Grant Compliance in the UK: What Every Funder Must Know

UK grant compliance rules for funders, covering Charity Commission duties, due diligence, OFSI sanctions, data protection and proportionate controls.

By Plinth Team

Grant compliance in the UK is not a single set of rules. It is a web of overlapping duties drawn from charity law, data protection legislation, financial sanctions regulations and the expectations of the Charity Commission for England and Wales. Funders who distribute grants, whether they are charitable trusts, corporate giving programmes or public-sector bodies, must demonstrate that money was awarded lawfully, managed responsibly and applied to the purposes for which it was given.

The regulatory landscape has tightened in recent years. The Charity Commission assessed 3,132 serious incident reports in 2024-25, up from 3,106 the previous year, and exercised 13,076 regulatory powers across the same period (Charity Commission Annual Report, 2024-25). In March 2025, OFSI issued enforcement disclosures against three UK-registered charities for failing to respond to information requests, underscoring that sanctions obligations apply to the voluntary sector just as firmly as to the private sector (OFSI Annual Review, 2024-25).

For funders, the core question is straightforward: can you show that every grant decision was made in the best interests of beneficiaries, supported by proportionate checks, and documented well enough to withstand scrutiny? This guide breaks down the legal framework, the practical controls, and the common pitfalls that trip funders up.

What does grant compliance actually mean?

Grant compliance means meeting the legal, regulatory and contractual obligations that govern how funds are awarded, managed and reported. It is distinct from broader notions of "good practice" or "impact measurement", although in reality the three overlap.

In England and Wales, the primary regulatory body for charities is the Charity Commission. Its guidance document CC3, "The Essential Trustee", sets out six core duties: carry out your charity's purposes for the public benefit; comply with your governing document and the law; act in your charity's best interests; manage resources responsibly; act with reasonable care and skill; and ensure your charity is accountable (Charity Commission, CC3).

For funders specifically, these duties translate into practical obligations across the grant lifecycle: checking that a prospective grantee is a legitimate organisation; verifying it can deliver what it promises; issuing a clear grant agreement; monitoring progress; and closing out with proper records. Compliance is not about perfection. It is about proportionality. A 2,000-pound micro-grant to a well-known local charity warrants a lighter set of checks than a 200,000-pound multi-year award to an unfamiliar overseas partner.

The Charities Act 2022, which was implemented in phases between October 2022 and November 2025, brought several changes relevant to funders. Among them: simplified rules for disposing of charity property, greater flexibility around permanent endowment funds (trustees can now resolve to spend capital of funds valued at up to 25,000 pounds without Commission consent), and updated provisions for managing appeals that raise more or less than expected (GOV.UK, Charities Act 2022 guidance).

Which laws and regulators apply to UK funders?

UK grant compliance does not sit under a single statute. Funders need to navigate multiple regulatory regimes simultaneously, each with its own enforcement body.

Area | Key legislation / guidance | Regulator | Potential consequences
--- | --- | --- | ---
Charity law and governance | Charities Act 2011 (as amended by 2022 Act), CC3, CC8 | Charity Commission | Inquiry, removal of trustees, disqualification for up to 15 years
Data protection | UK GDPR, Data Protection Act 2018 | Information Commissioner's Office (ICO) | Fines up to 17.5 million pounds or 4% of turnover; enforcement notices
Financial sanctions | Sanctions and Anti-Money Laundering Act 2018 | OFSI (HM Treasury) | Criminal prosecution; civil monetary penalties (strict liability)
Counter-terrorism | Terrorism Act 2000, Counter-Terrorism and Sentencing Act 2021 | OFSI, police, Charity Commission | Criminal prosecution; charity inquiry
Anti-fraud and bribery | Fraud Act 2006, Bribery Act 2010 | Serious Fraud Office, police | Criminal prosecution; regulatory action
Companies law (where applicable) | Companies Act 2006 | Companies House | Fines; director disqualification

The Charity Commission's "Protecting charities from harm" compliance toolkit, updated periodically, consolidates much of the practical guidance for funders. Chapter 2 deals specifically with due diligence, monitoring and verifying end use of funds. The toolkit makes clear that the greater the risk, the more trustees need to do to mitigate it (Charity Commission, Compliance Toolkit).

OFSI's enforcement powers have expanded notably. In its 2024-25 Annual Review, OFSI reported 32 enforcement actions in total, including the disclosure of three charities for sanctions regulation breaches. The review noted that OFSI's penalties operate on a strict liability basis for civil enforcement, meaning that a funder does not need to have intended to breach sanctions to face consequences.

How should funders approach due diligence?

Due diligence is the set of checks a funder carries out before and during a grant to verify that the recipient is legitimate, capable and not exposed to unacceptable risks. The Charity Commission expects that every funder will carry out due diligence proportionate to the size and nature of the grant and the risk profile of the grantee.

At a minimum, UK funders typically verify:

  • Legal status: confirm registration via the Charity Commission register or Companies House, checking status, trustees or directors, and whether filings are up to date.
  • Sanctions screening: search the OFSI consolidated list and record dates, search terms and findings.
  • Financial health: review filed accounts for income trends, reserves, reliance on a single funder, and late filing.
  • Governance documents: confirm that the governing document is current, that the dissolution clause directs assets to charitable purposes, and that conflict of interest provisions are in place.
  • Safeguarding policies: check for a named safeguarding lead, references to current legislation (DBS, not the outdated CRB), and evidence of regular review.

For overseas grants, enhanced due diligence is mandatory. The Charity Commission's guidance on managing risks when working internationally notes that trustees must ensure controls are "sufficiently robust" in areas where proscribed organisations are known to operate. This typically means verifying partners through local registries, requiring more frequent reporting, and screening sub-grantees as well as direct recipients.

Proportionality is the guiding principle. The Association of Charitable Foundations (ACF) has consistently argued that requirements should be proportionate to the funding on offer and the risks involved, and that the sector should work towards standardising certain baseline checks to reduce duplication for applicants.

What should a compliant grant agreement include?

A grant agreement is the contract between funder and grantee. It sets out what the money is for, the conditions attached, and what happens if things go wrong. From a compliance perspective, it is the single most important document in the grant lifecycle because it creates enforceable obligations on both sides.

A well-drafted UK grant agreement should cover:

  • Grant purpose and permitted use: a clear description of the funded activity or project, with a clause restricting use of funds to that purpose.
  • Payment schedule and conditions: whether funds are paid upfront, in instalments, or on delivery of milestones, and what triggers payment holds.
  • Reporting requirements: the frequency, format and content of progress and financial reports.
  • Monitoring and access rights: the funder's right to request information, visit the project, or commission an evaluation.
  • Variation and termination: how either party can request changes, and the circumstances in which the funder may suspend or claw back funds.
  • Data protection clauses: who is the data controller for beneficiary data, what lawful basis applies, and how long data will be retained.
  • Acknowledgement and branding: requirements for crediting the funder in communications.

Many funders now use digital grant agreements with electronic signatures and automated reminders for reporting deadlines. This approach reduces administrative delay and creates a timestamped record of when both parties agreed to the terms.

The Charity Commission's guidance on internal financial controls (CC8), updated in April 2023 for the first time since 2012, emphasises that all financial commitments, including grant awards, should be properly authorised, recorded and reconciled. Grant agreements are a critical part of that control framework.

What monitoring and reporting do regulators expect?

Monitoring is where compliance meets reality. A grant agreement can be perfectly drafted, but if nobody checks whether the money was spent as intended, the funder has failed in its duty of stewardship.

The Charity Commission does not prescribe a fixed monitoring regime. Instead, it expects trustees to take "reasonable steps" to verify that funds are used for their stated purpose. What counts as reasonable depends on the size of the grant, the track record of the grantee, and the level of risk.

