term investment a business can make to manage corporate criminal liability in the UK. Prosecutors, the SFO and sentencing courts all assess whether the organisation had “adequate procedures” in place at the time of the offence. The essential components are:

• Risk assessment. A documented, regularly updated assessment of criminal and regulatory risk across all business functions and geographies.
• Policies and procedures. Written policies that translate risk-assessment findings into clear rules, covering bribery, fraud, money laundering, data protection, competition, health and safety and environmental compliance.
• Training. Role-specific training for all employees, with enhanced modules for senior managers and high-risk functions. Training must be recorded and tested for comprehension.
• Monitoring and auditing. Ongoing transaction monitoring, periodic compliance audits and data-analytics tools that detect anomalies before they become enforcement triggers.
• Reporting channels. Confidential whistleblowing mechanisms that employees trust, supported by a non-retaliation policy and prompt, documented investigation of every report.
• Incentives and discipline. Compliance performance embedded in bonus structures, promotion criteria and performance reviews, not treated as a bolt-on.

Measuring Effectiveness, KPIs and Audit Frequency

A programme that exists on paper but is never tested will not satisfy prosecutors. The table below sets out minimum recommended reporting obligations and audit frequencies, scaled by entity size.

Actionable Templates and Annexes

Practical preparation requires more than policy statements. The following templates are designed to be adapted to your organisation’s size, sector and risk profile. Each template supports the six-point corporate compliance checklist set out above.

• Quick criminal risk assessment template. A two-page matrix mapping business functions against criminal offence categories, with a scoring methodology for likelihood and impact. Designed for completion in a single workshop.
• Senior manager mapping spreadsheet. A structured register listing every individual who may meet the statutory “senior manager” definition, cross-referenced to their decision-making authority, risk-area exposure and training record.
• Evidence-preservation memo and legal-hold checklist. A pre-drafted instruction to IT, HR and finance teams that can be issued within hours of a trigger event, covering email archives, messaging platforms, financial systems, access logs and physical documents.
• Board minute language for reporting investigations. Model wording for recording that the board has received a report on investigation readiness, approved the compliance programme, and noted the identity of senior managers with criminal-risk exposure.

These templates are available for download. Organisations requiring bespoke versions tailored to specific sectors or group structures should seek specialist criminal and compliance counsel through the Global Law Experts directory.

Conclusion and Next Steps, Corporate Criminal Liability UK Demands Action Now

The Crime and Policing Act 2026 has fundamentally expanded corporate criminal liability UK-wide. Businesses that delay preparation risk facing investigations without the governance frameworks, evidence trails or privileged advice needed to mount an effective defence. The six-point checklist and investigation-readiness timeline set out in this guide provide a clear starting point. Directors and in-house counsel should prioritise completing these steps within 30 days and retaining specialist criminal defence counsel for a one-day readiness review without delay.

Sources

1. Crime and Policing Act 2026, legislation.gov.uk
2. Law Commission, Corporate Criminal Liability Project
3. UK Parliament / House of Commons Library, Research Briefing
4. Ministry of Justice, Corporate Criminal Liability Options Paper
5. White & Case, UK Corporate Criminal Liability Insight
6. Norton Rose Fulbright, Expansion of Corporate Criminal Liability
7. Freshfields, All Crimes, All Companies
8. Practical Law / Thomson Reuters, Identification Principle