Corporate Criminal Liability under the Crime and Policing Bill 2025: more confusion than clarity?

The Crime and Policing Bill 2025 creates a raft of new criminal offences from possession of blades, points, offensive blades weapons with intent, offences of child criminal exploitation, encouraging or assisting serious self -harm, concealing one’s identity at a protest, climbing on war memorials, child sexual abuse and online facilitation of child sexual exploitation (Clause 38). It also makes provision for the liability of bodies corporate for online facilitation of child sexual exploitation. Much of this is understandable, but in a less prominent part of the bill the proposed extension of corporate criminal liability arguably goes too far.    

The Crime and Policing Bill 2025 will create a raft of new offences – and police powers - addressing a large range of issues including child sexual abuse, public protest, stalking, knife crime, drug-related offending and terrorism. We will focus, though, on what may turn out to be a provision attracting less initial scrutiny. Clause 130 of the 2025 Bill will extend corporate criminal liability to all offences in the UK, if any such an offence is committed by a senior manager acting within the scope of their authority. As currently drafted, the main provision reads as follows:

Criminal liability of bodies corporate and partnerships where senior manager commits offence

(1) Where a senior manager of a body corporate or partnership (“the organisation”) acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence (subject to subsection (2)).

Clause 130 builds on the changes first made by section 196 of the Economic Crime and Corporate Transparency Act 2023. Section 196 made it possible for companies themselves to be found liable for a range of economic crimes (such as fraud and false accounting) when these were committed by their ‘senior managers,’ when the latter were acting at the time within the scope of their authority. It is easy to see why it might be important to ensure that companies can be held accountable in criminal law for economic crimes committed by associated persons in the course of business: a company can only act, for good or ill, through associated persons. However, clause 130 goes much further than section 196 (arguably, too far), and also imports some of the weaknesses that were already there in the section 196 regime. Whilst clause 130 may at this stage simply be a ‘place-holder’ provision, awaiting amendments, should it be enacted as it stands that would be a real concern for companies and their advisers.

Homicide

There is currently no restriction on the type or offence for which a company may be liable under clause 130. It has traditionally been accepted that a company cannot be convicted of murder. This is for the simple reason that the mandatory life sentence of imprisonment cannot be given a punitive meaning in the case of a company, and the passing of such a sentence on a company would hence be purely symbolic. However, under clause 130 as it stands, it now appears that companies will face conviction for murder, if that offence is committed by a senior manager acting with actual or apparent authority. It is not impossible that such a situation could plausibly arise:

S, a senior manager at defence company, C, has strict instructions to ensure trespassers do not in any circumstances approach the weapons manufacturing area of C Company’s plant. Protestors break into the plant, bent on taking over the weapons manufacturing area. During an altercation with the protestors, S intentionally stabs a protestor, V, to death to prevent V entering the area.

The point under clause 130 will not be whether S had specific authority to murder V; clearly S did not. The point will be that S was acting more broadly within the scope of what S was authorised to do, namely take action to keep out trespassers. Parliament must therefore decide what is to happen in such cases. Should the traditional corporate exemption for murder be maintained, by a ‘carve out’ in clause 130? Alternatively, is there a need for a special punishment over and above an unlimited fine to mark the seriousness of such cases?

Perhaps more significantly, clause 130 creates a lack of certainty between the scope for convicting a company of (involuntary) manslaughter, and the scope for convicting it of corporate manslaughter contrary to the Corporate Manslaughter and Corporate Homicide Act 2007. Under section 1(3) of the 2007 Act, a company is only to be convicted of corporate manslaughter if, amongst other things, ‘the way in which its activities are managed or organised by its senior management is a substantial element in the [gross] breach [of a duty of care]’. As currently drafted, clause 130 by-passes this restriction on the scope of corporate liability for manslaughter, when the offence is committed by a senior manager:

S, a senior manager at a well-run and safety-conscious ferry company, C, is responsible for closing the bow doors of the ferry at the appropriate time. Tired and intoxicated, he does not look at what he is doing and presses the wrong button before falling asleep and hence failing to hear warning sirens when the bow doors do not open. The ferry capsizes, with great loss of life.

In this example, S’s blameworthy conduct is not really a manifestation of ‘the way in which [the company’s] activities are managed or organised by its senior management,’ for the purposes of section 1(3) of the 2007 Act. It is instead simply a monumental individual blunder respecting which S could undoubtedly face manslaughter charges; but if that is so, then clause 130 implicates C Company in manslaughter. Following the same line of argument applicable to the previous example, the fact that S was not authorised to press the wrong button (or to be drunk on duty) will not make his responsibility for attempting to close the bow doors unauthorised, and so there is no escape for the company in any claim that S did not have ‘authorisation’ to do as he did. So, as in the case of murder, some amendment of clause 130 will be necessary to create policy consistency with the 2007 Act: Why should a lethal blunder by a senior manager implicate a company, whatever the state of its organisational and management practices, when an identical blunder by a junior manager would not have that effect?

Sexual Offences

As in the case of murder, it has traditionally been supposed that sexual offences involving any kind of intimate physical connection between persons cannot be committed by a company, even though a company can be convicted in cases that do not necessarily involve such a connection, such as the taking of indecent photographs of children. Clause 130, as currently drafted, sweeps away any such distinctions. That might be significant in some instances:

S, is a doctor and senior practice manager at a private medical company, C. S has been unnecessarily handling patients’ intimate areas in the course of routine examinations, re-assuring the patients by falsely claiming that this conduct is a necessary part of the examination when it is not.

