International Perspectives on Grant Compliance: A Cross-Border Guide for Funders
How grant compliance requirements differ across the UK, US, EU and Australia, with practical guidance on sanctions, data protection and proportionate controls.
Grant compliance is not one set of rules. It is many overlapping sets of rules, shaped by the legal system, regulatory culture and risk appetite of each jurisdiction a funder touches. A UK foundation distributing grants in East Africa faces different expectations from a US private foundation funding the same region, even if both are pursuing identical charitable purposes. The underlying principles are consistent (purpose, proportionality, records), but how those principles translate into practice varies considerably.
Around 16,000 charities registered in England and Wales work internationally, according to research published in the journal Voluntas (Clifford, 2016). More than half operate in just one country, but roughly 10% work across ten or more jurisdictions simultaneously. Each additional country adds a layer of regulatory obligations, from local registration rules and banking requirements to sanctions screening and data protection law. In 2024, the UK spent approximately 14.1 billion pounds on Official Development Assistance, with bilateral ODA to Africa increasing by 41% (UK Government, 2024). Much of this flows through or alongside charitable grantmaking, making compliance a practical necessity rather than an abstract concern.
This guide maps the key compliance frameworks across four major jurisdictions, explains where they diverge and converge, and sets out practical steps for funders working across borders.
How do compliance frameworks differ by country?
Every jurisdiction builds its grant compliance rules from the same raw materials (charity law, tax law, anti-terrorism legislation and data protection regulation), but the emphasis differs. The UK relies heavily on Charity Commission guidance and a principles-based approach. The US uses more prescriptive IRS rules. Australia has codified External Conduct Standards. EU member states layer multiple directives.
The Charity Commission for England and Wales publishes its Compliance Toolkit, which sets out a risk-based approach to due diligence, monitoring and verifying end use of funds (Charity Commission, 2024). Trustees must take "reasonable steps" proportionate to the size of grant and the risk profile of the recipient country. There is no single checklist; instead, the Commission expects documented reasoning.
In the United States, the IRS requires private foundations making grants to non-US organisations to either obtain an equivalency determination (confirming the grantee would qualify as a US public charity) or exercise expenditure responsibility, which includes detailed reporting to the IRS on how funds are spent (IRS, 2024). Public charities have more flexibility but must still demonstrate adequate oversight.
Australia's ACNC External Conduct Standards apply to any registered charity that operates outside Australia or sends any amount of money overseas. The standards require charities to manage resources to further charitable purposes, keep records of overseas operations, prevent fraud and corruption, and protect vulnerable individuals (ACNC, 2024).
What are the key regulatory requirements in each jurisdiction?
| Requirement | UK (England & Wales) | United States | Australia | EU (general) |
|---|---|---|---|---|
| Primary regulator | Charity Commission | IRS (federal); State AGs | ACNC | Varies by member state |
| Overseas grants framework | Compliance Toolkit (risk-based) | Equivalency determination or expenditure responsibility | External Conduct Standards | National charity law + EU directives |
| Sanctions screening | OFSI consolidated list | OFAC SDN list + sectoral lists | DFAT consolidated list | EU consolidated sanctions list |
| Data protection | UK GDPR + Data Protection Act 2018 | Sector-specific (no single federal law) | Privacy Act 1988 + APPs | EU GDPR (Regulation 2016/679) |
| Anti-money laundering | Proceeds of Crime Act 2002; Money Laundering Regulations 2017 | Bank Secrecy Act; USA PATRIOT Act | AML/CTF Act 2006 | AMLD6 (transposition by July 2027) |
| Reporting standard | SORP (new SORP effective January 2026) | Form 990-PF / 990 | ACNC Annual Information Statement | Varies; SORP-equivalents in some states |
| Risk approach | Proportionate; documented reasoning | Prescriptive procedures; detailed IRS reporting | Reasonable steps; four core standards | Varies; generally risk-based |
The new UK Statement of Recommended Practice (SORP 2026) takes effect for reporting periods starting on or after 1 January 2026, introducing changes to lease accounting, income recognition and restricted fund reporting (Compleat Software, 2025). Funders managing international portfolios will need to ensure their systems can produce reports aligned with these updated standards.
How do sanctions screening requirements compare?
