Categories
AI Today in 5

AI Today in 5: July 3, 2026, The Can Corps Survive Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 AI stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Can AI keep up with complex ownership structures? (FinTechGlobal)
  2. Can corporations survive the Age of AI? (Time)
  3. US lifts restrictions on Anthropic. (NYT)
  4. Sam Altman on how to make AI safe. (FT)
  5. Grocery store wars in South Africa in the age of AI. (Bloomberg)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.

Categories
AI in Financial Services in 5 Stories

AI in Financial Services in 5 Stories – Week Ending July 3, 2026

Welcome to AI in Financial Services in 5 Stories. A practical weekly roundup of the five most important AI developments affecting banking, insurance, payments, asset management, and fintech. Each Friday, Tom Fox will break down the top stories that matter most through the lenses of compliance, risk management, governance, and business strategy. Designed for compliance professionals, executives, legal teams, and financial services leaders, it goes beyond headlines to explain why each development matters in a highly regulated industry. The result is a concise weekly briefing that helps listeners stay current on AI innovation while asking sharper questions about oversight, accountability, and trust.

This week’s stories include the following:

  1. The future of AI in banking. (TheFinancialBrand)
  2. AI and global bankers. (Reuters)
  3. AI Playbook for financial services. (WEF)
  4. Trusted data in workflow. (Microsoft)
  5. Agentic AI in post-trade workflows. (FinTechFutures)

For more information on the use of AI in Compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Blog

Reflections Through the Compliance Mirror: Investigative Lessons from Star Trek’s “Mirror, Mirror”

In the iconic episode of Star Trek: The Original Series titled “Mirror, Mirror,” Captain Kirk, Dr. McCoy, Uhura, and Scotty encounter a transporter accident that thrusts them into a parallel universe. This alternate reality is a distorted mirror image of their universe, familiar yet different, governed by violence, suspicion, and fear rather than trust and mutual respect. In their efforts to return home, Kirk and his crew must navigate treacherous waters, carefully assess their situation, analyze subtle cues, and discern critical information.

Just as Captain Kirk found himself confronted with the challenge of recognizing and navigating deceptive appearances, corporate compliance professionals regularly face similar investigative challenges. Effective compliance investigations require keen perception, attention to nuance, and an unwavering commitment to uncovering the truth beneath surface-level anomalies. Drawing directly from this compelling episode, we examine five investigative lessons that compliance professionals can apply in their roles to ensure ethical resilience and organizational integrity.

Lesson 1: Quickly Recognize the Unexpected

Illustrated by: In the opening sequence, Kirk and his team are transported into the Mirror Universe. Almost instantly, Kirk notices something is profoundly wrong: altered uniforms, aggressive demeanors, and a chilling salute. He immediately perceives a departure from the familiar, even before fully understanding the new environment.

Compliance Lesson: Compliance professionals must maintain heightened situational awareness during investigations to ensure effective outcomes. Promptly identifying unexpected deviations, whether subtle discrepancies in financial reports, irregularities in third-party behaviors, or suspicious communications. This allows for quicker intervention. The speed and accuracy of initial perception set the stage for effective investigative action and minimize potential harm.

Lesson 2: Adapt and Blend into the Environment

Illustrated by: Realizing their perilous situation, Kirk instructs his crew to blend into the mirror universe’s ruthless culture. Though repulsed by the harsh environment, they adapt quickly, adjusting speech patterns and behaviors to survive and conduct their investigation without raising immediate suspicion.

Compliance Lesson: Investigative adaptability is critical. Compliance officers often operate within organizational cultures that vary significantly in terms of transparency, openness, and ethical climate. Being able to adapt investigative strategies to the realities of diverse organizational cultures and to navigate corporate politics without compromising ethical standards can enhance the effectiveness of compliance investigations.

Lesson 3: Secure Critical Information Discreetly

Illustrated by: A pivotal moment occurs when Kirk and Scotty clandestinely access the computer system aboard the mirror Enterprise to gather data. Kirk realizes that overt information-gathering would likely arouse dangerous suspicion, so he chooses subtle and indirect methods to secure the information necessary for their escape.

Compliance Lesson: Information security and discretion are foundational during investigations. Compliance investigations frequently require discretion, confidentiality, and careful handling of sensitive data. Investigators must judiciously plan their approaches to data collection, recognizing that overly aggressive or overt tactics may lead to premature disclosure, evidence tampering, or employee distrust.

Lesson 4: Leverage Allies Within Complex Environments

Illustrated by: One crucial decision Kirk makes is trusting the mirror universe’s Spock enough to appeal to his logic and inherent sense of reason subtly. Kirk correctly discerns Spock’s fundamental logical nature, even in a morally inverted universe, and cautiously builds an alliance based upon shared objectives rather than blind trust.

Compliance Lesson:

Building strategic relationships and leveraging internal allies can significantly improve investigation outcomes. Effective compliance professionals identify trustworthy internal stakeholders who understand the organization’s core values, governance objectives, and ethical commitments, even if the surrounding corporate culture appears compromised. Leveraging these relationships enhances the legitimacy of investigations, provides deeper insights, and helps ensure credibility and buy-in for investigative conclusions.

Lesson 5: Provide Actionable Guidance Based on Investigative Outcomes

Illustrated by: At the climax, Kirk directly confronts Mirror-Spock, presenting him with evidence and logical arguments to inspire long-term change within the oppressive Empire. Kirk’s final remarks focus not only on immediate survival but also on leaving actionable insights and recommendations to reform the Empire’s toxic culture.

Compliance Lesson: Investigations must always lead to clear, actionable recommendations. Identifying wrongdoing or risk exposure alone is insufficient. Compliance officers are responsible for translating investigative findings into practical actions, guidance, process improvements, control enhancements, or training recommendations that meaningfully mitigate future risks and promote an ethical organizational culture.

Final ComplianceLog reflections

The investigative narrative depicted in “Mirror, Mirror” presents powerful lessons for compliance professionals committed to conducting thorough, ethical, and practical investigations. Kirk and his crew were thrust into a world of distorted realities, facing the daunting task of discerning truths amid complex and dangerous situations. The strategies they adopted — early recognition, swift adaptation, discreet information gathering, strategic alliances, and actionable recommendations — precisely mirror the skills compliance officers require to navigate investigations.

Corporate compliance professionals today face environments increasingly characterized by complexity, subtlety, and high stakes. Whether investigating allegations of bribery, assessing third-party compliance risks, or responding to whistleblower reports, the investigative competencies vividly illustrated through “Mirror, Mirror” are foundational. Recognizing the unexpected, skillfully adapting, maintaining discretion, leveraging allies, and ensuring actionable recommendations are key to defining successful investigative processes.

Ultimately, investigations are not mere procedural formalities; they represent a defining moment for organizations, a mirror reflecting the organization’s authentic, ethical culture and commitment. As Captain Kirk implored Mirror-Spock to reflect deeply and embrace necessary reforms, compliance professionals similarly guide organizations through reflection, analysis, and moral growth. In so doing, investigations become powerful catalysts for meaningful organizational change, strengthening integrity, accountability, and trust.

Like Captain Kirk’s journey through the mirror universe, compliance professionals must navigate carefully yet decisively, continually adapting to new realities while remaining committed to the overarching mission of ethical corporate governance. Through effective investigative practices grounded in reflection, rigor, and resilience, compliance officers help ensure that the mirror held up to their organizations reflects clarity, accountability, and uncompromising ethical standards.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

Leadership Lessons from The Changeling

Leadership Lessons for Compliance Professionals from “The Changeling”

Compliance, fundamentally, is about leadership. It is about guiding individuals and entire organizations to act ethically, responsibly, and effectively, even when the path is uncertain or challenging. Today, we venture boldly into the classic episode “The Changeling,” which offers rich lessons in leadership directly applicable to corporate compliance. Here are five key lessons from the episode that illustrate critical skills compliance leaders must master.

Lesson 1: Clarity of Purpose is Essential

Illustrated by: Originally designed as a peaceful explorer, its mission was corrupted following a collision with an alien probe called “Tan Ru,” causing its core directives to merge and mutate dangerously.

Compliance Lesson. Compliance leaders must maintain absolute clarity about their purpose and objectives.

Lesson 2: Effective Communication Prevents Crisis Escalation

Illustrated by: Kirk’s precise, deliberate communication with Nomad slows down its destructive tendencies and provides crucial time to develop a solution.

Compliance Lesson. Communication in compliance crises is similarly critical. Compliance leaders must communicate clearly, calmly, and thoughtfully, particularly in high-stakes scenarios.

Lesson 3: Recognize When Adaptation is Necessary

Illustrated by: Initially, Kirk tries conventional diplomatic approaches. Recognizing that conventional methods have failed, he adapts swiftly and strategically.

Compliance Lesson. In compliance leadership, adaptability is essential. Regulatory landscapes and compliance risks constantly evolve, necessitating quick pivots and agile leadership responses.

Lesson 4: Confront Problems Directly and Courageously

Illustrated by: When Nomad determines Captain Kirk himself to be flawed and thus a threat, Kirk faces Nomad directly, boldly confronting it without hesitation, despite understanding the risk involved.

Compliance Lesson. Compliance leaders must similarly confront compliance issues directly and courageously. Avoiding difficult conversations or deferring tough decisions can magnify risks and vulnerabilities.

Lesson 5: Cultivate Critical Thinking Within the Team

Illustrated by: Throughout the episode, Kirk relies heavily on his team, particularly Spock’s analytical logic, Scotty’s technical skills, and Uhura’s linguistic insights after Nomad erases her memory.

Compliance is a collaborative discipline that requires collective critical thinking from diverse team members.

Final ComplianceLog Reflections

Each leadership lesson in this episode, clarity of purpose, effective communication, adaptability, courageous confrontation, and fostering critical thinking, is fundamental to guiding organizations safely through the complex maze of modern compliance challenges. Compliance leaders today face situations not unlike the Enterprise crew: unexpected challenges, high stakes, and rapidly changing conditions. The effectiveness of compliance hinges significantly on leadership skills that navigate these complexities with clarity, confidence, and ethical fortitude.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

Security, Extortion, and the New Compliance Mandate in Cartel-Driven Markets

This blog continues our series on the ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. What we are seeing across the region is not simply another enforcement trend. It is a structural change in the way compliance officers, boards, legal departments, security teams, and business leaders must assess and manage risk. The issue is where security, extortion, compliance, and enterprise risk management now sit at the same table.

The key point is one that every compliance professional has heard after a failure: “We did not see that coming.” In most cases, that statement does not mean the risk was invisible. It means the organization was not looking in the right way. It had a preconceived view of its threat environment. It relied on familiar dashboards. It accepted old assumptions. It conducted a risk assessment that confirmed management’s beliefs rather than testing them. That is not a security problem alone. That is a compliance failure.

Cartel Risk Is Now an Enterprise Risk

The designation of certain cartels and criminal organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists has changed the risk conversation. Executive Order 14157 established a process for certain international cartels and other organizations to be designated as FTOs or SDGTs and described international cartels as a national security threat beyond traditional organized crime, including through infiltration of governments across the Western Hemisphere. OFAC also lists an alert on international cartels designated as FTOs and SDGTs as part of its counterterrorism sanctions resources. (OFAC)

For CCOs, this means cartel and TCO exposure cannot be treated as a regional security issue or as a one-time sanctions-screening exercise. It must be integrated into risk assessments, third-party management, contract review, internal controls, HR, community relations, logistics, government affairs, and crisis response.

True threat assessment begins by stepping back, looking at the full operating environment, and then breaking the risk down by function. The Department of Justice has made clear that compliance programs must be robust, well-resourced, and empowered, and that companies are expected to continuously review and update compliance programs to account for emerging risk factors. A static, annual, checklist-driven risk assessment is not fit for a cartel-driven operating environment.

THIRA as a Compliance Tool

One of the most useful concepts in the attached article is the use of Threat and Hazard Identification and Risk Assessment, or THIRA. THIRA began in the public-sector preparedness world, but its discipline translates well into corporate compliance. FEMA describes THIRA as a three-step risk assessment process that helps communities identify the risks of greatest concern and determine the capabilities needed to address them. FEMA also notes that identifying and assessing risk should be a key input into planning and that plans must be risk-informed.

For compliance professionals, that is the point. Do not begin with the control. Begin with the threat. What could happen? Who could exploit the business model? What routes, facilities, vendors, unions, brokers, security providers, customers, or local officials create exposure? What happens if a logistics route becomes unsafe, a vendor is coerced, a local union is compromised, a government permit is delayed unless a payment is made, or a security provider is connected to criminal actors?

THIRA-style analysis forces a company to model realistic scenarios, assess consequences, and then determine whether it can respond. That means authority, communications, escalation, training, legal review, security protocols, financial controls, and board reporting must all be stress-tested before the crisis.

Continuous Monitoring Is Not Optional

In ordinary compliance discussions, “continuous monitoring” can sound like a best practice phrase. In a high-threat environment, it is an operating necessity. The attached article notes that threats can change by the hour, routes can become unsafe, infrastructure can fail, and misinformation can spread intentionally.

The compliance parallel is direct. A company cannot rely only on lagging indicators, annual certifications, or publicly available reports. In cartel-influenced markets, yesterday’s intelligence can create today’s exposure. The risk function must have access to live operational data, hotline reports, security intelligence, payment anomalies, logistics disruptions, vendor changes, law enforcement alerts, and local business intelligence.

This also requires delegated authority. If compliance or security sees a threat but lacks authority to pause activity, reroute shipments, reject a vendor, escalate a payment, or stop a transaction, the program is underpowered. Policies without authority are not controls. They are artifacts.

The Board’s Role: Oversight, Not Assumption

Boards must also recalibrate. Duncan’s point that boards often understand risk exists but do not always understand their lane should resonate with every CCO. The board’s role is not to manage routes, approve security plans, or second-guess local threat intelligence. Its role is to ensure that management has identified the risk, defined risk tolerance, resourced the response, assigned authority, and created reliable reporting.

In cartel-driven markets, the board should ask, “Where are we operating in areas of criminal influence?” Which third parties are essential to those operations? How do we know they are not compromised? What payments, donations, sponsorships, logistics arrangements, or security relationships create exposure? What is our escalation protocol if an employee, vendor, union representative, community leader, or government official signals coercion?

Risk tolerance must be written, debated, approved, and revisited. Silence is not neutrality. It is permission.

Security Is a Compliance Function

The attached article makes another crucial point: security is not just physical. Insider threats, personal vulnerabilities, substance abuse, coercion, espionage, poor training, and cultural dysfunction all create compliance exposure. Employees must understand not only what the rules are but also why the rules matter and how criminal organizations exploit weak points.

In Venezuela, the State Department’s June 27, 2026, advisory tells travelers to reconsider travel because of crime, kidnapping, terrorism, poor health infrastructure, and natural disaster risk, and it identifies Tren de Aragua and Cartel de los Soles as FTOs that started in Venezuela and continue to operate. The same advisory states that the U.S. government has extremely limited capacity to provide emergency services to U.S. citizens, especially outside Caracas.  That is a board-level fact pattern. It affects duty of care, insurance, crisis response, employee travel, third-party security, incident reporting, and operational continuity.

Build the Threat Hub

The most practical recommendation is to create a threat hub. It should be a cross-functional forum where legal, finance, operations, security, compliance, and other functions review threats, vulnerabilities, and operational changes. This is precisely what mature compliance should look like in a high-risk market.

The threat hub should review incidents, routes, payments, vendor changes, customer anomalies, government interactions, community demands, employee reports, and security intelligence. It should have the authority to escalate. It should report to management and the board. It should test crisis plans through realistic exercises.

Practical takeaways

First, refresh the risk assessment now. Second, add THIRA-style scenario planning to cartel and TCO risk. Third, empower compliance and security to act in real time. Fourth, review third parties, major contracts, customers, logistics providers, unions, community intermediaries, and security vendors. Fifth, educate the board on its oversight role and require explicit risk tolerance.

The final lesson is simple. In high-threat markets, static programs fail. Assumptions kill preparedness. Authority matters. Culture is defined by what leaders tolerate. The choice for every company is whether to learn before or after the crisis.

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments. Security has taken on even greater importance in Venezuela as President Trump has announced the US will not provide any security to US companies returning to the country.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness. Authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For the complete agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
AI Today in 5

AI Today in 5: July 2, 2026, The Bank of the Future Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Does AI workflow matter more than the model? (FinTechGlobal)
  2. BoE says AI agents may need their own regs. (BankingExchange)
  3. Employers already rue laying off humans for AI. (CNBC)
  4. JPMorgan Chase is building the bank of the future. (Forbes)
  5. Human healthcare in the age of AI. (HospitalNews)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.

Categories
Daily Compliance News

Daily Compliance News: July 2, 2026, The Is Bribery Good Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Judges urge prosecutors to drop corruption charges against Netanyahu. (TimesofIsrael)
  • Can bribery be a good thing? (ProMarket)
  • Google ordered to pay $2bn in Swedish antitrust case. (FT)
  • After the scandal, McKinsey shakes up the Board. (WSJ)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Kerr250 Podcast

The Kerr250 Podcast: 4 Books on the Continental Congress

Kerr250 is a community-focused podcast dedicated to celebrating America’s 250th birthday through the people, businesses, traditions, and events of Kerr County. As our nation marks this historic anniversary on July 4, 2026, Kerr250 will highlight the local celebrations and community efforts that bring this milestone to life. Each episode will feature conversations with local leaders, business owners, organizers, volunteers, and proud citizens who are helping make Kerr County a vibrant part of this national moment. The podcast will explore how history, patriotism, service, and community pride come together in one county that believes America’s strength has always come from its people. Kerr250 is where Kerr County honors the past, celebrates the present, and helps inspire the future. In this episode, we look at 4 Books on the Continental Congress.

