
GSK in China: 13 Years Later – After the Humphrey Verdict: Managing Third-Party Risk When You Can’t Verify

Thirteen years after the GSK China scandal exploded onto the global stage, its lessons remain as urgent as ever for compliance professionals and business leaders. In this podcast series, we revisit the case not simply as corporate history, but as a living cautionary tale about culture, incentives, third parties, investigations, and governance. Each episode explores what went wrong, why it went wrong, and how those failures still echo in today’s compliance and ethics landscape. Join me as we unpack the scandal and draw practical lessons for building stronger, more resilient organizations. In this episode, we return to the 2013 GSK China bribery scandal and examine why it still stands as one of the most important case studies in corporate compliance, governance, and culture. Our hosts are Timothy and Fiona.

The episode examines how multinational companies should manage third-party relationships and compliance in opaque markets like China when traditional intelligence-gathering is curtailed by privacy laws, using the case of corporate investigators Peter Humphrey and his wife Yu Yingzeng, who were hired by GSK to investigate a sex-tape scandal but were convicted and imprisoned for purchasing Chinese citizens’ personal data. The discussion highlights how the verdict created operational uncertainty for due diligence, M&A, supplier vetting, and anti-bribery efforts, and notes Humphrey’s claim that GSK withheld that it faced internal whistleblower corruption allegations. Drawing on DOJ expectations and an SCCE framework, it argues for shifting from “vet and forget” to continuous third-party management across five steps, reinforcing business justification, questionnaires, contracts, and ongoing oversight with mitigations like capped commissions, detailed invoice review, early audits, and use of public records and in-person interviews.

Key Highlights

  • Why Verification Matters
  • Privacy Laws Change Everything
  • When Partners Refuse Disclosure
  • Build Your Own Intelligence
  • Contract Controls and Oversight

Resources

GSK in China: A Game Changer for Compliance on Amazon.com

GSK in China: Anti-Bribery Enforcement Goes Global on Amazon.com

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Ed. Note: The voices of the hosts, Timothy and Fiona, were created by Notebook LM based upon text written by Tom Fox.


AI Concentration Risk: A New Third-Party and Operational Resilience Challenge for Compliance

For years, concentration risk was treated as someone else’s problem. Procurement worried about sole-source vendors. Treasury worried about counterparty exposure. Supply chain teams worried about bottlenecks. Compliance, by contrast, often sat one step removed from those conversations. In the age of enterprise AI, that separation no longer works.

Today, AI concentration risk is a front-line compliance issue. When a company’s most important AI-enabled processes depend on a small number of cloud providers, model vendors, chip suppliers, or geographic regions, that dependency is not merely an operational detail. It is a governance decision. And when that dependency is not identified, documented, tested, and managed, it becomes evidence of weak oversight that regulators and prosecutors understand very well.

That is why Chief Compliance Officers (CCOs) need to move AI concentration risk out of the technology silo and into the compliance program. This is not simply about resilience. It is about whether the company can demonstrate, under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), that it has identified a material risk, assigned ownership, designed controls, tested those controls, and escalated what matters. In other words, AI concentration risk is now a test of whether governance is real.

Why AI Concentration Risk Belongs in Compliance

At its core, AI concentration risk arises when a company becomes overly dependent on a small number of external providers, infrastructure layers, or geographic regions to support key AI-enabled operations. This is a classic third-party risk problem because it involves reliance on outside parties for critical services. It is also an operational resilience problem because a failure at one of those chokepoints can disrupt business continuity, customer commitments, internal reporting, investigations, monitoring, or other compliance-relevant functions.

For compliance professionals, that should sound familiar. The ECCP has long required companies to identify their risk universe, tailor controls accordingly, allocate resources to higher-risk areas, and continuously assess whether those controls are working in practice. The DOJ asks whether compliance programs are well designed, adequately resourced, empowered to function effectively, and tested for real-world performance. AI concentration risk fits squarely within that framework.

If your company relies on a single model provider for third-party screening, a single cloud region for transaction monitoring, or a single AI vendor for investigation triage, then a disruption is not simply an IT problem. It may affect the company’s ability to prevent misconduct, detect red flags, escalate allegations, and maintain reliable controls. If management cannot explain those dependencies and cannot show what has been done to mitigate them, that is evidence of under-governance.

The ECCP as the Primary Lens

The ECCP provides a highly practical framework for thinking about AI concentration risk by forcing compliance professionals to ask implementation questions rather than merely conceptual ones.

