Part Two: Tightening sanctions – Sanctions Lists and End User Controls

In our previous piece, we looked at recent changes to the UK sanctions rules which focused on Russia, in particular the new ban on the provision of construction services to persons connected with that country.

This piece examines two other changes of critical importance: the introduction of sanctions “end-user” controls to the UK sanctions rules and the changes to the UK sanctions lists. Neither is confined to Russia, and both alter not merely what compliance teams screen for, but how they must operate.

End-user controls

Persons or entities who are subject to the sanctions rules will be familiar with the discipline of screening: checking a counterparty, a destination or a category of goods against a list of what is prohibited. End-user controls work in a different way, and represent a significant shift in approach.

Those who deal with the UK’s strategic export control regime will recognise the concept. Under the Export Control Order 2008, the Government may “inform” an exporter that goods which are not otherwise controlled are, or may be, intended for an objectionable end use, such as a weapons of mass destruction programme. Once that notification is given, the exporter may not proceed without a licence. The control is triggered not by the nature of the goods, but by what the Government knows about their likely destination or use.

The 2026 Regulations import this mechanism into the sanctions sphere. Where the Secretary of State informs a UK person that goods, or technology related to their export, are or may be intended for a sanctioned destination, or for a person connected with such a destination, it becomes a criminal offence to export them without a licence. The classic mischief is the use of a proxy: an apparently innocent company in a third country which is, in truth, procuring goods on behalf of a sanctioned state. The connection may be impossible for an honest exporter to detect, because the relevant intelligence sits with the Government.

Two points are key. First, the control goes beyond military or dual use goods (these items are already separately controlled under Schedule 2 to the Export Control Order 2008 or Annex I to the Dual-Use Regulation) meaning anything is within scope. Secondly, the control is brought into effect immediately on the issue of a notice from the Secretary of State.

Do the rules already prevent circumvention? The rules prohibit making funds or economic resources available indirectly to designated persons, and in most circumvention cases the party making the goods or funds available will be aware of, and perhaps party to, a scheme to evade the prohibitions through proxies or corporate structures. Such conduct is caught by regulation 19 (financial sanctions) and regulation 55 (trade sanctions) of the Russia Regulations. In some cases, however, a party may have no reasonable cause to suspect that it is dealing indirectly with a sanctioned person or entity, or otherwise infringing trade sanctions. A notification under the new regime plugs that knowledge gap and creates an immediate prohibition on continuing to deal without a licence.

Changes to the UK Sanctions Lists

The second change concerns the infrastructure of screening itself. For years, those checking whether they were dealing with a designated person consulted the OFSI Consolidated List of Asset Freeze Targets. Since 28 January 2026, that list has closed and is no longer maintained. The single authoritative source for all UK designations is now the UK Sanctions List, maintained by the Foreign, Commonwealth and Development Office.

Any business, or third-party screening provider, whose systems still draw on the retired Consolidated List is therefore working from data that is no longer updated. The identifiers have changed too: designations are now keyed to a UK Sanctions List unique identifier rather than the old OFSI “Group ID”, so automated matching built around the latter may silently fail. Contractual clauses which require a counterparty to screen against the “OFSI Consolidated List” now point to a list that no longer exists. Such clauses should be revisited. The lists themselves continue to grow: on 11 May 2026, the same week the Regulations commenced, the UK added 85 individuals and entities to its Russia designations.

The consequences

For those affected by these changes, our key takeaways are as follows:

• Decide, now, who within your organisation would receive an end-user control notification, including one arriving by unsolicited email, and how that person would halt a shipment or transaction within hours. Ensure that email filtering does not divert or block correspondence from the Government, OFSI or OTSI.
• Confirm that your screening systems, and those of any third-party provider, draw on the UK Sanctions List rather than the retired OFSI Consolidated List, and that matching does not rely on legacy OFSI Group IDs.
• Review and, where necessary, update contractual sanctions provisions that refer to the OFSI Consolidated List.
• Treat due diligence on end use and counterparties as an ongoing discipline rather than a one-off check. The decisive facts – the real end user, the true beneficial owner – frequently sit behind the documents.

Regulators have shown that they will penalise a failure to engage with them, irrespective of whether any underlying breach is ever established. In April 2025, OFSI imposed its first ever penalty for a pure information offence, fining Svarog Shipping & Trading Company Limited £5,000 for failing to respond to a statutory request for information, even though it ultimately concluded that Svarog’s underlying transactions had not breached sanctions. Tellingly, Svarog had confirmed the email address to which the request would be sent, but no one was monitoring it. The Competition and Markets Authority has displayed the same instinct: in December 2025, in the first exercise of its new fining powers under the Digital Markets, Competition and Consumers Act 2024, it imposed a penalty of £473,000 on Euro Car Parks Limited for failing, without reasonable excuse, to respond to a statutory information notice despite seven attempts at contact. The company said it had blocked the regulator’s emails believing them to be fraudulent; the CMA did not accept this as a reasonable excuse, noting that the company had taken no steps to verify the correspondence beforehand. Euro Car Parks has appealed to the High Court, and no investigation has been opened into its underlying conduct.

The lesson of both cases is uncomfortable but clear. In an environment of end-user controls and ever-changing lists, the safest working assumption is that any communication purporting to come from a UK regulator is genuine and time-critical, while remaining alert, of course, to the real risk of impersonation and fraud. Verifying directly and promptly with the regulator is the course that protects a business on both fronts. These are developments that no firm exposed to the UK sanctions regime can afford to ignore.

If you have any questions regarding the information discussed in this article, please contact Paul Henty.