The Economic Crime and Corporate Transparency Act 2023 introduced a failure-to-prevent fraud offence for large organisations — and a reasonable-procedures defence to go with it. Section 250 of the Crime and Policing Act 2026 introduced a corporate attribution mechanism for any senior manager's offending — and no statutory defence at all. These are different provisions, with different scope, different triggers, and critically different positions on what documented diligence can achieve.
Two different provisions
It is easy to conflate the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023, c.56) failure-to-prevent fraud offence with Section 250 of the Crime and Policing Act 2026 (CPA 2026, c.20). Both create corporate criminal liability. Both are relevant to FCA-regulated firms. Both give documented diligence some evidential weight. But they are entirely different in structure, scope, and — most importantly for compliance planning — the position on statutory defences.
The single most consequential difference: ECCTA 2023 failure-to-prevent fraud (s.199(4)) has a reasonable-procedures defence. Section 250 of the CPA 2026 has no statutory defence of any kind.
This guide sets the two provisions side by side and explains what the asymmetry means in practice.
ECCTA 2023 c.56: failure-to-prevent fraud
The Economic Crime and Corporate Transparency Act 2023 received Royal Assent on 26 October 2023 and its failure-to-prevent fraud offence came into force on 1 September 2025 (Economic Crime and Corporate Transparency Act 2023 (Commencement No. 4) Regulations 2025). The offence is in s.199 of the Act in conjunction with Schedule 13 (the list of fraud offences); the reasonable-procedures defence is in s.199(4). (Schedule 12 is a different list — the economic crimes to which the separate s.196 senior-manager attribution rule, in force since 26 December 2023, applies.)
The offence applies only to large organisations: the definition requires a body corporate or partnership to satisfy at least two of three size thresholds (more than 250 employees, annual turnover above £36 million, balance sheet above £18 million) in the financial year preceding the alleged fraud. Small and medium-sized enterprises are outside scope.
The trigger is that an "associated person" of the organisation commits a relevant fraud offence (as listed in Schedule 13 — cheating the public revenue, fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly, and certain related preparatory or incitement offences) with intent to benefit the organisation or any person to whom the associated person provides services on behalf of the organisation.
Critically, the ECCTA failure-to-prevent offence operates differently from a corporate attribution mechanism. The organisation does not commit the fraud itself; it commits a separate offence of "failure to prevent" the fraud. The prosecution does not need to show the organisation's directing mind was involved. The associated person's fraud is the trigger; the organisation's liability is for the separate failure to prevent.
The reasonable-procedures defence under ECCTA s.199(4)
ECCTA 2023 s.199(4) provides an explicit statutory defence: it is a defence for the organisation to prove it had in place such prevention procedures as it was reasonable in all the circumstances to expect it to have in place, or that it was not reasonable in all the circumstances to expect it to have any prevention procedures in place.
This is the same structure as the adequate-procedures defence in the Bribery Act 2010 s.7(2), and the government published guidance on reasonable fraud-prevention procedures alongside the Act's commencement (September 2025 guidance). An organisation that implements the guidance — tone from the top, risk assessment, proportionate prevention procedures, due diligence on associated persons, communication and training, monitoring and review — has a credible basis to assert the defence.
The defence is a complete answer to a prosecution. If proved, the organisation is acquitted, not merely mitigated. That is an important distinction from what documentation achieves under Section 250.
CPA 2026 c.20 s.250: corporate attribution, no statutory defence
Section 250 of the Crime and Policing Act 2026 takes a structurally different approach. Under s.250(1), where a senior manager of a body corporate or partnership commits an offence under the law of England and Wales, Scotland or Northern Ireland, acting within the actual or apparent scope of their authority, the organisation is also treated as having committed that offence. The attribution is direct: the senior manager's crime becomes the organisation's crime. The organisation does not commit a separate "failure to prevent" offence; it commits the same offence as the individual.
Section 250 comes into force on 29 June 2026, two months after Royal Assent on 29 April 2026 (s.255(3)). The "senior manager" definition in s.250(3) is a functional test: an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities.
Section 250 has no adequate-procedures defence, no reasonable-procedures defence, and no reasonable-steps defence. There is nothing in the provision that allows an organisation to avoid liability by showing it had good systems in place. The attribution mechanism is engaged by the senior manager's qualifying act within the scope of their authority, and there is no safe harbour. This is the structural difference that matters most.
The scope of offences engaged is also wider than ECCTA. ECCTA failure-to-prevent fraud is limited to the specific fraud offences listed in Schedule 13. Section 250 applies to any criminal offence under the law of England and Wales, Scotland or Northern Ireland. This uncapped scope is one of the genuinely new features of the provision.
What documented diligence achieves under each regime
The different structural positions on defences mean that documented diligence has different effects under the two provisions.
Under ECCTA failure-to-prevent fraud: documented reasonable fraud-prevention procedures can be a complete defence. If the organisation proves it had procedures in place that were reasonable in all the circumstances, it is acquitted. The ECCTA guidance (September 2025) maps what such a system looks like. Documented procedures are the foundation of the defence.
