Section 250 Reaches Every UK Criminal Offence — Not Just Financial Crime

What s.250(1) actually says

Section 250(1) of the Crime and Policing Act 2026 (c.20) provides that where a senior manager of a body corporate or partnership acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the body corporate or partnership also commits the offence.

The provision contains no list of offence types. It does not say "financial offences" or "economic crimes" or "FCA-regulated conduct". The qualifying words are: any offence under the law of England and Wales, Scotland or Northern Ireland. That is the full statute. Any criminal offence committed by a senior manager, in any context, within their authority, triggers the attribution mechanism.

This is general information, not legal advice. Consult a qualified solicitor or FCA-regulated compliance adviser for your firm's specific position.

The scope is deliberately broad. It is not an accident of drafting. The explanatory notes to the Crime and Policing Act 2026 make clear that the attribution mechanism is designed to apply generally — tracking the senior manager's liability rather than defining a category of predicate offences.

Subject to the s.250(2) carve-out (addressed below), this means the exposure covers health and safety offences, manslaughter, data protection breaches prosecuted as criminal matters, bribery, tax evasion, fraud, environmental offences, and everything else in the criminal calendar.

Why this is different from ECCTA 2023 and the Bribery Act

The Economic Crime and Corporate Transparency Act 2023 (ECCTA, c.56) also introduced a senior-manager attribution mechanism, in s.196, but it is confined to a defined list of economic crimes set out in Schedule 12 — in force from 26 December 2023. The Bribery Act 2010 takes a different approach: s.7 creates a failure-to-prevent offence (not attribution) for bribery, but only for bribery.

Section 250 is neither of these. It does not rely on Schedule 12 or a defined predicate list. The only predicate is that the senior manager has committed an offence — any offence — under UK law. The ECCTA 2023 senior-manager attribution for economic crimes is a subset; s.250 is the general case.

For FCA-regulated firms, the practical consequence is that s.250 exposure tracks the full range of conduct risk — not just financial crime, but operational decisions that could give rise to health and safety liability, data breach, or other criminal matter. A senior manager who causes a serious workplace injury, or one who makes a decision leading to a criminal data breach, creates organisational liability under s.250 as readily as a senior manager who commits fraud.

The failure-to-prevent-fraud defence under ECCTA 2023 s.199 (in force 1 September 2025) is not a defence to s.250. Each regime operates independently. Firms compliant with failure-to-prevent-fraud adequate-procedures requirements still face s.250 exposure for the full range of offences outside the fraud category — and, if fraud is committed by a senior manager within authority, both attribution mechanisms may apply simultaneously.

The s.250(2) carve-out

Section 250(2) provides that s.250(1) does not apply where all of the conduct constituting the offence takes place outside the United Kingdom and the body corporate or partnership would not itself commit the offence on those facts.

This is a limited carve-out. It requires two conditions to be met simultaneously: (a) all of the conduct occurs outside the UK, and (b) the organisation would not itself commit the offence on those facts (because the offence has no extraterritorial reach).

If any element of the conduct occurs in the UK, s.250(2) does not apply. If the underlying offence has extraterritorial application to bodies corporate (as many financial crime offences do), s.250(2) does not apply. For FCA-regulated firms, which conduct regulated activities in the UK and are subject to UK-criminal-law jurisdiction for their UK business, the carve-out will rarely apply in practice. The safe assumption is that it does not apply unless the facts clearly meet both limbs.

Section 250(3) also excludes corporations sole (the legal entity that has only one member, which continues in a series) and partnerships not regarded as bodies corporate. These exclusions are not relevant to FCA-regulated limited companies, LLPs, or partnerships in the ordinary sense.

Why FCA-regulated firms face disproportionate exposure

FCA-regulated firms face particular exposure under s.250 for two reasons that compound each other.

First, the senior-manager test in s.250(3) is broader than the FCA's own Senior Management Functions designation. SM&CR applies to individuals approved by the FCA to perform specific designated functions. Section 250(3) applies to anyone who plays a significant role in the making of decisions about how the whole or a substantial part of the firm's activities are managed or organised. Those are different populations: an operations director, a CTO, or a senior portfolio manager may meet the s.250(3) test without holding an SMF. SM&CR does not protect these individuals from s.250 attribution.

Second, the all-offence scope of s.250 means that conduct risk across all business lines — not only regulated activities — can trigger attribution. A breach of health and safety law by a senior operations director, a data protection criminal offence by a senior IT manager, a fraud committed by a senior trader: all of these can now be attributed to the firm through the senior manager who committed them.

The combination — a broader population of relevant individuals and an uncapped predicate offence — is what makes s.250 the most significant extension of corporate criminal liability for UK financial services firms in recent years.

What this means for the gap analysis

An SM&CR register check tells you who has FCA approval. It does not tell you who meets the s.250(3) functional test across the full range of activities — only a purpose-built gap analysis does that.

The gap analysis must identify individuals in the s.250(3) population: those playing a significant role in managing or organising the whole or a substantial part of the firm's activities, regardless of FCA approval status. For each individual identified, the analysis should record: whether they hold an SMF (and so are within the SM&CR perimeter), whether they are covered by the certification regime, or whether they sit outside both — the gap population.

The gap population is the s.250 priority: these are the individuals whose criminal conduct creates organisational liability without the SM&CR governance structure around them. Getting them onto a Section 250 governance acknowledgement and into the board evidence pack is the mitigation action.

Note: documented diligence — gap analysis, declarations, board minutes — is evidential mitigation that can inform prosecutorial discretion and may be relevant at sentencing. It is not a statutory defence. Section 250 contains no adequate-procedures defence equivalent.

Related articles

Sources

• Crime and Policing Act 2026, s.250 (c.20)www.legislation.gov.uk/ukpga/2026/20/section/250
• Economic Crime and Corporate Transparency Act 2023, s.196 and Sch. 12 (c.56)www.legislation.gov.uk/ukpga/2023/56/schedule/12
• Bribery Act 2010, s.7www.legislation.gov.uk/ukpga/2010/23/section/7
• Criminal Finances Act 2017, s.45 (failure-to-prevent tax evasion — for comparison)www.legislation.gov.uk/ukpga/2017/22/section/45
• FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime