Tag: Venezuela

Categories
Blog

Returning to Venezuela: Part 5 – AML Risk and the Final Compliance Test

In this five-part series, I have walked through the core compliance risks US energy companies will face as they consider a return to Venezuela. We began with bribery and corruption and the long shadow of PdVSA (Parts 1 & 2). We moved through export controls (Part 3), security risks (Part 4), and the broader operational and strategic challenges of working in one of the most complex risk environments in the world. But this final post is different. Money laundering risk is not simply another risk category. It is the connective tissue that binds all the others together.

If bribery is how improper value enters the system, money laundering is how it is disguised, moved, and legitimized. If export control violations create pressure to reroute goods or payments, money laundering techniques make that rerouting possible. If security risks require local intermediaries, cash payments, or opaque vendors, those same decisions create AML exposure. For the compliance professional, money laundering risk in Venezuela is the capstone test of whether the program actually works.

The Regulatory Frame: FinCEN, ECCP, and Correspondent Banking Reality

Any AML discussion must start with expectations. US regulators have been explicit. The AML program pillars articulated by the Financial Crimes Enforcement Network (FinCEN) are not optional abstractions. They are operational requirements: risk-based controls, internal policies, independent testing, training, and designated responsibility.

Overlay that with the Department of Justice Evaluation of Corporate Compliance Programs (ECCP), which asks whether controls are designed, implemented, tested, and actually effective. Then add the reality of correspondent banking risk. Even if a US energy company does not directly move funds through US banks, its banking partners will apply US standards. Banks do not absorb Venezuela’s risk on behalf of their customers. They de-risk. Compliance failures upstream become frozen accounts downstream. This is why AML must be treated as an enterprise risk, not a compliance side project.

Operating Under Licenses Does Not Reduce AML Risk

This blog assumes that operations occur under general licenses, specific licenses, or wind-down authorizations issued by the Office of Foreign Assets Control. That matters for sanctions analysis, but it does not reduce AML exposure. Licenses permit activity. They do not cleanse counterparties, validate payment flows, or excuse weak controls. In fact, licensed activity often attracts heightened scrutiny because regulators know companies will push forward aggressively once permission is granted.

In Venezuela, licensed operations still involve high-risk state actors, politically exposed persons, weak financial institutions, and a long history of financial opacity. From an AML perspective, licenses are a starting gun, not a shield.

PdVSA as a Multi-Vector AML Risk

As we have previously noted, PdVSA must be treated not as a single counterparty risk but as multiple overlapping AML risk vectors. First, there is trade-based money laundering. Oil shipments are uniquely vulnerable to pricing manipulation, volume misstatements, phantom cargoes, and circular trading. In Venezuela, these risks are amplified by distressed infrastructure, a history of sanctions, and reliance on intermediaries.

Second, there is an intermediary risk. Shipping companies, charterers, port agents, and customs facilitators often operate through layered ownership structures. The farther one moves from the wellhead, the less transparency exists. Third, there is a risk to the payment structure. Delayed payments, in-kind arrangements, and third-country settlement accounts create fertile ground for laundering illicit proceeds. When oil becomes currency, AML controls must follow the barrel, not the invoice.

Venezuelan, Crypto, and Third-Country Banking Risk

Venezuelan banks operate under severe constraints. Many lack robust AML systems, and even well-intentioned institutions face talent shortages and technology gaps. As a result, payments often move through third-country banks. These arrangements create several red flags: unusual routing, non-USD transactions, inconsistent settlement timelines, and opaque beneficiary information. Each red flag increases the likelihood of SAR filings and banking friction. Compliance professionals must understand that correspondent banks apply their own risk lens. If they are uncomfortable, they will exit. That operational disruption becomes a compliance failure.

Crypto and alternative payment mechanisms are not edge cases in Venezuela. They are practical responses to currency instability, banking limitations, and sanctions pressure. From an AML standpoint, crypto introduces wallet anonymity, cross-border velocity, and limited recourse once funds move. Any use of crypto, whether by the company or its third parties, must be explicitly prohibited or tightly controlled. Silence is not neutrality. Silence is exposure.

Third Parties: Where AML, Bribery, and Security Collide

Local agents, logistics providers, customs brokers, and security vendors represent the highest combined risk in Venezuela. These third parties often operate in cash-intensive environments, maintain close ties to government actors, and perform functions critical to business continuity. Family-owned and politically connected vendors demand enhanced due diligence. That means beneficial ownership verification, source-of-funds analysis, ongoing monitoring, and contractual audit rights. Initial diligence alone is insufficient. Relationships evolve, and risk escalates quickly.