In this example, S will be guilty of sexual assault, other things being equal; and in virtue of clause 130, C company will also be guilty of that crime. Opinions may differ as the propriety of such an outcome, in labelling (or common sense) terms. Three points are worth making. First, clause 130 creates an arbitrary distinction, in point of corporate liability for the offence, between cases in which a senior manager commits the offence, and cases in which it is committed by a more junior employee. In the latter cases, the company will not be liable, in part because a company cannot be vicariously liable for a fault-based offence, and in part because the traditional thinking that companies cannot commit intimate sex crimes will still be applicable when the offence is committed by someone other than a senior manager. From a victim’s point of view, that outcome wrongly gives the impression that the violation of their body matters less, in law, when it is committed by a more junior employee.

In the example given, a company that did not take care to protect patients from sexual predators might be guilty of a health and safety offence; and so patients would not be unprotected by the criminal law in relation to corporate wrongdoing. However, if there is a sexual offence committed by the company in the example given, it could perhaps best be described as ‘failing to prevent’ sexual assault by an employee, rather than as ‘sexual assault’. Seeing the wrong in such terms makes the status of the employee who committed the crime legally insignificant, vindicating the rights of victims. Further, if the typical model for failure-to-prevent offences were to be followed, seeing the company’s wrong as a failure to prevent the crime brings into focus the adequacy of safeguarding procedures that the company had in place to prevent such conduct. However, no change is made by clause 130 to the scope of failure-to-prevent crimes, which remain confined in their application to economic criminality. Finally, clause 130, like the existing section 196 of the 2023 Act, does not currently require that the offence committed by the senior manager be committed in order to benefit the company commercially, if the company is to be implicated. There appears to be an assumption that if the senior manager was acting within the scope of their authority, then they would ipso facto have been acting to benefit the company; but such an assumption is false, as illustrated by the example just given. S was acting purely self-interestedly. Even so, there can be no doubt that the doctor, S, was acting within the scope of his authority in examining the patients, even if particular acts undertaken during the examination would not have been authorised. Clause 130 therefore raises, but does not answer, the question of whether it is appropriate to find a company liable for a crime committed (within the scope of their authority) by a senior manager, when that crime reflected a purely selfish motive unrelated to a corporate goal.

The Range of Offences and Compliance Obligations

Clause 130 as presently drafted exposes companies to liability for in excess of 10,000 offences currently in force in UK law, when they are committed by senior managers acting within the scope of their authority. To some extent, that is not as dramatic a result as it seems. Most of these crimes are ones of strict liability Many such crimes already entail corporate criminal liability through the doctrine of vicarious liability, whether they are committed by a senior manager or by some other associated person. Having said that, clause 130 will in due course reveal the extent to which corporate liability now extends beyond traditional boundaries, posing challenges for companies trying the determine the scope of their compliance obligations. For example, a company has been traditionally considered incapable of committing a driving offence necessarily involving a human person at the wheel, such as dangerous driving. Clause 130 ostensibly changes that position. It now appears that if a senior manager drives dangerously (say) to ensure she does not miss a key client meeting, the company also commits that offence. Accordingly, a new set of corporate compliance concerns in relation to the driving standards observed by senior managers have been generated, where there were none before.

Another example of enhanced compliance obligations necessitated by clause 130 involves the activities of security personnel (‘bouncers’) outside pubs and clubs. The Private Security Industry Act 2001 requires that the employer ensure such persons are properly licenced; but clause 130 takes the employer’s compliance much further. Suppose that an employer’s senior managing security officer, whether properly licenced or not, commits a violent offence by using disproportionate force in (say) ejecting an uninvited guest from the premises. Clearly, security personnel have authority to eject trespassers in certain circumstances. So, if the officer is regarded by the court as one of the employer’s ‘senior managers’ , then the employer will also commit that violent offence, because in committing it, the officer was engaged in a type of conduct (ejecting trespassers) that was authorised. Whilst it might be expected that employers would ordinarily issue guidance to security employees about the use of force, there is now more at stake for the company, in terms of its exposure to criminal liability, and so a greater incentive to do more in terms of compliance. Some might consider that to be no bad thing. However, the application of the ordinary criminal law in corporate regulatory contexts is notoriously haphazard, unpredictable, and subject to arbitrary distinctions in point of available penalty. It does little to promote proportionate and systematic forms of compliance.

Conclusion

Companies are by now accustomed to being regulated in many domains of their activity, and to facing liability for offences and regulatory penalties attached to regulatory failures on their part. However, they have traditionally been shielded from prosecution, in many instances, for the kinds of serious fault-based wrongdoing that regulation is designed to prevent. For example, whilst financial regulation of companies, and its associated penalty regime, is designed in part to reduce the incidence of serious fraud committed by company employees, the company itself has not hitherto faced prosecution for that offence if and when it is committed by an employee. That position has now changed with respect to the conduct of a ‘senior manager’ acting within the scope of their authority. It has changed, not only in relation financial crimes, but also in relation to (i) any fault-based crime (such as a sexual or violent offence), and (ii) any offence, whether or not fault based (such as a driving offence) that hitherto has been regarded as an offence that only a human individual can commit. The National Audit Office has hitherto estimated the annual cost of regulatory compliance for UK businesses generally to be between £70 and £100 billion. If clause 130 is enacted as it stands, that cost is going to rise very substantially.