What Is Changing Under the Crime and Policing Act

The Independent has described the Crime and Policing Act 2026 as “the largest criminal justice Bill in a generation”.

Containing more than 70 separate measures, the legislation introduces changes across areas ranging from retail crime and anti-social behaviour to stalking, online harms, and policing powers. For governance professionals, however, one provision stands out above all others: the expansion of corporate criminal liability.

The Crime and Policing Act 2026 marks a significant shift in how regulators, prosecutors, and courts may assess organisational accountability, board oversight responsibilities, and corporate governance compliance.

From 29 June 2026, organisations can face criminal liability for offences committed by a much wider group of senior managers acting within the actual or apparent scope of their authority. In practice, this means businesses may be exposed to criminal liability for conduct that previously would not have been attributed to the organisation itself.

As Jeri-Lea Brown, founder of Sage Governance, explains: "The organisations most exposed under the new regime may not be those with weak intentions, but those with unclear governance structures, inconsistent oversight, or gaps between formal authority and actual decision-making."

For boards, company secretaries, and compliance leaders, the question is whether existing governance frameworks are robust enough to withstand the increased scrutiny that comes with expanded corporate liability.

At a Glance: What Has Changed?

Behind the headlines about crime and policing sits a set of reforms that could have far-reaching implications for businesses. In particular, the Act expands the circumstances in which organisations may be held accountable for criminal conduct and places greater emphasis on effective governance and oversight. The table below highlights the key changes that boards and governance professionals should be paying attention to. 

What Is the Crime and Policing Act?

The Crime and Policing Act 2026 received Royal Assent on 29 April 2026 and introduces a broad package of reforms designed to strengthen law enforcement powers, address anti-social behaviour, improve protections for victims, and modernise aspects of criminal law.

While much public attention has focused on retail crime measures, stalking protections, and public order provisions, the legislation contains one of the most significant changes to corporate criminal liability seen in decades.

At the centre of those changes sits Section 250, which expands the circumstances in which criminal liability can be attributed to a business. Rather than focusing solely on board-level decision-makers, the Act extends liability to a broader group of individuals exercising significant management responsibility. 

That change has implications for corporate governance compliance, governance risk and compliance programmes, director responsibilities UK, and broader organisational accountability.

What Are the Biggest Changes Introduced by the Act?

Not all of the measures in the Crime and Policing Act 2026 carry the same implications for organisations. From a governance and compliance perspective, three changes stand out: the expansion of corporate criminal liability, a broader definition of senior managers, and a significant increase in the circumstances under which organisations may be held accountable for criminal conduct. 

The Expansion of Corporate Criminal Liability

The headline change is the expansion of corporate criminal liability. Previously, prosecutors often needed to demonstrate that an offence was committed by someone representing the directing mind of the organisation, typically a board member, managing director, or equivalent executive.

The Crime and Policing Act 2026 significantly broadens that position. Now, organisations may become criminally liable where a senior manager commits an offence while acting within the actual or apparent scope of their authority.

A Broader Senior Manager Definition

Another critical change is the senior manager definition itself. The legislation focuses less on job titles and more on actual influence and decision-making authority. 

A regional director, operational leader, divisional manager, compliance executive, or functional head may all fall within the definition if they play a significant role in managing a substantial part of the organisation's activities.

In other words, liability follows authority rather than hierarchy. This creates a much wider pool of individuals capable of exposing an organisation to criminal liability.

“Many organisations will discover that the people creating the greatest governance exposure are not necessarily the people sitting around the board table,” says Jeri-Lea Brown.

How Corporate Criminal Liability Has Expanded

For many years, prosecutors faced significant challenges when attempting to hold large organisations criminally responsible. The legal threshold often required demonstrating that the offence could be attributed to the company's most senior decision-makers. The Crime and Policing Act 2026 fundamentally changes that.

The End of the Traditional Attribution Model

The traditional approach to criminal liability for businesses often created practical barriers for prosecutors. Large organisations could avoid prosecution because decision-making authority was distributed across multiple levels of management rather than concentrated in a single individual.

The Crime and Policing Act removes much of that as corporate criminal liability now follows a functional test based on who exercises significant managerial responsibility.

Why This Matters in Practice

Consider a divisional manager overseeing a major operational function. Under previous rules, misconduct committed within that function might not necessarily have been attributed to the company itself.

Under the new Act, that same conduct could potentially trigger corporate liability if the individual meets the senior manager definition and was acting within their authority.

This dramatically increases organisational risk exposure. It also means governance frameworks need to reflect how decisions are actually made rather than how reporting lines appear on an organisational chart.

The Challenge of Apparent Authority

One of the most important aspects of the legislation is the concept of apparent authority. An organisation may face exposure even where an individual exceeded internal instructions if they appeared to possess the authority to act.

This places greater emphasis on governance documentation, delegated authority frameworks, compliance controls, and audit and compliance oversight.

What Risks Could Organisations Face Under the Crime and Policing Act

While much of the expansion of corporate criminal liability has focused on governance and compliance, the practical implications extend into operational decision-making, reporting structures, investigations, and risk management processes. Organisations must now consider whether controls exist and whether those controls are sufficient to prevent conduct that could expose the business to criminal liability. 

Liability Beyond Financial Crime

Most governance teams have historically focused on fraud, bribery and money laundering. The Crime and Policing Act 2026 extends exposure far beyond those areas.

Organisations may now face criminal liability arising from health and safety incidents, environmental breaches, operational misconduct, regulatory failures, and other criminal offences committed by qualifying senior managers acting within the scope of their authority.

That dramatically widens the range of scenarios that boards need to consider when conducting compliance risk management and governance risk and compliance reviews.

The Risk of Hidden Senior Managers

One of the most challenging aspects of the legislation is identifying who actually falls within the senior manager definition. Many organisations focus on titles when assessing accountability. The legislation focuses on influence.

A regional operations director overseeing multiple sites, a head of compliance responsible for regulatory oversight, or a divisional manager controlling a significant business unit may all fall within scope. In practice, identifying who falls within scope may require organisations to look beyond formal job descriptions and assess where meaningful authority is exercised on a day-to-day basis. 

As Partner at BCL, Richard Reichman, commented: "The reform goes significantly beyond targeting genuinely culpable corporates and risks exposing companies to liability in unjust circumstances."

How to Assess Your Organisation's Compliance Readiness

A recent survey of over 2,000 UK firms found that 26% may already be at risk of breaching newer corporate compliance obligations, while 62% of organisations say keeping up with regulatory requirements has become significantly more challenging over the past five years.

Those findings suggest many businesses are already struggling to keep pace with evolving compliance obligations. Against that backdrop, boards should consider several practical questions. 

For groups operating across both the UK and Jersey, the challenge may be even greater. Governance structures, delegated authority frameworks, and reporting arrangements often span multiple entities and jurisdictions. Boards should ensure accountability remains clear across the wider group rather than focusing solely on individual legal entities. 

Review Who Qualifies as a Senior Manager

One of the first steps organisations should take is reviewing who may fall within the Act's expanded senior manager definition. The legislation focuses on the role an individual plays in managing or directing a substantial part of the organisation's activities.

As a result, businesses may find that individuals well below board level fall within scope. Regional directors, divisional leaders, heads of operations, compliance managers, and other functional leaders could all create exposure if they exercise significant decision-making authority.

This can be particularly challenging in larger organisations where authority is delegated across multiple business units. Governance teams should therefore map where real decision-making power sits, rather than relying solely on organisational charts or reporting structures. 

Reassess Your Governance Framework

The Crime and Policing Act 2026 creates a strong case for reviewing existing governance frameworks to determine whether they reflect how decisions are actually made within the organisation.

Many governance structures were designed around traditional assumptions of accountability, where responsibility flowed primarily through executive leadership and the board. The expanded corporate liability provisions require a broader view. Organisations need to be confident that authority, oversight, and accountability are clearly documented across all levels of management.