This is where the bribery blog, the security blog, and this AML blog converge. The same third party that creates bribery risk also creates money laundering risk. Controls must be integrated, not siloed.

The Operational Reality: This Is Manageable If You Manage It

Despite these risks, this is not a counsel of despair. US companies have operated in high-risk jurisdictions before. The key is realism. AML programs in Venezuela cannot rely on annual certifications, static risk assessments, or generic policies. They require transaction-level visibility, real-time escalation, and empowered compliance personnel. Friction with the business is inevitable and necessary.

Venezuela-Specific AML Operational Checklist

Below is a practical, compliance-focused checklist for operating in Venezuela:

Risk Assessment

  • Conduct a Venezuela-specific AML risk assessment tied to operations, not geography alone
  • Map payment flows end-to-end, including third-country routing
  • Identify trade-based money laundering scenarios tied to oil shipments

Policies and Controls

  • Prohibit unauthorized crypto usage explicitly
  • Require documented economic justification for all intermediaries
  • Establish clear escalation thresholds for delayed or rerouted payments

Third-Party Due Diligence

  • Perform enhanced due diligence on all local agents, logistics providers, customs brokers, and security vendors
  • Verify beneficial ownership and political exposure
  • Assess the source of funds and expected transaction behavior

Transaction Monitoring

  • Monitor oil pricing, volumes, and delivery discrepancies
  • Flag unusual settlement patterns or changes in banking instructions
  • Integrate AML alerts with sanctions and export control monitoring

Training and Culture

  • Provide targeted AML training for operations, finance, and procurement teams
  • Reinforce speak-up mechanisms tied to payment and logistics concerns

Testing and Auditing

  • Conduct targeted audits focused on high-risk transactions
  • Test controls against realistic laundering typologies
  • Document remediation and program enhancements

AML as the Series Capstone

This series has shown that returning to Venezuela is not a single compliance decision. It is a systems test. Money laundering risk sits at the center of that test because it exposes weaknesses everywhere else. If your AML program can function effectively in Venezuela, it can function anywhere. If it cannot, no license, policy, or assurance letter will save it. This is doable. But only if compliance is brought in early, appropriately resourced, and empowered to say yes, if.

Categories
Blog

Returning to Venezuela: Part 4 – From Physical Security to Enterprise Risk

In this five-part series, I have walked through the core compliance risks US energy companies will face as they consider a return to Venezuela. We began with bribery and corruption and the long shadow of PDVSA (Parts 1 & 2), then moved to export controls (Part 3).

Today, we consider the security risks and the broader operational and strategic challenges of working in one of the most complex risk environments in the world. For many compliance professionals, “security” still conjures images of guards, gates, and cameras. It is treated as an operational afterthought or a line item buried somewhere between facilities and travel. The conversation I recently had with Marc Duncan, COO at Salus Solutions, should permanently disabuse compliance officers, boards, and senior executives of that narrow view. As Duncan describes it, security is not a physical function. It is an enterprise risk discipline. It is continuous monitoring at its purest. And it is inseparable from culture, governance, and decision-making authority.

For compliance professionals, especially those operating globally or in volatile environments, this conversation offers a masterclass in how risk really works when theory collides with reality.

The First Compliance Failure: Thinking You Already Know the Risk

One of the most striking observations Duncan makes is also one compliance professionals hear far too often after a failure: “We did not see that coming.” As Duncan notes, that usually means the organization was not looking. They had a preconceived notion of their threats, locked onto a narrow risk model, and failed to challenge their assumptions. This is a classic compliance failure. Risk assessments that confirm management’s beliefs instead of testing them are not risk assessments. They are comfort exercises.

True threat assessment, whether physical, cyber, financial, or reputational, begins with abstraction. You step back, examine the environment holistically, and then break it down across functions. Duncan’s approach mirrors what the DOJ expects from a mature compliance program: financial risk, personnel risk, operational risk, cyber risk, structural risk, and external conditions assessed together, not in silos. Compliance professionals should take note. If your risk assessment is static, annual, and checklist-driven, you are already behind.

An additional framework compliance professionals should consider integrating into this approach is Threat and Hazard Identification and Risk Assessment (THIRA). While THIRA originated in the public sector and homeland security context, its core discipline translates directly to corporate compliance and enterprise risk management. THIRA forces organizations to first identify credible threats and hazards, assess their likelihood and impact, and only then evaluate existing capabilities and gaps. The discipline prevents the most common compliance failure: designing controls around assumed risks rather than actual ones.

A THIRA has three key steps:

  • Identify Threats and Hazards: Identify the threats and hazards that could impact them. These can include natural disasters such as hurricanes and earthquakes, technological hazards such as power outages, and human-caused events such as terrorism.
  • Assess Impacts: Once threats and hazards are identified, assess the potential impacts of these events. This involves understanding how these threats could affect people, property, and the environment.
  • Determine Capabilities: Based on the assessed impacts, determine the capabilities they need to address these threats and hazards. This includes identifying gaps in current capabilities and planning for resource allocation and training.

Used properly, THIRA complements a compliance risk assessment by grounding it in real-world scenarios, stress-testing assumptions, and aligning resources to consequence rather than convenience. In practice, compliance teams can use THIRA-style analysis to model disruptive events, validate whether policies and response plans would function under pressure, and ensure that authority, communications, and escalation protocols actually work in dynamic conditions. Like Duncan’s threat hub, THIRA is most effective when it is iterative, cross-functional, and embedded into daily decision-making rather than treated as a one-time exercise.

Continuous Monitoring Is Not a Buzzword in a Crisis Zone

In compliance circles, we often talk about continuous monitoring and continuous improvement. In high-risk environments, Duncan explains, these are not aspirational concepts. They are daily survival requirements. Threats change by the hour. Routes become unsafe. Infrastructure fails. Information degrades. Misinformation spreads intentionally. As Duncan makes clear, relying on sanitized reports or publicly available data alone is insufficient, particularly in places like Venezuela, where reliable information can be scarce and manipulated.

For compliance professionals, the parallel is obvious. If your organization relies solely on lagging indicators, static dashboards, or once-a-year training, you are operating on yesterday’s intelligence. A mature compliance program must be dynamic, responsive, and empowered to change course quickly.

Authority Matters More Than Policy

One of the most underappreciated insights in the discussion is the emphasis on delegated authority. Duncan is blunt: security teams must be empowered to make changes on the fly. Operations teams often resist this because they have a plan for the day. But rigid plans fail in dynamic environments. Compliance professionals should see themselves clearly in this description. How often does compliance identify a risk, only to be overruled by operational convenience? How often does policy exist without authority to enforce or adapt it?

This is not merely an execution issue. It is a governance failure. If compliance, security, or risk professionals lack real authority, then the program exists in name only.

Boards Are Often the Weakest Link

Perhaps the most candid portion of the conversation is Duncan’s discussion of boards of directors. Boards understand that risk exists, but they often do not understand their lane. Worse, they sometimes overstep based on assumptions rather than expertise, thereby influencing the organization’s security and risk culture to its detriment. This should resonate deeply with compliance professionals. Many compliance failures originate at the policy level. Boards check in periodically, hear a summary, and move on. They rarely engage with the complexity of the operating environment or the second- and third-order consequences of their decisions.

Duncan advocates for an ongoing relationship with boards or policy groups, not episodic briefings. Education is continuous. Risk is dynamic. Governance must keep pace. For compliance officers, this reinforces a critical point: board engagement is not about presentations. It is about sustained dialogue, shared understanding, and clearly articulated risk tolerance.

Culture Is Defined by Accepted Loss

One of the most insightful compliance lessons emerges from Duncan’s discussion of risk acceptance, particularly in the energy sector. Every organization accepts some level of loss. The problem arises when that acceptance is implicit, unexamined, or outdated. Compliance professionals should recognize this immediately. Risk tolerance that is not written down, debated, and revisited becomes invisible policy. It shapes behavior without accountability.

Duncan’s approach is instructive. He pushes organizations to explicitly articulate acceptable loss, document it, and use it as a guideline. When conditions change, that tolerance must be reassessed at the policy level. This is exactly how compliance culture should function. Silence is not neutrality. It is permission.

Security Is Not Just Physical: Insider Threats and Human Risk

If compliance professionals think security stops at the perimeter, Duncan quickly disabuses them of that notion. Insider threats loom large. Alcoholism, substance abuse, personal stressors, and poor life choices can all create vulnerabilities. So can espionage, coercion, and cultural dysfunction.

