Export Compliance for Financial Services Companies — UK

UK financial services export compliance is governed by multiple frameworks: OFSI sanctions regulations (administered through the Sanctions and Anti-Money Laundering Act 2018), the Money Laundering Regulations 2017 requiring customer due diligence on restricted jurisdictions, and FCA Handbook requirements including SYSC (Systems and Controls) rules. The Trade and Investment Bill (2023) strengthens these obligations. Additionally, firms must comply with international sanction regimes including UN Security Council sanctions, EU sanctions transposed into UK law, and US OFAC regulations when handling dollar transactions. PRA-regulated institutions face additional expectations through supervisory statements. Non-compliance triggers FCA enforcement, PRA action, criminal prosecution, and mandatory reporting to NCA and OFSI. Our data shows 212,629 active firms must navigate this complex framework, with particular challenges for the 132,406 newer firms established since 2020 lacking mature compliance infrastructure.

Companies should systematically map all PSCs (our data shows average 14.8 PSCs across 216,696 firms) against OFSI consolidated sanctions lists, PEP databases, and adverse media sources. High psc_ownership_concentration (averaging 14.1 in our dataset) requires enhanced due diligence procedures. Implement annual beneficial ownership verification requiring PSCs to confirm identity and provide updated information. Cross-reference all new PSC designations against sanctions lists within 48 hours of Companies House notification. Establish procedures identifying ultimate beneficial owners in complex corporate structures through multiple ownership layers. Document compliance decisions and risk assessments in permanent files. Higher-risk factors include PSCs from sanctioned jurisdictions, politically exposed persons without documented risk mitigation, recent PSC changes, or opaque ownership structures. Financial institutions should view beneficial ownership assessment as continuous process rather than one-time exercise, particularly given regulatory priority on beneficial ownership transparency.

While often used interchangeably, these represent distinct compliance functions. Sanctions screening specifically focuses on identifying and preventing transactions involving designated individuals, entities, and jurisdictions on consolidated sanctions lists—primarily OFSI's list. Export compliance encompasses this but extends to broader regulatory obligations: controlling financial services provision to restricted sectors (arms, nuclear materials, certain technologies), ensuring compliance with embargoes on specified jurisdictions, documenting trade finance transactions, and maintaining comprehensive audit trails. Export compliance also includes correspondent banking controls, restricting provision of investment services to certain jurisdictions, and managing reputational risk through PEP identification. Sanctions screening is essentially a technical control (database matching), while export compliance requires substantive business decisions about client relationships and transaction structures. Financial services firms must integrate both functions into unified frameworks rather than treating them as separate compliance workstreams. The FCA expects institutions to document how these functions interact and ensure consistent application across all transaction types.

OFSI designations are added to the consolidated sanctions list continuously—sometimes multiple times daily during active sanctions escalation periods. Industry best practice and regulatory expectation require sanction list updates at minimum daily, with many institutions implementing multiple updates throughout business days. Compliance procedures should be reviewed quarterly at minimum, or immediately when regulatory guidance changes or internal reviews identify gaps. All staff involved in client onboarding, transaction processing, or investment decisions must complete export compliance training annually, with refresher training triggered by regulatory changes or identified compliance failures. Director and senior management (our data shows average 2.6 directors per firm) should receive board-level export compliance updates quarterly, escalating any material compliance issues. Given that 132,406 firms were established since 2020, many lack mature processes—these organizations should prioritize establishing daily update mechanisms and formal quarterly reviews before transitioning to longer cycles. Documentation of all update activities strengthens regulatory credibility when examination or enforcement actions occur.

Export compliance violations trigger both criminal and civil consequences. Criminal penalties under the Sanctions Act 2018 include imprisonment up to 14 years for serious violations and unlimited fines for institutions and individuals. Recent enforcement actions show OFSI pursuing criminal charges against senior management personally for sanctions breaches, with custodial sentences for knowing violations. Civil penalties from FCA for export control breaches typically range from £1 million to £100+ million depending on severity and institutional size—major banks have faced £20-100 million fines. Additionally, FCA enforcement includes: operating restrictions limiting business activities, mandatory appointment of external compliance monitors (costing millions annually), requirement to remediate all historical transactions (potentially affecting thousands of clients), and reputational damage affecting client relationships and regulatory standing. PRA-regulated institutions face additional supervisor action including capital requirements adjustments and restriction of dividend payments. Criminal liability extends to individual directors and compliance officers—personal prosecution sends strong deterrent message. Recent cases show regulators increasingly pursuing individual accountability rather than solely institutional penalties. Beyond regulatory consequences, export violations require mandatory reporting to NCA, may trigger criminal investigation, and create substantial civil liability from counterparties.