Categories
Blog

Cartels, Extortion, and the New FCPA Risk: Lessons from Millicom

For years, many companies treated cartel risk as a security issue rather than a compliance issue. That view is no longer sufficient. In Mexico, Central America, and Brazil, organized criminal groups do not simply threaten operations from outside the company. They can infiltrate markets through corrupted officials, cartel-linked intermediaries, compromised law enforcement, logistics providers, bankers, community leaders, and local political actors. This will be a significant topic at the upcoming ACI Cartels, TCOs & Compliance Conference in Latin America next month in Washington, D.C.

That is why the Millicom Cellular FCPA enforcement action is such an important enforcement lesson. The case was not simply about bribes paid to government officials. It was about the convergence of bribery, cartel money, cash controls, joint venture governance failures, political influence, money laundering, and accounting controls. The DOJ stated that TIGO Guatemala paid more than $118 million to resolve a long-running bribery investigation involving monthly cash bribes to Guatemalan members of Congress and that some cash used for bribe payments came from laundered narcotrafficking proceeds.

The Crossover Risk: When Cartel Risk Becomes FCPA Risk

The most dangerous risk is not always the obvious cartel member with a gun. It may be the official who is cartel-affiliated, cartel-controlled, cartel-compromised, or operating in a cartel-controlled territory. That person may hold a municipal permit, customs role, police function, legislative position, procurement seat, or regulatory gatekeeper role. For the company, the question is not only whether the demand comes from a public official. It is about whether the demand sits within a criminal ecosystem that can convert ordinary business activity into FCPA, AML, sanctions, books-and-records, internal controls, and even material support risks.

Mexico shows the point clearly. OSAC has warned that several Mexican transnational criminal organizations were designated as Foreign Terrorist Organizations and Specially Designated Global Terrorists and that paying extortion demands, including derecho de piso, can create material support concerns for U.S. organizations. Brazil presents a different but equally serious model. The U.K. Home Office reported that Brazil has more than 80 organized criminal groups, including the PCC and Comando Vermelho (CV), and that militia groups made up of current and former state agents extort populations under their control.

The US Treasury Department has described PCC as one of the largest organized crime groups in Latin America, involved in money laundering, extortion, murder-for-hire, and drug debt collection. Indeed, in May 2026, the US State Department designated both the PCC and CV as Foreign Terrorist Organizations.

Central America adds another layer. In a regional Extortion Report, the Global Initiative Against Transnational Organized Crime noted that corruption within state institutions is pervasive and that security officials may use institutional power to extort, while collusion by corrupt officials sustains extortion markets. That is the crossover risk for companies: the same demand can be an extortion event, a corruption event, and an accounting controls event.

Bribery Versus Extortion

The difference between a bribe and extortion is not always intuitive, but it is critical. A bribe is a corrupt payment made to obtain or retain business, secure an improper advantage, influence an official act, or induce the misuse of an official position. The payment can be requested by the official first. The fact that the official demanded the payment does not automatically make it extortion under the FCPA. The FCPA Resource Guide, 2nd edition, explains that corrupt intent exists when a payment is intended to induce the recipient to misuse an official position, including to obtain preferential legislation or regulations.

True extortion or duress is different. The FCPA Resource Guide states that payments made in response to true extortionate demands under imminent threat of physical harm do not give rise to FCPA liability because they are not made with corrupt intent or for the purpose of obtaining or retaining business. But the same guidance draws a hard line: mere economic coercion does not amount to extortion. A payment demanded as the price of market entry or contract award remains a bribery risk because the company can decide not to pay.

That distinction matters in cartel-heavy environments. A payment to stop an immediate threat to employees may be a duress-driven safety response. A payment to obtain a permit, avoid a regulatory delay, secure customs clearance, influence a municipal inspection, or win a contract is not transformed into lawful conduct merely because the official made the demand aggressively.

Derecho de Piso and Derecho de Paso

Derecho de Piso is generally understood as a criminal “floor tax” or protection payment required to operate in a territory. It may be demanded from retailers, agricultural producers, logistics companies, construction firms, miners, energy operators, or local distributors. Derecho de Paso means a “right of passage” payment, often framed as a toll to move people, trucks, cargo, or goods through a controlled area.

Both are dangerous because they blur lines. A company may believe it is facing a security threat. In reality, it may be funding a designated organization, recording a false business expense, using a third party as a payment conduit, or allowing a cartel-linked official to convert extortion into a corrupt advantage. The compliance lesson is not that employee safety should take a back seat. It should not. The lesson is that safety-driven decisions must still be documented truthfully, escalated appropriately, and controlled through legal, compliance, security, finance, and senior management.

Millicom as the Centerpiece

The Millicom FCPA enforcement action demonstrates how these risks manifest in practice. TIGO Guatemala’s scheme ran from at least 2012 to 2018 and involved efforts to influence Guatemalan legislators, including support for radiofrequency renewals and “Ley TIGO,” a telecommunications law that benefited the company. The company earned at least $58 million in profits from the schemes.

The mechanics were extraordinary. Cash was delivered by helicopter to the TIGO Guatemala helipad in duffel bags. A $15 million put-call execution fee was used as part of a bribery slush fund. A $12 million inflated contract and backdated invoices created the appearance of legitimate services. Most troubling, a banker laundered narcotrafficking proceeds and funneled cash to support TIGO Guatemala bribe payments.

This is the compliance lesson. The company did not face a single bad invoice. It faced a criminal infrastructure. Cash, shell companies, backdated contracts, cartel-linked funds, compromised governance, and political influence worked together. That is the modern FCPA risk environment in cartel-affected markets.

The Accounting Provisions Cannot Be an Afterthought

The FCPA accounting provisions are where many companies will face their hardest questions. The FCPA Resource Guide explains that issuers must keep books and records that accurately and fairly reflect transactions and maintain internal accounting controls sufficient to provide reasonable assurances over authorization, recording, accountability, and access to assets. It also states that it is never appropriate to mischaracterize transactions and that bribes are often hidden as consulting fees, commissions, petty cash withdrawals, vendor payments, or miscellaneous expenses.

This is especially important for extortion. A payment made under duress should never be hidden as a logistics fee, community relations expense, consulting payment, security charge, donation, customs support fee, or facilitation-style cost. Even where the anti-bribery analysis turns on duress, the books-and-records analysis turns on accuracy. The internal controls analysis turns on whether the company had reasonable controls over cash, third parties, approvals, documentation, payment channels, escalation, and post-event review.

Millicom’s remediation shows what DOJ expects after such a failure. DOJ credited remediation that included root cause analysis, termination of involved personnel, new management and compliance personnel, enhanced third-party onboarding and transaction monitoring, data analytics, testing of more than 250 transactions, an ephemeral messaging policy, training, a direct compliance reporting line, and an 800 percent increase in dedicated compliance headcount. The attached analysis rightly frames this as organizational reinvention rather than ordinary remediation.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
Blog

Cartels, TCOs, and Compliance in Latin America: Why 2026 Is a Watershed Moment

For compliance professionals, some years mark an evolution. Others mark a turning point. In 2026, corporate compliance in Latin America has reached that turning point. For the past two decades, most companies approached regional risk through a familiar lens: anti-corruption. The focus was on government touchpoints, customs interactions, licensing, permits, state-owned enterprises, and third-party intermediaries. That framework is still important. But it is no longer sufficient.

Today, the risk landscape has expanded dramatically. Cartels, transnational criminal organizations, foreign terrorist organization designations, sanctions, anti-money laundering exposure, and supply chain infiltration have all moved to the center of the compliance conversation. What was once a specialized concern has become a board-level issue.

That is why the upcoming ACI Forum on Cartels, TCOs, and Compliance in Latin America is so timely. It is also why compliance officers need to understand that this is not simply another enforcement trend. It is a structural change in how risk must be assessed, governed, and managed. I recently had the opportunity to visit with Matt Ellis, Member at Miller & Chevalier and co-Chair of the Forum. You can listen to Ellis’ remarks on this episode of the FCPA Compliance Report on the Compliance Podcast Network.

The New Risk Equation

The Trump administration has made clear that cartels, fentanyl trafficking, organized crime, and the influence of China in Latin America are policy priorities. That focus has brought multiple enforcement tools to bear, including sanctions, anti-money laundering authorities, FTO designations, and a broader integration of these issues into the compliance and enforcement landscape.

Ellis said that companies, the old model of regional compliance risk must be rethought. The issue is no longer limited to whether a payment was made to a foreign official. The question now is whether a company’s supply chain, transportation provider, security arrangement, or local commercial partner could create exposure under anti-terrorism, sanctions, or AML frameworks.

Mexico Is the Opening Chapter, Not the Whole Book

Much of the current focus is on Mexico, and for good reason. That is where the enforcement spotlight is currently brightest. But compliance professionals should not make the mistake of thinking this challenge begins and ends there.

The risks extend across Latin America, including Central America, Venezuela, Colombia, Brazil, Panama, and other markets where cartel activity, organized crime influence, sanctions risk, or opaque commercial structures may create significant exposure. Each country carries its own risk profile, but the common lesson is clear. Mexico may be the first chapter, but it will not be the last.

For boards and executive teams, that means regional strategy must be reviewed through a broader lens. Market entry, third-party engagement, logistics routes, security providers, and local partnerships all need to be reassessed.

Why the Supply Chain Has Become a Compliance Flashpoint

One of the most important lessons from this discussion is that cartel risk can be embedded in the supply chain. This is where compliance professionals need to recalibrate their thinking. In the anti-corruption world, companies typically focus on agents, distributors, customs brokers, and other third parties that have direct government interactions. In the cartel and TCO context, risk can be embedded within ordinary business operations. Transportation vendors, warehouse providers, local suppliers, labor relationships, and security services may all present hidden risk if they are controlled by, connected to, or exploited by organized crime.

That changes the role of compliance. Procurement, logistics, operations, and security can no longer be treated as peripheral functions. They are now front-line participants in risk identification and mitigation. This is where the compliance function must show leadership. The CCO must bring these disciplines together and translate legal and enforcement developments into practical operational controls.

Due Diligence Must Move Beyond Check-the-Box

If there is one message compliance professionals should take from Ellis’ podcast, it is this: traditional due diligence is not enough. In anti-corruption compliance, companies have become skilled at identifying common red flags. They know how to screen for politically exposed persons, government connections, unusual payment terms, and opaque ownership structures. Those tools still matter, but they will not always surface cartel-linked risk. Organized crime does not announce itself in a database hit.

Instead, companies need a more nuanced and operationally grounded approach. Are there local security concerns being raised by employees? Are there unusual labor dynamics in a region where those patterns do not make commercial sense? Is there persistent chatter about a vendor, route, or business partner that cannot be ignored? Are operations in a community producing concerns that legal and compliance have not fully explored? These are not traditional diligence questions, but they are increasingly the right ones.

Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), regulators continue to ask whether a company’s program is designed, implemented, and tested in a manner that addresses actual risk. This is precisely where program effectiveness will now be measured in high-risk operations in Latin America.

The Importance of Listening to the People on the Ground

One of the most practical insights from the interview was the emphasis on local intelligence. Employees who live and work in these communities often know far more than any desktop diligence report will reveal.

That point should resonate deeply with compliance professionals. A company’s speak-up culture is not simply about hotline metrics or case closure rates. It is about whether employees trust the organization enough to raise concerns that may not yet fit into a neat legal category. It is about whether the company listens when local personnel say that something does not add up. This is where compliance, culture, and internal controls intersect.

If a company has not built mechanisms to capture and escalate local concerns, then it is not simply missing information. It is missing one of the most effective risk detection tools available to it. These are not abstract governance questions. They go directly to program effectiveness, risk ownership, and business sustainability.

A Whole-of-Government Enforcement Model

Another important takeaway is the multidimensional nature of this risk environment. In the FCPA era, companies often focused on the DOJ and the SEC. That framework no longer captures the full picture. Now the compliance professional must think across Treasury, OFAC, FinCEN, Homeland Security, DEA, and other agencies, all of which may be interested in the same underlying conduct. This level of coordination matters because it means the government’s expectations are no longer siloed. Enforcement, intelligence, sanctions, and AML concerns can converge quickly. For compliance officers, this demands a more integrated risk management model. Silos within the company will not work when the government itself operates in a coordinated manner.

Is There More Room for Government Engagement?

One of the more interesting themes from the discussion was whether companies may have more room to engage with the government than they traditionally would in the anti-corruption context. That does not mean every issue should be self-disclosed. It does mean that in high-risk environments, thoughtful engagement may sometimes be part of a sound compliance strategy.

