For compliance professionals, some years mark an evolution. Others mark a turning point. In 2026, corporate compliance in Latin America has reached that turning point. For the past two decades, most companies approached regional risk through a familiar lens: anti-corruption. The focus was on government touchpoints, customs interactions, licensing, permits, state-owned enterprises, and third-party intermediaries. That framework is still important. But it is no longer sufficient.

Today, the risk landscape has expanded dramatically. Cartels, transnational criminal organizations, foreign terrorist organization designations, sanctions, anti-money laundering exposure, and supply chain infiltration have all moved to the center of the compliance conversation. What was once a specialized concern has become a board-level issue.

That is why the upcoming ACI Forum on Cartels, TCOs, and Compliance in Latin America is so timely. It is also why compliance officers need to understand that this is not simply another enforcement trend. It is a structural change in how risk must be assessed, governed, and managed. I recently had to opportunity to visit with Matt Ellis, Member at Miller & Chevalier and co-Chair of the Forum. You can listen to Ellis’ remarks on this episode of the FCPA Compliance Report on the Compliance Podcast Network.

The New Risk Equation

The Trump administration has made clear that cartels, fentanyl trafficking, organized crime, and the influence of China in Latin America are policy priorities. That focus has brought multiple enforcement tools to bear, including sanctions, anti-money laundering authorities, FTO designations, and a broader integration of these issues into the compliance and enforcement landscape.

Ellis said that companies, the old model of regional compliance risk must be rethought. The issue is no longer limited to whether a payment touched a foreign official. The question now is whether a company’s supply chain, transportation provider, security arrangement, or local commercial partner could create exposure under anti-terrorism, sanctions, or AML frameworks.

Mexico Is the Opening Chapter, Not the Whole Book

Much of the current focus is on Mexico, and for good reason. That is where the enforcement spotlight is currently brightest. But compliance professionals should not make the mistake of thinking this challenge begins and ends there.

The risks extend across Latin America, including Central America, Venezuela, Colombia, Brazil, Panama, and other markets where cartel activity, organized crime influence, sanctions risk, or opaque commercial structures may create significant exposure. Each country carries its own risk profile, but the common lesson is clear. Mexico may be the first chapter, but it will not be the last.

For boards and executive teams, that means regional strategy must be reviewed through a broader lens. Market entry, third-party engagement, logistics routes, security providers, and local partnerships all need to be reassessed.

Why the Supply Chain Has Become a Compliance Flashpoint

One of the most important lessons from this discussion is that cartel risk can be embedded in the supply chain. This is where compliance professionals need to recalibrate their thinking. In the anti-corruption world, companies typically focus on agents, distributors, customs brokers, and third parties with direct government interaction. In the cartel and TCO context, risk can sit inside ordinary business operations. Transportation vendors, warehouse providers, local suppliers, labor relationships, and security services may all present hidden risk if they are controlled by, connected to, or exploited by organized crime.

That changes the role of compliance. Procurement, logistics, operations, and security can no longer be treated as peripheral functions. They are now front-line participants in risk identification and mitigation. This is where the compliance function must show leadership. The CCO must bring these disciplines together and translate legal and enforcement developments into practical operational controls.

Due Diligence Must Move Beyond Check-the-Box

If there is one message compliance professionals should take from Ellis’ podcast, it is this: traditional due diligence is not enough. In anti-corruption compliance, companies have become skilled at identifying common red flags. They know how to screen for politically exposed persons, government connections, unusual payment terms, and opaque ownership structures. Those tools still matter, but they will not always surface cartel-linked risk. Organized crime does not announce itself in a database hit.

Instead, companies need a more nuanced and operationally grounded approach. Are there local security concerns being raised by employees? Are there unusual labor dynamics in a region where those patterns do not make commercial sense? Is there persistent chatter about a vendor, route, or business partner that cannot be ignored? Are operations in a community producing concerns that legal and compliance have not fully explored? These are not traditional diligence questions, but they are increasingly the right ones.

Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), regulators continue to ask whether a company’s program is designed, implemented, and tested in a manner that addresses actual risk. This is precisely where program effectiveness will now be measured in high-risk Latin American operations.

The Importance of Listening to the People on the Ground

One of the most practical insights from the interview was the emphasis on local intelligence. Employees who live and work in these communities often know far more than any desktop diligence report will reveal.

That point should resonate deeply with compliance professionals. A company’s speak-up culture is not simply about hotline metrics or case closure rates. It is about whether employees trust the organization enough to raise concerns that may not yet fit into a neat legal category. It is about whether the company listens when local personnel say that something does not add up. This is where compliance, culture, and internal controls intersect.

If a company has not built mechanisms to capture and escalate local concerns, then it is not simply missing information. It is missing one of the most effective risk detection tools available to it. These are not abstract governance questions. They go directly to program effectiveness, risk ownership, and business sustainability.

A Whole-of-Government Enforcement Model

Another important takeaway is the multidimensional nature of this risk environment. In the FCPA era, companies often focused on DOJ and the SEC. That framework no longer captures the full picture. Now the compliance professional must think across Treasury, OFAC, FinCEN, Homeland Security, DEA, and other agencies, all of which may have an interest in the same underlying conduct. This level of coordination matters because it means the government’s expectations are no longer siloed. Enforcement, intelligence, sanctions, and AML concerns can converge quickly. For compliance officers, this demands a more integrated model of risk management. Silos inside the company will not work when the government itself is operating in a coordinated manner.

Is There More Room for Government Engagement?

One of the more interesting themes from the discussion was whether companies may have more room to engage with government than they traditionally would in the anti-corruption context. That does not mean every issue should be self-disclosed. It does mean that in high-risk environments, thoughtful engagement may sometimes be part of a sound compliance strategy.

The key is judgment. No company should rush into a conversation with the government without understanding the facts and the implications. But where risks are ambiguous, stakes are high, and the legal regimes overlap, strategic dialogue may help demonstrate good faith, show the absence of criminal intent, and allow a company to explain the reasonable steps it is taking. That is not leniency. That is credibility.

The Bottom Line

This is the next generation of Latin America compliance risk. It does not replace anti-corruption compliance. It expands it, hardens it, and operationalizes it. The lesson for compliance professionals is clear. You cannot address cartel and TCO risk with yesterday’s playbook. You need broader risk assessments, deeper third-party diligence, stronger local reporting channels, tighter cross-functional coordination, and more informed board oversight.

In 2026, the companies that succeed will not be the ones with the longest policy manuals. They will be the ones that can demonstrate a compliance program built for the reality of where they operate. For the CCO, that is the challenge. For the board, that is the oversight mandate. For the business, that is the cost of operating responsibly in a changed enforcement environment. The future of compliance in Latin America is already here. The only question is whether your program is ready for it.

Check out the ACI Forum on Cartels, TCOs, and Compliance in Latin America by clicking here. You can receive a 10% off the price by using the Discount Code is D10-999-CPN26.