Beyond ECCTA: The Next Phase of Corporate Criminal Liability Reform

Most boards and compliance teams spent the past two years focused on the Economic Crime and Corporate Transparency Act 2023. They were right to. ECCTA introduced a new way of holding organisations criminally accountable for the acts of their senior managers in the context of economic crime, and it demanded a significant response from businesses across every sector.

What received rather less attention was Section 250 of the Crime and Policing Act 2026. Although it attracted relatively little attention during its passage through Parliament, it may have significant implications for corporate criminal liability.

That is partly understandable: it is tucked near the end of a lengthy piece of legislation and attracted few headlines on its passage through Parliament. However, the provision has the potential to expand the attribution model introduced by ECCTA beyond the economic crime context and into a much broader range of criminal offences.

Section 250 takes the attribution model that ECCTA applied to economic crime and extends it across the criminal law more generally. It contains no equivalent of a reasonable procedures defence, and the definition of senior manager is broad enough to capture a significant number of individuals below board level who may not yet appreciate that they are potentially within scope.

This briefing sets out what the provision does, who it affects, and what organisations should be considering now.

In this article, we'll cover:

• What Section 250 does and how it differs from ECCTA
• The statutory wording and what it means in practice
• Who qualifies as a senior manager
• Why growing businesses face particular exposure
• What organisations should do now

Key Takeaways

• Section 250 of the Crime and Policing Act 2026 comes into force on 29 June 2026.
• It extends the senior manager attribution model, introduced for economic crime by ECCTA 2023, to any criminal offence under the law of England and Wales, Scotland or Northern Ireland.
• Where a senior manager commits a qualifying offence within the actual or apparent scope of their authority, the organisation also commits that offence and may be convicted accordingly.
• Unlike the ECCTA failure-to-prevent regimes, Section 250 contains no reasonable procedures defence, though compliance remains relevant to enforcement decisions.
• The definition of senior manager is functional, not tied to job title, and will capture many individuals below board level.
• Conduct occurring on or after 29 June is immediately in scope.

Background: From the Identification Doctrine to ECCTA to the CPA

To understand why Section 250 matters, it helps to understand what it replaces.

For most of the twentieth century, corporate criminal liability in England and Wales rested on the identification doctrine: a company could only be found guilty of a criminal offence if the offending individual was the directing mind and will of the company, typically a board director or very senior executive. In large, decentralised organisations, that threshold proved consistently difficult for prosecutors to meet.

The Economic Crime and Corporate Transparency Act 2023 made the first significant break with that tradition. Section 196 of ECCTA introduced a new statutory attribution model for a defined list of economic crimes, including fraud, false accounting and related offences, under which liability could be established if a qualifying senior manager had committed the offence within the scope of their authority, without any need to prove board-level involvement. The identification doctrine was not abolished; ECCTA simply created an alternative statutory route, confined to economic crime.

Section 250 of the Crime and Policing Act 2026 takes that same attribution model and extends it across all criminal offences. It repeals and replaces Section 196 of ECCTA. The result is a single, broadly applicable statutory rule: if a senior manager commits any criminal offence while acting within the actual or apparent scope of their authority, the organisation also commits that offence.

Section 250 passed through Parliament quietly, attracting little attention, tucked near the end of a lengthy piece of legislation. If interpreted broadly by the courts, the provision has the potential to significantly expand the circumstances in which organisations may face criminal liability for the acts of senior decision-makers.

What the Legislation Actually Says

The statutory wording of Section 250(1) is direct: where a senior manager of a body corporate or partnership acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence.

There is one express exception. Under Section 250(2), an organisation does not commit an offence where all of the conduct constituting the offence occurs outside the United Kingdom and the organisation would not have committed the offence if that conduct were its own rather than the senior manager's. That carve-out is narrow, and international businesses should not assume it provides meaningful protection for cross-border operations.

The provision applies to bodies corporate, including companies incorporated outside the United Kingdom, as well as to partnerships and LLPs.

