For years, many companies treated cartel risk as a security issue, not a compliance issue. That view is no longer sufficient. In Mexico, Central America, and Brazil, organized criminal groups do not simply threaten operations from outside the company. They can infiltrate markets through corrupted officials, cartel-linked intermediaries, compromised law enforcement, logistics providers, bankers, community leaders, and local political actors. This will be a significant topic at the upcoming ACI Cartels, TCOs & Compliance Conference in Latin American next month in Washington DC.
That is why the Millicom Cellular FCPA enforcement action is such an important enforcement lesson. The case was not simply about bribes paid to government officials. It was about the convergence of bribery, cartel money, cash controls, joint venture governance failures, political influence, money laundering, and accounting controls. DOJ stated that TIGO Guatemala paid more than $118 million to resolve a long-running bribery investigation involving monthly cash bribes to Guatemalan members of Congress, and that some cash used for bribe payments came from laundered narcotrafficking proceeds.
The Crossover Risk: When Cartel Risk Becomes FCPA Risk
The most dangerous risk is not always the obvious cartel member with a gun. It may be the official who is cartel-affiliated, cartel-controlled, cartel-compromised, or operating in a cartel-controlled territory. That person may hold a municipal permit, customs role, police function, legislative position, procurement seat, or regulatory gatekeeper role. For the company, the question is not only whether the demand comes from a public official. It is whether the demand sits inside a criminal ecosystem that can convert ordinary business activity into FCPA, AML, sanctions, books-and-records, internal controls, and even material support risk.
Mexico shows the point clearly. OSAC has warned that several Mexican transnational criminal organizations were designated as Foreign Terrorist Organizations and Specially Designated Global Terrorists, and that paying extortion demands, including derecho de piso, can create material support concerns for U.S. organizations. Brazil presents a different but equally serious model. The U.K. Home Office reported that Brazil has more than 80 organized criminal groups, including the PCC and Comando Vermelho (CV) and that militia groups made up of current and former state agents extort populations under their control.
The US Treasury Department has described PCC as one of the largest organized crime groups in Latin America, involved in money laundering, extortion, murder-for-hire, and drug debt collection. Indeed in May 2026, the US State Department designated both PCC and CV as Foreign Terrorist Organizations.
Central America adds another layer. In a regional Extortion Report, the Global Initiative Against Transnational Organized Crime noted that corruption within state institutions is pervasive and that security officials may use institutional power to extort, while collusion by corrupt officials sustains extortion markets. That is the crossover risk for companies: the same demand can be an extortion event, a corruption event, and an accounting controls event.
Bribery Versus Extortion
The difference between a bribe and extortion is not always intuitive, but it is critical. A bribe is a corrupt payment made to obtain or retain business, secure an improper advantage, influence an official act, or induce the misuse of official position. The payment can be requested by the official first. The fact that the official demanded the payment does not automatically make it extortion under the FCPA. The FCPA Resource Guide, 2nd edition, explains that corrupt intent exists when a payment is intended to induce the recipient to misuse an official position, including to obtain preferential legislation or regulations.
True extortion or duress is different. The FCPA Resource Guide states that payments made in response to true extortionate demands under imminent threat of physical harm do not give rise to FCPA liability because they are not made with corrupt intent or for the purpose of obtaining or retaining business. But the same guidance draws a hard line: mere economic coercion does not amount to extortion. A payment demanded as the price of market entry or contract award remains a bribe risk because the company can decide not to pay.
That distinction matters in cartel-heavy environments. A payment to stop an immediate threat to employees may be a duress-driven safety response. A payment to obtain a permit, avoid a regulatory delay, secure customs clearance, influence a municipal inspection, or win a contract is not transformed into lawful conduct merely because the official made the demand aggressively.
Derecho de Piso and Derecho de Paso
Derecho de Piso is generally understood as a criminal “floor tax” or protection payment demanded for the right to operate in a territory. It may be demanded from retailers, agricultural producers, logistics companies, construction firms, miners, energy operators, or local distributors. Derecho de Paso means a “right of passage” payment, often framed as a toll to move people, trucks, cargo, or goods through a controlled area.
Both are dangerous because they blur lines. A company may think it is dealing with a security threat. In reality, it may be funding a designated organization, recording a false business expense, using a third party as a payment conduit, or allowing a cartel-linked official to convert extortion into a corrupt advantage. The compliance lesson is not that employee safety should take a back seat. It should not. The lesson is that safety-driven decisions must still be documented truthfully, escalated appropriately, and controlled through legal, compliance, security, finance, and senior management.
Millicom as the Centerpiece
The Millicom FCPA enforcement action demonstrates how these risks become operational. TIGO Guatemala’s scheme ran from at least 2012 to 2018 and involved efforts to influence Guatemalan legislators, including support for radiofrequency renewals and “Ley TIGO,” a telecommunications law that benefited the company. The company earned at least $58 million in profits from the schemes.
The mechanics were extraordinary. Cash was delivered by helicopter in duffel bags to the TIGO Guatemala helipad. A $15 million put-call execution fee was used as part of a bribery slush fund. A $12 million inflated contract and backdated invoices created the appearance of legitimate services. Most troubling, a banker laundered narcotrafficking proceeds and funneled cash to support TIGO Guatemala bribe payments.
This is the compliance lesson. The company did not face a single bad invoice. It faced a criminal infrastructure. Cash, shell companies, backdated contracts, cartel-linked funds, compromised governance, and political influence worked together. That is the modern FCPA risk environment in cartel-affected markets.
The Accounting Provisions Cannot Be an Afterthought
The FCPA accounting provisions are where many companies will face their hardest questions. The FCPA Resource Guide explains that issuers must keep books and records that accurately and fairly reflect transactions and maintain internal accounting controls sufficient to provide reasonable assurances over authorization, recording, accountability, and access to assets. It also states that it is never appropriate to mischaracterize transactions, and that bribes are often hidden as consulting fees, commissions, petty cash withdrawals, vendor payments, or miscellaneous expenses.
This is especially important for extortion. A payment made under duress should never be hidden as a logistics fee, community relations expense, consulting payment, security charge, donation, customs support fee, or facilitation-style cost. Even where the anti-bribery analysis turns on duress, the books-and-records analysis turns on accuracy. The internal controls analysis turns on whether the company had reasonable controls over cash, third parties, approvals, documentation, payment channels, escalation, and post-event review.
Millicom’s remediation shows what DOJ expects after such a failure. DOJ credited remediation that included root cause analysis, termination of involved personnel, new management and compliance personnel, enhanced third-party onboarding and transaction monitoring, data analytics, testing of more than 250 transactions, an ephemeral messaging policy, training, a direct compliance reporting line, and an 800 percent increase in dedicated compliance headcount. The attached analysis rightly frames this as organizational reinvention, not ordinary remediation.
The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive a 10% off the price by using the Discount Code is D10-999-CPN26.
ACI is the sponsor of today’s blog.