  1. Has your company conducted a risk assessment that includes AI dependency and concentration? Many organizations assess AI bias, privacy, and cybersecurity risk, but far fewer assess whether a small number of vendors represent single points of failure.
  2. Has your company translated that risk assessment into policies, procedures, and controls? It is not enough to know that dependency exists. The compliance question is whether there are controls in place for vendor onboarding, backup arrangements, portability, incident escalation, contractual protections, and contingency planning.
  3. Have those controls been tested? The ECCP is clear that paper programs are not enough. A company needs to know whether its controls function in practice. If there is a multi-cloud failover plan or an alternate-model runbook, has it actually been exercised?
  4. Has ownership been assigned? The DOJ repeatedly focuses on accountability. Someone must own the risk, someone must own the mitigation plan, and someone must report it to leadership.
  5. Is there evidence? Under the ECCP, documentation matters because it shows that a company did not merely talk about governance but operationalized it. In the AI context, this means inventories, risk rankings, contracts, testing logs, escalation protocols, incident reviews, and committee reporting. It is still Document, Document, Document.

Where Compliance Should Look First

For CCOs, the best way to begin is to map AI concentration risk across three layers.

The first is the infrastructure layer. Which GPU, accelerator, or compute providers support the organization’s most important AI functions? Is there heavy dependence on a single supplier or downstream foundry chain? Even if compliance does not make technical decisions, it should understand whether there is material operational exposure concentrated in a single location.

The second is the cloud and hosting layer. Which cloud providers and regions support production AI workloads? Are critical applications concentrated in one geography or one platform? Have failover and disaster recovery been tested, or are they merely theoretical?

The third is the model and application layer. Which model vendors, API providers, or AI-enabled workflow tools sit inside key business processes? Here is where the third-party risk lens becomes especially important. If one provider supports sanctions screening, hotline triage, policy search, transaction monitoring, or investigation workflows, the disruption risk is directly relevant to compliance effectiveness.

This is where a CCO should work closely with procurement, legal, IT, enterprise risk, and internal audit. The goal is not to take over technology governance. The goal is to ensure that AI concentration risk is incorporated into the company’s existing compliance and third-party risk architecture.

Building Practical Controls

Your approach should be practical and programmatic. First, start with inventory and classification. You cannot govern what you have not identified. Compliance should push for an inventory of AI use cases and the vendors, cloud environments, and model providers that support them. Those use cases should then be tiered based on business criticality, regulatory sensitivity, and operational dependency.

Next, update third-party due diligence. Traditional diligence questions around financial stability, security, and legal compliance remain important, but AI vendors should also be assessed for concentration-related risks. Can data and workflows be ported? Are there fallback options? What are the provider’s subcontracting dependencies? What audit rights exist? How are outages escalated?

Then move to contract design. This is where many compliance programs can add real value. Contracts should address incident notification, business continuity, data export, transition assistance, audit rights, service levels, and escalation expectations. Where concentration is likely to become significant, enhanced contractual protections should be mandatory.

After that, build contingency runbooks. If a model provider becomes unavailable, what happens? If a cloud region goes down, how quickly can key compliance processes be rerouted? If a vendor changes pricing or access terms, what is the escalation path? These runbooks should be documented, assigned to owners, and tested.

Finally, establish escalation thresholds. Governance is strongest when the company decides in advance what degree of concentration requires mitigation. For example, if more than half of a key compliance workflow depends on a single external provider, that may trigger a review by the board or executive committee. If a single region hosts a material portion of compliance-critical AI activity, failover testing may become mandatory.

Where NIST AI RMF and ISO/IEC 42001 Help

This is where the NIST AI Risk Management Framework and ISO/IEC 42001 become highly valuable for compliance officers. They help translate high-level concern into disciplined governance.

The NIST AI RMF is organized around four functions: Govern, Map, Measure, and Manage. That structure is especially useful here. Governing means assigning responsibility and setting risk appetite. Mapping means identifying where concentration exists and which business processes depend on it. Measuring means assessing the degree of dependency and resilience. Managing means putting in place mitigation, monitoring, and response mechanisms.

ISO/IEC 42001 adds an equally important management system discipline. It pushes organizations to define roles, document controls, monitor performance, conduct periodic reviews, and drive continual improvement. In other words, it helps turn AI governance into an operating system rather than a one-time project.