  1. The Story of the First Continental Congress by CL Gammon
  2. American Legends by the Charles River editors
  3. Party Politics in the Continental Congress by James Henderson
  4. Reluctant Rebels by Lynn Montross

Resources:

Kerr250 website

GoodreadsTop Books on the Continental Congress

Categories
Blog

Re-Calibrating Risk Assessments: Uncovering FTO and TCO Exposure in Cartel-Driven Economies

This blog continues our series focusing on the upcoming ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. It is also why compliance officers need to understand that this is not simply another enforcement trend. It is a structural change in how risk must be assessed, governed, and managed. Today, I want to explore why you need to recalibrate your risk assessment in light of the US’s shift in classifying cartels from criminal organizations to Foreign Terrorist Organizations (FTOs).

For years, many companies treated cartel risk as a regional security issue, a physical safety issue, or a narrow sanctions-screening issue. That approach is no longer sufficient. Cartel-driven economies now create enterprise risk across sales, supply chain, procurement, logistics, human resources, community relations, government affairs, security, and internal controls. The CCO must help the organization move from episodic screening to a dynamic, evidence-based risk assessment model that identifies where the business may be exposed to Foreign Terrorist Organization (FTO) and Transnational Criminal Organization (TCO) risks.

The legal and enforcement environment has shifted. Executive Order 14157 established a process for certain international cartels and other organizations to be designated as FTOs or Specially Designated Global Terrorists, and described those organizations as threats to U.S. national security, foreign policy, and the economy. OFAC later issued an alert identifying eight designated organizations and warning that companies with operations in, or exposure to, high-risk jurisdictions where designated cartels are active should assess their sanctions compliance controls. That is the compliance lesson. This is not simply a legal list update. It is a risk assessment reset.

Cartel-Driven Economies Change the Risk Ranking Model

Traditional compliance risk assessments often rank risk by country, business unit, transaction value, government touchpoints, and third-party type. Those variables still matter. But cartel-driven economies require additional factors: territorial control, coercive influence, infiltration of local business networks, labor pressure, logistics-route control, cash intensity, proximity to ports or borders, public security risks, and the likelihood that a legitimate counterparty may be owned, controlled, taxed, extorted, or otherwise influenced by criminal organizations.

The ranking model should distinguish between three types of exposure. First, direct exposure, where a company deals with a designated party or a party it owns or controls. Second, indirect exposure, where a supplier, distributor, customer, logistics provider, labor broker, or security vendor is connected to cartel-linked actors. Third, environmental exposure, where the company operates in a geography or sector where coercion, extortion, or criminal facilitation is a predictable operating condition.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether third-party management is risk-based, integrated into vendor management, supported by business rationale, tied to appropriate contract terms, and subject to ongoing monitoring. Those questions should now be applied not only to anti-bribery risk, but also to FTO and TCO risk.

Create an Internal FTO Working Group

A company cannot manage this risk through sanctions screening alone. The CCO should establish an internal FTO working group with a clear charter, executive sponsorship, and board reporting. The group should include compliance, legal, sanctions, AML, procurement, sales, finance, logistics, security, HR, government affairs, community relations, internal audit, and enterprise risk management.

Its mandate should be practical: identify exposures, refresh risk rankings, define escalation protocols, review high-risk contracts, approve enhanced due diligence standards, monitor emerging typologies, and track remediation efforts. It should also define when the company will suspend a transaction, reject a counterparty, exit a relationship, seek external counsel, notify insurers, or brief the board. This working group should meet frequently at the outset, then move to a risk-based cadence. Its output should not be a memo that sits on a shelf. It should produce a revised heat map, a prioritized counterparty review list, an action tracker, and control enhancements that can be tested by internal audit.