This is compliance territory. Training that treats employees like mushrooms kept in the dark will fail. Effective programs connect behavior to consequences: personal, professional, financial, and reputational. Duncan’s emphasis on “wholesome” training aligns with modern compliance expectations. Employees must understand not just what is prohibited, but why it matters, how it affects the organization, and how it exposes them personally.

Partnering with Locals: A Lesson in Third-Party Risk

One of the most counterintuitive lessons for many executives is the need to partner with local communities, vendors, and even security forces. Cutting locals out of economic participation breeds sabotage and resentment. Compliance professionals should immediately recognize the parallel to third-party risk management. Isolation does not reduce risk. Engagement does. Oversight, contracts, inspections, and partnerships create shared incentives and stability.

Whether it is food supply, logistics, or perimeter security, Duncan emphasizes layered controls and local investment. This is not unlike building a resilient third-party ecosystem rather than relying on transactional relationships.

The Threat Hub: A Compliance Blueprint

Perhaps the most transferable concept for compliance professionals is the “threat hub.” Duncan describes a cross-functional, daily forum where representatives from legal, finance, operations, security, and other functions review threats, vulnerabilities, and operational changes. This is what an effective compliance program should look like. Not a standalone department issuing policies, but an integrated function embedded across the organization, sharing intelligence, and adapting in real time.

Finally, Duncan issues a challenge that every compliance officer should take seriously: crisis exercises will break you. They expose gaps in policy, logistics, communications, authority, and preparedness that no binder ever reveals. Compliance professionals often assume crisis plans are adequate because they exist. Duncan’s experience says otherwise. Without realistic testing, organizations are unprepared when it matters most.

Final Thoughts

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness—authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

Join us tomorrow for Part 5 as we conclude our series by looking at AML risks associated with returning to Venezuela.

Categories
Blog

Returning to Venezuela: Part 3 – Export Controls and the Illusion of “Reopening”

We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.

When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.

Venezuela Remains a High-Risk Jurisdiction by Design

Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.

That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.

Regulatory Enforcement Follows Politics, but Law Follows Process

One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.

This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.

Start With the Business, but Do Not Stop There

Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.

This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.

Dual-Use Risk Is Not Theoretical in Venezuela

Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.

This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.

One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.

Siloed Compliance Will Fail in Venezuela

If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.

For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.

Board Oversight Must Evolve Beyond Periodic Updates

Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:

  • What export control risks are central to this opportunity?
  • What sanctions exposure remains?
  • How are we monitoring changes in real time?
  • What is our exit strategy if conditions reverse?

The Case for a Standing Enterprise Risk Committee

Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.

Enforcement Is Coming, Not Fading

The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.

Final Thoughts

The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.

Categories
Blog

Returning to Venezuela: Part 2 – Bribery, Corruption and the Risks You Must Confront Before You Enter

We continue our review of bribery and corruption issues (ABC) that you must address before you travel to Venezuela.  There is another set of problems that every compliance professional will face if their company decides to go into Venezuela. It is systemic corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore some of the key issues every company and every CCO will face when considering whether to enter (or re-enter) Venezuela. In Part 2, I will consider the second half of the 10 ABC risks a compliance professional will face. Later in this series, we will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

In Part 1, we described the corruption environment. In Part 2, we consider what happens when companies actually try to operate inside it. This is where theory meets pressure. We begin our numbers with 6, picking up where we left off yesterday.

6. Extortion Is Not a Defense

In Venezuela, companies are often told, “You have no choice.” Payments are demanded to release cargo, protect personnel, or continue operations, sometimes thinly veiled as “fees” for expedited treatment. Venezuelan law itself recognizes extortion as a corruption offense, in which a public official abuses their position to demand an undue benefit. Under Venezuelan anti-corruption law, extortion (called concussion) carries criminal penalties and fines.

At the same time, U.S. enforcement views participation in extortion as a compliance red flag. While coercion can be a mitigating factor in narrow circumstances under the Foreign Corrupt Practices Act (FCPA) or the Foreign Extortion Prevention Act (FEPA), repeated payments, disguised invoices, or third-party routing create evidence of complicity. Deciding to pay from the field without escalation essentially decides for the company, and compliance will struggle to justify it under an ECCP review. Compliance professionals must define escalation paths, refusal protocols, and clear exit points before any signs of extortion arise. Waiting to decide “in the moment” is too late.