Practical monitoring typically includes:

  • Scheduled progress reports: usually quarterly or six-monthly, covering activities delivered, beneficiaries reached, and any changes to the plan.
  • Financial reports: a breakdown of how the grant was spent against the approved budget, with receipts or management accounts for larger grants.
  • Site visits or calls: particularly for larger or higher-risk grants, to observe delivery first-hand and discuss any concerns.
  • End-of-grant reports: a final narrative and financial report, plus evidence of outcomes where feasible.

The Charity Commission Annual Return Regulations 2024, effective for accounting periods ending on or after 1 January 2025, require richer data from charities in their annual returns. This means that grantees themselves face more detailed reporting obligations to the Commission, which in turn supports funders in verifying the health and compliance of their grantees.

For multi-year grants, best practice is to refresh due diligence checks before each payment tranche, not just at the point of initial award. Register lookups, sanctions screening and a review of the latest filed accounts take minutes but can flag material changes in a grantee's circumstances.

How does data protection apply to grantmaking?

UK GDPR applies to every stage of the grant lifecycle where personal data is processed, from the initial application form through to monitoring data and beneficiary case studies. Funders are typically data controllers for application data and must have a lawful basis for processing it.

The most common lawful basis for processing grant application data is legitimate interests, not consent. The ICO's guidance makes clear that consent is appropriate only where it is genuinely optional and can be withdrawn without consequence. Since declining to provide data on a grant application would typically prevent the application from being considered, consent is rarely the right basis.

Key data protection obligations for funders include:

  • Privacy notices: tell applicants what data you collect, why, how long you keep it, and who you share it with.
  • Data minimisation: collect only what you need. If you do not require beneficiary-level data at application stage, do not ask for it.
  • Retention schedules: set clear periods for how long application data is kept, both for successful and unsuccessful applicants.
  • Security measures: encrypt data at rest and in transit, apply role-based access controls, and maintain audit logs of who accessed what.
  • Data subject rights: be ready to respond to subject access requests within one calendar month.

The ICO issued 18 fines totalling 2.7 million pounds in 2024, including enforcement action against charities for data protection breaches (ICO enforcement data, 2024). By the first half of 2025, the ICO had already issued fines totalling approximately 5.6 million pounds, signalling an upward trajectory in enforcement.

For funders using technology platforms to manage grants, it is important to verify that the platform stores data in UK or adequately protected jurisdictions, provides role-based access, and can support data deletion or export on request.

What are the rules on sanctions screening and counter-terrorism?

UK sanctions obligations are among the most consequential compliance requirements for funders, because breaches carry strict liability under civil enforcement. This means that even unintentional breaches can result in monetary penalties from OFSI.

Every UK funder must screen grantees and, where relevant, their key personnel against the OFSI consolidated list. This list includes individuals and entities subject to asset freezes under various UK sanctions regimes. Making funds available to a designated person, or dealing with funds belonging to a designated person, is a criminal offence.

For most domestic grants to established UK charities, sanctions screening is a quick, low-burden check. The risk increases significantly for:

  • Overseas grants, particularly in regions subject to UK sanctions (currently including Russia, Syria, North Korea, Iran, and others).
  • Grants to unregistered or informal groups, where the identity of ultimate beneficiaries is harder to verify.
  • Pass-through funding, where the direct grantee sub-grants to other organisations.

The Charity Commission's compliance toolkit recommends that funders record the date, search terms and results of every sanctions check, and refresh those checks at key points during the grant, including before each payment. Where a potential match arises, the funder must not proceed with the payment and should report the suspected breach to OFSI.

In 2024-25, OFSI took 32 enforcement actions across all sectors (OFSI Annual Review, 2024-25). Three of these were disclosures against UK-registered charities for failing to respond to information requests. While these did not result in monetary penalties, OFSI assessed the breaches as moderately serious and published the charities' names, a form of reputational sanction in itself.

How can funders build proportionate internal controls?

The Charity Commission's CC8 guidance, refreshed in 2023, sets out the framework for internal financial controls that every charity, including grant-making charities, should have in place. The 2023 update brought the guidance into line with modern digital operations, covering mobile payment systems, cybercrime risks, and crypto assets for the first time.

