New UK law makes it easier to prosecute organisations in the UK for any criminal offence

The Crime and Policing Act 2026 will soon make it easier to prosecute organisations in the UK.  From 29 June 2026, if a senior manager of an organisation (a body corporate or partnership) acting within the “actual or apparent scope of their authority” commits a criminal offence under UK law, the organisation will also commit the offence.  Any criminal offence for which an organisation may be prosecuted may now be committed in this way, and there is no defence for the organisation in these circumstances.

These developments build on recent, related changes to the law, and (again) make the compliance and enforcement landscape more strenuous and complex for organisations to navigate. Organisations should revisit their risk assessments and related controls now, to ensure that they protect against these increased risks. We discuss below (1) what is changing, (2) what this means and (3) what organisations should be doing now.

What is changing?

The Crime and Policing Act 2026 (“CAPA”) received Royal Assent on 29 April 2026 and further widens the means by which organisations may incur criminal liability in the UK. Under section 254 of CAPA, from 29 June 2026, if a “senior manager” of an organisation (a body corporate or partnership) acting within the “actual or apparent scope of their authority” commits a criminal offence under UK law, the organisation also commits the offence.

A “senior manager” is defined as an individual who plays a significant role in:

• the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised; or
• the managing or organising of the whole or a substantial part of those activities. 

Whether an individual is a senior manager is a question of fact, not title, and the scope of this as-yet-untested definition is likely to be the subject of much legal argument, although it is expected to encompass far more junior roles than the previous identification doctrine (discussed below).

What does this mean?

These changes will make it easier to prosecute organisations (including those incorporated outside the UK) for a wide range of offences committed in the UK for which they have previously not commonly been pursued.[1] 

UK legislation already expressly provides for offences that can only be committed by organisations. These are often strict liability offences in the sphere of ‘regulatory crime’ that do not require proof of any particular state of mind (mens rea).[2]

However, historically, where an organisation was prosecuted for a criminal offence which requires proof of a specific state of mind (for example, intent or dishonesty), the prosecution first needed to prove the offence was committed by the organisation’s ‘directing mind’; only then could the guilt of the ‘directing mind’ be attributed to the organisation such that the organisation was also guilty of the offence. This is known as the ‘identification doctrine’. The ‘directing mind’ has historically been understood to be officials at statutory director or board level. Modern businesses are often large, however, with complex governance and management structures. As a result, it has been notoriously difficult to prove all the elements of an offence against an individual ‘directing mind’ of large organisations in order to secure the conviction of the organisation.

The Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) created a new statutory basis for attributing criminal liability to organisations for certain “economic crime offences” (including fraud, bribery, customs and revenue, and money laundering offences).  Since 26 December 2023, if a “senior manager” of an organisation (a body corporate or partnership), acting within the “actual or apparent scope of their authority” commits a relevant offence, the organisation is also guilty of that offence. See further detail here. 

Section 254 of CAPA will extend this statutory basis for attributing criminal liability to organisations beyond “economic crime offences” to all criminal offences. Organisations now face risk of prosecution for a wider range of offences committed by their “senior managers”, including:

• Modern slavery and human trafficking offences under the Modern Slavery Act 2015.
• Offences against the person, including assault and sexual assault, subject to the interpretation of “actual or apparent scope of their authority”.
• Offences under the Computer Misuse Act 1990.
• Offences against public justice, including contempt of court - an organisation could conceivably be criminally liable, for example, for the actions of a “senior manager” in failing to comply with a court order, such as an order for the production of documents.
• Offences relating to personal data under the Data Protection Act 2018.
• Offences related to the obstruction of investigators and regulators, and the making of false/misleading statements in respect of investigations by the SFO, the FCA, HMRC, the HSE, the EA, etc.
• “Economic crime offences” not covered by the attribution of criminal liability to organisations under ECCTA. For example, an organisation could now conceivably be criminally liable for a failure by its “nominated officer” (e.g. Money Laundering Reporting Officer) to disclose suspicion of money laundering under sections 331 or 332 of the Proceeds of Crime Act 2002 (“POCA”) if the nominated officer is a “senior manager” acting within the “actual or apparent scope of their authority”. 

Further, it appears that an organisation may become criminally liable for offences via the new senior manager test under CAPA that cannot be attributed to it under the identification principle. Taking the final example above, by way of illustration, the offences under sections 331 or 332 of POCA can only be committed by a nominated officer (who is ordinarily an individual) but it appears that, under the new senior manager test, if the nominated officer commits the offence and is a senior manager acting within the actual or apparent scope of their authority, the organisation will also be guilty of the offence.

In addition to making it easier to prosecute the above offences, the changes in ECCTA/CAPA have the potential to create inconsistency, most obviously in respect of the ‘failure to prevent’ offences where a statutory defence is available. For example, in the event that a “senior manager” bribed another person:

• If prosecuted for failure to prevent bribery under section 7 of the Bribery Act 2010, the organisation would have a statutory defence if it had “adequate” prevention procedures in place.
• However, the organisation could also be prosecuted for bribing another person under section 1 of the Bribery Act 2010 in respect of the same conduct by the “senior manager”, but would not have any such statutory defence. 

It remains to be seen how authorities will approach investigations and prosecutions of organisations, but it is clear that there is political appetite for increased enforcement.

What should organisations be doing now?

Many organisations will have undertaken relatively recent exercises to review and update their risk assessments and compliance procedures following the changes brought about by ECCTA. The changes effected by CAPA mean that now is the time to revisit those arrangements. That will include:

• Identifying/reviewing those individuals in your business who may be deemed a “senior manager”. Regulated entities will wish to consider the designation of functions under the Senior Managers and Certification Regime as part of this exercise.
• Reviewing internal arrangements for training of senior managers and others, to raise awareness of the changing landscape related to corporate criminal liability, and the risks for the business associated with their acts or omissions.
• Risk assessment to identify areas of potential exposure, including potential civil liability in relation to representations to auditors, investors and counterparties regarding an organisation’s compliance with laws (where conduct by senior managers may affect the accuracy of those representations).
• Review of existing policies, procedures and systems to detect and prevent fraud by senior managers or others.
• Review of the existing approach to internal investigations, financial provision for litigation involving the organisation and reporting of corporate/employee wrongdoing to the authorities.

If you would like to discuss the implications of these developments and the steps your business might take to mitigate the consequent risks, please contact Guy Bastable, Andrew Matheson, Sam Aldous or Thomas Hubbard in Burges Salmon’s Corporate Crime & Investigations team.