Sanctions compliance is non-negotiable in every jurisdiction, but the lists, processes and penalties differ. UK funders must screen against the Office of Financial Sanctions Implementation (OFSI) consolidated list. US grantmakers screen against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals list. Australian charities use the Department of Foreign Affairs and Trade (DFAT) consolidated list. EU funders use the EU consolidated sanctions list maintained by the European Commission.
OFAC has published a risk matrix specifically for charitable organisations, grading the risk level of different types of giving (OFAC, 2024). The more specifically funds are allocated and the more thoroughly the purpose is documented, the lower the assessed risk. General, undesignated donations to organisations in sanctioned regions carry the highest risk rating.
Screening must cover not just the recipient organisation but also its board members, key executives and, in some cases, downstream sub-grantees. The FATF completed its fourth round of mutual evaluations in October 2024 and identified six methods of NPO abuse for terrorism financing, including fund diversion, affiliation with terrorist entities and abuse of programme delivery (FATF, 2024). In July 2025, the FATF introduced a new procedure to address unintended consequences affecting non-profit organisations, recognising that disproportionate application of its standards had been disrupting legitimate charitable activity (FATF, 2025).
UK funders operating in sanctioned regions should note that the UK government issues general licences for humanitarian activity. For example, General Licence INT/2025/5810196 permits payments for humanitarian assistance activities in Syria (Global Sanctions, 2025). Documenting reliance on such licences is part of the compliance record.
What data protection rules apply to cross-border grantmaking?
International grantmaking almost always involves transferring personal data across borders, whether that is beneficiary details, partner staff records or monitoring information. The rules governing those transfers depend on where the data originates and where it goes.
Under UK GDPR, personal data can only be transferred to countries outside the UK where adequate protection exists or where appropriate safeguards are in place. The UK International Data Transfer Agreement (IDTA) or the addendum to the EU Standard Contractual Clauses (SCCs) are the main mechanisms (ICO, 2024). Funders must also carry out a Transfer Impact Assessment where the destination country's laws might undermine data protection.
The EU GDPR (Regulation 2016/679) imposes similar requirements on EU-based funders. Article 44 sets the principle that the level of protection must not be undermined by any transfer. Standard Contractual Clauses remain the most common transfer mechanism.
US grantmakers face a different landscape. There is no single federal data protection law equivalent to GDPR. However, if a US funder collects data on EU or UK residents (as is common in international grantmaking), it must comply with those regimes for that data. Australian charities must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs) when handling personal information, including data sent overseas.
Charities must establish clear data processing agreements with overseas partners. As the DPO Centre notes, charities engaging third-party services must implement appropriate safeguards through written agreements (DPO Centre, 2024). The practical challenge is that many smaller overseas partners are unfamiliar with these requirements, making capacity building an integral part of compliance.
How should funders approach risk-based due diligence across borders?
A risk-based approach means calibrating the depth and frequency of checks to the actual level of risk rather than applying the same procedures everywhere. A small grant to an established partner in a stable country requires less intensive scrutiny than a large grant to a new partner in a conflict-affected region.
The Charity Commission's Compliance Toolkit recommends that the level of due diligence should depend on the circumstances, with more risk management required where funds are sent to higher-risk locations or the sums are large (Charity Commission, 2024). Practical checks include verifying the partner's legal status, reviewing governance arrangements, assessing financial controls and confirming the absence of connections to sanctioned entities.
Where formal registration systems are limited or incomplete, funders should use multiple evidence routes. Letters from local officials, site photographs, references from other funders, and milestone-based deliverables can all provide assurance without requiring documentation that simply does not exist in some contexts.
The US approach under expenditure responsibility is more prescriptive. The IRS requires foundations to obtain full and complete reports from grantees on how funds are spent and to make detailed reports to the IRS themselves (IRS, 2024). Equivalency determinations, which must be prepared by a qualified tax practitioner, are valid for two consecutive tax periods before renewal is needed.
For funders managing grants across multiple jurisdictions, the challenge is maintaining a consistent standard of assurance while adapting the method of achieving it to local realities. This is where technology can help. Tools like Plinth support configurable monitoring schedules and structured reporting forms that can be adapted to different grant types and risk levels, while maintaining a single audit trail across all grants regardless of geography.
What does proportionate compliance look like in practice?