This review should consider delegation frameworks, committee structures, decision-making processes, and management reporting arrangements. It should also examine whether existing governance documentation accurately reflects operational realities. Where there is a gap between formal authority and actual influence, organisations may face increased compliance and legal risk.

Test Escalation and Reporting Procedures

The ability to identify and escalate potential issues quickly may become increasingly important under the new regime. Organisations should review whether existing reporting channels enable concerns to reach the appropriate decision-makers before they develop into more significant problems.

This includes whistleblowing procedures, incident reporting frameworks, internal investigations processes, and management escalation pathways. The key question is whether the organisation can identify potential misconduct early enough to intervene effectively.

Many organisations have reporting procedures in place, but these are not always tested in practice. Conducting scenario exercises or tabletop reviews can help identify weaknesses in escalation processes and clarify responsibilities during incidents.

Boards should also consider whether they receive sufficient visibility of emerging compliance risks. Effective board oversight responsibilities depend on timely and accurate information. If significant concerns remain within operational teams for too long, the organisation's ability to respond may be compromised.

Evaluate Compliance Culture

Policies and procedures remain important, but culture often determines whether those controls are followed in practice.

The expansion of corporate criminal liability places greater emphasis on the behaviours, attitudes, and decision-making norms that exist throughout an organisation. A strong compliance culture encourages employees and managers to raise concerns, challenge inappropriate conduct, and seek guidance when uncertainty arises.

Conversely, environments that prioritise commercial outcomes over governance and risk management may create conditions where problems go unreported or unresolved.

Organisations should therefore assess whether their compliance culture supports organisational accountability and ethical decision-making. This may involve reviewing training programmes, employee feedback, leadership behaviours, incentive structures, and the effectiveness of speak-up mechanisms.

Ultimately, governance frameworks and compliance controls are most effective when supported by a culture that values transparency, accountability, and responsible decision-making. Under the Crime and Policing Act 2026, that culture may become an increasingly important line of defence against organisational risk exposure.

Governance Actions Organisations Should Take Now

With the new provisions taking effect from 29 June 2026, organisations have a limited window to review whether existing governance arrangements remain fit for purpose. 

While every organisation's risk profile will differ, there are several practical actions that boards and governance teams should prioritise.

Map Decision-Making Authority

Many organisations have clear reporting structures on paper, but less clarity around where decisions are actually made in practice. The expanded senior manager definition means governance teams need a detailed understanding of who exercises significant managerial responsibility across the business.

This review should go beyond board members and executive leadership. Operational leaders, regional directors, divisional heads, and functional managers may all fall within scope if they play a significant role in directing a substantial part of the organisation's activities.

Understanding where authority sits is the foundation for effective compliance risk management and organisational accountability.

Review Delegations and Oversight Mechanisms

Delegations of authority should accurately reflect how decisions are made and where accountability rests. Organisations should assess whether existing governance frameworks provide sufficient oversight of higher-risk activities and whether reporting lines remain appropriate under the expanded liability regime.

This may involve reviewing committee structures, escalation protocols, approval authorities, and management reporting arrangements. The goal is to ensure that governance structures support effective oversight rather than simply documenting it.

Update Risk Assessments

Existing risk assessments often focus heavily on financial misconduct. Under the new Act, boards may also need to consider operational, regulatory, environmental, and health and safety risks that could create corporate liability exposure. 

Risk assessment procedures should consider areas such as health and safety, environmental compliance, operational misconduct, and other criminal offences that could now expose the organisation to corporate criminal liability.

The objective is not to predict every possible scenario but to understand where the organisation's most significant areas of exposure may exist and whether appropriate compliance controls are in place.

Strengthen Training and Awareness

The legislation reinforces the importance of ensuring that senior managers understand their responsibilities and the potential consequences of their actions.

Targeted training should focus on governance responsibilities, decision-making authority, reporting obligations, and the practical implications of the Act. This is particularly important for managers who may not previously have considered themselves part of the organisation's governance framework.