For compliance professionals, the lesson is clear. Use ECCP to define what effectiveness and accountability should look like. Use NIST AI RMF to structure the risk analysis. Use ISO 42001 to embed the resulting controls into a repeatable management process.

Proof of Governance in the AI Era

The deeper point is that AI concentration risk is no longer a hidden architecture issue. It is a test of whether the compliance function can help the enterprise identify dependencies before they fail. Under the ECCP, regulators are not simply asking whether a company had good intentions. They are asking whether it identified real risks, assigned responsibility, implemented controls, tested those controls, and learned from experience.

That is why AI concentration risk matters so much. It reveals whether the company understands how fragile its AI-enabled processes may be. It reveals whether third-party governance is keeping up with technological dependence. And it reveals whether compliance is engaged early enough to shape resilience rather than merely respond to disruption.

For the modern CCO, this is not a niche issue. It is a live example of how compliance adds value by helping the company operationalize governance before a crisis arrives.

Conclusion

In the end, AI concentration risk is not about servers, chips, or software contracts. It is about whether a company understands its vulnerabilities and has the discipline to govern them before they become failures. That is the heart of modern compliance. The issue is not whether disruption will come. The issue is whether your organization has done the hard work in advance to map dependency, build resilience, assign accountability, and prove that its controls can hold under pressure.

That is why this issue belongs squarely on the CCO’s agenda. Under the ECCP, a company must do more than claim it takes risk seriously. It must show its work. It must show that it identified the risk, assessed it, built controls around it, tested those controls, and updated them as the business evolved. The NIST AI Risk Management Framework and ISO/IEC 42001 help provide the structure. But the real challenge, and the real opportunity, belongs to compliance.

Because in the AI era, concentration risk is not merely a technical fragility. It is a governance signal. And the companies that can identify it, manage it, and document it will not only be more resilient. They will be able to demonstrate something even more valuable: that their compliance program is working exactly as it should.


The Game Is Afoot in Compliance: Why Sherlock Holmes Still Matters to the Modern Compliance Professional

It is with no small amount of pride that I announce the publication of my latest book, The Game Is Afoot in Compliance. The book was sponsored by Gan Integrity. There is a reason Sherlock Holmes still resonates with compliance professionals. It is not nostalgia. It is not literary charm. It is not Victorian fog and deerstalker hats. It is a method.

That is what makes The Game Is Afoot in Compliance such a compelling contribution to the compliance profession. The book’s central insight is that Holmes gives us more than a detective story. He gives us a way to think. He gives us a discipline of observation, skepticism, rigor, and moral clarity that aligns remarkably well with the Department of Justice’s expectations for a modern compliance program.

For Chief Compliance Officers, compliance practitioners, boards, internal audit, and legal, that is the real message. Holmes is not a gimmick. Holmes is a framework. In the book, each of the four Holmes novels maps onto a core compliance discipline. Taken together, they form a coherent approach to designing, testing, and leading a best-practices compliance program.

We start with A Study in Scarlet. The lesson here is investigation. Holmes insists on evidence before theory. He refuses to let assumptions drive conclusions. He follows facts, not narratives. That is as close as one can get to the DOJ’s current expectations. Under the 2024 Evaluation of Corporate Compliance Programs, the DOJ is not interested only in whether a company can identify a problem. It wants to know whether the company can investigate thoroughly, understand what happened, determine why it happened, and use that knowledge to improve going forward. The FCPA Resource Guide makes the same point differently. A compliance program must work in practice, and a credible investigative function is a large part of proving that.

Holmes would understand that immediately. He would also understand root cause analysis. The novel A Study in Scarlet is not simply about solving a crime. It is about going deeper than the surface event and uncovering the human, structural, and historical causes beneath it. That is precisely what compliance officers must do. Misconduct rarely appears out of nowhere. It is usually the product of pressure, weak controls, cultural tolerance, or a failure to act on warning signs.

Then comes The Sign of Four. Here, the lesson is signals, data, and decision-making. Holmes’ genius was not that he had more information than everyone else. It was that he knew how to distinguish signal from noise. That may be the most important compliance lesson of all in 2026. Every company today is awash in data. The issue is not access. The issue is architecture, judgment, and discipline.

This is where The Game Is Afoot in Compliance becomes particularly timely. The book connects Holmes to data analytics, pattern recognition, communication, and ongoing monitoring. That is exactly where the compliance profession has moved. The best programs use data to identify anomalies, test controls, and surface risks before they become enforcement matters. But data alone is not enough. Holmes reminds us that human judgment still matters. Someone has to ask the right question. Someone has to notice the odd payment, the missing approval, the relationship that makes no sense, or the policy exception that keeps repeating.

Boards should take note here as well. Board oversight in compliance is not passive. Directors should be asking whether the company has information flows that produce timely, useful, and actionable insights. They should ask whether the compliance function can convert data into decisions. They should ask whether management can explain what it is monitoring, why it is monitoring it, and what it has learned from that work. A dashboard without analysis is decoration. Holmes would have no patience for decorative oversight.

In The Hound of the Baskervilles, I turn to third-party risk and accountability. This may be the most direct compliance analogy in the entire book. The great danger in The Hound is not simply the hound itself. It is the myth surrounding it. People accept the legend. They stop asking hard questions. They allow fear and assumption to take the place of inquiry. How often does that happen in business? “That distributor has been with us forever.” “That agent knows the local market.” “That is how business gets done there.” Those are the modern legends of the Baskerville moor. In compliance, they are red flags wrapped in habit.

The FCPA Resource Guide is crystal clear that risk-based due diligence on third parties is essential. The DOJ has repeatedly emphasized that onboarding due diligence is not enough. Companies must monitor. They must test. They must revisit. The book makes exactly that point through Holmes: trust without verification is not trust. It is negligence.

This is also where independence comes in. Holmes often solved the problem because he was willing to step back from accepted narratives and popular opinion. The compliance function must have that same independence. It must be empowered, adequately resourced, and able to challenge business assumptions. If compliance is too close to the business to question it, then the program is already standing in the Grimpen Mire.

Finally, The Valley of Fear gives us the lessons of a speak-up culture, whistleblower protection, and controls on retaliation. This is perhaps the most urgent message in the book. Fear kills truth. It silences witnesses. It protects wrongdoers. It allows misconduct to metastasize. I use The Valley of Fear to show that a hotline alone is never enough. Regulators now expect proof that employees can raise concerns safely, that those concerns are investigated fairly, and that retaliation is prevented and punished. The ECCP makes this explicit. Companies must demonstrate that their reporting system is trusted and that appropriate controls are in place to prevent retaliation.

This is where leadership and board oversight become inseparable from culture. Tone at the top still matters, but so does conduct in the middle and response at the bottom. Employees watch what happens when someone raises a concern. They watch whether the reporter is protected. They watch whether the issue disappears. Every response is a cultural signal. That is one reason I wanted to write The Game Is Afoot in Compliance, and why I believe it is valuable for the compliance professional. It reminds us that compliance is not only about structure. It is about posture. Holmes teaches posture. He teaches curiosity over complacency. Evidence over assumption. Courage over convenience. Truth over comfort. Those are not literary flourishes. They are operational requirements for an effective compliance program.

The larger point is this: Holmes gives compliance professionals a mindset that fits modern enforcement expectations. The DOJ wants programs that work in practice. The FCPA Resource Guide calls for risk-based, dynamic, and grounded programs. Boards are increasingly expected to oversee not merely whether a program exists, but whether it is effective. In that environment, The Game Is Afoot in Compliance lands at exactly the right time.

It is a book launch with a larger purpose. It does not simply promote Sherlock Holmes as an entertaining analogy. It positions Holmes as a serious guide for the modern compliance professional. Because at the end of the day, the best compliance officers are detectives of culture, analysts of systems, skeptics of easy answers, and guardians of institutional integrity. In other words, they are Holmesian.

And that is why this book matters.

5 Key Takeaways

  1. The Game Is Afoot in Compliance shows that Holmes provides a practical framework for modern compliance, not just a literary metaphor.
  2. A Study in Scarlet teaches the value of evidence before theory, rigorous investigation, and root cause analysis.
  3. The Sign of Four demonstrates that data only becomes useful when it is translated into disciplined monitoring, sound judgment, and defensible decisions.
  4. The Hound of the Baskervilles is a powerful lesson in third-party risk, independence, and the danger of letting myth or business custom replace due diligence.
  5. The Valley of Fear reminds us that fear and retaliation destroy speak-up culture, and that regulators now expect companies to prove their systems protect those who raise concerns.

You can purchase a copy of The Game Is Afoot in Compliance from Amazon.com. The book is sponsored by Gan Integrity and features a foreword by Karen Moore. Gan Integrity is sponsoring a road show, The Integrity Road, highlighting the book and each novel as a launching point for a larger discussion of compliance in 2026. The schedule is:

Tuesday, April 21, in NYC, where we will discuss A Study in Scarlet and Investigations.