The no-benefit position and a consequence worth noting

Unlike corporate liability regimes in some other jurisdictions, Section 250 does not require that the offence be committed for the benefit of the organisation. The consequence is one that boards may not immediately anticipate: if a senior manager fraudulently diverts company funds into their own account, the organisation could potentially face liability for that fraud even though the company is itself the victim. Whether prosecutors would pursue such a case is a separate question, but the exposure exists on the face of the provision.

Apparent authority

The extension to apparent authority is worth examining carefully. An organisation may be exposed even where the senior manager was acting outside what they were formally authorised to do, if their position gave the impression to others that they had that authority. The Explanatory Notes to the Act confirm that this does not require the senior manager to have been authorised to commit the offence itself: it is sufficient that the act was of a type they were authorised to undertake, or which would ordinarily be undertaken by a person in their position. This concept is well established in civil law, particularly in the law of agency, but its application in a criminal context is untested. How courts will approach it under Section 250 will emerge through enforcement and litigation over time. Organisations with loose or poorly documented governance around authority levels carry more exposure on this point than those with clear delegation frameworks.

No reasonable procedures defence, but compliance still matters

Unlike the failure-to-prevent offences under the Bribery Act 2010, the Criminal Finances Act 2017 and the ECCTA fraud regime, Section 250 provides no statutory reasonable procedures defence. This is a point many boards will not yet have absorbed, having grown accustomed to the ECCTA framework.

The absence of a statutory defence does not make compliance irrelevant. Even where there is sufficient evidence to proceed, prosecutors must still satisfy the public interest test before bringing a corporate prosecution. The Joint SFO-CPS Corporate Prosecution Guidance sets out factors bearing against prosecution, including a proactive approach by management, self-reporting, remedial action and the absence of a history of similar conduct. Good governance is not a legal shield under Section 250, but it remains directly relevant to whether a prosecution is brought at all.

The Scope of Potential Exposure

The provision is not limited to any category of offence. Any criminal offence capable of being committed by a corporate entity is potentially in scope, subject to the senior manager test and authority requirements being met.

The offences most likely to be relevant across different sectors include environmental offences under the Environmental Protection Act 1990 and the Environmental Permitting Regulations 2016, health and safety offences, sanctions breaches and modern slavery offences. Data protection requires a specific note: regulatory breaches under the UK GDPR do not of themselves give rise to criminal liability. Criminal liability under data protection legislation arises in more specific circumstances, for example under Section 170 of the Data Protection Act 2018, which concerns the unlawful obtaining or disclosing of personal data. Boards should not treat those two regimes as interchangeable when assessing exposure.

Health and safety is worth addressing separately. The Corporate Manslaughter and Corporate Homicide Act 2007 has historically presented real evidentiary hurdles for prosecutors, with prosecutions remaining rare. Section 250 may now offer an alternative route. If a senior manager whose role encompasses responsibility for workplace safety commits gross negligence manslaughter while acting within their actual or apparent authority, that offence could be attributed to the organisation without the need to satisfy the CMCHA's specific requirements. For businesses with operational or site-based functions, this warrants careful consideration.

Who Counts as a Senior Manager?

The definition is carried over unchanged from Section 196 of ECCTA. It captures any individual who plays a significant role in the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or in the actual managing or organising of those activities.

The test is functional. Job title and salary grade are not determinative. What matters is the substance of the role: whether the individual exercises meaningful decision-making authority over a substantial part of the business.

In practice the relevant population almost always extends below board level. Divisional managing directors, country managers running material markets, regional heads with genuine operational authority and heads of major business functions are all capable of meeting the definition depending on the actual scope of their role. In global businesses, a country manager responsible for a significant jurisdiction may qualify regardless of where they sit in the corporate hierarchy. When organisations map this properly, the list of individuals who satisfy the statutory test typically turns out to be considerably longer than a first reading of the org chart would suggest.

Whether any particular individual qualifies will require a fact-specific assessment. The concepts of significant role and substantial part are not defined in the legislation, and until tested in proceedings some interpretive uncertainty will remain.

Why This Matters for Growing Businesses

Established businesses with mature governance structures may find this relatively straightforward to map. The harder question arises in businesses that have grown quickly.

