The Model Office Blog

Culture, compliance and expanding the line of fire

Nov 11, 2025 12:58:12 PM / by Chris Davies

The recent FT Adviser article on government-led changes to compliance rules highlights a major shift in corporate criminal liability. With the Economic Crime and Corporate Transparency Act 2023 already broadening attribution rules, the proposed 2025 Crime and Policing Bill pushes accountability even further — from economic crime to health, safety, environmental, and data offences. The direction of travel is clear: corporate liability now attaches not only to intent but to ordinary management decisions made under pressure.

There’s no compliance defence, no requirement for corporate benefit, and in many cases, recklessness will suffice. That creates a governance challenge few boards can afford to ignore. Mapping who qualifies as a “senior manager” by function, not title, and stress-testing apparent authority scenarios are now essential. Equally important is co-ordination between compliance, legal, and audit teams when incidents arise — since even an internal review may trigger disclosure duties or Directors and Officers (D&O) liability notifications.

This new legislative direction also adds another layer of compliance oversight to existing regulations.
  • Senior Managers and Certification Regime (SM&CR). Firms must now map senior management functions to real decision-making authority rather than job titles and reassess how accountability sits across the organisation.
  • Systems, controls, and communication procedures are fully aligned with new requirements.
  • Consumer Duty responsibilities are properly implemented and evidenced.

Understanding each senior manager’s knowledge, roles, and responsibilities in light of the ECCTA and the Crime and Policing Bill is now imperative — not only to demonstrate regulatory compliance but to evidence the integrity of governance frameworks to auditors and regulators alike.

Where all this gets tricky is the subjective line between what is perceived as acting in the interests of the business and reckless action. An example could be senior management continuing to run the business to meet goals and objectives despite capital reserves running low or falling below FCA requirements, or Appointed Representative Networks not heeding or obtaining risk-driven data about the actions of their AR firms and Registered Individuals regarding products sold to certain target markets.

Law can enforce compliance upgrades, but only culture prevents the crime. That means leadership tone, transparent escalation routes, and robust whistleblowing processes must complement the regulatory architecture. However, culture alone is not enough without evidence.

This is where RegTech earns its place. Intelligent compliance and audit software platforms can provide firms with a real-time third line of defence — continuously testing controls, capturing management decisions, and evidencing conduct before it becomes a liability. For auditors, these systems offer instant visibility into governance gaps and support independent assurance over conduct risk frameworks.

Three key takeaways

  1. Expanded attribution means exposure — Section 196 ECCTA and the forthcoming bill hold firms criminally liable for ordinary managerial acts within apparent authority.

  2. Culture and systems must align — Ethical tone and behavioural oversight are critical, but they need measurable support from governance tech.

  3. RegTech closes the assurance gap — Automated monitoring and digital audit trails give boards the visibility they need to demonstrate effective oversight and protect against escalating compliance risk.


Topics: Financial regulation, fintech, client engagement, regtech, Risk management, practice management, FCA, Data, compliance, consumer duty
