Categories
Blog

Security, Extortion, and the New Compliance Mandate in Cartel-Driven Markets

This blog continues our series on the ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. What we are seeing across the region is not simply another enforcement trend. It is a structural change in the way compliance officers, boards, legal departments, security teams, and business leaders must assess and manage risk. The issue is where security, extortion, compliance, and enterprise risk management now sit at the same table.

The key point is one that every compliance professional has heard after a failure: “We did not see that coming.” In most cases, that statement does not mean the risk was invisible. It means the organization was not looking in the right way. It had a preconceived view of its threat environment. It relied on familiar dashboards. It accepted old assumptions. It conducted a risk assessment that confirmed management’s beliefs rather than testing them. That is not a security problem alone. That is a compliance failure.

Cartel Risk Is Now an Enterprise Risk

The designation of certain cartels and criminal organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists has changed the risk conversation. Executive Order 14157 established a process for certain international cartels and other organizations to be designated as FTOs or SDGTs and described international cartels as a national security threat beyond traditional organized crime, including through infiltration of governments across the Western Hemisphere. OFAC also lists an alert on international cartels designated as FTOs and SDGTs as part of its counterterrorism sanctions resources. (OFAC)

For CCOs, this means cartel and TCO exposure cannot be treated as a regional security issue or as a one-time sanctions-screening exercise. It must be integrated into risk assessments, third-party management, contract review, internal controls, HR, community relations, logistics, government affairs, and crisis response.

True threat assessment begins by stepping back, looking at the full operating environment, and then breaking the risk down by function. The Department of Justice has made clear that compliance programs must be robust, well-resourced, and empowered, and that companies are expected to continuously review and update compliance programs to account for emerging risk factors. A static, annual, checklist-driven risk assessment is not fit for a cartel-driven operating environment.

THIRA as a Compliance Tool

One of the most useful concepts in the attached article is the use of Threat and Hazard Identification and Risk Assessment, or THIRA. THIRA began in the public-sector preparedness world, but its discipline translates well into corporate compliance. FEMA describes THIRA as a three-step risk assessment process that helps communities identify the risks of greatest concern and determine the capabilities needed to address them. FEMA also notes that identifying and assessing risk should be a key input into planning and that plans must be risk-informed.

For compliance professionals, that is the point. Do not begin with the control. Begin with the threat. What could happen? Who could exploit the business model? What routes, facilities, vendors, unions, brokers, security providers, customers, or local officials create exposure? What happens if a logistics route becomes unsafe, a vendor is coerced, a local union is compromised, a government permit is delayed unless a payment is made, or a security provider is connected to criminal actors?

THIRA-style analysis forces a company to model realistic scenarios, assess consequences, and then determine whether it can respond. That means authority, communications, escalation, training, legal review, security protocols, financial controls, and board reporting must all be stress-tested before the crisis.

Continuous Monitoring Is Not Optional

In ordinary compliance discussions, “continuous monitoring” can sound like a best practice phrase. In a high-threat environment, it is an operating necessity. The attached article notes that threats can change by the hour, routes can become unsafe, infrastructure can fail, and misinformation can spread intentionally.

The compliance parallel is direct. A company cannot rely only on lagging indicators, annual certifications, or publicly available reports. In cartel-influenced markets, yesterday’s intelligence can create today’s exposure. The risk function must have access to live operational data, hotline reports, security intelligence, payment anomalies, logistics disruptions, vendor changes, law enforcement alerts, and local business intelligence.

This also requires delegated authority. If compliance or security sees a threat but lacks authority to pause activity, reroute shipments, reject a vendor, escalate a payment, or stop a transaction, the program is underpowered. Policies without authority are not controls. They are artifacts.

The Board’s Role: Oversight, Not Assumption

Boards must also recalibrate. Duncan’s point that boards often understand risk exists but do not always understand their lane should resonate with every CCO. The board’s role is not to manage routes, approve security plans, or second-guess local threat intelligence. Its role is to ensure that management has identified the risk, defined risk tolerance, resourced the response, assigned authority, and created reliable reporting.

In cartel-driven markets, the board should ask, “Where are we operating in areas of criminal influence?” Which third parties are essential to those operations? How do we know they are not compromised? What payments, donations, sponsorships, logistics arrangements, or security relationships create exposure? What is our escalation protocol if an employee, vendor, union representative, community leader, or government official signals coercion?

Risk tolerance must be written, debated, approved, and revisited. Silence is not neutrality. It is permission.

Security Is a Compliance Function

The attached article makes another crucial point: security is not just physical. Insider threats, personal vulnerabilities, substance abuse, coercion, espionage, poor training, and cultural dysfunction all create compliance exposure. Employees must understand not only what the rules are but also why the rules matter and how criminal organizations exploit weak points.