Proportionality is the principle that compliance effort should match the risk. It appears in guidance from every major regulator, but applying it consistently across an international portfolio is difficult without clear frameworks.
A useful starting point is to categorise grants by risk tier. Low-risk grants (small amounts to established partners in stable countries) might require basic identity verification, an annual narrative report and a simple financial summary. Medium-risk grants add periodic monitoring visits, more detailed financial reporting and mid-term reviews. High-risk grants (large sums, new partners, conflict-affected regions, sanctioned countries) require enhanced due diligence, regular monitoring, site visits where possible and detailed financial reconciliation.
The ACNC's approach is instructive. Its External Conduct Standards do not prescribe specific procedures. Instead, they require charities to take "reasonable steps", with what counts as reasonable depending on the charity's size, the nature of the activity and the context (ACNC, 2024). A large international NGO is expected to do more than a small charity sending a single grant overseas.
Grant agreements should reflect the compliance tier. Include clear terms on reporting frequency, financial documentation requirements, monitoring arrangements and what happens if the recipient fails to comply. The grant agreement guide covers the essential elements in more detail.
How are anti-money laundering rules affecting grantmaking?
Anti-money laundering (AML) regulation increasingly affects charitable grantmaking, particularly for cross-border flows. While charities are not typically "obliged entities" under most AML regimes, they face indirect pressure from banks and payment providers that are.
In May 2024, the EU Council adopted a new anti-money laundering package that will apply from July 2027. This includes Regulation 2024/1624 on preventing the use of the financial system for money laundering, and Directive 2024/1640 requiring member states to put preventive mechanisms in place (EU Council, 2024). A new Anti-Money Laundering Authority (AMLA), based in Frankfurt, commenced operations in July 2025.
One practical consequence for international grantmakers is bank de-risking: financial institutions closing accounts or refusing to process payments to certain regions. From April 2026, UK banks will be required to give at least 90 days' notice before closing an account and provide a clear explanation (Russell Cooke, 2025). This is a significant change. Bank account closures have been a persistent problem for charities working in regions perceived as high-risk, disrupting legitimate humanitarian and development work.
Funders can reduce the friction by maintaining clear records of their compliance processes, documenting the purpose of each transfer, screening recipients against sanctions lists and being able to demonstrate a functioning compliance framework when challenged by financial institutions.
How can technology support cross-border compliance?
Managing compliance across multiple jurisdictions manually is time-consuming and error-prone. A funder awarding grants in five countries may be dealing with five sets of sanctions lists, multiple data protection regimes, different reporting standards and varying documentation requirements.
Grant management platforms can centralise these processes. Plinth, for example, supports structured monitoring with configurable schedules, so funders can set different reporting frequencies for different risk tiers. Its grant management features include monitoring timeline views, disbursement tracking and milestone-based progress recording, all maintaining a single audit trail that can be exported for regulatory purposes. The platform also supports AI-generated impact reports in over 25 languages, including Arabic, Urdu, Somali and Swahili, which is particularly relevant for funders working with partners whose primary language is not English. Reports can be generated from the same underlying data but tailored to different funder requirements and compliance frameworks.
For due diligence, structured application forms and eligibility screening can be configured to capture the specific information each jurisdiction requires. The due diligence guide covers the fundamentals. Digital records also simplify the audit trail obligations that regulators across all jurisdictions expect, making it straightforward to demonstrate compliance when questioned by regulators or banking partners.
Plinth offers a free tier, making it accessible to smaller funders who may be making their first international grants and need to establish proportionate compliance processes without a large upfront investment.
What about training and cultural considerations?
Compliance is not just a legal and technical exercise. It happens through relationships with partners who may be operating in very different cultural, linguistic and institutional contexts. A monitoring form designed in London may not translate effectively to a community organisation in rural Mozambique, not because of language alone but because of assumptions about record-keeping, governance structures and communication norms.
Effective cross-border compliance requires funders to invest in partner capacity. This means providing templates and guidance in local languages, explaining the rationale for compliance requirements openly, and building systems that accommodate varying levels of digital access and administrative capacity. The digital divide in grantmaking is a real barrier that compliance frameworks must account for.
The FATF's 2025 procedure on unintended consequences explicitly recognises that disproportionate compliance requirements can suppress legitimate civil society activity (FATF, 2025). Funders have a responsibility to ensure their compliance processes do not inadvertently exclude the very communities they aim to serve.
