Export Compliance for Public Administration Companies — UK

UK Public Administration companies must comply with the Export Control Order 2008, the Trade and Cooperation Agreement (TCA) implementing regulations, and UK-specific sanctions legislation administered by OFSI. The ECJU maintains consolidated lists of controlled goods requiring licenses for export. Companies handling dual-use items (goods with both civilian and military applications), encryption technology, or supplying international partners must obtain explicit export licenses. For government contractors specifically, Cabinet Office guidance mandates that companies establish internal export control programs verifying end-use of supplied goods and ensuring compliance with UK foreign policy objectives. Additionally, if companies receive contracts involving NATO-classified information or defense-related materials, compliance with MOFCOM and MOD security protocols becomes mandatory, with violations resulting in contract termination and potential criminal prosecution.

Directors and Persons of Significant Control establish organizational accountability chains critical for export compliance. Our data shows 12,378 director records with average risk score 1.5 and 10,883 PSC records averaging 14.9, indicating significant variation in oversight quality. Regulators hold directors personally liable for company export violations—individuals can face imprisonment and unlimited fines. Therefore, examining director backgrounds for prior export violations, involvement with sanctioned entities, or financial distress (which may incentivize illegal export schemes) is essential. PSC analysis matters because complex ownership structures can obscure decision-making authority, allowing exports to proceed without proper authorization. A director claiming lack of knowledge about PSC intentions provides insufficient defense if beneficial owners have ties to sanctioned jurisdictions or if ownership concentration patterns suggest coordinated evasion schemes.

PSC concentration risk assessment requires identifying whether single entities or coordinated groups control >50% of company ownership, decision-making authority, or profit distribution rights. Our dataset reveals 10,856 PSC records with concentration score averaging 13.5—above typical commercial thresholds. For export compliance, concentrated ownership raises risk if PSC holders lack demonstrated export compliance expertise or have international connections suggesting foreign influence. Fragmented ownership (many small shareholders) creates opposite risk: decision-making becomes diffuse, enabling unauthorized exports if no individual assumes compliance responsibility. Best practice involves mapping beneficial ownership through all layers (corporate vehicles, trusts, nominee arrangements) to identify ultimate decision-makers, then conducting background screening on those individuals. Document this analysis, as regulators expect companies to demonstrate they understand who truly controls their export decisions—ignorance of PSC intentions provides insufficient compliance defense.

Companies must maintain comprehensive records demonstrating compliance with every export transaction: export license applications and approvals; classification determinations for goods/technologies; customer due diligence evidence; end-use certifications; shipping documentation; and internal approvals. For technology transfers, document technology control plan implementations, classified information access controls, and encryption authorization records. Supply chain documentation should include vendor export compliance attestations and subcontractor due diligence records. Personnel training records prove staff understand export regulations. Additionally, maintain records of compliance officer appointment, internal compliance audit findings, and any regulatory correspondence. The 8,368 companies formed since 2020 likely lack mature documentation systems—regulators expect this and conduct inspections specifically examining documentation gaps. Inability to produce contemporaneous records during inspection strongly suggests regulatory violations occurred, often resulting in enforcement action even if violations cannot be directly proven through other means.

Efficient screening requires establishing systematic procedures integrating multiple data sources: ECJU Consolidated Export Control Lists; OFSI consolidated sanctions lists; the Enhanced Scrutiny List; relevant international lists (US OFAC, EU sanctions); Companies House director/PSC databases; and historical regulatory enforcement announcements. Many companies employ third-party screening software automating daily updates against these lists, immediately flagging matches. For government contractors, Cabinet Office security vetting integrates these checks during contract award processes. Best practice involves: initial screening when engaging new directors, PSC members, or major suppliers; monthly rescreening against updated lists (sanctions change frequently); transaction-specific screening before export approvals; and supply chain screening of vendors and end-customers. Documentation proving screening was conducted contemporaneously—not retroactively—is essential for audit purposes. Given the sector's 1.6% dissolution rate, companies demonstrating robust, documented screening programs demonstrate compliance commitment and reduce regulatory enforcement risk substantially.