Compliance Response

1. Assessment Controls

  • Identify operational choke points where officials or intermediaries can halt operations, including ports, customs, checkpoints, utilities, and inspections.
  • Assess historical incidents involving detentions, delays, threats, or asset seizure tied to payment demands.
  • Map scenarios where employee safety or operational continuity could be leveraged for improper payments.

2. Management Controls

  • Establish a zero-tolerance policy for extortion payments, with narrowly defined emergency exceptions tied to imminent health or safety threats.
  • Implement pre-approved emergency response protocols for detentions, threats, or seizures.
  • Prohibit third-party routing, recharacterization, or retroactive approval of payments in the context of extortion scenarios.
  • Require contemporaneous documentation of all extortion-related incidents and decisions.

3. Monitoring

  • Track frequency, location, and duration of detentions or operational stoppages.
  • Review off-cycle, urgent, or cash payment requests for patterns.
  • Audit expense categories are commonly used to disguise extortion payments.

4. Board Oversight

  • Where are we most exposed to extortion pressure?
  • How often are emergency exceptions invoked, and are they increasing?
  • At what point do we pause or exit operations rather than continue under pressure?

7. Third Parties as the Primary Corruption Vector

In Venezuela, third parties are the everyday vectors through which corruption pressure crystallizes. Agents, customs brokers, logistics providers, security vendors, and even local fixers frequently serve as the conduit for improper value transfers. These intermediaries claim to navigate Venezuela’s opaque systems, but they also create liability if their actions result in bribery or improper advantage.

Pressure points are endemic and include:

  • Customs clearance: Goods may be held pending unofficial “service fees” or clearance bribes.
  • Port operations: Terminal operators or officials may demand payments for priority access.
  • Transportation: Toleration at checkpoints is often predicated on unofficial payments.
  • Security arrangements: Local guards or militia may demand fees for access or protection.
  • Licensing follow-up: Expediency “services” are offered at a premium.

Third parties promise solutions. They also create liability when their conduct crosses legal lines. Under the ECCP, regulators will ask whether the company understands and monitors how these third parties operate in practice, not just whether it has a diligence checklist. Paper diligence alone is insufficient where pressure is constant, and corruption vectors hide in plain sight.

Compliance Response

1. Assessment Controls

  • Classify third parties by function (customs, logistics, security, licensing), not by spend alone.
  • Identify third parties that interact directly with government officials.
  • Assess compensation structures for success fees, urgency premiums, or discretionary payments.

2. Management Controls

  • Apply enhanced due diligence to high-pressure third-party functions.
  • Require detailed, verifiable scopes of work tied to legitimate services.
  • Mandate compliance approval before onboarding or paying high-risk third parties.
  • Prohibit subcontracting or pass-through arrangements without prior written approval.

3. Monitoring

  • Conduct invoice analytics to identify duplications, rounding issues, urgency issues, or vague descriptions.
  • Monitor third-party performance against contractual scope and deliverables.
  • Review third parties involved in repeated government interactions or escalations.

4. Board Oversight

  • Which third-party functions create the greatest corruption pressure?
  • How do we verify what third parties do in practice?
  • When do we terminate a third-party relationship rather than attempt remediation?

8. Organized Crime and the Blurred Line of “Business”

In Venezuela, organized crime intersects with commerce, logistics, and even parts of the formal economy. Corruption and criminal networks often coalesce in sectors like mining, fuel distribution, and transport infrastructure, where armed groups and informal power structures exercise influence. Some of these networks are intertwined with state actors, and corruption and illicit activity can reinforce one another.

For compliance professionals, this means recognizing when business relationships drift into criminal entanglement. That drift is not always obvious at contract signing. Contracts negotiated under duress or through intermediaries with opaque ownership may conceal criminal activity. Continuous monitoring matters precisely because initial signals are subtle. The line between a vendor and a syndicate can be ecosystem-specific and may manifest in patterns of behavior, unexplained payments, or associations with known corrupt actors.

This is also where AML risk begins to dominate. When organized crime is part of the value network, it is present through smuggling rings, illicit fuel markets, or bribery conduits.  The controls for bribery, AML, sanctions, and export compliance must interlock to detect and escalate suspicious patterns.

1. Assessment Controls

  • Screen vendors and partners for criminal exposure, unusual affiliations, and opaque ownership.
  • Assess whether services operate in sectors known for illicit activity, including fuel distribution, logistics, or private security.
  • Review beneficial ownership structures and local power dynamics.

