Since patches will download from the Protect console, you don't really need a distribution server unless your US computers would benefit from one, such as having a few sites spread over a WAN link.
Assuming all 100 computers are at a single site, using a Protect console in data rollup mode is a good way to get scan and patch results from the US, but you will still need to login to that console to initiate those tasks. You won't really be able to "manage" your US site from the UK console.
No special licensing is needed, you just need to have enough seats for those ~100 machines in the US on your existing license.
You may also want to look at using agents on those machines, having them connect via Protect Cloud, and having those agents download patches either from a distribution server, or over the internet. This eliminates data rollup traffic over a WAN link from the US to UK, since results are sent to the cloud, and then your UK console grabs those results from the cloud.
A quick overview of the Protect cloud can be found here: Protect Cloud Overview - FAQ
So is my current deployment incorrect?
We have 8 sites in London (all connected by VPN) but only one Protect console in HQ.
Should we not have distributions server at each site?
Distributions servers are really there for your convenience. While I would recommend having them set up on each local network, to reduce WAN traffic and speed up patch downloads, I'm also unaware of other aspects of your setup there.
In general, most people find it beneficial to use distribution servers at each local site, due to the relative slowness and cost associated with WAN connections. For example, deploying a patch for Office 2010 to 50 computers over that vpn will download the same patch 50 times, once to each computer. Conversely, with a DS(distribution server), it only downloads once, to the DS. From there, the computers can each grab patches from the DS over their local network.
Your deployment isn't really incorrect, as long as it works. Your situation is one that would probably benefit from using a DS at each site, assuming there isn't anything preventing you from doing so.
You right this deployment works for us in here, in London but it would make sense to have dedicated DS and console for all US sites.
Having only console in US it would still pull all the updates from UK correct?
By default, the US console will download updates from the vendor's download site, not from your UK console. While you could configure it to download from your UK site, there isn't any benefit, and it would be much slower.
I am totally confused now. Is there a KB describing who does what for console and DS?