Shadow senior managers and apparent authority – the new challenge for compliance teams

On 29 June 2026, s.250 of the UK’s Crime and Policing Act (CPA) came into force, and going forward corporates and partnerships may find themselves liable for any offences committed by senior managers who were acting within the actual (or apparent) scope of their authority.

In the past, corporate criminal liability required the offender to be the “directing mind and will” of the corporate, such as a C-suite individual. This was in practice a difficult test for prosecutors to satisfy, particularly in organisations where the making of routine decisions sits below C-suite level. 

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) sought to move away from that problem by making organisations potentially liable for certain economic crimes, such as fraud and money laundering, committed by their senior managers (s.196-8). 

The UK has on 29 June 2026 travelled much further down the path of attributed corporate liability. Organisations are now potentially liable for all criminal offences, not only economic crimes. No defence is given: no matter how impressive may be the organisation’s procedures, corporate liability can nonetheless arise under CPA s.250.

CPA s.250 provides that:

• if a senior manager of an organisation, acting within the actual or apparent scope of their authority, commits any offence, the organisation also commits the offence, save that
• an organisation does not commit that offence if:
  • all of the offence occurs outside the UK, and
  • the organisation would not commit the offence if that conduct were the organisation’s.

 ECCTA s.196-8 is revoked by CPA s.250. 

So, who is a senior manager acting within the scope of their actual or apparent authority, and what might they do?  As to the former, the CPA is clear that the definition is functional, irrespective of job title. In the CPA, a senior manager is someone who plays a significant role in making decisions about how the whole (or a substantial part) of the organisation’s activities are to be managed/organised, or who wholly or substantially manages/organises such activities.

This leaves many questions for compliance teams to ponder.  Assuming that it is clear what the organisation’s “activities” are, what does it mean to have a “significant” role in making decisions about them? What comprises a “substantial” part of those activities and what is it to play a substantial part in organising/managing that? What conduct could potentially create criminal offences during such activity, mindful of offences relating not only to bribery and corruption laws but also to data protection, sanctions, human rights, environmental and indeed all other legislation?  Who within the organisation is authorised to do such things, and how much does that even matter, if the key question turns out to be not whether those staff had such authority – but whether other people thought that they did? This gives rise to complex and detailed decisions to be factored into risk assessments in a way that hasn’t yet been tested. 

Organisations may also need to consider if they are insured for the costs of defending allegations that the organisation has attracted liability under s.250 CPA, and if that insurance captures the new functional definition of senior manager, or is limited to acts authorised by directors and officers. Already organisations are discovering the cost in both time and money of responding to allegations which are low in merit but high in volume and frequency, as those of a vexatious nature experiment with the capabilities of AI to generate compliance complaints. 

Equally, Insurers will also need to consider how, to whom and to what extent they provide cover for such defence costs and how s.250 CPA affects their own risk assessments both internally and in terms of coverage options. 

There are many unknowns posed by the CPA, but what is clear is that it requires compliance teams to consider a new question: who are our functional senior managers as defined in the CPA, and what activities might they appear, to those outside our organisation, to be authorised to do, even if only in part? 

We have already seen prosecutors and the courts grapple with the concept of the directing mind and will of the company, with cases such as The SFO vs Barclays PLC [2018] EWHC 3055 (QB) underlining the importance of forensically assessing the level of authority and discretion required to result in corporate attribution. The CPA now creates a further question, who is a senior manager?  Assessing the activity of senior managers including ‘shadow senior managers’ may turn out to be the biggest challenge compliance teams have seen in recent years, and only time will tell if the senior manager test proves to be more straightforward than its directing mind and will predecessor. 

For questions on the issues raised in this article, contact Anousheh Bromfield, Yolanda McCarthy, or Toby Lamarque.