Legal Practice Notes

The UN Global Compact ( UNGC) is a voluntary initiative launched in 2000 under the auspices of the United Nations, engaging organisations to advance responsible and sustainable business. operate responsibly in line with ten sustainability principles spanning human rights, labour, the environment, and anti-corruption take actions that support the society around them demonstrate top-level commitment, including a public pledge from the CEO or equivalent (with board support), to: embed the UNGC’s ten principles within strategy, culture and day-to-day operations engage in projects that progress the broader UN Sustainable Development Goals ( SDGs) report annually on the organisation’s efforts and progress engage locally in places where they have a presence Over 20,000 organisations in more than 160 countries have signed up to the...

STOP PRESS: The Data ( Use and Access) Act 2025 ( Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82, bring into effect the remaining provisions of the Data ( Use and Access) Act 2025 ( DUAA 2025). Provisions concerning subject access requests, legitimate interests, purpose limitation, automated decision-making, international transfers and enforcement apply from 5 February 2026, while those covering penalty notices and complaints take effect from 19 June 2026. For further information, see Practice Note: Data ( Use and Access) Act 2025—employment implications. This Practice Note will be updated shortly to reflect these changes. This material currently considers Assimilated Regulation ( EU) 2016/679, the UK General Data Protection Regulation ( UK GDPR) and the Data Protection Act 2018 ( DPA 2018), and, unless expressly stated otherwise, legislative links are to Assimilated Regulation ( EU) 2016/679 and the UK GDPR. For a more...

The Sanctions and Anti- Money Laundering Act 2018 ( SAMLA 2018) Established after Brexit, SAMLA 2018 sets out a UK‑centric system for putting sanctions in place and policing them domestically as well. The core UK sanctions regimes have been brought in via secondary legislation, and SAMLA 2018 permits regulations to be made covering the enforcement of any ban or obligation created by a regulation. See Practice Notes: The UK sanctions framework under SAMLA 2018 and UK sanctions regimes currently in force. Under sanctions regulations, SAMLA 2018 authorises the imposition of trade sanctions. Such trade measures curb the direct or indirect import or export of goods, non‑financial services, or technology connected to, intended for use in, or used in or by, a specified country, region, or person. Note that trade sanctions intersect with export controls but are not the same. See Practice Note:...

What are trade sanctions? Trade sanctions are restrictions that curb, whether directly or indirectly, the import or export of goods, non-financial services, or technology, where these relate to, or are intended for use in or by, a specified country, region, or individual. The UK applies sanctions to fulfil several aims: supporting foreign policy and national security goals, safeguarding international peace and security, and countering terrorism. These sanctioning regimes are established under the Sanctions and Anti- Money Laundering Act 2018 ( SAMLA 2018) and cover the entirety of the UK, including Northern Ireland. For further information on SAMLA 2018, see Practice Notes: The UK sanctions framework under SAMLA 2018 and UK sanctions regimes currently in force......

This Practice Note offers an overview of international sanctions regimes. It clarifies what sanctions mean, differentiates between financial sanctions and trade sanctions, and outlines the distinct legal frameworks through which international sanctions are imposed, including UN sanctions, UK domestic sanctions and EU sanctions. It also describes how sanctions are enforced and how, in the UK, penalties for breaching sanctions are applied. What are sanctions? Sanctions are temporary restrictions or bans put in place by governments that govern how their nationals and entities deal with sanctioned states or regimes. They may, for instance, forbid particular categories of goods from being exported to, or imported from, a sanctioned country, or designate individuals, companies or vessels in that jurisdiction with whom business is prohibited. In some situations, specific activities can be authorised under a licence issued by the competent...