Proportionate controls do not mean minimal controls. They mean matching the intensity of your checks to the level of risk. A useful framework is to tier your grants:

Grant tier | Typical value | Due diligence | Monitoring | Approval
--- | --- | --- | --- | ---
Micro-grants | Under 5,000 pounds | Register lookup, sanctions screen | End-of-grant report only | Delegated to staff
Standard grants | 5,000 to 50,000 pounds | Full due diligence including policy review and financial health check | Quarterly or six-monthly reports | Panel or committee
Major grants | Over 50,000 pounds | Enhanced due diligence including site visit, referee checks, annual refresh | Quarterly reports plus annual review meeting | Board or sub-committee
Overseas grants | Any value | Enhanced due diligence plus partner verification, sub-grantee screening | Frequent reporting, potential independent audit | Board or sub-committee

Consistency matters as much as intensity. The most common compliance failures stem not from a lack of controls, but from inconsistent application. If your policy requires a sanctions check for every grant but the check is skipped for a long-standing grantee, that gap is exactly the kind of thing a Charity Commission inquiry would flag.

Key elements of a robust internal control framework include: segregation of duties between those who approve grants and those who process payments; a conflicts of interest register with declarations recorded per funding round; documented decision-making with reasons for both approvals and declines; and a clear escalation process for when things go wrong.

What records should funders keep and for how long?

Good record-keeping is the backbone of compliance. If you cannot demonstrate what checks you carried out, what decisions you made, and why, then you cannot demonstrate compliance, no matter how diligent you were in practice.

Funders should maintain records covering every stage of the grant lifecycle:

  • Application records: the original application, supporting documents, and any correspondence with the applicant.
  • Due diligence records: register lookups, sanctions screening results, policy review notes, and financial analysis.
  • Decision records: panel or committee minutes, scoring sheets, reasons for approval or decline, and any conditions attached.
  • Grant agreements: the signed agreement, any variations, and evidence of grantee acceptance.
  • Monitoring records: progress reports, financial reports, site visit notes, and any remedial actions taken.
  • Close-out records: the final report, financial reconciliation, and any lessons learned.

There is no single legal retention period for grant records. The Charity Commission expects records to be kept long enough to support accountability and any future inquiries. In practice, most funders retain grant records for at least six years after the end of the grant, aligning with the limitation period for contract claims. For grants involving vulnerable beneficiaries or safeguarding data, longer retention may be appropriate, balanced against data minimisation requirements under UK GDPR.

The Charity Commission's 2024-25 annual report noted that 170,862 charities were on the register at 31 March 2025. With that volume, the regulator increasingly relies on data analysis and risk indicators to target its oversight. Funders whose records are incomplete or inconsistent are more likely to face scrutiny.

Tools like Plinth support compliance record-keeping by creating an automatic audit trail for every action in the grant lifecycle. Each due diligence check, decision, payment and monitoring submission is timestamped and linked to the relevant case record, with role-based access controls ensuring that only authorised staff can view or edit sensitive data. Plinth runs automated checks against the Charity Commission register, Companies House and the OFSI consolidated list, saving time while ensuring screening is not accidentally skipped. For funders managing multiple programmes, the ability to export complete audit trails for a specific grant or an entire funding round makes external scrutiny, whether from auditors, trustees or the regulator, significantly less disruptive.

Common compliance pitfalls and how to avoid them

Most compliance failures are not dramatic. They are quiet, cumulative and rooted in inconsistency. Based on Charity Commission inquiry reports and sector experience, the most frequent issues include:

  • Inconsistent due diligence: checking some grantees thoroughly while waving through others, particularly long-standing partners. The remedy is a standard checklist applied to every application, with documented exceptions where proportionality genuinely warrants a lighter approach.
  • Undocumented decisions: approving grants in meetings without recording the reasons, the panel composition, or the conflicts declared. Even a brief note of who was present, what was discussed, and why the decision was made is sufficient.
  • Outdated policies in the supply chain: accepting safeguarding or governance policies from grantees without checking whether they are current, reference current legislation, and name a responsible individual.
  • Ignoring reporting gaps: when a grantee misses a reporting deadline, the temptation is to chase informally and move on. Best practice is to record the gap, the follow-up action, and the outcome, and to hold subsequent payments until reporting is up to date.
  • Treating compliance as a one-off event: due diligence at the point of application is necessary but not sufficient. For multi-year grants, checks should be refreshed at least annually and before each payment.