Practical steps include conducting compliance induction sessions with new partners, offering multilingual guidance materials, and building feedback loops so partners can flag when requirements are disproportionate or unworkable in their context.
What is changing in 2025 and 2026?
The regulatory environment for international grantmaking is shifting on several fronts. Funders should be preparing for the following changes:
UK SORP 2026: The new Statement of Recommended Practice applies to reporting periods starting on or after 1 January 2026. It introduces changes to income recognition, lease accounting and restricted fund reporting. International funders will need to ensure their financial reporting systems can accommodate these changes (Compleat Software, 2025).
UK Finance Bill 2025-26: From April 2026, all charitable investments must satisfy a purpose/benefit test, with changes to the tainted charity donations rules (Russell Cooke, 2025).
Bank account closure protections: From April 2026, UK banks must give 90 days' notice and a clear explanation before closing a charity's account.
EU AML package: The new anti-money laundering regulation (2024/1624) and directive (2024/1640) will apply from July 2027, with AMLA already operational since July 2025.
FATF fifth round: The FATF's fifth round of mutual evaluations, which began in 2024, will continue to shape expectations around how countries supervise nonprofit compliance with counter-terrorism financing rules.
For funders, the practical message is to review compliance processes now, update systems to handle new reporting requirements and ensure that audit trails are robust enough to meet tightening regulatory expectations.
FAQs
Do we need legal advice in every country where we make grants?
Not necessarily. Seek specialist legal advice where the risk is high, such as grants to sanctioned regions or large programmes in countries with complex charity registration requirements. For lower-risk grants, proportionate due diligence based on published regulatory guidance is usually sufficient.
Can a UK charity centralise compliance oversight for international grants?
Yes, but with local flexibility. A centralised compliance function can set standards, maintain sanctions screening processes and manage data protection obligations. However, local staff or partners need the authority and guidance to adapt procedures to their context, with clear escalation routes for issues that need central decision-making.
How do we handle grants to countries on sanctions lists?
Check whether humanitarian exemptions or general licences apply. The UK, US and EU all maintain mechanisms for legitimate charitable activity in sanctioned regions. Screen all parties against the relevant sanctions list, document your assessment and the legal basis for proceeding, and maintain records of all decisions.
What happens if a grantee is in a country without formal charity registration?
Use alternative evidence of legitimacy. Letters from government officials, references from other established funders, site visits, milestone-based funding and graduated trust-building (starting with smaller grants) are all approaches recognised by regulators. Document your reasoning for accepting alternative evidence.
Is GDPR relevant if we are a UK funder making grants in Africa?
Yes, if you are collecting or processing personal data about individuals in the course of your grantmaking. UK GDPR applies to your processing activities as a UK-based data controller. If your partners collect data on your behalf, you need data processing agreements in place. If you are transferring data internationally, appropriate safeguards such as the UK IDTA must be used.
How often should we screen grantees against sanctions lists?
At a minimum, screen at the point of application, before each disbursement and when there are material changes to the sanctioned persons lists. Ongoing monitoring between these points is advisable for grants in higher-risk regions.
Can technology replace manual compliance checks?
Technology can automate repetitive tasks like sanctions screening, monitoring schedule management and report generation, but it cannot replace human judgement on risk assessment and proportionality. The most effective approach combines digital tools for efficiency with staff expertise for decision-making.
What is the biggest compliance risk for international grantmakers?
Inconsistency. The greatest risk is not usually a single catastrophic failure but rather an inconsistent approach across different grants, partners and countries, which makes it difficult to demonstrate to regulators that you have a functioning compliance framework. Centralised systems with documented, proportionate processes are the best defence.
Recommended next pages
- Grant Compliance in the UK: What Every Funder Must Know — Core UK compliance principles and Charity Commission expectations
- What Is a Due Diligence Check? — Fundamentals of grantee verification and risk assessment
- The Cost of Non-Compliance in Grantmaking — Financial, reputational and regulatory consequences of compliance failures
- GDPR and Grantmaking: What's Required — Data protection obligations for funders handling applicant information
- Audit Trails in Grant Software — Why digital records matter for accountability and regulatory defence
Last updated: February 2026