In Venezuela, the State Department’s June 27, 2026, advisory tells travelers to reconsider travel because of crime, kidnapping, terrorism, poor health infrastructure, and natural disaster risk, and it identifies Tren de Aragua and Cartel de los Soles as FTOs that started in Venezuela and continue to operate. The same advisory states that the U.S. government has extremely limited capacity to provide emergency services to U.S. citizens, especially outside Caracas.  That is a board-level fact pattern. It affects duty of care, insurance, crisis response, employee travel, third-party security, incident reporting, and operational continuity.

Build the Threat Hub

The most practical recommendation is to create a threat hub. It should be a cross-functional forum where legal, finance, operations, security, compliance, and other functions review threats, vulnerabilities, and operational changes. This is precisely what mature compliance should look like in a high-risk market.

The threat hub should review incidents, routes, payments, vendor changes, customer anomalies, government interactions, community demands, employee reports, and security intelligence. It should have the authority to escalate. It should report to management and the board. It should test crisis plans through realistic exercises.

Practical takeaways

First, refresh the risk assessment now. Second, add THIRA-style scenario planning to cartel and TCO risk. Third, empower compliance and security to act in real time. Fourth, review third parties, major contracts, customers, logistics providers, unions, community intermediaries, and security vendors. Fifth, educate the board on its oversight role and require explicit risk tolerance.

The final lesson is simple. In high-threat markets, static programs fail. Assumptions kill preparedness. Authority matters. Culture is defined by what leaders tolerate. The choice for every company is whether to learn before or after the crisis.

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments. Security has taken on even greater importance in Venezuela as President Trump has announced the US will not provide any security to US companies returning to the country.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness. Authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For the complete agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
Blog

Cartels, Extortion, and the New FCPA Risk: Lessons from Millicom

For years, many companies treated cartel risk as a security issue rather than a compliance issue. That view is no longer sufficient. In Mexico, Central America, and Brazil, organized criminal groups do not simply threaten operations from outside the company. They can infiltrate markets through corrupted officials, cartel-linked intermediaries, compromised law enforcement, logistics providers, bankers, community leaders, and local political actors. This will be a significant topic at the upcoming ACI Cartels, TCOs & Compliance Conference in Latin America next month in Washington, D.C.

That is why the Millicom Cellular FCPA enforcement action is such an important enforcement lesson. The case was not simply about bribes paid to government officials. It was about the convergence of bribery, cartel money, cash controls, joint venture governance failures, political influence, money laundering, and accounting controls. The DOJ stated that TIGO Guatemala paid more than $118 million to resolve a long-running bribery investigation involving monthly cash bribes to Guatemalan members of Congress and that some cash used for bribe payments came from laundered narcotrafficking proceeds.

The Crossover Risk: When Cartel Risk Becomes FCPA Risk

The most dangerous risk is not always the obvious cartel member with a gun. It may be the official who is cartel-affiliated, cartel-controlled, cartel-compromised, or operating in a cartel-controlled territory. That person may hold a municipal permit, customs role, police function, legislative position, procurement seat, or regulatory gatekeeper role. For the company, the question is not only whether the demand comes from a public official. It is about whether the demand sits within a criminal ecosystem that can convert ordinary business activity into FCPA, AML, sanctions, books-and-records, internal controls, and even material support risks.

Mexico shows the point clearly. OSAC has warned that several Mexican transnational criminal organizations were designated as Foreign Terrorist Organizations and Specially Designated Global Terrorists and that paying extortion demands, including derecho de piso, can create material support concerns for U.S. organizations. Brazil presents a different but equally serious model. The U.K. Home Office reported that Brazil has more than 80 organized criminal groups, including the PCC and Comando Vermelho (CV), and that militia groups made up of current and former state agents extort populations under their control.

The US Treasury Department has described PCC as one of the largest organized crime groups in Latin America, involved in money laundering, extortion, murder-for-hire, and drug debt collection. Indeed, in May 2026, the US State Department designated both the PCC and CV as Foreign Terrorist Organizations.

Central America adds another layer. In a regional Extortion Report, the Global Initiative Against Transnational Organized Crime noted that corruption within state institutions is pervasive and that security officials may use institutional power to extort, while collusion by corrupt officials sustains extortion markets. That is the crossover risk for companies: the same demand can be an extortion event, a corruption event, and an accounting controls event.

