The Historical Position: The Identification Doctrine
For much of the twentieth century, corporate criminal liability in England and Wales was governed by the common‑law identification doctrine. Under this principle, a company could only be convicted of offences requiring mens rea (i.e., a mental element) where prosecutors could identify an individual who constituted the company’s “directing mind and will” and who personally possessed the requisite mental element. In practice, this usually meant board‑level directors or those exercising ultimate control.
As corporate structures became more complex, the doctrine made it increasingly difficult to attribute criminal liability to companies. Decision‑making authority in modern organisations is frequently delegated across committees, regional management and functional leads, making it exceptionally difficult to attribute criminal intent to a single controlling individual. High‑profile failures to prosecute large corporates reinforced perceptions that the doctrine insulated sizeable organisations from accountability.
The First Step: ECCTA 2023
The first substantive legislative response came through the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”), which modified the attribution rules for specified economic crimes. Section 196 ECCTA introduced a statutory basis for corporate liability where a “senior manager” committed an in-scope offence while acting within the actual or apparent scope of their authority. This reform applied to offences such as fraud, bribery, money laundering and tax evasion, and deliberately moved away from the narrow confines of the identification doctrine.
Crucially, the ECCTA adopted a functional definition of senior manager, focusing on the individual’s role in decision‑making or operational management rather than formal title. While significant, this reform remained limited to a defined list of economic offences, and Parliament signalled that broader reform might follow. In fact, the ink had barely dried on the ECCTA before politicans were debating whether to extend the model.
The Crime and Policing Act 2026: What Has Changed?
Section 254 of the CPA 2026 extends the senior manager attribution model so that it applies to any criminal offence, provided the offence is committed by a senior manager acting within the actual or apparent scope of their authority. In doing so, the Act repeals and replaces the ECCTA regime with a single basis for corporate criminal liability encompassing e.g., health and safety, environmental offences, data protection breaches, modern slavery and workplace misconduct, as well as the economic crimes outlined in the ECCTA, provided the senior manager test is satisfied.
The “Senior Manager” Test
The definition of “senior manager” under the CPA mirrors that in ECCTA and remains deliberately broad. It captures individuals who play a significant role in:
- Decision‑making about how the whole or a substantial part of the organisation’s activities are managed or organised; or
- The actual managing or organising of the whole or a substantial part of those activities.
This functional approach ensures that liability is determined by substance rather than title and may encompass divisional heads, regional leads or operational managers with real decision‑making power. The assessment is inherently fact‑specific and likely to become a key battleground in future prosecutions.
Actual and Apparent Authority
A further important feature is the requirement that the offence be committed within the senior manager’s actual or apparent authority. Apparent authority, in particular, introduces significant uncertainty. Even where a company has internal limits on decision‑making power, liability may still arise if the individual appeared to third parties to be acting on the company’s behalf. This is likely to focus enforcement disputes on governance design, delegation frameworks, and outward‑facing representations of authority.
No Compliance Defence
Unlike the “failure to prevent” offences under the Bribery Act 2010 (bribery), Criminal Finances Act 2017 (tax evasion facilitation), and the ECCTA (fraud), the CPA 2026 does not provide for an adequate or reasonable procedures defence. While robust compliance programmes, training and controls remain critical to good corporate governance and risk mitigation, and may be a powerful factor when prosecuting authorities assess whether criminal proceedings are in the public interest, they do not operate as a defence and do not prevent liability from attaching where the statutory senior‑manager attribution test is met. The absence of a formal defence increases the stakes for organisations whose senior managers are granted wide operational discretion.
Also unlike the ECCTA's failure to prevent fraud offence, the new senior manager attribution model is not restricted to “large organisations”. It applies to all sizes of businesses across all sectors.
Practical and Strategic Implications
The expansion of corporate liability under the CPA 2026 has immediate practical consequences for businesses:
- Risk mapping must widen beyond economic crime to include the full range of criminal exposure arising from senior management decision‑making.
- Senior manager identification exercises will become essential, particularly in complex or matrix‑managed organisations. Although it might be thought that a failure to identify senior managers formally could make corporate attribution more difficult in practice, the statutory test is functional rather than formal. In reality, poor clarity around authority is more likely to increase exposure, particularly given the role of “apparent authority” and the importance of governance standards in a prosecutor's public interest analysis.
- Delegation, escalation, and oversight structures will attract greater scrutiny from regulators, prosecutors, auditors, and acquirers.
- Internal investigations and self‑reporting decisions may become more frequent, as the likelihood of corporate exposure increases even where misconduct is localised.
In regulated sectors, including financial services, these changes will intersect with existing individual accountability regimes, sharpening the focus on governance and record‑keeping at senior management level.
Conclusion
The CPA 2026 marks a decisive shift in the UK’s approach to corporate criminal liability. By extending senior manager attribution to all criminal offences, it removes longstanding structural barriers to prosecution and exposes organisations to materially greater enforcement risk. While the practical application of the new regime will evolve through prosecutorial guidance and case law, corporates would be well advised to treat the reforms as a catalyst for governance and risk management review ahead of their commencement in June 2026.
/Passle/5cc80bfbabdfe80ea0d70502/MediaLibrary/Images/2026-04-22-12-07-46-834-69e8ba12023dab52593d8f82.jpg)
/Passle/5cc80bfbabdfe80ea0d70502/SearchServiceImages/2026-02-20-15-06-55-200-6998788f842a7bc7f01dba28.jpg)
/Passle/5cc80bfbabdfe80ea0d70502/SearchServiceImages/2026-02-20-12-51-28-433-699858d0b51a6f81f2e99a1b.jpg)