2. Management Controls

  • Integrate anti-bribery, AML, and sanctions screening for high-risk vendors.
  • Require certifications regarding lawful sourcing, operations, and subcontractors.
  • Prohibit informal arrangements, undocumented services, or side agreements.

3. Monitoring

  • Monitor for cash-intensive activity without commercial justification.
  • Track changes in ownership, management, or operational behavior.
  • Escalate associations with known illicit markets, actors, or criminal networks.

4. Board Oversight

  • How do we detect drift from legitimate commerce into criminal entanglement?
  • What triggers an immediate suspension or exit?
  • Are our controls sufficient to identify concealed criminal exposure?

9. Currency, Pricing, and Manipulation Pressure

Venezuela’s economic distortions, including exchange controls, multiple currency rates, and the scarcity of hard currency, create fertile ground for corruption. Access to U.S. dollars through official channels is tightly controlled, which historically has led companies and intermediaries to engage in schemes to secure foreign exchange at preferential rates. A notable U.S. enforcement action involved a major telecommunications subsidiary that allegedly bribed officials to gain access to a currency auction and disguised corrupt commissions through inflated equipment purchases.

These distortions become more than operational headaches. They create incentives for side payments and off-book arrangements on pricing and contracts. These practices are not just bribery issues. They implicate accounting integrity, financial reporting, AML vigilance, and sanctions exposure. Once money flows lose transparency, whether through inflated vendor invoices, opaque currency conversions, or third-party routing, compliance loses line-of-sight and control. This intersection reinforces why a compliance program must integrate transactional monitoring and financial controls alongside anti-bribery controls to detect anomalies that traditional gift/entertainment policies won’t reveal.

Compliance Response

1. Assessment Controls

  • Identify exposure to foreign exchange approvals, currency scarcity, and pricing discretion.
  • Review historical pricing anomalies or currency-related workarounds.
  • Map payment flows involving third-country or non-standard accounts.

2. Management Controls

  • Enforce strict controls over pricing adjustments and currency conversions.
  • Require joint Finance–Compliance approval for non-standard payment terms.
  • Prohibit side agreements, rebates, or off-book arrangements.

3. Monitoring

  • Monitor invoices for inconsistencies with market pricing.
  • Flag requests for alternative currencies or complex payment routing.
  • Conduct periodic reviews of foreign exchange transactions and pricing deviations.

4. Board Oversight

  • Where do currency controls create the strongest corruption incentives?
  • How do we maintain transparency in pricing and payments?
  • When does financial complexity cross into unacceptable risk?

10. Weak Rule of Law Raises the Stakes

Venezuela’s judiciary and law enforcement institutions are widely seen as politicized, under-resourced, and inconsistent in enforcing anti-corruption laws. Although the Venezuelan legal framework criminalizes extortion, passive and active bribery, and related offenses, enforcement is weak and selective. In practice, companies cannot rely on local remedies to resolve disputes or push back against corrupt demands.

This elevates the importance of internal compliance controls and pre-defined exit strategies. When there is no neutral referee, no reliable government adjudicator, and prevention becomes the only viable protection. It also means that compliance must internalize enforcement risk rather than outsource it to local authorities. A robust compliance program must include strict refusal protocols, incident documentation, real-time monitoring, and clear decision-making boundaries. Without these, companies are exposed to both local corruption risk and U.S. enforcement risk under the FCPA and allied statutes.

Compliance Response

1. Assessment Controls

  • Assume limited availability of neutral local legal remedies.
  • Identify areas where officials exercise unchecked discretion.
  • Assess reliance on informal dispute resolution mechanisms.

2. Management Controls

  • Strengthen internal documentation, approval, and escalation requirements.
  • Define clear walk-away criteria when disputes cannot be resolved lawfully.
  • Require Legal and Compliance review of all high-risk disputes and resolutions.

3. Monitoring

  • Track disputes resolved outside formal legal or contractual processes.
  • Review patterns of repeated “local solutions” or informal settlements.
  • Assess escalation timelines and resolution outcomes.

4. Board Oversight

  • Where are we relying on influence rather than process?
  • How quickly do disputes escalate to senior leadership?
  • When do we exit rather than attempt resolution?

Parts 1 and 2 of this series make clear that bribery and corruption are not peripheral risks in Venezuela. They are the entry conditions. From systemic corruption and PDVSA exposure to extortion, third-party involvement, currency manipulation, and a weak rule of law, each risk compounds the next. For compliance professionals, the lesson is not that Venezuela is impossible, but that it is unforgiving of informal controls, delayed escalation, and weak governance. Elevated risk can be managed only through disciplined assessment, operational controls, continuous monitoring, and engaged board oversight. When corruption becomes operational, however, another risk inevitably follows.