Bribery Versus Extortion

The difference between a bribe and extortion is not always intuitive, but it is critical. A bribe is a corrupt payment made to obtain or retain business, secure an improper advantage, influence an official act, or induce the misuse of an official position. The payment can be requested by the official first. The fact that the official demanded the payment does not automatically make it extortion under the FCPA. The FCPA Resource Guide, 2nd edition, explains that corrupt intent exists when a payment is intended to induce the recipient to misuse an official position, including to obtain preferential legislation or regulations.

True extortion or duress is different. The FCPA Resource Guide states that payments made in response to true extortionate demands under imminent threat of physical harm do not give rise to FCPA liability because they are not made with corrupt intent or for the purpose of obtaining or retaining business. But the same guidance draws a hard line: mere economic coercion does not amount to extortion. A payment demanded as the price of market entry or contract award remains a bribery risk because the company can decide not to pay.

That distinction matters in cartel-heavy environments. A payment to stop an immediate threat to employees may be a duress-driven safety response. A payment to obtain a permit, avoid a regulatory delay, secure customs clearance, influence a municipal inspection, or win a contract is not transformed into lawful conduct merely because the official made the demand aggressively.

Derecho de Piso and Derecho de Paso

Derecho de Piso is generally understood as a criminal “floor tax” or protection payment required to operate in a territory. It may be demanded from retailers, agricultural producers, logistics companies, construction firms, miners, energy operators, or local distributors. Derecho de Paso means a “right of passage” payment, often framed as a toll to move people, trucks, cargo, or goods through a controlled area.

Both are dangerous because they blur lines. A company may believe it is facing a security threat. In reality, it may be funding a designated organization, recording a false business expense, using a third party as a payment conduit, or allowing a cartel-linked official to convert extortion into a corrupt advantage. The compliance lesson is not that employee safety should take a back seat. It should not. The lesson is that safety-driven decisions must still be documented truthfully, escalated appropriately, and controlled through legal, compliance, security, finance, and senior management.

Millicom as the Centerpiece

The Millicom FCPA enforcement action demonstrates how these risks manifest in practice. TIGO Guatemala’s scheme ran from at least 2012 to 2018 and involved efforts to influence Guatemalan legislators, including support for radiofrequency renewals and “Ley TIGO,” a telecommunications law that benefited the company. The company earned at least $58 million in profits from the schemes.

The mechanics were extraordinary. Cash was delivered by helicopter to the TIGO Guatemala helipad in duffel bags. A $15 million put-call execution fee was used as part of a bribery slush fund. A $12 million inflated contract and backdated invoices created the appearance of legitimate services. Most troubling, a banker laundered narcotrafficking proceeds and funneled cash to support TIGO Guatemala bribe payments.

This is the compliance lesson. The company did not face a single bad invoice. It faced a criminal infrastructure. Cash, shell companies, backdated contracts, cartel-linked funds, compromised governance, and political influence worked together. That is the modern FCPA risk environment in cartel-affected markets.

The Accounting Provisions Cannot Be an Afterthought

The FCPA accounting provisions are where many companies will face their hardest questions. The FCPA Resource Guide explains that issuers must keep books and records that accurately and fairly reflect transactions and maintain internal accounting controls sufficient to provide reasonable assurances over authorization, recording, accountability, and access to assets. It also states that it is never appropriate to mischaracterize transactions and that bribes are often hidden as consulting fees, commissions, petty cash withdrawals, vendor payments, or miscellaneous expenses.

This is especially important for extortion. A payment made under duress should never be hidden as a logistics fee, community relations expense, consulting payment, security charge, donation, customs support fee, or facilitation-style cost. Even where the anti-bribery analysis turns on duress, the books-and-records analysis turns on accuracy. The internal controls analysis turns on whether the company had reasonable controls over cash, third parties, approvals, documentation, payment channels, escalation, and post-event review.

Millicom’s remediation shows what DOJ expects after such a failure. DOJ credited remediation that included root cause analysis, termination of involved personnel, new management and compliance personnel, enhanced third-party onboarding and transaction monitoring, data analytics, testing of more than 250 transactions, an ephemeral messaging policy, training, a direct compliance reporting line, and an 800 percent increase in dedicated compliance headcount. The attached analysis rightly frames this as organizational reinvention rather than ordinary remediation.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
Blog

Cartels, TCOs, and Compliance in Latin America: Why 2026 Is a Watershed Moment

For compliance professionals, some years mark an evolution. Others mark a turning point. In 2026, corporate compliance in Latin America has reached that turning point. For the past two decades, most companies approached regional risk through a familiar lens: anti-corruption. The focus was on government touchpoints, customs interactions, licensing, permits, state-owned enterprises, and third-party intermediaries. That framework is still important. But it is no longer sufficient.

Today, the risk landscape has expanded dramatically. Cartels, transnational criminal organizations, foreign terrorist organization designations, sanctions, anti-money laundering exposure, and supply chain infiltration have all moved to the center of the compliance conversation. What was once a specialized concern has become a board-level issue.

That is why the upcoming ACI Forum on Cartels, TCOs, and Compliance in Latin America is so timely. It is also why compliance officers need to understand that this is not simply another enforcement trend. It is a structural change in how risk must be assessed, governed, and managed. I recently had the opportunity to visit with Matt Ellis, Member at Miller & Chevalier and co-Chair of the Forum. You can listen to Ellis’ remarks on this episode of the FCPA Compliance Report on the Compliance Podcast Network.

The New Risk Equation

The Trump administration has made clear that cartels, fentanyl trafficking, organized crime, and the influence of China in Latin America are policy priorities. That focus has brought multiple enforcement tools to bear, including sanctions, anti-money laundering authorities, FTO designations, and a broader integration of these issues into the compliance and enforcement landscape.

Ellis said that companies, the old model of regional compliance risk must be rethought. The issue is no longer limited to whether a payment was made to a foreign official. The question now is whether a company’s supply chain, transportation provider, security arrangement, or local commercial partner could create exposure under anti-terrorism, sanctions, or AML frameworks.

Mexico Is the Opening Chapter, Not the Whole Book

Much of the current focus is on Mexico, and for good reason. That is where the enforcement spotlight is currently brightest. But compliance professionals should not make the mistake of thinking this challenge begins and ends there.

The risks extend across Latin America, including Central America, Venezuela, Colombia, Brazil, Panama, and other markets where cartel activity, organized crime influence, sanctions risk, or opaque commercial structures may create significant exposure. Each country carries its own risk profile, but the common lesson is clear. Mexico may be the first chapter, but it will not be the last.

For boards and executive teams, that means regional strategy must be reviewed through a broader lens. Market entry, third-party engagement, logistics routes, security providers, and local partnerships all need to be reassessed.

Why the Supply Chain Has Become a Compliance Flashpoint

One of the most important lessons from this discussion is that cartel risk can be embedded in the supply chain. This is where compliance professionals need to recalibrate their thinking. In the anti-corruption world, companies typically focus on agents, distributors, customs brokers, and other third parties that have direct government interactions. In the cartel and TCO context, risk can be embedded within ordinary business operations. Transportation vendors, warehouse providers, local suppliers, labor relationships, and security services may all present hidden risk if they are controlled by, connected to, or exploited by organized crime.

That changes the role of compliance. Procurement, logistics, operations, and security can no longer be treated as peripheral functions. They are now front-line participants in risk identification and mitigation. This is where the compliance function must show leadership. The CCO must bring these disciplines together and translate legal and enforcement developments into practical operational controls.

Due Diligence Must Move Beyond Check-the-Box

If there is one message compliance professionals should take from Ellis’ podcast, it is this: traditional due diligence is not enough. In anti-corruption compliance, companies have become skilled at identifying common red flags. They know how to screen for politically exposed persons, government connections, unusual payment terms, and opaque ownership structures. Those tools still matter, but they will not always surface cartel-linked risk. Organized crime does not announce itself in a database hit.

Instead, companies need a more nuanced and operationally grounded approach. Are there local security concerns being raised by employees? Are there unusual labor dynamics in a region where those patterns do not make commercial sense? Is there persistent chatter about a vendor, route, or business partner that cannot be ignored? Are operations in a community producing concerns that legal and compliance have not fully explored? These are not traditional diligence questions, but they are increasingly the right ones.

Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), regulators continue to ask whether a company’s program is designed, implemented, and tested in a manner that addresses actual risk. This is precisely where program effectiveness will now be measured in high-risk operations in Latin America.

The Importance of Listening to the People on the Ground

One of the most practical insights from the interview was the emphasis on local intelligence. Employees who live and work in these communities often know far more than any desktop diligence report will reveal.

That point should resonate deeply with compliance professionals. A company’s speak-up culture is not simply about hotline metrics or case closure rates. It is about whether employees trust the organization enough to raise concerns that may not yet fit into a neat legal category. It is about whether the company listens when local personnel say that something does not add up. This is where compliance, culture, and internal controls intersect.

If a company has not built mechanisms to capture and escalate local concerns, then it is not simply missing information. It is missing one of the most effective risk detection tools available to it. These are not abstract governance questions. They go directly to program effectiveness, risk ownership, and business sustainability.

A Whole-of-Government Enforcement Model

Another important takeaway is the multidimensional nature of this risk environment. In the FCPA era, companies often focused on the DOJ and the SEC. That framework no longer captures the full picture. Now the compliance professional must think across Treasury, OFAC, FinCEN, Homeland Security, DEA, and other agencies, all of which may be interested in the same underlying conduct. This level of coordination matters because it means the government’s expectations are no longer siloed. Enforcement, intelligence, sanctions, and AML concerns can converge quickly. For compliance officers, this demands a more integrated risk management model. Silos within the company will not work when the government itself operates in a coordinated manner.

Is There More Room for Government Engagement?

One of the more interesting themes from the discussion was whether companies may have more room to engage with the government than they traditionally would in the anti-corruption context. That does not mean every issue should be self-disclosed. It does mean that in high-risk environments, thoughtful engagement may sometimes be part of a sound compliance strategy.

The key is judgment. No company should rush into a conversation with the government without understanding the facts and the implications. But where risks are ambiguous, stakes are high, and the legal regimes overlap, strategic dialogue may help demonstrate good faith, show the absence of criminal intent, and allow a company to explain the reasonable steps it is taking. That is not leniency. That is credibility.

The Bottom Line

This is the next generation of Latin America compliance risk. It does not replace anti-corruption compliance. It expands it, hardens it, and operationalizes it. The lesson for compliance professionals is clear. You cannot address cartel and TCO risk with yesterday’s playbook. You need broader risk assessments, deeper third-party diligence, stronger local reporting channels, tighter cross-functional coordination, and more informed board oversight.

In 2026, the companies that succeed will not be the ones with the longest policy manuals. They will be the ones who can demonstrate a compliance program built for the reality of where they operate. For the CCO, that is the challenge. For the board, that is the oversight mandate. For the business, that is the cost of operating responsibly in a changed enforcement environment. The future of compliance in Latin America is already here. The only question is whether your program is ready for it.

Check out the ACI Forum on Cartels, TCOs, and Compliance in Latin America by clicking here. You can receive a 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
FCPA Compliance Report

FCPA Compliance Report: Matt Ellis on Cartels, FTO Risk, and Corporate Compliance in Latin America

In this episode, Tom Fox welcomes Matt Ellis of Miller & Chevalier about the ACI “Cartels, TCOs and Compliance in Latin America” forum (July 20–21, Washington, DC) and why cartel/TCO/FTO risk is a timely 2026 compliance priority.

Ellis describes the Trump administration’s focus on cartels, fentanyl, China’s influence, and the expanded enforcement toolkit—FCPA guidance linking to cartel activity, sanctions, AML actions (including FinCEN orders against Mexican financial institutions), and cartel FTO designations implicating the Anti-Terrorism Act. They discuss how cartels infiltrate supply chains, creating “material support” exposure, and why due diligence must go beyond traditional screening to on-the-ground intelligence and nuanced red flags. Ellis notes government interest in compliance expectations, extortion-payment considerations, the Lafarge/ISIS example, anticipated investigations, broader regional risk (Mexico, Venezuela, Colombia, Brazil), and increased multi-agency coordination and potential dialogue with U.S. authorities.

Key highlights:

  • Why This Conference Now
  • Due Diligence Goes Deeper
  • Extortion and Self-Reporting
  • Beyond Mexico Regional Risks
  • Whole-of-Government Focus
  • When to Engage Government

Resources:

Cartels, TCOs and Compliance in Latin America, July 20-21

Matt Ellis on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Blog

Millicom Cellular, Part 2: Lessons Learned on Cartels, Cash, and Control Failures

The Millicom Cellular FCPA enforcement action is not just another FCPA case. It is a case that signals a new frontier for compliance risk. It blends classic corrupt-payment schemes with organized crime, narcotrafficking proceeds, obstructed governance, and aggressive legislative capture. It is a wake-up call for compliance officers that the threat landscape is expanding in ways that require deeper operational controls, broader due diligence frameworks, and more sophisticated cross-functional collaboration.

In Part 1, we considered the underlying facts and FCPA violations of this matter. In Part 2, we examine what compliance professionals must take away from the case.

Lesson 1: Joint-Venture Governance Failures Are Not a Defense

Millicom Cellular held a 55 percent ownership stake in TIGO Guatemala, but the local partner exercised operational control and blocked Millicom Cellular from information and cooperation. The DOJ notes that Millicom Cellular voluntarily disclosed early concerns in 2015 but was unable to compel cooperation from local executives or obtain complete data. The result is a clear message:

Ownership without operational control equals enormous FCPA exposure.

Compliance professionals must:

  • Implement JV governance protocols that require access rights, audit rights, and cooperation language in shareholder agreements. Try to place your company’s representative as the CFO of the joint venture.
  • Establish escalation pathways if a partner obstructs investigations.
  • Treat “majority ownership without control” as a high-risk structure in compliance risk assessments.

Yet notwithstanding the foregoing, DOJ has made clear it will not accept a lack of control as an excuse for failing to detect corruption, especially when red flags are visible.

Lesson 2: Cash-Based Bribery Ecosystems Require a Different Kind of Monitoring

The bribery scheme ran almost entirely on cash: cash in duffel bags delivered by helicopter, cash laundered through drug traffickers, cash moved through shell companies, and cash withdrawn from banks in plastic bags. Traditional financial controls are almost useless in the face of an off-books cash economy. Compliance must be enhanced:

  • Controls around cash withdrawals
  • Monitoring of cash-intensive vendors
  • Patterns of invoicing irregularities
  • Real-time analytics on deviations in expense and procurement behavior

This is not a theoretical exercise. It is an operational reality for companies in high-risk jurisdictions.

Lesson 3: Cartel Exposure Is Emerging as a Corporate Compliance Obligation

This case represents one of the most explicit linkages between FCPA violations and narco-trafficking cash flows. The scheme not only involved bribes; it also involved bribes financed by organized crime. Compliance officers must now assume that criminal networks may view legitimate multinationals as conduits for illicit financial flows. This demands:

  • Enhanced beneficial-ownership checks
  • Screening for cartel-linked financial intermediaries
  • Deeper diligence on bankers, lawyers, and consultants
  • Country-level threat mapping that includes cartel and organized crime indicators

The DOJ has increasingly emphasized convergence risk between corruption, money laundering, and organized crime. The Millicom Cellular enforcement action is a prime example.

Lesson 4: “Influencing Legislation” Is a Red Flag, Not a Business Strategy

TIGO Guatemala sought legislative outcomes that would alter the national telecom law. That in itself is not illegal. What is unlawful is tying legislative outcomes to cash bribes, helicopter deliveries, and cartel-funded transactions. Compliance teams must scrutinize:

  • Payments to lobbyists, political consultants, and intermediaries
  • Relationships with legislators and political parties
  • Sponsorships, charitable donations, and community programs with political beneficiaries

Any effort to “shape legislation” must come with strict controls.

Lesson 5: Data Gaps Are Compliance Gaps

Millicom’s inability to obtain information access within its own joint venture delayed detection and undermined the credibility of its initial self-disclosure. Compliance professionals must demand:

  • Rights to data
  • Rights to conduct investigations
  • Rights to interview employees
  • The right to require cooperation from partners

A partner who denies access creates liability.

Lesson 6: Remediation Must Be Conducted Like a Corporate Transformation

Millicom’s remediation was extensive. It included:

  • Replacing senior personnel
  • Centralizing compliance oversight
  • Enhancing third-party onboarding and continuous monitoring
  • Adding data analytics
  • Conducting control testing across more than 250 transactions
  • Creating an ephemeral-messaging retention policy
  • Increasing compliance headcount by 800 percent (pages 5–6)

The DOJ’s description reads less like remediation and more like organizational reinvention. That is the expectation now. Compliance must treat remediation as a fully integrated operational overhaul.

Lesson 7: The DOJ Will Reopen Cases When New Evidence Emerges

The DOJ initially closed the investigation in 2018. It reopened the case in 2020 after uncovering new evidence from outside sources, including cartel-linked transactions. The message is clear:

  • Self-disclosure is not a shield when the company lacks visibility into misconduct.
  • Failure to detect ongoing wrongdoing can undermine trust and credit for cooperation.
  • Compliance must ensure continuous monitoring even after perceived risk has been reduced.

Conclusion: The New Compliance Mandate

The Millicom Cellular enforcement action demonstrates that compliance risk is no longer confined to corrupt payments. It now involves organized crime, cash-based bribery systems, cross-border laundering, political capture, and governance obstructions. Compliance professionals must operate with a broader risk lens, encompassing cartel risk, cash-economy vulnerabilities, high-risk political interactions, and joint-venture control structures. This is a key enforcement effort of the Trump Administration.

The future of compliance is not about preventing bribery alone. It is about defending the corporation from becoming an unwitting partner in a criminal enterprise.

Categories
Blog

Millicom Cellular Part 1: Bribery by Helicopter – Unpacking the Full Extent of the FCPA Violations

The Millicom Cellular enforcement action stands out as one of the most interesting Foreign Corrupt Practices Act (FCPA) cases in recent memory. It sits at the intersection of telecom, political corruption, joint-venture governance failures, and international criminal cartels. For compliance professionals, this matter is not simply about bribery. It is about understanding how criminal ecosystems infiltrate legitimate business chains, how corporate governance can be weaponized, and how cash-based bribery systems can bypass formal controls entirely. It also demonstrates the Trump Administration’s clear enforcement priorities for FCPA enforcement going forward.