In scale-ups and founder-led businesses, authority is often delegated well before governance structures catch up. A country manager hired to run a new market may have wide operational discretion, full control of a local P&L, and the ability to make decisions that bind the organisation, without ever having been formally documented in a delegation framework. Under Section 250, that individual may well qualify as a senior manager regardless of how their role is described internally.

The same issue arises in divisional structures. As businesses grow, divisional heads and functional leaders take on genuine decision-making authority over substantial parts of the business. They may manage significant teams, hold external-facing authority, and make commitments on behalf of the organisation. Whether they appreciate that they are potentially in scope under a new corporate criminal liability regime is a different matter.

The gap between how a business thinks about its governance structure and how that structure actually operates in practice is exactly the territory Section 250 is designed to reach. An organisation that assumes only the board carries this kind of exposure is likely to be wrong. For businesses planning rapid expansion, or those already operating across multiple jurisdictions with distributed leadership, it is worth reviewing this now rather than retrospectively.

Cross-Border Considerations

The provision applies to offences under the law of England and Wales, Scotland or Northern Ireland and extends to bodies corporate incorporated outside the United Kingdom. A non-UK company with operations or senior managers active in the UK may be within scope if a qualifying offence is committed here, or if the underlying offence has extraterritorial reach. The Explanatory Notes clarify that the territorial carve-out is designed to ensure a company based and operating entirely overseas is not exposed simply because the senior manager happens to be subject to UK extraterritorial jurisdiction, for example because they hold British citizenship. International businesses should not assume the provision is otherwise limited to UK-incorporated entities.

What Boards Should Do

Map your actual senior managers using the right test. The starting point is not the org chart. The question is which individuals can bind the company, set strategy for a division or make significant operational decisions without board sign-off. That population is almost certainly larger than the board itself, and mapping it accurately is the essential first step.

Widen the risk picture beyond financial crime. Many organisations have spent the last two years calibrating their compliance frameworks around the ECCTA economic crime perimeter. Section 250 displaces that perimeter. Risk assessments need to cover the full range of criminal exposure relevant to the business, with particular focus on areas where senior managers exercise meaningful operational authority.

Review your governance and delegation frameworks. The apparent authority element of Section 250 will focus attention on how authority is documented and communicated internally and externally. Clear delegation matrices, properly maintained, reduce the risk of unanticipated gaps.

Review your management liability insurance coverage. The interaction between Section 250 and existing D&O insurance is not straightforward. Criminal liability provisions vary across policies, and the absence of a reasonable procedures defence makes the coverage question more pressing than under the ECCTA failure-to-prevent regime. Policy wording and exclusions should be reviewed with your insurance advisers.

Train the right people. Updating generic training across the business is useful but insufficient. The more important task is ensuring that the individuals who meet the senior manager definition understand both the personal and corporate dimensions of this liability, and that your escalation and reporting procedures give them clear routes to raise concerns.

Looking Ahead

Section 250 materially widens the basis on which organisations can face criminal prosecution in the UK. The shift from a regime focused on economic crime to one covering all criminal offences is significant, and it applies to a broader group of people than many organisations will currently have in mind.

How the provision will be applied in practice, and where the courts will draw the line on questions like apparent authority and the senior manager threshold, remains to be seen. Prosecutors have not yet tested the ECCTA senior manager regime in proceedings, and Section 250 will take time to develop through enforcement. That uncertainty cuts both ways: there is no immediate wave of prosecutions to prepare for, but there is also no established body of case law to rely on for comfort.

What organisations can do is ensure their governance structures, risk frameworks and delegation arrangements reflect the reality of how their business actually operates, not just how it looks on paper. For many businesses, that is a useful exercise regardless of Section 250. The Act simply adds a new reason to do it now.

If you would like to discuss what Section 250 means for your organisation, please contact Karine Ahton or the Biztech Lawyers team.

This briefing is intended as general guidance only and does not constitute legal advice. The application of Section 250 will depend on the specific facts and circumstances of each organisation. Biztech Lawyers accepts no liability for reliance on this briefing without specific legal advice.