The key is judgment. No company should rush into a conversation with the government without understanding the facts and the implications. But where risks are ambiguous, stakes are high, and the legal regimes overlap, strategic dialogue may help demonstrate good faith, show the absence of criminal intent, and allow a company to explain the reasonable steps it is taking. That is not leniency. That is credibility.

The Bottom Line

This is the next generation of Latin America compliance risk. It does not replace anti-corruption compliance. It expands it, hardens it, and operationalizes it. The lesson for compliance professionals is clear. You cannot address cartel and TCO risk with yesterday’s playbook. You need broader risk assessments, deeper third-party diligence, stronger local reporting channels, tighter cross-functional coordination, and more informed board oversight.

In 2026, the companies that succeed will not be the ones with the longest policy manuals. They will be the ones who can demonstrate a compliance program built for the reality of where they operate. For the CCO, that is the challenge. For the board, that is the oversight mandate. For the business, that is the cost of operating responsibly in a changed enforcement environment. The future of compliance in Latin America is already here. The only question is whether your program is ready for it.

Check out the ACI Forum on Cartels, TCOs, and Compliance in Latin America by clicking here. You can receive a 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
FCPA Compliance Report

FCPA Compliance Report: Matt Ellis on Cartels, FTO Risk, and Corporate Compliance in Latin America

In this episode, Tom Fox welcomes Matt Ellis of Miller & Chevalier about the ACI “Cartels, TCOs and Compliance in Latin America” forum (July 20–21, Washington, DC) and why cartel/TCO/FTO risk is a timely 2026 compliance priority.

Ellis describes the Trump administration’s focus on cartels, fentanyl, China’s influence, and the expanded enforcement toolkit—FCPA guidance linking to cartel activity, sanctions, AML actions (including FinCEN orders against Mexican financial institutions), and cartel FTO designations implicating the Anti-Terrorism Act. They discuss how cartels infiltrate supply chains, creating “material support” exposure, and why due diligence must go beyond traditional screening to on-the-ground intelligence and nuanced red flags. Ellis notes government interest in compliance expectations, extortion-payment considerations, the Lafarge/ISIS example, anticipated investigations, broader regional risk (Mexico, Venezuela, Colombia, Brazil), and increased multi-agency coordination and potential dialogue with U.S. authorities.

Key highlights:

  • Why This Conference Now
  • Due Diligence Goes Deeper
  • Extortion and Self-Reporting
  • Beyond Mexico Regional Risks
  • Whole-of-Government Focus
  • When to Engage Government

Resources:

Cartels, TCOs and Compliance in Latin America, July 20-21

Matt Ellis on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
ACI FCPA Conference 2025

ACI-FCPA Conference Speaker Preview Series – Dan Kahn on the New DOJ Enforcement Priorities

In this episode of the ACI-FCPA and Global Anti-Corruption Conference Speaker Podcasts series, Dan Kahn discusses his panel at the event, “Unpacking the DOJ’s New FCPA Enforcement Guidelines and Priorities: Practical Takeaways for Updating Risk Management, Internal Investigations, and Compliance Strategies.”

Some of the issues the panel will discuss are:

  • How does the current DOJ guidance inform compliance?
  • How to recalibrate your compliance program based on the updated Guidance.
  • What does the DOJ FCPA Guidance say about enforcement priorities? 

I hope you can join me at the ACI–FCPA Conference. This year’s event will take place on December 3-4 at the Gaylord National Resort & Convention Center in National Harbor, Maryland, near Washington, D.C. The lineup of this year’s event is simply first-rate, featuring some of the top FCPA professionals, white-collar attorneys, and compliance practitioners in the field.

The 2025 program is being completely redesigned to help your organization stay agile, responsive, and ahead of the curve. Expect a dynamic agenda shaped by real-world priorities, practical takeaways, and the most cutting-edge thinking in compliance—led by a faculty of global practitioners with boots on the ground, encountering the very risks that come across your desk.

Please join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount by using the code D10-999-CPN26.

Categories
Daily Compliance News

Daily Compliance News: October 19, 2023 – The Loser Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Google’s anti-trust defense ‘We’re smarter than the average bear’.   (NYT)
  • US tightens US chips sent to China.  (WSJ)
  • Computer error leads to $20MM fine for ACI. (WSJ)
  • Jim Jordan loses again. (FT)