CoverProof
Compliance15 July 20267 min read

Section 250 and outsourcing: when your service provider's people become your problem

There are two outsourcing questions under Section 250, and most firms ask only the first: have my counterparties run their own analysis? The harder one is whether someone at an outsourced provider, who effectively runs a substantial part of your activities, is your senior manager under s.250(3). This guide takes both, plus the apparent-authority clause that connects them.

TL;DR

There are two outsourcing questions under Section 250, and most firms ask only the first: have my counterparties run their own analysis? The harder one is whether someone at an outsourced provider, who effectively runs a substantial part of your activities, is your senior manager under s.250(3). This guide takes both, plus the apparent-authority clause that connects them.

What are the two Section 250 questions for outsourced functions?

Section 250 of the Crime and Policing Act 2026 took effect on 29 June 2026. For firms that outsource material functions, it raises two questions that are easy to run together.

The first is the counterparty question: have the third parties you rely on run their own Section 250 analysis? The second is the internal-scope question: could an individual at an outsourced provider be one of your senior managers, because they manage or organise a substantial part of your activities?

This is general information, not legal advice. Consult a qualified solicitor or FCA-regulated compliance adviser for your firm's specific situation.

The two questions have different answers and different evidence. The counterparty question is largely procedural: request confirmation, retain it. The internal-scope question means applying the s.250(3) functional test to people who are not on your payroll, which is unfamiliar ground for most firms. This guide is mostly about the second.

When does an outsourced individual become your senior manager?

Section 250(3) defines a senior manager as an individual who plays a significant role in making decisions about how the whole or a substantial part of the activities of a body corporate or partnership are managed or organised, or in the managing or organising of those activities. It says nothing about employment. The person does not have to be on your payroll or contracted directly to you.

Where a function is genuinely outsourced, so the provider's staff make the operating decisions, set the priorities and run the function day to day, the person leading it may be doing exactly what s.250(3) describes, in respect of your activities.

The assessment is one of substance. Outsource a function but retain real control, where your people direct the work and the provider executes, and the provider's staff are unlikely to be your senior managers. Outsource both the work and the control, so the provider effectively runs a substantial part of your business, and the case is much stronger. The label "outsourced" does not settle it. What the people actually decide does.

How does the "apparent authority" clause apply to outsourced staff?

Under s.250(1), where a senior manager of a body corporate or partnership commits a criminal offence within the actual or apparent scope of their authority, the organisation also commits the offence. The offence can be any criminal offence under the law of England and Wales, Scotland or Northern Ireland, not only something created by the Act itself. The "apparent authority" wording matters for outsourcing, because outsourced individuals often act in ways that look, from the outside, like the firm's own actions: signing in the firm's name, dealing with the firm's clients, operating the firm's systems.

Apparent authority is a long-standing concept. It is the authority a reasonable third party would believe a person holds, judged by how the organisation has held them out, even where the formal grant is narrower.

For a firm with outsourced functions, the s.250 analysis cannot stop at the contract. It has to account for how outsourced individuals are presented to clients and counterparties, because apparent authority can pull conduct the firm never formally authorised into the attribution mechanism.

How do FCA outsourcing rules interact with Section 250?

The FCA's operational-resilience regime is the relevant backdrop. In policy statement PS21/3, "Building operational resilience" (in force from 31 March 2022, with firms required to be able to remain within their impact tolerances by 31 March 2025), the FCA was clear that outsourcing a service does not outsource the accountability for it. Where a third party supports an important business service, the firm stays responsible for remaining within its impact tolerances.

That principle sits alongside Section 250 rather than overlapping with it. PS21/3 keeps regulatory accountability with the firm even when delivery is outsourced. Section 250 can keep criminal attribution with the firm where the outsourced individuals are, in substance, managing a substantial part of its activities. Different regimes, different purposes, but they point the same way: outsourcing the delivery does not outsource the responsibility.

What about an outsourced CCO, CTO or head of operations?

The roles most likely to raise the internal-scope question are the ones where a firm outsources a whole senior function. An outsourced Chief Compliance Officer or compliance function. An outsourced Chief Technology Officer or managed-IT arrangement running the firm's entire technology estate. An outsourced operations or administration function.

In each, the test is whether the outsourced individual makes the decisions or merely executes the firm's. An outsourced CTO arrangement where the provider sets the technology strategy and runs the systems is a strong candidate for s.250 scope. A managed-service contract where the firm's own people direct the work and the provider supplies hands is weaker.

Assess each outsourced senior function specifically. Record which way the control actually runs. Treat the in-scope cases as you would an internal senior manager: include them in your identification record, run them through the declaration cycle, and keep that evidence with the rest of your Section 250 pack.

How does this differ from a counterparty compliance request?

The two outsourcing questions call for different action, so it pays to separate them.

The counterparty compliance request asks a significant third party to confirm it has run its own Section 250 analysis for its own people. You retain the confirmation as part of your evidence, and the third party's individuals stay the third party's senior managers.

The internal-scope analysis asks whether an outsourced individual is one of your senior managers. If they are, they belong in your own identification record and declaration cycle.

Most firms with material outsourcing need both. The counterparty request manages the relationship-level risk. The internal-scope analysis manages the attribution risk that an outsourced individual running a substantial part of your business could be treated as yours. Run only the first and the harder risk stays open.

section 250outsourcingthird partyapparent authorityoperational resilience

Related articles

Documented governance under Section 250: building an evidence record

11 min read

The Section 250 functional test: why SM&CR-covered isn't Section 250-covered

9 min read

Section 250 and Counterparty Obligations: What FCA Firms Must Request

5 min read

What Is Section 250 of the Crime and Policing Act 2026?

8 min read

Ready to identify your Section 250 exposure?

Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.

Start Free Gap Analysis →

Sources

  • Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
  • FCA PS21/3 — Building operational resiliencewww.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
  • FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime
Section 250 and Outsourcing: Third-Party Liability | CoverProof | CoverProof