On 29 June 2026 — 22 days from now — Section 250 of the Crime and Policing Act 2026 comes into force. It passed through Parliament almost without comment, buried at the end of a lengthy piece of legislation. That silence was deceptive. This is the most significant expansion of corporate criminal liability in a generation, and if you are a CFO or finance director, it lands squarely on your desk.
Here is the core shift: previously, to prosecute a company for a criminal offence, the Crown had to show that the person who committed the crime was the “directing mind and will” of the organisation — effectively a board-level director whose acts could be identified with the company itself. That test was widely criticised as too narrow. Large organisations, with complex governance and delegated authority, could shield themselves from corporate prosecution even when serious wrongdoing had occurred at a senior level.
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) took a first step, introducing a “senior manager” attribution test for a defined list of economic crimes — bribery, fraud, money laundering. The Crime and Policing Act 2026 tears up that limited list. From 29 June, the senior manager attribution model applies to every UK criminal offence.
What the New Regime Actually Says
The mechanism is straightforward, and its simplicity is part of what makes it so far-reaching. If a senior manager of a company or partnership commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation is also guilty of that offence.
No carve-outs. No safe harbours. No “reasonable procedures” defence of the kind available under the failure-to-prevent regimes in the Bribery Act 2010 and the Criminal Finances Act 2017. Under those regimes, a company could defend itself by demonstrating that it had adequate procedures to prevent the misconduct. The Crime and Policing Act provides no equivalent exit. Even a company with exemplary compliance frameworks can be found guilty if a senior manager commits an offence within the scope of their authority.
As Slaughter and May’s analysis puts it bluntly: “It will mean that companies and partnerships can be held criminally liable for any offence committed by a senior manager, acting within the actual or apparent scope of their authority — and does so without any of the safeguards associated with the ‘failure to prevent’ offences.”
Who Counts as a “Senior Manager”?
The definition is unchanged from ECCTA, which is deliberate — but that does not make it simple. A senior manager is someone who plays a “significant” role in either the decision-making relating to, or the actual managing or organising of, the whole or a substantial part of an organisation’s activities.
This is a functional test, not a title-based one. CFOs are squarely in scope. So are heads of finance, senior finance directors, regional managing directors, and heads of substantial business divisions. As Pinsent Masons notes, in practice this could extend well below the board in decentralised organisations.
The critical implication: the wider and more complex your organisation, the harder it is to map who is a “senior manager” with confidence — and the harder it is to control every action they take within their apparent authority.
The Scope of Offences Is Genuinely Unlimited
This is where the legislation gets uncomfortable. The Act draws no distinction between business-related offences and more personal types of wrongdoing. Travers Smith’s commentary identifies specific new corporate exposure scenarios:
- A CFO who makes false statements about a company’s accounts exposes the company to corporate criminal liability for that act — it falls squarely within a CFO’s actual authority.
- A senior manager who trades on inside information received in the course of their role could expose the company to insider dealing liability under the Criminal Justice Act 1993.
- A supply chain director who knowingly overlooks modern slavery violations in a subcontractor could expose the company under the Modern Slavery Act 2015.
- Workplace harassment or assault by a senior manager, occurring in the context of their managerial role, could in principle trigger corporate liability.
Prosecutors are not required to show that the offence was committed for the company’s benefit. As Skadden’s analysis highlights, even where the company is the victim of a senior manager’s fraud, the company could theoretically face criminal exposure under the new model. This contrasts starkly with the US “respondeat superior” doctrine, which at least requires intent to benefit the organisation.
The CFO Exposure Is Direct and Specific
For CFOs specifically, the risk profile changes materially from 29 June. Consider these scenarios:
Financial reporting: A CFO who signs off on misleading accounts — whether involving revenue recognition, asset valuation, or off-balance sheet treatment — commits an offence under the Companies Act 2006. From 29 June, that act within the CFO’s authority is also the company’s act.
Tax positions: Deliberate misrepresentation in a tax return, or knowingly facilitating tax evasion, by a senior finance manager triggers corporate liability without any need to show board awareness. HMRC already has extensive powers; the Act adds a new prosecutorial route.
Regulatory filings: False or misleading statements to regulators — the FCA, the Pensions Regulator, Companies House — made by a senior manager within their role now expose the company directly.
The key point is not that these risks are new in substance. They existed before. What changes is that the prosecution route becomes markedly simpler. Prosecutors no longer need to trace conduct to the very top of the organisation.
The Deferred Prosecution Agreement Gap
One practical complication deserves attention. Freshfields’ commentary flags that the list of offences eligible for Deferred Prosecution Agreements (DPAs) has not been expanded alongside the new regime. DPAs remain largely confined to economic crimes — fraud, bribery, money laundering. For the many new offences now in scope under the CPA, there is no DPA option.
That matters because DPAs have been the preferred resolution mechanism for corporate criminal conduct in recent years. Prosecutors and companies alike favoured them: they avoid contested prosecution while delivering financial penalties and compliance outcomes. Without that middle ground for newly in-scope offences, prosecutors face a binary choice — full prosecution or no action. This cuts both ways. Some prosecutors may be more cautious. Others, particularly where reputational or public interest considerations weigh heavily, may press forward. It would be unwise to assume the latter.
What Boards and CFOs Must Do Before 29 June
Robust compliance frameworks do not provide a legal defence under this Act. But they remain essential — both to prevent misconduct arising in the first place, and because prosecutorial discretion (the Full Code Test) will weigh heavily the quality of a company’s governance when deciding whether to prosecute. Eversheds Sutherland’s guidance sets out a practical approach:
- Map your senior managers. Identify, functionally and honestly, every individual who falls within the definition. Err on the side of inclusion. For finance functions, that means finance directors, heads of reporting, heads of treasury, and regional finance leads in decentralised structures.
- Expand your risk register. Risk assessments previously focused on economic crime now need to cover the full spectrum of criminal conduct capable of being committed within managerial authority — including regulatory filings, environmental obligations, supply chain obligations, and data protection.
- Review governance and delegation frameworks. Document how decisions are actually made, not how they are supposed to be made on paper. Apparent authority matters — if a senior manager regularly acts outside their formal remit without challenge, that becomes relevant to scope of authority.
- Strengthen senior management due diligence. Vetting at appointment is not enough. The Act creates an incentive for ongoing monitoring of senior personnel — behavioural, regulatory and integrity indicators.
- Brief your board and audit committee now. The June 29 date is fixed. Boards need to understand the shift before it happens, not after an incident.
The Bottom Line
The Crime and Policing Act 2026 is not a theoretical shift. It fundamentally changes the calculus for corporate prosecution in the UK, and it does so in a way that makes CFOs and senior finance leaders a direct point of exposure. The message to prosecutors is: you no longer need to prove that the board directed the conduct. If a senior manager did it, and it was within their authority, the company is in the frame.
Twenty-two days is not a long time to reconfigure governance frameworks, risk registers and compliance training. But it is enough time to start — and the cost of inaction, as always in criminal law, is asymmetric. The downside of a criminal conviction includes not just fines, but reputational damage, regulatory scrutiny, shareholder litigation, and in some sectors, debarment from public procurement.
If you want to understand how the Crime and Policing Act 2026 affects your organisation’s governance structure, tax positions, or financial reporting obligations, contact Mark Hendy at Tanous for a direct assessment.
