Delegation Matrices and Authority Documentation for Section 250

Why authority documentation matters for Section 250

Section 250(1) of the Crime and Policing Act 2026 (c.20) attributes a senior manager's criminal offence to the organisation where they act within the "actual or apparent scope of their authority". Both limbs of that gate — actual and apparent authority — are directly informed by what the organisation has documented about what its senior managers are authorised to do.

On actual authority: a delegation matrix that clearly defines the formal scope of each senior manager's role gives the organisation a factual record of what they were authorised to do. That record is directly relevant to the actual-authority analysis.

On apparent authority: where a senior manager's documented role is inconsistent with how they are presented externally (in public announcements, board papers, regulatory filings), the inconsistency can expand apparent-authority risk. Good documentation that accurately reflects the role, and is consistent with external representations, helps limit that risk.

Skadden's June 2026 review of the Crime and Policing Act 2026 attribution mechanism listed delegation matrices and authority documentation as action item three — after completing the s.250(3) gap analysis and running the declaration cycle. Travers Smith's analysis of the senior-manager attribution test reached a consistent conclusion: firms whose governance documentation accurately maps each senior manager's authority to their actual organisational remit are better placed to defend both the actual and apparent limbs of the scope gate.

What a delegation matrix should contain

A delegation matrix for s.250 purposes does not need to be a separate document from your existing governance framework — the goal is to ensure your existing governance documentation is accurate, complete, and accessible, with role authority clearly tied to named individuals and dated.

For each individual in the s.250(3) population (those who meet the functional test — playing a significant role in deciding how a substantial part of the organisation's activities are managed or organised), the documentation should record: (1) the scope of activities they are authorised to manage or organise; (2) the limit of their authority — what decisions require escalation or board sign-off; (3) the source of the authority — board approval, contract, terms of reference; and (4) the effective date and last review date of the authority record.

The granularity required depends on the width of the individual's role. For a CEO or CFO whose authority is broad and well-established, the documentation may be brief: board approval of the role mandate, a clear statement of the scope of executive authority, the escalation thresholds for board decisions. For a divisional head whose authority over a substantial part of the business is less formally documented, more specificity may be needed.

One practical test: if a senior manager committed a serious offence tomorrow, could the firm produce, within 24 hours, a clear document showing exactly what that person was authorised to do and what was outside their mandate? If not, the documentation is insufficient for s.250 purposes.

The consistency problem: internal records vs external representations

A significant documentation risk for FCA-regulated firms arises where internal authority records are narrower than the external narrative about a senior individual's role.

Consider a divisional CEO who is described in press releases and investor materials as "responsible for the group's UK operations" but whose internal mandate specifically excludes certain business lines that were migrated to a holding company structure. If that individual commits an offence in the context of one of the excluded business lines, the firm wants to argue they were acting outside their authority. But the external description, which is consistent with the broader remit, creates an apparent-authority problem: a reasonable outside party reading the press materials would not know about the internal carve-out.

CMS Law's May 2026 analysis of the apparent-authority test identified this misalignment between internal mandates and external representations as a specific risk area for firms post-Royal Assent. Their advice: review external communications (board announcements, regulatory notifications, public filings describing individual roles) against internal delegation records, and ensure they are consistent or that carve-outs are explicit.

This is not a theoretical risk. Many FCA-regulated firms operate under group structures where the same individual holds roles at multiple entities, and where the description of their authority in regulatory filings may not align precisely with their internal mandate. The s.250 analysis should flag these inconsistencies as risk items for the board.

How authority documentation fits into the gap analysis

The s.250(3) gap analysis identifies who meets the functional test. Authority documentation supports the ongoing defensibility of the analysis in two ways.

First, it provides the factual basis for the scope-of-authority assessment that the gap analysis should include. The gap analysis is not just a headcount of who is in the s.250(3) population — it should also record what scope of authority each individual has, so the board evidence pack reflects the full picture: who is in scope, under what authority, and with what documented limits.

Second, it creates the record against which a post-incident s.250 analysis would be conducted. If s.250 is invoked and the question becomes "was this person acting within the scope of their authority when they committed the offence?", the delegation matrix and authority records from the gap analysis are the primary evidence. A gap analysis that simply lists names without documenting authority scope gives the organisation less to work with.

CoverProof's board evidence packs capture the gap analysis methodology and each individual's classification rationale. The documentation of authority scope sits alongside the declaration cycle record — creating a single audit trail that addresses both the s.250(3) functional-test analysis and the scope-of-authority gate in s.250(1).

Ongoing maintenance: role changes and the renewal cycle

A delegation matrix is not a one-time document. Authority records become stale when people change roles, when organisational structures change, and when firm strategies shift. For s.250, a stale authority record is almost as problematic as no record at all: it tells you what the organisation thought it had authorised two years ago, not what was actually in place when the offence was committed.

The practical answer is to tie authority record reviews to the existing s.250 renewal cycle. Section 250 declarations should be renewed annually and on material role changes — and authority documentation should be updated at the same trigger points. When a new divisional head is appointed, they come with a new authority record. When an existing senior manager's remit expands (or contracts), the authority record is updated and redated.

For the board evidence pack, this means maintaining a current, dated delegation matrix alongside the declaration records — so the pack captures both who the organisation identified as senior managers and what scope of authority the organisation documented for each of them at the time the declarations were made.

Related articles

Sources

• Crime and Policing Act 2026, s.250 (c.20)www.legislation.gov.uk/ukpga/2026/20/section/250
• Skadden — Crime and Policing Act 2026: Senior Manager Attribution (June 2026)www.skadden.com/insights/publications/2026/06/crime-and-policing-act-2026-senior-manager-attribution
• Travers Smith — Section 250 and authority documentation (June 2026)www.traverssmith.com/knowledge/knowledge-portal/section-250-crime-policing-act-2026/
• CMS Law — Crime and Policing Act 2026: apparent authority analysis (May 2026)cms.law/en/gbr/publication/crime-and-policing-act-2026-corporate-liability
• FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime