Date of publication
30 June 2026

From 29 June 2026, UK law makes companies liable for any criminal offence by a “senior manager” acting within their actual or apparent authority. Coupled with the new EU Directive on combatting corruption (the Directive) - which sets minimum rules, including on holding companies criminally responsible for corruption offences - corporate criminal liability regimes are expanding, and with them legal risk for companies. How this impacts compliance systems will be a key consideration for ethics and compliance professionals going forward.

The evolution of corporate criminal liability in the UK

The need to identify who within the company can be held responsible for its actions is a longstanding feature of UK law. Until recently, this required identifying those who represent the company’s “directing mind or will”, that is, those who are “entrusted with the exercise of the powers of the company” (the identification doctrine).

Reforming the identification doctrine is something Transparency International UK and others have long advocated because it has proved tough to hold a company liable based on this test alone, especially with the onset of decentralised decision-making. 

The UK Bribery Act introduced a novel model for secondary liability through the ‘failure to prevent’ offence in part to address limitations of the identification doctrine. This established the principle that a company has a legal duty to prevent bribery by “associated” persons, being individuals and entities providing “services for or on behalf of” the company. As a strict liability (no fault) offence, prosecutors don’t need to evidence criminal intent and company personnel don’t need to authorise or even know about the bribe.

The ‘failure to prevent’ model has proved a more effective tool for prosecutors, and has been extended to certain other offences. However, the narrow identification doctrine remained a hurdle to direct liability. Even the CEO of a large company was found not to represent the company’s directing mind or will in a major corporate fraud case in 2018.

In 2023, the Economic Crime and Corporate Transparency Act updated the legal trigger for direct liability, drawing on the “senior management” test in the Corporate Manslaughter and Corporate Homicide Act 2007 to make companies liable where a company’s “senior manager […] acting within the actual or apparent scope of their authority” commits certain economic crimes, including bribery, fraud and tax evasion.

The Crime and Policing Act 2026 (CPA), at s.250, extends this trigger to any crime. The business activities affected are wide-ranging, including data protection, environmental practices, labour practices and supply chain, health and safety, consumer protection and advertising.

Comparing the EU Directive and UK law corporate liability provisions

In Europe too, the landscape on corporate criminal liability is shifting. Among other provisions, the Directive outlines two grounds for corporate liability for corruption: (1) direct liability, where someone in a “leading position” in the company commits a corruption offence “for the benefit of” the company; and (2) secondary/indirect liability, where a “lack of supervision or control” by those in leading positions made the offence possible “by a person under [their] authority”.

UK law and the Directive differ in four key areas, although these will be clarified through case law and when the Directive is transposed.

  1. “Senior manager” vs “leading position”: a “senior manager” in the CPA is someone who “plays a significant role in” making decisions about how company activities are managed or organised or managing/organising these activities. The Directive (mirroring EU anti-money laundering (AML) directives) defines “leading position” as someone who has “power of representation” of the company, the authority to “take decisions on behalf of” or “exercise control within” the company. On the face of it, “leading position” seems to capture fewer individuals in a company than the “senior manager” threshold and under UK law there’s no need to show that the conduct benefits the company. In practice, assessing the substance of the individual’s actual and ostensible power and authority, rather than the title alone, will be key under both UK and EU regimes for companies and prosecutors alike.
  2. “Failure to prevent” vs “failure to supervise”: EU law established the “lack of supervision or control” ground for corporate liability in the 1990s, which informed the UK’s ‘failure to prevent bribery’ offence and “failure to supervise” offences in EU AML directives. While the underlying principle is the same, the scope of “associated persons” in the UK Bribery Act is open to interpretation on the facts, suggesting a broader scope than under the Directive. The UK legal position also focuses on the company’s compliance system rather than the supervisory role of individuals in leading positions.
  3. Defences vs “mitigating circumstances”: under UK law, a company has a full defence to a ‘failure to prevent bribery’ charge if it can prove it had adequate procedures at the time (the burden of proof sits with the company). There is, however, no comparable defence where a company is charged based on senior manager conduct. Here, the only defences relate to the base offence. The Directive takes a different approach, because of the type of criminal offence, by positioning “genuine, effective and duly assessed internal controls, ethics, and compliance programmes” as a potential mitigating factor when sentencing a company, but not a defence.
  4. Criminalising “trading in influence”: the Directive reiterates “trading in influence” as a specific offence (defined as exerting “improper influence” over a public official “with a view to obtaining an undue advantage” even if this advantage doesn’t materialise), unlike UK law. While elements are captured by the UK bribery offence, the EU Directive’s broad definition of “public official”, which extends to individuals “at state-owned enterprises and privately held companies that deliver public services”, means this potentially creates a new facet of lobbying and public procurement risk for companies.

What does this mean for companies?

It’s getting easier to prosecute companies for criminal conduct. In the corruption context, the Directive also sets out tough penalties with corporate fines of at least 2-5% of global turnover (which would’ve significantly boosted Glencore Energy Limited’s bribery fine) or €24-€40 million, depending on the offence, as well as prison sentences for individual offenders.

Managing risk exposure from “leading position” and “senior manager” attribution means updating risk assessments and mapping who is responsible for what, who approves company decisions, who signs off risk and who appears to manage/organise/supervise even where the formal role says otherwise.

Beyond this, the building blocks of an anti-bribery and corruption framework are relevant to managing any regulatory risk. These include setting clear policies, regular risk assessments, implementing proportionate controls, training (including to high-risk business partners), third party due diligence, and nurturing an organisational culture which incentivises the right behaviours and encourages speaking up. 

Despite the differences, both UK and EU law establish a powerful incentive for companies to evaluate their ethics and compliance framework to ensure measures are fit-for-purpose and “not simply a paper exercise” or mere “window dressing”. Companies should look to uphold the highest standards, and these legal changes are an opportunity to invest in effective compliance.