Tuesday, April 28, in San Francisco, where we will discuss The Sign of Four and AI in Compliance.

Tuesday, May 19, in London, where we will discuss The Hound of the Baskervilles and Third-Party Risk.

You can register and find out more information here.


GSK In China: 13 Years Later – GSK in China: The Compliance Breakdown That Still Echoes 13 Years Later

Thirteen years after the GSK China scandal exploded onto the global stage, its lessons remain as urgent as ever for compliance professionals and business leaders. In this podcast series, we revisit the case not simply as corporate history, but as a living cautionary tale about culture, incentives, third parties, investigations, and governance. Each episode explores what went wrong, why it went wrong, and how those failures still echo in today’s compliance and ethics landscape. Join me as we unpack the scandal and draw practical lessons for building stronger, more resilient organizations. In this inaugural episode, we take a deep dive into the 2013 GSK China bribery scandal and examine why it remains one of the most important case studies in corporate compliance, governance, and culture. Our hosts are Timothy and Fiona.

We unpack how a global pharmaceutical giant was alleged to have used travel agencies, fake conferences, false VAT receipts, and targeted marketing programs to channel illicit payments to doctors, officials, and other intermediaries, all while an internal whistleblower warning and a four-month internal investigation failed to detect the misconduct. The episode also explores the tension between polished global compliance structures and compromised local execution, showing how incentives, third-party relationships, and regional sales pressure can overwhelm formal controls. Most importantly, it asks a question that remains urgent today: are corporate compliance systems truly designed to find the truth, or can they create a false sense of security that allows misconduct to flourish undetected?

Key highlights:

  • The scale of the alleged misconduct was enormous.
  • Third parties were central to the scheme.
  • Internal controls failed when they were needed most.
  • Corporate culture and incentives drove the risk.
  • Why the lessons are still highly relevant today.

Resources:

GSK in China: A Game Changer for Compliance on Amazon.com

GSK in China: Anti-Bribery Enforcement Goes Global on Amazon.com

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Ed. Note: The voices of the hosts, Timothy and Fiona, were created by Notebook LM based upon text written by Tom Fox.


The Hobson FCPA Trial: Commissions, Coded Cash, and the Compliance Risk Indicators

The Foreign Corrupt Practices Act (FCPA) trial of a former coal company executive offers a real-time reminder that FCPA cases are rarely about a single payment. They are about systems: how third parties are engaged, how commissions are justified, how money moves, and how people communicate when they think no one is watching. The trial of former Corsa Coal executive Charles Hunter Hobson has featured opening statements from both sides, testimony from a cooperating former colleague, testimony from an FBI agent who reviewed messages and bank records, and expert testimony on the status of the foreign counterparty and the legality of bribery under Egyptian law.

Prosecutors have advanced a bribery theory based on inflated commissions paid to a sales agent, with kickbacks allegedly returning to the executive. Defense counsel has argued a lack of knowledge, a lack of control over the agent’s downstream conduct, and challenges around whether the foreign buyer qualifies as a state-owned enterprise for FCPA purposes. At this point, the defense has not presented its case-in-chief, so it is unknown whether the defendant will testify. The value for compliance professionals lies in seeing how ordinary-seeming commercial mechanics are translated into an FCPA narrative before a jury.

The Prosecution Narrative: High Commissions, Bribes to “the Team,” and Business Won

In opening arguments, prosecutors told jurors that the company’s Egypt-based agent received higher-than-normal commissions and used a portion of those payments to bribe officials connected to the buyer, Al Nasr, in exchange for coal purchase contracts valued at roughly $143 million. Prosecutors further alleged that the agent paid $4.8 million to individuals described as government employees or employees of a state-owned business, and that the executive received approximately $200,000 in kickbacks.

In the government’s telling, this was not incidental. It was purposeful: pay the agent more than market, allow the agent to distribute those funds to secure business, and then share the proceeds back to the executive. The business obtained through the relationship and the revenue tied to those contracts form the “benefit” side of the alleged corruption equation. The alleged bribe payments and kickbacks form the “means.”

For compliance professionals, the risk indicator is not merely “third party in a high-risk market.” It is the combination of (1) pricing and award dynamics, (2) commission pressure, (3) coded communications, and (4) money movement patterns that appear designed to avoid normal transparency.

The Defense Narrative: No Direction to Bribe, No Control After Payment, and Disputed Knowledge

The defense has pressed a different story: that the executive did not hire the broker, did not personally pay him, and did not direct bribery; that once commissions were paid, the company did not control what the agent did with his earnings; and that the executive did not know or believe the buyer was government-affiliated at the relevant time.

Defense counsel also highlighted practical gaps a jury may notice: the absence of testimony from the foreign agent and foreign officials, and the difficulty of proving what happened abroad when the investigation is largely built on U.S.-available records. This posture is familiar in many FCPA matters: the defense seeks to separate commission payments from corrupt intent and to isolate the alleged misconduct to a third party’s independent actions.

The risk indicator here is the argument itself: organizations routinely assume that once a third party is paid, the risk transfers with the money. That is not true in compliance or under the FCPA. Such an approach will not sit well with the DOJ when there is evidence suggesting knowledge, willful blindness, or coded coordination.

Third-Party Risk: Onboarding, Commission Benchmarking, and Relationship Ownership

Across the testimony elicited to date, the third-party storyline turns on three governance pressure points: how the agent was onboarded, how commission levels were justified, and who “owned” the relationship operationally. A cooperating former colleague of the defendant testified that the commissions were unusually high compared to industry norms and described communications he interpreted as references to individuals who needed to be “taken care of,” including discussions about keeping commissions high to support pricing and approvals. That is the heart of third-party compliance risk: when the commission structure becomes the economic channel through which influence is allegedly purchased, the company’s controls on justification, approvals, and monitoring become central to how the story is told to a jury.

State-Owned Enterprise and Egyptian Law: Why It Matters and What the Jury Heard

A key FCPA element is whether the recipients are “foreign officials,” which can include employees of state-owned enterprises. The DOJ presented expert testimony that the buyer was a public entity under Egyptian law and that bribery involving public officials is illegal under the Egyptian Penal Code. The defense challenged the expert’s treatment of Egyptian corporate structure and attempted to undermine the legal framing by citing academic discussions of corruption as socially prevalent, an approach the court rejected while allowing limited exploration of the distinction between written law and real-world practice. For compliance professionals, the risk indicator is straightforward. If your counterparty’s status as state-owned is ambiguous, you must assume that ambiguity will be litigated, and prosecutors will use foreign-law testimony to make the entity’s status legible to a U.S. jury.

The Money Trail: How the Government Says Funds Moved and Why It Matters

The most operationally revealing testimony described in coverage to date comes from the FBI agent who reviewed communications and financial records. The government presented a picture of commerce and payments operating in parallel:

  1. Commercial negotiation and commission splitting. Messages allegedly mixed coal pricing discussions with references to commission allocations associated with initials that the agent said corresponded to individuals at the foreign buyer and to the two principals themselves. The government’s point was not merely that commissions were paid; it was that commissions were structured and discussed in a manner consistent with the intended distribution.
  2. Coded references to cash and timing pressure. The phrase “Mr. Yen” was presented as a coded term for money, with messages allegedly asking for “Mr. Yen” by a certain day and asking whether it would be in U.S. dollars. In the government’s narrative, the coding supports consciousness of wrongdoing and intent to conceal.
  3. Use of informal transfer mechanisms and offshore touchpoints. Testimony referenced Western Union transfer records and a Dubai-based company, with messages and timing tied to travel and financial activity. The government described the executive receiving money through these channels, including activity linked to a Dubai entity and subsequent movement of funds to a U.S. entity sharing the executive’s address.
  4. Invoice construction to facilitate payment. The jury heard about exchanges in which an invoice was drafted for a substantial payment (described as $150,000), including efforts to create documentation, such as a business seal, and then a wire to the Dubai entity, followed by the transfer of a large portion of the funds.

The compliance relevance of this money trail is not that every company has Dubai entities or international wires. The relevance is that prosecutors can take a set of operational steps that may be individually explainable and argue that, taken together, they show an intent to route funds in ways that obscure purpose and beneficiaries. In a trial context, the story is built from the alignment of sequencing, communications, and financial records.

Conclusion

The Hobson trial, at this point, is a live demonstration of how an FCPA case can be built from a combination of commission economics, business obtained, communications, and money movement. Prosecutors say inflated commissions funded bribes and that kickbacks flowed back to the executive; the defense says the executive did not direct bribery, did not control the agent’s conduct after payment, and did not know the buyer’s alleged government affiliation at the time.

For the readers of this Blog, the value is not in sensational details. The value is in the compliance risk indicators that a jury is now being asked to interpret: what was said, what was paid, how it was routed, and what business it helped secure. That is the terrain where compliance programs either demonstrate discipline or discover, far too late, that “commissions” can become the government’s favorite word for “bribery.”

Resources

All Law360 articles written by Matthew Santoni. Unfortunately, a subscription is required to access the articles.

Coal Exec Used ‘Mr… Yen’ To Talk Kickbacks, FBI Testifies

Egypt’s ‘Social Law’ Doesn’t Endorse Bribery, Jury Told

Coal Exec’s Co-Worker Says Emails Hinted At Egypt Bribes

Coal Exec Knew Egyptian Broker Paid Bribes, Jury Told

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – Third Party Risk Management Process

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 20 episode, we delve into third-party risk management, a crucial aspect of corporate compliance under the FCPA.

Key highlights:

  • Introduction to Third-Party Risk Management
  • The Five Steps of Third-Party Risk Management
  • Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
FCPA Compliance Report

FCPA Compliance Report – Virna Di Palma on The Evolution of Third-Party Risk Management and the Role of AI

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Virna di Palma, Head of Global Content and Brand at Ethixbase360.

Virna offers insights into her extensive background in third-party risk management, with a focus on FCPA compliance and the evolution of due diligence. They discuss the ongoing importance of third-party risk management, recent shifts in FCPA enforcement, and the growing impact of new regulations on corporate compliance. Virna highlights the transformative role of automation and AI in enhancing compliance programs while emphasizing the need for human analysis. The conversation also addresses emerging issues, such as modern slavery and sustainability, and explores how organizations can optimize investments in risk management to drive business growth and resilience.

Key highlights:

  • Importance of Third-Party Risk Management
  • Impact of FCPA Enforcement Pause
  • Technological Advancements in Compliance
  • Human Rights and Modern Slavery
  • Future of Third-Party Risk Management

Resources:

Virna Di Palma on LinkedIn

Ethixbase360

Tom Fox


Categories
Blog

Third-Party Due Diligence: Five Lessons from Star Trek’s The Mark of Gideon

In the modern compliance landscape, third-party due diligence is not optional but essential. Regulators from the DOJ to the SFO have made it clear: if your business partner is involved in misconduct, you are on the hook if you did not take reasonable steps to know who you were dealing with.

Few pop culture moments capture the risks of blind engagement as vividly as Star Trek: The Original Series’ “The Mark of Gideon.” In this episode, Captain Kirk beams down to what he believes is the planet Gideon for diplomatic talks—only to find himself aboard what appears to be an empty Enterprise. What follows is a masterclass in the dangers of walking into a deal without verifying the facts. For compliance professionals, Gideon’s deception is the perfect allegory for the hazards of onboarding a third party without a thorough vetting process. Let’s break down five key lessons.

Lesson 1: Verify the True Identity of Your Counterparty

Illustrated By: When Kirk believes he is beamed down to Gideon, he is actually inside a replica of the Enterprise. The Gideonites have created this fake environment to isolate him for their purposes.

Compliance Lesson. If you do not confirm the true identity of a third party, you may find yourself dealing with a façade. Shell companies, undisclosed beneficial owners, and entities with misleading corporate registrations are the corporate world’s “empty Enterprise.” Always confirm a third party’s corporate existence and ownership through independent sources. This means checking official registries, using reliable due diligence databases, and, when needed, engaging investigative firms to trace beneficial ownership. Without these checks, you risk contracting with a front for illicit activity.

Lesson 2: Understand the Real Motives Behind the Partnership

Illustrated By: The Gideonites’ true purpose is not peaceful diplomacy; instead, they want to infect their overpopulated planet with a deadly virus carried by Kirk. They present their plan as a noble solution to their problem, but it’s built on deception and exploitation.

Compliance Lesson. Third parties sometimes have agendas that differ sharply from what they present. They may seek access to your brand to legitimize questionable practices, gain entry to restricted markets, or launder illicit funds. Beyond standard questionnaires, compliance teams should assess the commercial rationale for the relationship. Why do they want to work with you? Who else do they do business with? Are their financials consistent with the scale of the deal? If their motives don’t align with your values and compliance commitments, that is a red flag.

Lesson 3: Never Rely Solely on What the Other Party Tells You

Illustrated By: Kirk repeatedly asks the Gideonites to explain what is happening, but their answers are vague, evasive, and occasionally contradictory. They hope his lack of information will keep him compliant long enough to serve their plan.

Compliance Lesson. Self-reported information from a potential third party should be viewed as one data point, not the whole picture. Misrepresentations are common, whether deliberate or due to internal ignorance. Cross-verify all claims with independent checks, customer references, industry reputation research, litigation and sanctions screening, and on-site visits when possible. If the only source for a claim is the counterparty itself, your risk exposure rises dramatically.

Lesson 4: Assess the Operating Environment Before Engagement

Illustrated By: The Gideonites hide the actual conditions on their planet. Kirk learns later that Gideon is overcrowded to the point of people standing shoulder-to-shoulder, unable to move freely. Had this been disclosed, he would have understood the real risks before arriving.

Compliance Lesson. A third party’s operating environment, political stability, corruption levels, and regulatory enforcement directly affect your compliance risk. Entering into a business relationship without assessing this environment is akin to beaming down blind. Incorporate country risk analysis into your process. Use resources like Transparency International’s Corruption Perceptions Index, U.S. State Department human rights reports, and local legal counsel. An otherwise legitimate partner in a high-risk jurisdiction requires enhanced due diligence and monitoring.

Lesson 5: Build Exit Strategies Into the Relationship

Illustrated By: Once Kirk understands the Gideonites’ true intentions, he must escape the replica Enterprise to stop their plan. Without a clear route back to his crew, he risks being trapped indefinitely.

Compliance Lesson. Some third-party relationships turn sour despite your best due diligence efforts. Whether due to leadership changes, shifts in political conditions, or the surfacing of previously hidden misconduct, you need a plan to disengage without disrupting your operations. Include termination clauses tied to compliance breaches in your contracts. Maintain operational flexibility so you can pivot to alternate suppliers or partners if needed. Regularly re-screen third parties to ensure ongoing compliance, not just a one-time check at onboarding.

Final ComplianceLog Reflections

In The Mark of Gideon, the Enterprise crew’s lack of verified intelligence before Kirk’s “beam down” mirrors what happens when companies rush into a third-party relationship to seize a perceived opportunity. The Gideonites knew how to manipulate the Federation’s diplomatic eagerness. Likewise, unscrupulous partners today exploit companies’ urgency to enter new markets or secure rare supply chains.

The lesson? Due diligence is not a delay; it is a safeguard. The few extra weeks spent vetting a partner can prevent years of litigation, regulatory penalties, and reputational damage.

“The Mark of Gideon” is not just a quirky Star Trek morality tale. It is a warning for every compliance professional. Without thorough third-party due diligence, you risk waking up in a corporate “replica Enterprise,” surrounded by partners whose true motives only become clear when it’s too late.

Your job as a compliance officer is to ensure the company doesn’t act blindly. By verifying identities, probing motives, cross-checking information, assessing environments, and building exit strategies, you safeguard your organization’s reputation and operational integrity. In short: trust, but verify, especially when the other side is as smooth-talking as the people of Gideon.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Internal Controls for Third Parties

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode: how to design internal controls that are specific to third parties.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
Upping Your Game

Upping Your Game – Harnessing AI to Revolutionize Third-Party Risk Management

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs going forward. Hui Chen challenged compliance professionals with the statement, “It’s time to up your game.”

This podcast series, sponsored by Ethico and co-hosted by Ethico co-CEO Nick Gallo, aims to meet Hui Chen’s challenge for compliance professionals. We will discuss how compliance professionals can ‘Up Their Game’ by utilizing currently existing Generative AI (GenAI) tools to significantly enhance their compliance programs. As compliance professionals, it is crucial to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

In this episode, Tom and Nick delve into the transformative potential of AI in mitigating third-party compliance risks. They discuss the inherent limitations of traditional compliance methods, which are often reactive and manual. The conversation highlights how AI can streamline processes, minimize false positives, and boost efficiency by offering real-time monitoring and data analysis. They also highlight the broader business value of AI, which can expedite onboarding, enhance risk identification, and ultimately drive greater return on investment (ROI). They conclude that investing in AI training for compliance teams is essential to staying ahead of the curve and maximizing the benefits of these emerging technologies.

Key highlights:

  • Challenges in Third-Party Risk Management
  • AI as a Game Changer
  • Types of Third-Party Risks
  • Business Value of AI in Compliance
  • Innovations and Tools in AI
  • Practical Applications and Examples

Resources:

Upping Your Game: How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico

Tom Fox