This Practice Note offers advice on setting up systems and controls to meet obligations under the UK sanctions framework. It excludes systems and controls for organisations providing sanctions-related services, e.g. contesting designation decisions, which demand specialised skills and expertise. Your systems and controls There are several actions to take when creating your systems and controls. You should: evaluate your potential exposure to sanctions restrictions, i.e. carry out an organisation-wide risk assessment use the findings to design and implement suitable policies and procedures, covering due diligence, screening against sanctions lists, and steps to follow if a designated person is identified, etc keep appropriate records of sanctions compliance, including the organisation-wide risk assessment, per customer/matter risk assessments, policies and procedures, and investigations into possible matches, etc train staff on the sanctions framework and your internal procedures regularly review your systems and...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill obtained Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025), with parts taking effect that same day. Provisions addressing matters such as dealing with data subject access requests and granting powers to make further regulations commenced immediately on 19 June 2025. Other measures, covering notices from the Information Commissioner and certain facets of law enforcement processing, began on 19 August 2025 (two months after Royal Assent). The bulk of DUAA 2025’s measures still require additional regulations, in the form of statutory instruments, before they can commence. Parts 5 and 6 update elements of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 and the Privacy and...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill secured Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025) and partially commencing on that date. Certain parts of DUAA 2025, addressing matters such as replies to data subject access requests and the conferral of powers to make additional regulations, took effect immediately on 19 June 2025. Other elements, dealing with notices from the Information Commissioner and particular aspects of law enforcement processing, commenced on 19 August 2025 (two months after Royal Assent). Most of DUAA 2025’s measures require further regulations (as statutory instruments) to be made before they take effect. Parts 5 and 6 of DUAA 2025 amend elements of data protection and e Privacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data...

The Office of Trade Sanctions Implementation ( OTSI) The Office of Trade Sanctions Implementation ( OTSI) sits within the Department for Business and Trade ( DBT). It helps businesses to navigate UK trade sanctions and holds civil enforcement powers in respect of certain trade sanctions breaches. OTSI also acts as the licensing authority for specified trade sanctions licences—covering permissions to provide (and procure) particular standalone sanctioned services, as well as some export-related prohibitions concerning goods and their associated ancillary services. In the UK, responsibility for trade sanctions licensing is divided between different licensing bodies, depending on whether the activity concerns standalone services, goods, ancillary services or imports. If the planned activity falls under more than one body’s remit, you may need to submit separate licence applications. See also Practice Note: Licences and exceptions in trade sanctions. OTSI performs licensing functions granted by the relevant...

How-to guide The Office of Financial Sanctions Implementation ( OFSI) sits within HM Treasury. It communicates, implements and enforces financial sanctions in the UK. It also has powers to issue licences that permit activities or transactions which would otherwise be prohibited under the UK financial sanctions regime. OFSI can only grant licences relating to financial sanctions. If your application concerns another category of sanction, eg trade or immigration, you must send it to the appropriate department. See further Practice Note: Understanding the financial sanctions regime. OFSI licences can be general or specific: General licences. Specific licences where a transaction is involved and no statutory exception or general licence applies. Where a transaction involves a person or organisation subject to financial sanctions (directly or indirectly), and no applicable statutory exception or general licence is in place, you must obtain a specific licence to proceed without...

Practice Note This Practice Note sets out guidance on the obligation to report material discrepancies in beneficial ownership information. It is aimed at organisations within scope of the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended, when engaging with clients or customers that are corporate bodies and trusts, including overseas entities. It is not a guide for corporate bodies or trusts on their own obligations concerning beneficial ownership information and registration. The Money Laundering and Terrorist Financing ( Amendment) ( No 2) Regulations 2022, SI 2022/860, in force from 1 April 2023, expanded the scope of discrepancy reporting so that it applies: throughout the life of the business relationship, rather than being confined to client inception only to entities recorded on the Register of Overseas Entities (a public register of the beneficial owners of...

Staff training and awareness The Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended, impose obligations concerning staff training and awareness, which are compulsory for organisations caught by the MLR 2017. All organisations, together with their personnel, have a duty to comply with applicable anti‑money laundering ( AML) legislation at all times. Even if the MLR 2017 requirements do not apply to your organisation, the Proceeds of Crime Act 2002 ( POCA 2002) and the Terrorism Act 2000 ( TA 2000) legislation still apply to your partners/directors and employees as private individuals; for instance, if they become involved in something they know or suspect is connected to money laundering, they have a legal obligation to report it. Consequently, whether or not your organisation is within scope of the MLR 2017, you may wish to...

This Practice Note outlines the obligation to pinpoint and evaluate organisation‑wide risks under the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended. The guidance is of general application. Check whether the MLR 2017 include additional or altered duties for your sector, and whether your regulator imposes further, sector‑specific requirements on risk assessment. There is no single correct approach to conducting a risk assessment; what matters is being thorough. Examine what you do, as well as what you do not. Yet, even with robust assessments and appropriate controls, some criminals may still exploit your organisation for illicit purposes. A detailed, documented organisation‑wide risk assessment, alongside written records of decisions on individual customers and transactions, will enable you to justify your judgements and actions to law enforcement agencies and your...

This Practice Note sets out your responsibilities for enhanced due diligence ( EDD) and how to apply them in everyday professional practice. It aligns with the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended. The guidance provided is of general application. You should determine whether the MLR 2017 impose additional or varied requirements for your sector, and whether your regulatory body sets any extra, sector-specific obligations relating to EDD......

Section 54 of the Modern Slavery Act 2015 ( MSA 2015) It obliges certain commercial organisations operating in the UK to publish an annual transparency statement that outlines the actions taken during the financial year to make sure slavery and human trafficking are not occurring in any supply chains or any part of the business. The statement may set out details of the organisation's structure, policies, due diligence, the assessment and management of risk, training, and how effective these measures are in ensuring the business's supply chain is free from modern slavery and human trafficking. MSA 2015, s 54 applies to all commercial organisations that: carry on a business, or part of a business, in the UK ......

The Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692 As amended, these regulations require organisations to put in place and maintain policies, controls and procedures that effectively mitigate and manage the risks of money laundering, terrorist financing and proliferation financing identified in their organisation-wide risk assessment. Those arrangements must: be reviewed regularly and updated as necessary cover the monitoring and management of compliance with, and the internal communication of, those policies, controls and procedures This Practice Note sets out how organisations can monitor and assess both the effectiveness of, and compliance with, the anti-money laundering ( AML), counter-terrorist financing ( CTF) and counter-proliferation financing measures they have adopted. It reflects the requirements of the MLR 2017, as amended. Tools for monitoring and review include: audit work and file reviews ...

The Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended, place obligations on organisations regarding beneficial owners. This Practice Note: explains: the meaning of beneficial ownership who falls within the definition of a beneficial owner the customer due diligence ( CDD) measures required covers: when certain customers must provide details of their beneficial owners what can be accessed from beneficial ownership registers provides guidance on: how you can/should rely on...

Why you need to manage this risk Information is a valuable asset, and safeguarding it underpins an organisation’s commercial success. It cannot be addressed in a vacuum, as it overlaps with cyber security, data protection, records management and the control of physical spaces. Although every business relies on technology to store and process information, deploying advanced IT will not make your company invulnerable. Criminals online are just as, if not more, sophisticated, and the human element must not be overlooked—your own people can, accidentally or deliberately, expose the organisation to data loss or a cyber attack. This guide recognises that most in-house lawyers and compliance professionals are not information security experts, nor are they typically accountable for it within their organisation; that duty commonly sits with the IT department. Nevertheless, when an information security breach arises, it is usually the in-house legal team and/or...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill attained Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025) and partly commencing that same day. Provisions addressing matters such as handling data subject access requests and granting powers to make further regulations took effect immediately on 19 June 2025. Other elements, including notices from the Information Commissioner and certain aspects of law enforcement processing, commenced on 19 August 2025 (two months after Royal Assent). Most of DUAA 2025’s measures require additional regulations, in the form of statutory instruments, before they can be brought into force. Parts 5 and 6 modify aspects of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 and the Privacy and...

On 6 July 2020, the UK unveiled its first autonomous sanctions regime under the Sanctions and Anti- Money Laundering Act 2018 ( SAMLA 2018). The Global Human Rights Sanctions Regulations 2020 (the human rights sanctions regime), SI 2020/680, empower the UK to establish sanctions regimes designed to ensure accountability for, or to deter, ‘gross violations of human rights’. These measures are commonly known as ‘ Magnitsky sanctions’. This Practice Note sets out the scope of the UK’s global human rights sanctions regime. It details the activities the regime targets, the sanctions available, who is within scope, and the guidance issued by the Office of Financial Sanctions Implementation ( OFSI). It also addresses practical considerations for businesses. For material on the statutory purposes for creating sanctions regimes under SAMLA 2018, the obligations to publish guidance on those regimes, and how...