Under Section 250: there is no statutory defence. Documentation cannot create a defence because the statute provides no mechanism for one to operate. What documentation achieves is different in kind:
First, it is material to prosecutorial discretion. Joint SFO-CPS guidance on corporate prosecutions requires prosecutors to consider the organisation's compliance culture, self-reporting behaviour, and the steps it took to identify and address the risk. An organisation that documented its gap analysis, obtained declarations, and produced a board evidence pack before commencement has a materially different risk profile than one that took no steps at all. The prosecution decision is influenced by these factors.
Second, it may be relevant at sentencing. If the organisation is convicted of the underlying offence via attribution, the documented steps it took before commencement may be presented as mitigation. There is currently no Sentencing Council guideline for s.250 attribution, so the weight given to mitigation is in the court's discretion.
The honest characterisation is: under ECCTA, documented procedures can avoid liability. Under Section 250, documented steps reduce attribution risk and inform prosecutorial and judicial judgment — they are evidential weight, not a statutory shield.
Scope comparison: large organisations only vs all bodies corporate
The size-threshold difference is operationally significant. ECCTA failure-to-prevent fraud applies only to large organisations meeting the two-of-three thresholds: more than 250 employees, annual turnover above £36 million, or balance sheet above £18 million. A firm below these thresholds does not commit the failure-to-prevent offence, even if an associated person commits a qualifying fraud with intent to benefit it.
Section 250 applies to all UK bodies corporate and partnerships. There is no minimum size threshold. A sole-employee company with one director can have its liability attributed if that director is a "senior manager" and commits a qualifying offence within the scope of their authority. The provision does not scale its obligations to firm size.
For FCA-regulated firms — typically large enough to clear the ECCTA thresholds — both provisions are simultaneously relevant and both require compliance work. But for smaller firms and for firms that are considering only one of the two: ECCTA may not apply; Section 250 almost certainly does.
Associated persons vs senior managers: different attribution targets
ECCTA failure-to-prevent fraud is triggered by an "associated person" committing a relevant fraud offence. "Associated person" is defined broadly to include employees, agents, and subsidiaries — essentially anyone performing services on behalf of the organisation, not just senior executives.
Section 250 is triggered by a "senior manager" committing any criminal offence. The attribution is limited to senior managers as defined by the s.250(3) functional test (significant role in managing a substantial part of the organisation's activities) — a narrower population than ECCTA's associated persons.
The practical consequence is that the two provisions address different risk populations. ECCTA is designed to catch fraud by anyone operating on the organisation's behalf, down to sales agents and distributors. Section 250 is designed to catch criminal conduct by individuals at the top of the organisational decision-making structure. Both provisions can be engaged in the same fact-pattern — a senior manager who commits fraud would simultaneously trigger s.250 attribution and (for large organisations) ECCTA failure-to-prevent — but the compliance work to address each is different.
Running compliance for both provisions
For FCA-regulated firms, both ECCTA failure-to-prevent fraud and Section 250 are live requirements. The compliance programmes for each overlap but are not identical.
For ECCTA compliance: the core task is building and documenting a reasonable fraud-prevention programme using the September 2025 guidance framework. The programme must address risk, apply proportionate prevention procedures, conduct due diligence on associated persons, and be communicated and monitored. The goal is a system whose documentation would support the s.199(4) defence if ever needed.
For Section 250 compliance: the core task is identifying the senior-manager population under the s.250(3) functional test, cross-referencing against the SM&CR register to find the gap, obtaining declarations, and producing a board evidence pack before 29 June 2026. There is no defence to build; the goal is to document the analysis and mitigation steps thoroughly enough to inform prosecutorial discretion and reduce attribution risk.
A well-run Section 250 gap analysis naturally produces documentation relevant to ECCTA compliance as well: the board evidence pack, the declaration cycle, and the documented analysis of who exercises authority over what functions. But the two programmes answer different questions and should be maintained separately.
For the Section 250 programme, the deadline was 29 June 2026 — fixed by s.255(3), two months after Royal Assent. Running the gap analysis after that date still matters for ongoing risk management, but the pre-commencement evidential record cannot be backdated.
Related articles
Who qualifies as a senior manager under Section 250? A role-by-role guide
9 min read
Section 250 Gap Analysis: The Complete Compliance Checklist
5 min read
What Makes Compliance Evidence Admissible as a Business Record?
6 min read
SM&CR Approved Persons: A Plain-English Guide for 2026
7 min read
What Is Section 250 of the Crime and Policing Act 2026?
8 min read
Ready to identify your Section 250 exposure?
Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.
Start Free Gap Analysis →Sources
- Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
- Crime and Policing Act 2026, s.255 — commencementwww.legislation.gov.uk/ukpga/2026/20/section/255
- Economic Crime and Corporate Transparency Act 2023, s.199 and Schedule 13www.legislation.gov.uk/ukpga/2023/56/schedule/13
- ECCTA 2023 — failure-to-prevent fraud guidance (September 2025)www.gov.uk/government/publications/failure-to-prevent-fraud-guidance
- FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime