
Guide

UK Crime and Policing Act 2026: Section 250 and the New Era of Corporate Criminal Liability

Updated: June 26, 2026

Section 250 of the UK Crime and Policing Act 2026, effective June 29, 2026, dramatically expands corporate criminal liability to all UK offences committed by senior managers. This guide explains the new law, affected industries, and practical compliance steps including risk assessments, training, and monitoring.

Introduction

The UK Crime and Policing Act 2026 (CPA 2026) introduces a seismic shift in corporate criminal liability through Section 250, effective June 29, 2026. This provision extends liability to any criminal offence committed by a senior manager acting within their actual or apparent scope of authority, replacing the narrower Economic Crime and Corporate Transparency Act 2023 (ECCTA) provisions that only covered listed economic crimes. The new law applies to all UK employers, regardless of sector, and requires urgent compliance action.

In this guide, you will learn:

  • What Section 250 CPA 2026 covers and how it differs from previous laws
  • Which industries are most affected
  • Practical steps for building a compliance program, including risk assessments, senior manager identification, training, and whistleblowing enhancements
  • How continuous monitoring tools can help maintain compliance

Prerequisites

Before diving into compliance steps, ensure your organisation has:

  • An understanding of your existing corporate governance structure
  • Access to legal counsel familiar with UK criminal law
  • A baseline compliance program (e.g., for bribery, fraud, or data protection)
  • Board-level commitment to compliance resourcing

Understanding Section 250 CPA 2026

Scope of the New Offence

Section 250 creates a failure to prevent offence model, but with a twist: it applies to any criminal offence committed by a senior manager acting within their actual or apparent authority. This is a dramatic expansion from ECCTA 2023, which only covered fraud, false accounting, and money laundering. Now, offences ranging from bribery and corruption to health and safety violations, data breaches, and environmental crimes can trigger corporate liability.

Definition of Senior Manager

The Act defines a senior manager broadly as any individual who plays a significant role in:

  • The making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised; or
  • The actual management or organisation of the whole or a substantial part of those activities.

This includes individuals regardless of title, employment status, or whether they are formally appointed. It can capture directors, heads of department, regional managers, and even de facto decision-makers. The broad definition means organisations must identify all individuals who exercise significant influence, not just those with official senior titles.

Key Differences from ECCTA 2023

Aspect | ECCTA 2023 (Sections 196-198) | CPA 2026 (Section 250)
--- | --- | ---
Offences covered | Listed economic crimes (fraud, false accounting, money laundering) | All criminal offences under UK law
Liability trigger | Failure to prevent fraud by an associated person | Offence committed by a senior manager within authority
Senior manager definition | Not applicable | Broad, includes significant decision-makers and managers
Defences | Reasonable prevention procedures | Limited; conduct outside UK with no liability if organisation not liable
Effective date | Partial from 2023 | June 29, 2026

Limited Defences

The only defence available under Section 250 is where all conduct constituting the offence occurred outside the UK and the organisation would not be liable for that conduct if it were its own. This is a narrow defence, meaning organisations face near-strict liability for senior manager misconduct. Even if the senior manager was not authorised to commit the offence, liability attaches if they acted within their apparent authority.

Industries Most Affected

While Section 250 applies to all UK employers, certain sectors face heightened risk due to the nature of their operations and regulatory scrutiny:

  • Financial Services: Already subject to extensive AML and conduct regulation, but now face liability for any senior manager offence, including market abuse, insider trading, or bribery.
  • Pharmaceuticals and Healthcare: High risk of bribery, data privacy breaches (e.g., GDPR), and health and safety violations. Senior managers in R&D, sales, and clinical trials are particularly exposed.
  • Technology: Rapid innovation cycles, complex supply chains, and global operations increase risks of IP theft, bribery, and data breaches. AI governance failures could also trigger liability.
  • Construction and Engineering: Health and safety offences, environmental violations, and bribery in procurement are common risks.
  • Energy and Natural Resources: Environmental crimes, bribery for permits, and safety breaches in high-risk operations.

Practical Compliance Steps

Organisations should act now to implement a robust compliance program. Below is a step-by-step guide.

Step 1: Conduct a Risk Assessment

Identify the specific criminal offences your organisation is most exposed to. Consider:

  • Industry-specific risks (e.g., bribery in pharma, data breaches in tech)
  • Geographic locations (high-corruption countries, strict environmental laws)
  • Business activities (e.g., public procurement, cross-border transactions)
  • Historical incidents or enforcement actions

Document the assessment and update it regularly.

Step 2: Identify Senior Managers

Map all individuals who meet the broad definition of senior manager. This includes:

  • Board members and C-suite
  • Heads of business units, regions, or functions
  • Project directors, country managers, and other de facto leaders
  • Individuals with significant decision-making authority, even without formal titles

Create a register and review it at least annually.

Step 3: Implement Internal Controls

Design controls to prevent and detect offences by senior managers. Key areas:

  • Delegation of authority: Clear limits on spending, contracting, and decision-making
  • Segregation of duties: Separate approval, execution, and recording functions
  • Monitoring and surveillance: Automated monitoring of transactions, communications, and access logs
  • Whistleblowing channels: Confidential, accessible reporting mechanisms with non-retaliation policies

For continuous monitoring of internal controls, consider platforms like AIGovHub's CCM Module, which connects to ERP systems (SAP, Dynamics 365, Workday, Oracle, NetSuite) to automate controls testing and evidence collection.

Step 4: Provide Training

Train all senior managers on:

  • The scope of Section 250 and their personal liability
  • Organisation-specific risks and red flags
  • How to escalate concerns
  • Consequences of non-compliance

Tailor training to roles and refresh annually. Document attendance and understanding.

Step 5: Strengthen Whistleblowing and Reporting

Enhance whistleblowing channels to ensure:

  • Confidentiality and anonymity options
  • Multiple reporting avenues (online, phone, email)
  • Protection from retaliation
  • Prompt investigation and feedback to reporters

Publicise the channels regularly.

Step 6: Board Oversight and Governance

The board must:

  • Approve the compliance program and risk appetite
  • Receive regular reports on compliance performance and incidents
  • Ensure adequate resourcing for compliance functions
  • Review and challenge risk assessments and internal controls

Consider appointing a senior manager as compliance champion.

Step 7: Conduct Due Diligence on Third Parties

Senior managers may interact with agents, distributors, joint venture partners, and other third parties. Conduct due diligence to ensure they do not facilitate offences. Key steps:

  • Screen against sanctions lists (OFAC, EU, UN) and adverse media
  • Assess corruption risk based on country and industry
  • Include contractual clauses requiring compliance with UK law
  • Monitor ongoing relationships

Geopolitical intelligence tools like AIGovHub's SENTINEL Module can automate sanctions screening and supply chain risk monitoring across 435+ intelligence sources.

Compliance Checklist

  • ☐ Risk assessment completed and documented
  • ☐ Senior manager register created and reviewed
  • ☐ Internal controls designed and implemented
  • ☐ Continuous monitoring tools deployed (e.g., AIGovHub CCM)
  • ☐ Training delivered to all senior managers
  • ☐ Whistleblowing channels enhanced and publicised
  • ☐ Board oversight framework established
  • ☐ Third-party due diligence procedures in place
  • ☐ Incident response plan tested
  • ☐ Compliance program reviewed annually

Common Pitfalls

  1. Narrow interpretation of senior manager: Failing to include de facto decision-makers can leave gaps.
  2. One-size-fits-all training: Generic training may not address specific risks relevant to each senior manager's role.
  3. Inadequate whistleblowing protection: Fear of retaliation silences reporters.
  4. Neglecting third-party risks: Senior managers may use intermediaries to commit offences.
  5. Lack of board engagement: Without board buy-in, compliance programs lack authority.

Frequently Asked Questions

Does Section 250 apply to overseas conduct?

Yes, if the offence has a UK nexus (e.g., committed by a UK senior manager or affecting UK interests). The defence only applies if all conduct occurs outside the UK and the organisation would not be liable if it were its own conduct.

What is the penalty for a conviction under Section 250?

Penalties vary by underlying offence but can include unlimited fines, confiscation orders, and reputational damage. Directors may face disqualification.

How does Section 250 interact with existing failure to prevent offences?

Section 250 is a separate offence that does not replace existing failure to prevent regimes (e.g., bribery, tax evasion). Organisations must comply with both.

Can a senior manager be personally liable?

Yes. Section 250 does not shield individuals; senior managers can still be prosecuted for their own criminal conduct.

When should we start implementing compliance measures?

Immediately. The law takes effect June 29, 2026, but building a robust program takes time. Early action reduces risk.

Next Steps

Section 250 CPA 2026 represents a paradigm shift in UK corporate criminal liability. Organisations that fail to act face significant legal, financial, and reputational consequences. Start by conducting a risk assessment and identifying senior managers. Then, implement controls, training, and monitoring.

To streamline continuous compliance monitoring, explore AIGovHub's CCM Module for automated controls testing and evidence collection, and the SENTINEL Module for geopolitical risk intelligence and sanctions screening. These tools integrate with your existing systems to provide real-time oversight.

For a deeper dive into related compliance topics, see our guides on EU AI Act compliance and AI governance for emerging technologies.

This content is for informational purposes only and does not constitute legal advice.