The Captain Tom Foundation inquiry, published by the Charity Commission in November 2024, serves as a high-profile illustration of what happens when governance and financial controls break down. The inquiry found repeated instances of misconduct and mismanagement, resulting in trustee disqualifications of up to ten years.

Funders who embed proportionate controls into their workflows from the outset, rather than layering them on as an afterthought, consistently find that compliance is less burdensome and more reliable. Grant management platforms with built-in compliance workflows, such as Plinth, can automate routine checks and surface exceptions for human review, reducing the risk of gaps without adding to the administrative burden on small teams. Plinth also offers a free tier, making structured compliance workflows accessible to smaller funders and foundations.

Frequently asked questions

Do micro-grants require the same compliance checks as large awards?

No. The Charity Commission expects proportionate checks, meaning the intensity of due diligence should match the size of the grant and the level of risk. A micro-grant under 5,000 pounds to a well-known local charity typically requires a register lookup and sanctions screen, but not a full governance review. Document your rationale for any lighter approach.

Are UK funders allowed to make grants overseas?

Yes, but enhanced due diligence is required. The Charity Commission's compliance toolkit and international operations guidance require funders to verify partners through local registries, screen against sanctions lists, and implement robust monitoring and reporting. The greater the risk inherent in the operating environment, the more steps trustees must take.

What happens if a grantee breaches the terms of the grant agreement?

The funder should record the breach, discuss it with the grantee, and agree a remedial plan where possible. If the breach is serious, the funder may suspend or withhold payments and, in extreme cases, seek repayment. The key is to document every action taken and the reasoning behind it. If a safeguarding or criminal matter is involved, the funder must also report to the relevant authorities.

Do funders need consent under UK GDPR to process grant applications?

Usually not. The appropriate lawful basis for processing grant application data is typically legitimate interests, not consent. The ICO has made clear that consent is only appropriate where it is genuinely optional and can be withdrawn without consequence. Since withdrawing consent would prevent an application from being processed, legitimate interests is almost always the correct basis.

How often should sanctions screening be refreshed?

At a minimum, screen against the OFSI consolidated list at the point of application and before each payment. For multi-year grants, refresh screening at least annually. Record the date, search terms and results of every check. If a potential match arises, do not proceed with the payment and report to OFSI immediately.

Can funders rely on AI tools for due diligence and compliance?

AI tools can automate routine checks such as register lookups, sanctions screening and policy document review, significantly reducing manual effort and the risk of human error. However, the Charity Commission expects a human to review and approve the results. AI should assist decision-making, not replace it. Tools like Plinth use AI to read uploaded governance documents, safeguarding policies and accounts, surfacing issues and risk flags for a grants officer to review before making a final determination.

What should a funder do if the Charity Commission opens an inquiry?

Cooperate fully and promptly. Provide all requested records, including decision notes, due diligence documentation, grant agreements and monitoring reports. Having a complete, well-organised audit trail is the single most effective defence. The Commission's annual report for 2024-25 noted that 50 statutory inquiries were opened in one quarter alone, so preparation is not a hypothetical exercise.

How does the Charities Act 2022 affect grantmaking compliance?

The Charities Act 2022 introduced several changes relevant to funders, implemented in phases through to November 2025. Key provisions include simplified property disposal rules, greater flexibility to spend permanent endowment capital (up to 25,000 pounds without Commission consent), and updated provisions for managing over- or under-funded appeals. The Act did not change the fundamental duties of trustees but modernised some of the administrative procedures around them.

Last updated: February 2026