In Part 1, we will consider the facts: what the Department of Justice uncovered, how the bribery schemes operated, and why cartel money ended up in a major telecom enterprise. In Part 2, we will focus on the lessons learned for the compliance professional.

The Scheme: Bribery at Scale to Influence National Legislation

According to the Statement of Facts, between at least 2012 and 2018, Comunicaciones Celulares S.A. (TIGO Guatemala) engaged in a widespread and prolonged bribery scheme to influence Guatemalan legislators and secure favorable laws, regulatory decisions, and business advantages for the company. The scheme was orchestrated by:

  • TIGO Guatemala Executive 1;
  • Former Chief Corporate Affairs Officer Acisclo Valladares;
  • Shareholder 1, owner of the Panama-based joint-venture partner; and
  • Numerous intermediaries and employees who facilitated cash movements and interactions with government officials

The benefits sought were substantial. TIGO Guatemala paid bribes to secure support for the renewal of valuable radiofrequency usufruct titles for a twenty-year term. The company also paid bribes to secure passage of “Ley TIGO,” a telecommunications law that disproportionately benefited the company by giving it preferential infrastructure authorization rights at the national, rather than municipal, level. The company earned at least USD 58 million in profits from these schemes.

In short, these were not sporadic acts of misconduct. They were deliberate, sustained, and intended to shape the legal and commercial landscape of an entire national industry.

The Mechanics: How the Bribes Were Paid

The bribery system relied almost entirely on cash. That fact alone created multiple operational and legal vulnerabilities. But the methods used to generate, transport, and disguise that cash reveal the depth of the misconduct.

1. Helicopter Deliveries of Cash

Early in the scheme, cash was transported in duffel bags flown by helicopter to the TIGO Guatemala helipad, where Valladares retrieved it and stored it in his office (page A-6). Government officials or their security teams visited the TIGO offices in person to collect payments. This unusual method came to an abrupt stop when one helicopter made an emergency landing at a military base. Cash-filled duffel bags were discovered by the base commander, triggering inquiries.

2. Millicom’s Put-Call Agreement Fee Used as a Bribery Slush Fund

In late 2013, Shareholder 1 informed a Millicom executive that part of the USD 15 million “execution fee” for a put-call agreement would be used to pay bribes and fund political campaigns. Although Millicom did not control TIGO Guatemala at the time and objected to the practice, the fee was used to reimburse bribes previously paid and to create additional liquidity for further corrupt payments.

3. Inflated and Backdated Contracts

In 2014, TIGO Guatemala Executive 1 executed a grossly inflated USD 12 million contract with an entity associated with Shareholder 1 to generate a slush fund. Shell companies then backdated invoices to create the appearance of legitimate legal or consulting services. Funds were funneled to Valladares, including into his personal bank account in the United States.

4. Cartel-Linked Cash Through a Money-Laundering Banker

The most alarming element involved the use of narcotrafficking proceeds. Beginning in 2014, banker Álvaro Estuardo Cobar Bustamante laundered cash for drug traffickers and funneled that cash to Valladares for TIGO Guatemala’s bribe payments (pages A-8 to A-10). In one instance, Cobar laundered USD 1 million for a narcotics trafficker, then delivered the cash to be used for bribes. In 2017, Valladares wired USD 350,000 from his U.S. account to one of Cobar’s accounts as part of a cross-border laundering operation that served both TIGO’s bribery needs and cartel objectives.

The fact that cartel money entered the corporate bloodstream of a multinational telecom enterprise is extraordinary. It transforms this case from a classic FCPA scenario into one that also implicates money laundering, organized crime, and regional security threats.

Millicom’s Partial Self-Disclosure and Its Limitations

Millicom, the parent company and majority owner since 2015, self-disclosed concerns in 2015. But Millicom did not have operational control over the joint venture and was blocked from accessing key information. As a result:

  • Millicom received partial self-disclosure credit.
  • The DOJ closed the first phase of the investigation in 2018.
  • The investigation was later reopened in 2020 after independent evidence emerged that the scheme had continued, including cartel-linked cash flows.

These dynamics highlight the vulnerabilities of joint ventures, in which a local partner holds operational control and may intentionally obstruct visibility into corruption risks.

The Resolution

Under the deferred prosecution agreement, TIGO Guatemala agreed to:

  • Pay a USD 60 million criminal penalty;
  • Forfeit USD 58,198,343;
  • Implement extensive remediation and compliance enhancements; and
  • Cooperate in ongoing investigations.

The DOJ credited Millicom Cellular for extensive remediation after acquiring full operational control in 2021, including overhauling compliance resources, enhancing third-party monitoring, building data analytics systems, and significantly increasing compliance staffing.

Conclusion

The Millicom Cellular enforcement action reveals a corporate ecosystem in which political corruption, weak joint venture governance, and cartel money combined to create a perfect storm of FCPA risk. Join us tomorrow for Part 2, where I will examine what this means for compliance professionals, including the emerging expectation that compliance programs incorporate cartel-risk mapping and cross-border illicit finance detection.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Uncovering FCPA Violations: Millicom’s Complex Case Involving Drug Cartel Funds

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the intricate details of a recent FCPA enforcement action against Millicom Cellular, a Luxembourg-based telecommunications company with operations in Guatemala.

The discussion uncovers how Millicom’s joint venture, Comunicaciones Celulares (CommCell), became embroiled in bribery and corruption involving duffel bags of drug cartel cash used to pay off Guatemalan officials. Despite the DOJ’s earlier pause on FCPA enforcement, the emergence of narco-trafficking aspects led to a reopened investigation and significant penalties for Millicom. Key points include the case timeline, the lack of Millicom’s operational control and visibility, and the broader implications for due diligence in joint ventures and cross-border operations in high-risk regions.

Key highlights:

  • Details of the FCPA Enforcement Action
  • Millicom’s Joint Venture in Guatemala
  • Self-Disclosure and DOJ’s Response
  • Timeline of Events and Corruption Details
  • Drug Trafficking and Bribery Connections
  • Implications and Compliance Lessons

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
ACI FCPA Conference 2025

ACI-FCPA Conference Speaker Preview Series – Ricardo Wagner de Araujo on Potential Trouble in your (Latin American) Supply Chain

In this episode of the ACI-FCPA and Global Anti-Corruption Conference Speaker Podcasts series, Ricardo Wagner de Araujo discusses his panel at the event, “Managing New Risks in Latin America: A Look at the Biggest Ways Cartels/TCOs Are Infiltrating Businesses and Supply Chains, and How Companies Are Responding.”

Some of the issues the panel will discuss are:

    • The changing risks in Latin America.
    • How TCOs and cartels exploit 3rd party relationships.
    • Tips for adapting your compliance programs in Latin America.

I hope you can join me at the ACI–FCPA Conference. This year’s event will take place on December 3-4 at the Gaylord National Resort & Convention Center in National Harbor, Maryland, near Washington, D.C. The lineup of this year’s event is simply first-rate, featuring some of the top FCPA professionals, white-collar attorneys, and compliance practitioners in the field.

The 2025 program is being completely redesigned to help your organization stay agile, responsive, and ahead of the curve. Expect a dynamic agenda shaped by real-world priorities, practical takeaways, and the most cutting-edge thinking in compliance—led by a faculty of global practitioners with boots on the ground, encountering the very risks that come across your desk.

Please join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount by using the code D10-999-CPN26.

Categories
All Things Investigations

All Things Investigations – Terrorism Designations of Mexican Cartels Fundamentally Enhances Risk for All Companies

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox is joined by Jeremy Paner and Diego Durán de la Vega to discuss the designation of cartels and other actors in Mexico as foreign terrorist organizations and what this means for US businesses.

This episode considers the significant compliance regulation changes affecting US domestic and Mexican companies. The focal point is the recent designation of cartels and their members as Foreign Terrorist Organizations (FTO) and/or Specially Designated Global Terrorists (SDGT). Unlike in the past, where counter-narcotics sanctions had a limited impact on day-to-day business operations, these new rules introduced a different risk landscape. The spotlight is not simply on the widely-publicized foreign terrorist organizations but rather on the lesser-known yet impactful, specially designated global terrorist (SDGT) actions. These SDGT designations empower the US Treasury’s terrorist finance tracking program, effectively increasing surveillance on Mexican payments, thus posing new challenges and risks for domestic companies.

Key highlights:

  • Introduction to New Rules Impacting US Companies
  • Impact on Domestic Mexican Companies
  • Terrorism Designations and Their Implications
  • Treasury’s Terrorist Finance Tracking Program

Resources:

Jeremy Paner

Diego Durán de la Vega

Hughes Hubbard & Reed website

Designation of Criminal Cartels as Foreign Terrorist Organizations Increases Compliance Risks for Companies (US or Not) Operating in Mexico and Greater Latin America