What should your firm produce to show Section 250 compliance?

Section 250 does not prescribe a form — so what does it require?

Search for a "Section 250 declaration template" and you will find nothing official. That is not an oversight. Section 250 of the Crime and Policing Act 2026 is a corporate attribution mechanism. Under s.250(1), where a senior manager of a body corporate or partnership commits an offence within the actual or apparent scope of their authority, the organisation also commits that offence. Note the scope: it attaches to any criminal offence under the law of England and Wales, Scotland or Northern Ireland, not only offences created by the Act itself. The section imposes no duty to file a particular form and prescribes no template, unlike SM&CR, where the FCA mandates a Statement of Responsibilities for each Senior Management Function.

This is general information, not legal advice. Consult a qualified solicitor or FCA-regulated compliance adviser for your firm's specific situation.

What the statute leaves you with is an evidential question, not a form-filling one. Section 250 gives no adequate-procedures defence, so the documentation is not a statutory shield. It is the record that shows the firm knew who its senior managers were, told them what was expected, and acted on the result. Three artefacts carry the weight.

What are the three things you need to produce?

A firm needs three things. First, an identification record: a documented determination of who meets the s.250(3) test and why. Second, a notification and response audit trail: evidence that those individuals were informed and given the chance to respond, with dates. Third, a board evidence pack: a single record that compiles the analysis, the responses, and the board's acknowledgement.

None of these is a statutory form. All three are what a reviewer looking back in 2028 would expect a careful firm to have kept in the ordinary course of business. The order matters. The identification record defines the population. The audit trail proves you acted on it. The board pack demonstrates that the firm's governing body owned the outcome.

Document 1 — what goes in the identification record?

The identification record is the output of your gap analysis. It should list every individual the firm assessed against s.250(3), the conclusion for each, and the reasoning behind it. That means recording the out-of-scope verdicts as well as the in-scope ones. The s.250(3) test asks who plays a significant role in the making of decisions about how the whole or a substantial part of the firm's activities are to be managed or organised, or in the managing or organising of the whole or a substantial part of those activities. A COO or the head of a major division will usually sit inside that test; a regional team lead with no influence over the firm's direction usually will not. Showing that you considered both ends of that spectrum is what proves the firm applied the test across the whole senior population rather than stopping at the obvious names.

For each person, capture the source data the assessment relied on, the role, the verdict, and a confidence level. For an FCA-regulated firm, the date of the FCA register extract is a natural anchor, since the register is the public record of who the FCA or PRA has authorised or approved. The record should let someone who was not in the room understand why the firm reached each conclusion. A list of names with no reasoning is not an identification record. It is a list of names.

Document 2 — what does the notification audit trail capture?

Once you know who is in scope, you need evidence that you acted. The notification and response audit trail records, for each in-scope individual: when they were contacted, through what channel, when they accessed the request, when (or whether) they responded, and what they said. It also records the things that go wrong: bounced messages, non-responses, chase attempts, refusals. A non-response is itself part of the reasonable-steps story, not a gap in it, provided you can show you tried.

The defensibility of this trail depends on it being contemporaneous, built as events happen rather than reconstructed afterwards. Timestamps written at the moment of each event carry far more weight than a summary typed up weeks later. This is where a zero-login declaration workflow earns its place: it captures the access and submission timestamps automatically, with no account for the recipient to create.

Document 3 — what does the board evidence pack tie together?

The board evidence pack is what a firm hands over if it is ever asked to show its Section 250 position. It compiles the identification record and the notification audit trail into one document, adds an executive summary the board can act on, and records the board's formal acknowledgement that it reviewed the analysis and confirmed the cycle was complete.

The board's involvement is not decoration. The reasonable-steps story is strongest when the firm's governing body can be shown to have understood the exposure and signed it off. The pack is what turns a compliance exercise into a documented act of governance. Its format matters as much as its contents, which is the subject of the next section.

What evidence standard applies to all three?

All three artefacts share one requirement: they have to stand as business records. In civil proceedings, the route to admit a business record runs through the Civil Evidence Act 1995. Section 8 allows a statement in a document to be received in evidence, and section 9 allows a document forming part of the records of a business to be received without further proof if duly certified. A document produced through a consistent, ordinary-course process clears a real evidential hurdle by virtue of how it was made, before anyone examines its contents.

That is why integrity matters. PDF/A-3B is the ISO 19005-3 archival format (Level B guarantees reliable visual reproduction and supports embedded file attachments). Generate the pack in that format, embed the underlying records, and record the file's SHA-256 hash (a cryptographic fingerprint) at the moment of generation. You can then show, later, that the document is the same one the firm produced at the time.

A file format does not make a document admissible. Courts decide admissibility case by case, weighing authenticity, integrity, and chain of custody on the facts in front of them. What the archival format, the recorded hash, and a clear trail of how the document was made give you is a record built to support exactly those things. Describe the output as supporting business-record admissibility, not as court-admissible, and you are describing it honestly.

What happens if one of the three is missing?

Each artefact answers a different question, so a missing one leaves a specific hole. Without the identification record, the firm cannot show it knew who its senior managers were, which is the first thing any reviewer asks. Without the notification audit trail, the firm can show it knew but not that it acted. Without the board pack, the firm can show individual actions but not that its governing body owned the outcome.

The usual failure is more mundane than any of these. A firm keeps its evidence as an email thread and a spreadsheet, then finds, when it matters, that it cannot prove either is unchanged from the date it claims. Producing the three artefacts through a documented, integrity-preserving process is what stops you discovering that gap at the worst possible moment. Start with the gap analysis; the identification record falls out of it, and the other two follow.

Related articles

Sources

• Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
• Civil Evidence Act 1995, ss.8–9www.legislation.gov.uk/ukpga/1995/38/section/8
• FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime
• FCA Registerregister.fca.org.uk/
• ISO 19005-3 (PDF/A-3)www.iso.org/standard/57229.html