Leverage Existing Risk Assessments

The most efficient approach is not to create a wholly separate FTO risk assessment. The better approach is to integrate FTO/TCO risk into existing assessments. Your FCPA risk assessment already identifies government touchpoints, customs brokers, permitting issues, gifts and entertainment, charitable donations, intermediaries, consultants, and high-risk payments. Those same data points are highly relevant to cartel exposure because criminal networks often exploit local permitting, customs clearance, transportation, public security, and procurement systems.

The business and human rights assessment also provides critical intelligence. The UN Guiding Principles on Business and Human Rights recognize a corporate responsibility to respect human rights through due diligence that avoids infringing on the rights of others and addresses adverse impacts with which the business is involved. In cartel-affected markets, human rights due diligence can reveal forced labor, threats against workers, community intimidation, unsafe security practices, land-access disputes, migrant exploitation, and labor-broker abuse.

Sanctions, AML, trade compliance, cybersecurity, and fraud risk assessments should also be mined. Look for recurring names, addresses, beneficial owners, banks, payment patterns, shell entities, shared directors, unusual routes, unexplained subcontractors, and counterparties that appear across unrelated business units.

Review Major Contracts and Customers for FTO/TCO Risk

Companies often focus due diligence on suppliers and intermediaries, while under-reviewing major customers. That is a mistake. A customer can create sanctions, money-laundering, books-and-records, reputational, and material-support risks. The company should identify major contracts in high-risk geographies and sectors, then re-rank them based on ownership transparency, payment behavior, sector exposure, government interaction, logistics routes, and local operating conditions. High-risk contracts should include enhanced representations, beneficial ownership update obligations, audit rights, sanctions, and FTO/TCO clauses, payment transparency requirements, subcontractor disclosure, termination rights, and controls over cash, commissions, rebates, donations, sponsorships, and community payments.

A contract should move into enhanced review when the business cannot explain the counterparty’s commercial rationale, when pricing is uneconomic, when payment comes from unrelated parties, when revenue spikes in cartel-affected regions, when the counterparty refuses beneficial ownership disclosure, or when local employees report pressure to use a particular vendor, union, broker, transporter, or security provider.

Detect Commingling of Legitimate and Illegal Activity

The core challenge is commingling. Cartels do not always operate through obviously illicit entities. They use logistics companies, fuel businesses, casinos, real estate, import-export companies, labor brokers, charities, community organizations, and professional service providers.

Recent enforcement actions show the point. Recently, the US Department of the Treasury announced multiple CJNG-linked fuel schemes involving cross-border smuggling, falsified customs documents, and shell companies. OFAC also described cartel-linked casino activity used to launder proceeds and integrate illicit funds into the legitimate financial system. For compliance professionals, these examples reinforce a familiar truth: a company’s legal form is not the same as its risk profile.

Detection requires data and local intelligence. Compare invoices to actual services. Review customs documentation against logistics activity. Test whether vendors have employees, assets, facilities, and capacity. Analyze payment flows for round-dollar amounts, rapid pass-through activity, third-party payments, and mismatches between business size and transaction volume. Monitor hotline reports for references to threats, forced vendors, security payments, labor pressure, and community demands.

Functions That Must Be in Scope

Supply chain must map critical suppliers, second-tier exposure, logistics corridors, warehousing, border crossings, ports, and emergency sourcing decisions. HR must assess labor brokers, recruitment channels, employee intimidation, workplace violence, the risk of retaliation, and escalation pathways for threatened employees. Community relations must review donations, sponsorships, local foundations, land-access payments, and community intermediaries. Union relations must assess whether labor organizations or labor contractors are being used as pressure points. Government affairs must evaluate permitting, customs, inspections, police interaction, and local political exposure. Security must review private security providers, public security coordination, incident response, travel protocols, and extortion procedures. The board should ask one question above all others: where could the company be doing legitimate business through a channel that criminal actors influence, control, or monetize?

Practical Takeaways

CCOs should refresh the risk assessment now, not after a transaction is called into question. Build the FTO working group, integrate existing FCPA and human rights intelligence, re-rank major contracts and customers, and test controls for commingling. The objective is not perfection. The objective is a documented, risk-based, board-visible process that shows the company understands its exposure, updates its controls, and acts when the risk profile changes.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive a 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
AI Today in 5

AI Today in 5: July 1, 2026, The Anthropic Released Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Customer risk management. (FinTechGlobal)
  2. AI governance. (Automotive World)
  3. US releases Anthropic Fable model. (WSJ)
  4. AI-generated code risks for compliance. (helpnetsecurity)
  5. Whose advantage if everyone uses the same AI model? (Bloomberg)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.