[co-authors: Evan Lord, Gabi Poskute]
Corporate criminal responsibility in the UK is poised for further reform as the Crime and Policing Bill 2025 (CPB) advances through Parliament. Currently through the House of Commons, and now in the House of Lords, the proposed legislation – if enacted – will significantly broaden the scope of corporate criminal liability introduced through the actions of "senior managers."
This article examines the anticipated amends to the "relevant offenses" that can implicate a corporation if committed by senior managers, the enforcement risks stemming from the CPB, and how an organization can prepare to mitigate these risks.
What’s new? Expanding beyond ECCTA and reforming the identification principle
Under current UK law, if a senior manager acts within the apparent scope of their authority and commits a "relevant offense," the organization may be found guilty of that offense. The "relevant offenses" recently introduced by Schedule 12 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) are limited to economic crimes such as fraud, bribery, cheating the public revenue, and sanctions violations.
However, if enacted, the CPB will repeal the current schedule of relevant offenses and replace it with an equivalent senior manager attribution test applicable to all offenses. Under this provision, a company or partnership is criminally liable if a senior manager commits an offense while acting within their actual or apparent scope of authority.
The statutory test modernizes the common law “directing mind and will” doctrine established in Tesco Supermarkets Ltd v. Nattrass [1972], which narrowly focused on a small group of individuals at the top of an organization. That doctrine was often the subject of criticism by enforcement agencies, particularly when applied to complex corporate structures. The new approach widens the scope by emphasizing the functional role of the individual rather than their title, remuneration, or formal seniority.
The definition of a “senior manager” includes anyone who plays a significant role in either (a) making decisions about how the whole or a substantial part of the organization’s activities are managed or organized or (b) actually managing or organizing those activities. This extends to senior individuals in key business functions such as finance, operations, human resources (HR), compliance, and regional management.
There is no requirement that the senior manager intended their conduct to benefit the company, nor is there a defense based on the existence of reasonable or adequate procedures – unlike the UK's " failure to prevent" offenses (eg, bribery; facilitation of tax evasion; and, from September 1, 2025, fraud). This removes key safeguards and significantly lowers the bar for corporate liability.
Scope of crimes: A broader risk profile
The CPB expands corporate liability far beyond the economic crimes covered by ECCTA. The proposed amendments capture any criminal offense under the law of England and Wales, Scotland, or Northern Ireland, provided it is committed by a senior manager acting within their actual or apparent scope of authority. The offenses under the new provision can be grouped into two broad categories:
1. Organizational or functional offenses: These are offenses that could arise in the course of business operations and are closely tied to the functional responsibilities of senior managers. Examples include environmental offenses, data protection violations, health and safety breaches, modern slavery, and competition law violations. These types of misconduct typically fall within the scope of conduct that a senior manager may ordinarily carry out as part of their role, and are therefore likely – subject to the facts of the case – to be within "the actual or apparent scope of their authority."
2. Personal or individualized offenses: These are offenses that may be entirely personal in nature. Examples include violent crime, driving offenses, sexual offenses, or harassment. The CPB, as drafted, does not distinguish between these two categories of offenses, potentially raising concerns that serious sexual misconduct committed at a work function could potentially be attributed to the company.
These examples underscore the ambiguity surrounding the concept of “actual or apparent authority.” The CPB's current lack of clarity risks exposing companies to liability for conduct that could arguably be personal and unconnected to the organization – creating significant compliance uncertainty. This concern is compounded by the absence of any requirement that the act be carried out with the intention of benefiting the organization.
Without additional legislative clarification or judicial guidance, companies may find themselves liable for a wide range of offenses committed by individuals acting in managerial roles – regardless of motive or benefit.
Enforcement risk
ECCTA has significantly lowered the threshold for establishing corporate criminal liability in the UK, increasing the likelihood of enforcement action against companies. Law enforcement agencies have signaled their intent to pursue corporate prosecutions where senior managers commit offenses.
In addition to the Serious Fraud Office (SFO) – which would generally only prosecute a corporation if the offense is (a) sufficiently complex and (b) there is intention to harm the public, the integrity of the UK as an international financial center, or the economic prosperity of the UK (which typically requires a significant financial impact) – consideration may also be given to the enforcement risk posed by other authorities. This includes His Majesty’s Revenue and Customs (HMRC), particularly in relation to financial offenses such as fraud and cheating the public revenue, as well as broader enforcement by the Police and Crown Prosecution Service.
Mitigating risk
In the absence of a statutory defense, a proactive and well-resourced compliance framework remains key. While these measures do not provide a statutory defense, they may help reduce the risk of misconduct and support more favorable outcomes in investigations or enforcement actions by addressing the public interest surrounding potential criminal actions.
Businesses are encouraged to consider preparatory steps, such as:
1. Conducting comprehensive risk assessments, including identifying senior managers
2. Reviewing and strengthening policies and procedures
3. Improving governance
4. Enhancing staff vetting and monitoring
5. Implementing targeted training programs
6. Strengthening whistleblowing and internal investigation mechanisms
7. Conducting third-party due diligence
8. Auditing and monitoring compliance frameworks
Conclusion
While broad changes proposed by the CPB are not yet in force, senior managers can already expose their organizations to liability for certain economic offenses. Organizations are encouraged to take early, structured, and well-documented action. These steps may be important for managing potential exposure and demonstrating a responsible corporate posture in the face of heightened liability.
[View source.]
