In April 2026, the Crime and Policing Act received Royal Assent, and enforcement begins on 29 June. Across its 257 sections, it covers everything from anti-social behaviour to violence against women and girls, topics that have drawn the most media coverage. But one provision has attracted almost no attention, despite carrying significant implications for how businesses manage risk.

Section 250 makes a company criminally liable for offences committed by any senior managers acting within the scope of their authority, regardless of whether the company had any knowledge of or involvement in the conduct.

The previous framework, introduced through the Economic Crime and Corporate Transparency Act 2023, applied this principle to economic crimes only. Section 250 expands it to cover all criminal offences including environmental breaches, data protection failures, health and safety violations, modern slavery, and sanctions.

The definition of “senior manager” is deliberately broad. The Act borrows the test from the Corporate Manslaughter and Corporate Homicide Act 2007: the question is not what someone’s job title is, but whether they play a significant role in managing or making decisions about a substantial part of the organisation’s activities.

A senior manager is “an individual who plays a significant role in—
(a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or
(b) the managing or organising of the whole or a substantial part of those activities.”

There is no defence available to a company that can demonstrate it had procedures in place, or that it acted in good faith.

The compliance implications

For risk and compliance teams, there are two major implications. First, your organisation must now be able to accurately identify every individual who functionally qualifies as a senior manager — by what they decide, not what their contract says. Second, your organisation must also have the ability to discern who qualifies as a senior manager within the third parties you work with.

The second implication is the harder one. Supplier onboarding and monitoring were largely designed around fraud and financial crime risk. Section 250 widens the offences that must be included in the scope of compliance, meaning teams are held to a higher standard of third-party due diligence. It’s now critical to know who holds genuine decision-making authority at the organisations you partner with — and what risk surrounds those individuals.

This shift is part of a wider pattern of regulation expanding what compliance teams are expected to know about the people they work with. The FCA’s forthcoming PS25/23 guidance, coming into force in September, takes a similar approach in financial services. This FCA legislation extends what firms must assess about individuals beyond financial and regulatory records. We’ve written about what that means in practice here. The question in both cases is the same: do you actually know who you’re doing business with, and can you clearly demonstrate that you do?

Xapien’s platform was built for exactly this kind of research: consistently identifying the individuals connected with an organisation, operating across jurisdictions and 300+ languages, and accelerating the background research process to minutes. All of this means Xapien enables due diligence to move earlier in the compliance process, before investing in the business relationship. As Section 250 comes into force on 29 June, the ability to do that faster and earlier in the relationship is no longer optional.