Taxi for “directing mind and will”! A suitable vehicle has arrived: the Crime and Policing Act 2026

From 29 June 2026, the Crime and Policing Act 2026 (“CPA”) significantly expands corporate criminal liability in the UK.

Companies and partnerships may now be held liable for any criminal offence committed by a senior manager acting within the actual or apparent scope of their authority, regardless of where the entity is incorporated.

In practice, as we discuss in this note, application of the attribution test is not as straightforward as advertised and the likelihood of prosecution will depend heavily on the application of public interest factors.

The Identification Doctrine: A Brief Overview

For over a century, corporate criminal liability for offences requiring mens rea has been governed by the identification doctrine, under which a company is only liable for the acts of those who constitute its “directing mind and will”, typically members of the board. The doctrine derives from Lennard’s Carrying Co v Asiatic Petroleum [1915] AC 705 and was affirmed by the House of Lords in Tesco v Nattrass [1972] AC 153.

In modern corporate structures, this approach created real difficulty. Decision-making is often decentralised and exercised through committees and layers of management, making it challenging to identify a single individual whose conduct and knowledge can be attributed to the company.

The failed prosecution of Barclays [2018] EWHC 3055 (QB) (applying Tesco) highlighted this problem. The court held that authority for the relevant capital raising transaction lay with board committees rather than individual executives, meaning the charged CEO and CFO were not the directing mind. The case was widely criticised for setting too high a bar for corporate attribution.

Following the enactment of two failure to prevent offences which worked around reform to the identification doctrine, amendments included in the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) marked the first significant legislative reform in this area. The ECCTA introduced two key developments:

1. Failure to Prevent Fraud
   A new strict liability offence applicable only to “large organisations”, where the company failed to prevent its associated persons from committing specified fraud offences, aimed at improving corporate fraud controls and culture.
2. Statutory Attribution for Economic Crime
   • It created a new attribution test for certain economic offences (such as money laundering, fraud, bribery and tax evasion), under which a company is liable if a senior manager commits an offence within the scope of their authority.
   • This shift moved the analysis away from formal status and towards the functional role of individuals within the business.
   • The Director of the Serious Fraud Office described this reform as the most significant boost to its ability to prosecute economic crime in over a decade.

The Crime and Policing Act 2026: Expansion to All Offences

The Government intended to extend the identification doctrine to all UK offences “when a suitable legislative vehicle arises”. The CPA is that legislative vehicle. Simply put, the attribution provisions in the CPA have replaced the provisions in ECCTA so that the statutory identification doctrine is extended to all UK offences.

The prosecution must show that:

• the offence was committed by a “senior manager”, defined by their role in managing or organising a substantial part of the business; and
• the conduct fell within their actual or apparent authority, concepts drawn from the common law of agency.

Actual authority reflects how authority is genuinely conferred and exercised within the company. Apparent authority extends to what a third party would reasonably understand that authority to be.

These concepts are familiar in civil law but remain largely untested in the criminal context. Their application is therefore likely to generate litigation, particularly in cases involving delegated decision-making. It is also unclear how far reliance on “apparent authority” will overcome the challenges seen in cases such as Barclays, where corporate delegated authority structures were clearly delineated and communicated to the other party.

The reforms will apply most readily to traditional corporate offending (for example, economic crime, regulatory breaches, data protection and computer misuse offences), but they potentially extend further. In principle, liability could arise in relation to non-financial misconduct (such as sexual offences) where sufficiently connected to a senior manager’s function.

Will the reforms lead to more companies being prosecuted?

The extension of the identification doctrine should, in theory, make it easier to prosecute companies – where there is the appetite and it is in the public interest to do so.

Importantly, unlike the failure to prevent offences:

• All organisations are in scope regardless of size;
• There is no statutory compliance procedure defence; and
• There is no requirement to show corporate benefit.

The offences that are available to be settled by a Deferred Prosecution Agreement have not been expanded (remaining those specified in Schedule 17 of the Crime and Courts Act 2013), and therefore there is no means for a company through self-reporting and co-operation to obtain a quicker resolution to an investigation.

While there are good reasons, and plenty of precedent for a company to be prosecuted through the (unreformed) identification doctrine for economic crimes, environmental or health and safety offences – the case for extending corporate attribution into other offences, such as non-financial misconduct type offences, is less obvious.

Should a senior manager commit an offence within the scope of their role, the question arises in what circumstances would a company to be charged with an offence? The CPS and SFO published updated Corporate Prosecution Guidance in August 2025 in the context of the ECCTA reforms (the “Guidance”). The Guidance provides little certainty on how the attribution terms will applied and, for instance, did not deal with how “actual and apparent” authority should be interpreted.

In practice, the likelihood of prosecution will depend heavily on public interest factors. Relevant considerations are likely to include:

• The adequacy of the company’s compliance programme and training especially on conduct and culture at the time of the offending;
• The existence of prior warnings, systemic issues and whether a blind-eye was turned to obvious failings and risks
• The effectiveness of whistleblowing and escalation processes, especially including any retaliation or suppression of warnings;
• Whether misconduct was reported promptly and addressed appropriately;
• A significant level of benefit was obtained or harm was caused, directly or indirectly, to the victims of the wrongdoing or a substantial adverse impact to the integrity or confidence of markets.
• • While attribution has been broadened, prosecutorial discretion remains highly relevant.

What should companies do to protect themselves?

With the coming into force of the Employment Rights Act, April has been a busy time for employers to assess their employment policies and practices (and see the SMB briefing here). In light of these reforms, organisations should reassess governance and risk through a practical lens, with particular focus on senior managers.

Key steps include:

• Mapping senior management roles and delegated authority structures in practice;
• Strengthening training, culture and oversight of conduct;
• Ensuring whistleblowing procedures are effective and acted upon; and
• Responding decisively to identified issues.

Ultimately, a company that is able to point towards an effective compliance programme with a message of “zero tolerance” for workplace misconduct (and which it demonstrably enforces) will be in a better place, if a senior manager commits an offence within the scope of their role, to argue that it would not be in the public interest for it also to be prosecuted.

For in-house legal teams and senior management, the message is clear – the boundary of corporate criminal liability now tracks how authority is exercised in practice, rather than how it is formally structured.