Training also provides an opportunity to reinforce organisational expectations around conduct, accountability, and compliance culture.

Prepare for Investigations and Escalations

The ability to respond quickly and effectively to potential misconduct may become increasingly important.

Organisations should review internal investigation procedures, whistleblowing arrangements, and escalation protocols to ensure they can identify, assess, and respond to issues before they develop into larger compliance or legal challenges.

This includes clarifying who should be informed, when external advisers should be engaged, and how significant incidents should be reported to the board.

As Jeri-Lea Brown explains: "The organisations best positioned for the new Act will be those that treat governance as an operational discipline rather than a compliance exercise. Clear accountability, effective oversight, and timely reporting become even more important when liability follows decision-making authority."

What the Crime and Policing Act Means for Governance Going Forward

Few pieces of legislation alter the practical boundaries of corporate accountability. The Crime and Policing Act 2026 is one of them. 

For many years, criminal liability was often viewed as a relatively remote risk for large organisations unless misconduct could be linked directly to the board or executive leadership. The new Act challenges that assumption.

Governance Must Reflect Operational Reality

One of the most significant consequences of the Act is that organisations may need to rethink how accountability is distributed across the business. Regulators and prosecutors are increasingly interested in where decisions are actually made, who exercises influence, and how oversight is maintained across the organisation.

This places greater emphasis on governance documentation, delegated authority frameworks, and board oversight responsibilities. Organisations that rely on outdated structures or unclear accountability arrangements may find themselves exposed to risks that were previously overlooked.

Corporate Liability Is No Longer a Specialist Issue

Historically, discussions around corporate criminal liability often sat within legal, compliance, or risk functions. The Crime and Policing Act 2026 brings those conversations into the boardroom.

The legislation highlights the connection between governance and risk management, organisational culture, compliance monitoring, and operational decision-making. In practice, preventing misconduct is no longer solely the responsibility of compliance teams. It requires engagement from leadership across the organisation.

This is one reason many governance professionals view the Act as a significant development in the evolution of corporate governance compliance.

Culture Will Matter More Than Ever

The legislation also reinforces the importance of culture as part of an effective governance framework.

Policies, procedures, and internal controls remain essential, but they are most effective when supported by leadership behaviours that promote accountability, transparency, and responsible decision-making.

Organisations with strong compliance cultures are generally better positioned to identify emerging risks, challenge inappropriate conduct, and respond quickly when issues arise.

Those cultural factors may become increasingly important as regulators place greater emphasis on organisational accountability and corporate misconduct prevention.

A New Governance Reality

The broader significance of the Crime and Policing Act 2026 is that it changes how organisations should think about risk.

Corporate criminal liability is no longer confined to a narrow group of individuals at the top of the organisation. It now extends to a wider range of decision-makers whose actions can create consequences for the business as a whole.

For businesses looking to assess their readiness, Sage Governance provides corporate governance and outsourced secretarial support to help organisations strengthen oversight, improve compliance processes, and navigate emerging regulatory requirements while maintaining strong governance standards. 

FAQs

Does the Crime and Policing Act 2026 apply only to large organisations?

No. The corporate liability provisions can apply to organisations of different sizes. The key consideration is not the size of the business, but whether a qualifying senior manager committed an offence while acting within the actual or apparent scope of their authority. Smaller organisations may have fewer management layers, but they are not automatically exempt from the new rules.

How is a senior manager defined under the Crime and Policing Act 2026?

The legislation focuses on an individual's role and level of influence rather than their job title. A senior manager is generally someone who plays a significant role in managing or directing a substantial part of the organisation's activities. Depending on the structure of the business, this could include operational leaders, regional directors, divisional managers, or heads of function, not just board members and executives.

What should boards do to prepare for the new corporate liability provisions?

Boards should review governance frameworks, delegated authority structures, reporting lines, and escalation procedures to ensure they accurately reflect how decisions are made in practice. It is also important to identify who may fall within the senior manager definition, assess organisational risk exposure, and ensure compliance and training programmes remain fit for purpose under the new regime.