Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Top stories include:
We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.
When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.
Venezuela Remains a High-Risk Jurisdiction by Design
Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.
That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.
Regulatory Enforcement Follows Politics, but Law Follows Process
One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.
This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.
Start With the Business, but Do Not Stop There
Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.
This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.
Dual-Use Risk Is Not Theoretical in Venezuela
Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.
This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.
One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.
Siloed Compliance Will Fail in Venezuela
If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.
For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.
Board Oversight Must Evolve Beyond Periodic Updates
Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:
The Case for a Standing Enterprise Risk Committee
Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.
Enforcement Is Coming, Not Fading
The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.
Final Thoughts
The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.
Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 20 episode, we delve into third-party risk management, a crucial aspect of corporate compliance under the FCPA.
Key highlights:
Resources:
Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.
Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.
Top AI stories include:
For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.
Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Top stories include:
Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes guests Bill Sanders, Olivia Storelli, and Andrew Stevens to explore the theme ‘From Hierarchy to High Performance’ in the context of AI and corporate governance.
They take a deep dive into the critical role of AI governance, highlighting its importance for accountability and competitive advantage, and stress the need for decentralized, automated governance to ensure fair and unbiased outcomes. The discussion also covers the interplay between leadership, accountability, and culture in achieving AI success, and outlines the three primary functions of AI: customer relationships, operations, and business models. The episode emphasizes the need for execution over ambition for AI value creation and addresses how legal and compliance professionals can keep pace with the rapidly changing business environment through AI.
Key highlights:
Resources:
Download the AI Executive Whitepaper:
Text the word PLAYBOOK to 415.960.1161.
or
Visit https://whitepaper.download/
LinkedIn: Bill Sanders
LinkedIn: Olivia Storelli
LinkedIn: Andrew Stevens
Books:
Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.
We continue our review of bribery and corruption issues (ABC) that you must address before you travel to Venezuela. There is another set of problems that every compliance professional will face if their company decides to go into Venezuela. It is systemic corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.
The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore some of the key issues every company and every CCO will face when considering whether to enter (or re-enter) Venezuela. In Part 2, I will consider the second half of the 10 ABC risks a compliance professional will face. Later in this series, we will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.
In Part 1, we described the corruption environment. In Part 2, we consider what happens when companies actually try to operate inside it. This is where theory meets pressure. We begin our numbers with 6, picking up where we left off yesterday.
6. Extortion Is Not a Defense
In Venezuela, companies are often told, “You have no choice.” Payments are demanded to release cargo, protect personnel, or continue operations, sometimes thinly veiled as “fees” for expedited treatment. Venezuelan law itself recognizes extortion as a corruption offense, in which a public official abuses their position to demand an undue benefit. Under Venezuelan anti-corruption law, extortion (called concussion) carries criminal penalties and fines.
At the same time, U.S. enforcement views participation in extortion as a compliance red flag. While coercion can be a mitigating factor in narrow circumstances under the Foreign Corrupt Practices Act (FCPA) or the Foreign Extortion Prevention Act (FEPA), repeated payments, disguised invoices, or third-party routing create evidence of complicity. Deciding to pay from the field without escalation essentially decides for the company, and compliance will struggle to justify it under an ECCP review. Compliance professionals must define escalation paths, refusal protocols, and clear exit points before any signs of extortion arise. Waiting to decide “in the moment” is too late.
Compliance Response
1. Assessment Controls
2. Management Controls
3. Monitoring
4. Board Oversight
7. Third Parties as the Primary Corruption Vector
In Venezuela, third parties are the everyday vectors through which corruption pressure crystallizes. Agents, customs brokers, logistics providers, security vendors, and even local fixers frequently serve as the conduit for improper value transfers. These intermediaries claim to navigate Venezuela’s opaque systems, but they also create liability if their actions result in bribery or improper advantage.
Pressure points are endemic and include:
Third parties promise solutions. They also create liability when their conduct crosses legal lines. Under the ECCP, regulators will ask whether the company understands and monitors how these third parties operate in practice, not just whether it has a diligence checklist. Paper diligence alone is insufficient where pressure is constant, and corruption vectors hide in plain sight.
Compliance Response
1. Assessment Controls
2. Management Controls
3. Monitoring
4. Board Oversight
8. Organized Crime and the Blurred Line of “Business”
In Venezuela, organized crime intersects with commerce, logistics, and even parts of the formal economy. Corruption and criminal networks often coalesce in sectors like mining, fuel distribution, and transport infrastructure, where armed groups and informal power structures exercise influence. Some of these networks are intertwined with state actors, and corruption and illicit activity can reinforce one another.
For compliance professionals, this means recognizing when business relationships drift into criminal entanglement. That drift is not always obvious at contract signing. Contracts negotiated under duress or through intermediaries with opaque ownership may conceal criminal activity. Continuous monitoring matters precisely because initial signals are subtle. The line between a vendor and a syndicate can be ecosystem-specific and may manifest in patterns of behavior, unexplained payments, or associations with known corrupt actors.
This is also where AML risk begins to dominate. When organized crime is part of the value network, it is present through smuggling rings, illicit fuel markets, or bribery conduits. The controls for bribery, AML, sanctions, and export compliance must interlock to detect and escalate suspicious patterns.
1. Assessment Controls
2. Management Controls
3. Monitoring
4. Board Oversight
9. Currency, Pricing, and Manipulation Pressure
Venezuela’s economic distortions, including exchange controls, multiple currency rates, and the scarcity of hard currency, create fertile ground for corruption. Access to U.S. dollars through official channels is tightly controlled, which historically has led companies and intermediaries to engage in schemes to secure foreign exchange at preferential rates. A notable U.S. enforcement action involved a major telecommunications subsidiary that allegedly bribed officials to gain access to a currency auction and disguised corrupt commissions through inflated equipment purchases.
These distortions become more than operational headaches. They create incentives for side payments and off-book arrangements on pricing and contracts. These practices are not just bribery issues. They implicate accounting integrity, financial reporting, AML vigilance, and sanctions exposure. Once money flows lose transparency, whether through inflated vendor invoices, opaque currency conversions, or third-party routing, compliance loses line-of-sight and control. This intersection reinforces why a compliance program must integrate transactional monitoring and financial controls alongside anti-bribery controls to detect anomalies that traditional gift/entertainment policies won’t reveal.
Compliance Response
1. Assessment Controls
2. Management Controls
3. Monitoring
4. Board Oversight
10. Weak Rule of Law Raises the Stakes
Venezuela’s judiciary and law enforcement institutions are widely seen as politicized, under-resourced, and inconsistent in enforcing anti-corruption laws. Although the Venezuelan legal framework criminalizes extortion, passive and active bribery, and related offenses, enforcement is weak and selective. In practice, companies cannot rely on local remedies to resolve disputes or push back against corrupt demands.
This elevates the importance of internal compliance controls and pre-defined exit strategies. When there is no neutral referee, no reliable government adjudicator, and prevention becomes the only viable protection. It also means that compliance must internalize enforcement risk rather than outsource it to local authorities. A robust compliance program must include strict refusal protocols, incident documentation, real-time monitoring, and clear decision-making boundaries. Without these, companies are exposed to both local corruption risk and U.S. enforcement risk under the FCPA and allied statutes.
Compliance Response
1. Assessment Controls
2. Management Controls
3. Monitoring
4. Board Oversight
Parts 1 and 2 of this series make clear that bribery and corruption are not peripheral risks in Venezuela. They are the entry conditions. From systemic corruption and PDVSA exposure to extortion, third-party involvement, currency manipulation, and a weak rule of law, each risk compounds the next. For compliance professionals, the lesson is not that Venezuela is impossible, but that it is unforgiving of informal controls, delayed escalation, and weak governance. Elevated risk can be managed only through disciplined assessment, operational controls, continuous monitoring, and engaged board oversight. When corruption becomes operational, however, another risk inevitably follows.
Next in Part 3 of this series, we turn to anti-money laundering, where improper value moves, hides, and metastasizes beyond corruption alone. Bribery is how improper value enters the system. Money laundering is how it moves and hides. Once corruption becomes operational, AML risk becomes unavoidable. Join us tomorrow for Part 3 in our series.
Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this inaugural episode of 2026, Tom Fox welcomes back his good friend and colleague, Mike Volkov, to reflect on the tumultuous year of 2025 and discuss the new trends for the upcoming year. This is Part 2 of a two-part series.
This episode delves into the significance of the False Claims Act (FCA) as a critical tool for government enforcement, discussing its constitutionality and potential outcomes before the Supreme Court. The conversation expands to discuss how FCA applies across various areas, such as trade enforcement and tariffs, and how it encourages corporate whistleblowing. Additionally, the discussion highlights the growing role of technology, AI, and ChatGPT in compliance, as well as the risks associated with their use. Other focal points include the importance of conflict-of-interest programs and the impact of ethical conduct on marketplace dynamics. The episode underlines the growing scrutiny from financial institutions and private equity over compliance practices, as well as the long-term trend towards a more ethics-driven corporate culture.
Key highlights:
Resources:
Mike Volkov on LinkedIn
Tom Fox
Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 19 episode, we review the critical process of evaluating and translating risk assessments into actionable risk profiles.
Key highlights:
Resources:
Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.
When US energy companies talk about returning to Venezuela, the conversation almost always starts with opportunity. Yet the CEO of Exxon has said Venezuela is ‘uninvestible’. There is another set of problems that every corporate compliance team will face if their company decides to enter the Brazilian market. For the compliance professional, it must start with corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.
The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore key issues every company and CCO will face when considering whether to enter (or re-enter) Venezuela. In Parts 1 and 2, I will consider the top 10 anti-bribery/anti-corruption (ABC) risks a compliance professional will face. (Part 1, risks 1-5; Part 2, risks 6-10). We will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.
1. Systemic Corruption Is the Baseline Condition
Risk
Venezuela is not a market where corruption appears as an exception. It is the default condition against which all business activity must be measured. For compliance professionals, this means risk assessments cannot ask whether corruption exists. They must assume it does and ask where pressure will arise. Licensing, customs, inspections, labor issues, utilities, and currency all present opportunities for improper advantage. Boards must understand this upfront. Entering Venezuela without acknowledging systemic corruption is not optimism. It is a governance failure.
Compliance Framework Response
Before addressing individual risks, the compliance function must establish baseline principles governing how risk is assessed and managed in Venezuela.
2. PdVSA as a Prominent and Persistent Risk
Risk
Any discussion of bribery risk in Venezuela must begin with Petróleos de Venezuela S.A. (PdVSA), which has been at the center of some of the most significant corruption schemes in modern enforcement history, involving contracts, invoices, intermediaries, and payment routing. Indeed, 10 years ago, I wrote that it would cost a fortune to schedule and confirm a meeting. But companies make the mistake of treating PdVSA as a single risk node. In reality, it is a network risk. Joint ventures, service contracts, maintenance agreements, and procurement relationships all radiate outward, exposing the organization to corruption. If your counterparty touches PdVSA, you have inherited PdVSA risk.
Compliance Framework Response
The starting point is a Venezuela-specific bribery and corruption risk assessment, refreshed whenever business scope, counterparties, or operating conditions change.
This assessment must:
Outputs are not static reports. They are control design inputs.
3. Joint Ventures and Service Contracts: Shared Risk, Shared Liability
Risk
Joint ventures are often framed as risk mitigation tools. In Venezuela, they frequently do the opposite. Local partners may be politically connected. Governance structures may be opaque. Control rights may be illusory. Compliance professionals must scrutinize who appoints management, who controls procurement, and who interacts with government officials. Under the ECCP, regulators ask whether compliance has authority commensurate with risk. In a Venezuelan JV, symbolic compliance oversight is not enough.
Compliance Framework Response
1. Assessment Controls
2. Management Controls
Monitoring
1. Board Oversight Questions
4. Procurement as the First Corruption Flashpoint
Risk
Procurement is where corruption pressure materializes fastest. Vendors expect to be paid for access. Officials expect influence. Intermediaries promise to “make things happen.” This is even more true in Venezuela. This is where third parties begin to matter and where compliance must be in place before contracts are signed. Retrospective diligence does not cure a corrupted procurement process. Boards should demand visibility into how vendors are selected, not just who they are.
Compliance Framework Response
1. Assessment Controls
2. Management Controls
Monitoring
5. The Illusion of “Routine” Government Interaction
Risk
Companies often underestimate corruption risk by labeling interactions as routine: inspections, permits, customs clearances, utilities, and labor approvals. And yes, the DOJ has said it will back off on enforcement of small payments, which may be traditionally made, but in Venezuela, routine functions are often monetized. Compliance programs must draw hard lines early and firmly.
Compliance Framework Response
1. Assessment Controls
2. Management Controls
Monitoring
1. Board Oversight Questions
Join us tomorrow as we look at ABC risks 6-10, including third parties, extortion, organized crime, currency issues, and a weak rule of law.