Next in Part 3 of this series, we turn to anti-money laundering, where improper value moves, hides, and metastasizes beyond corruption alone. Bribery is how improper value enters the system. Money laundering is how it moves and hides. Once corruption becomes operational, AML risk becomes unavoidable. Join us tomorrow for Part 3 in our series.

Categories
Blog

Returning to Venezuela: Part 1 – Bribery, Corruption and the Risks You Must Confront Before You Enter

When US energy companies talk about returning to Venezuela, the conversation almost always starts with opportunity. Yet the CEO of Exxon has said Venezuela is ‘uninvestible’. There is another set of problems that every corporate compliance team will face if their company decides to enter the Brazilian market. For the compliance professional, it must start with corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore key issues every company and CCO will face when considering whether to enter (or re-enter) Venezuela. In Parts 1 and 2, I will consider the top 10 anti-bribery/anti-corruption (ABC) risks a compliance professional will face. (Part 1, risks 1-5; Part 2, risks 6-10). We will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

1. Systemic Corruption Is the Baseline Condition

Risk

Venezuela is not a market where corruption appears as an exception. It is the default condition against which all business activity must be measured. For compliance professionals, this means risk assessments cannot ask whether corruption exists. They must assume it does and ask where pressure will arise. Licensing, customs, inspections, labor issues, utilities, and currency all present opportunities for improper advantage. Boards must understand this upfront. Entering Venezuela without acknowledging systemic corruption is not optimism. It is a governance failure.

Compliance Framework Response

Before addressing individual risks, the compliance function must establish baseline principles governing how risk is assessed and managed in Venezuela.

  1. Assume corruption pressure exists. The risk assessment does not ask if corruption will arise, but where and how.
  2. Controls must be operational, not theoretical. Policies without authority, monitoring, and escalation are not controls.
  3. Risk ownership must be explicit. Every risk category has a business owner, a compliance owner, and a board oversight hook.
  4. Boards govern risk; they do not run operations. Oversight is mandatory. Tactical interference is prohibited.

2. PdVSA as a Prominent and Persistent Risk

Risk

Any discussion of bribery risk in Venezuela must begin with Petróleos de Venezuela S.A. (PdVSA), which has been at the center of some of the most significant corruption schemes in modern enforcement history, involving contracts, invoices, intermediaries, and payment routing. Indeed, 10 years ago, I wrote that it would cost a fortune to schedule and confirm a meeting. But companies make the mistake of treating PdVSA as a single risk node. In reality, it is a network risk. Joint ventures, service contracts, maintenance agreements, and procurement relationships all radiate outward, exposing the organization to corruption. If your counterparty touches PdVSA, you have inherited PdVSA risk.

Compliance Framework Response

The starting point is a Venezuela-specific bribery and corruption risk assessment, refreshed whenever business scope, counterparties, or operating conditions change.

This assessment must:

  • Map all government touchpoints.
  • Identify all third parties by function, not just by name;
  • Distinguish systemic risk from transactional risk; and
  • Flag PdVSA exposure explicitly.

Outputs are not static reports. They are control design inputs.

3. Joint Ventures and Service Contracts: Shared Risk, Shared Liability

Risk

Joint ventures are often framed as risk mitigation tools. In Venezuela, they frequently do the opposite. Local partners may be politically connected. Governance structures may be opaque. Control rights may be illusory. Compliance professionals must scrutinize who appoints management, who controls procurement, and who interacts with government officials. Under the ECCP, regulators ask whether compliance has authority commensurate with risk. In a Venezuelan JV, symbolic compliance oversight is not enough.

Compliance Framework Response

1. Assessment Controls

  • Government interaction mapping by function and frequency
  • Identification of pressure points where discretion exists
  • Historical analysis of delays, denials, or unexplained variability

2. Management Controls

  • Pre-approval requirements for all government-facing interactions
  • Clear prohibitions on facilitation payments
  • Mandatory escalation for any demand tied to speed, access, or discretion

Monitoring

  • Trend analysis of approvals and delays
  • Comparison of processing times across regions or projects

1. Board Oversight Questions

  • Where do we face the highest government discretion risk?
  • What interactions cannot proceed without a compliance sign-off?

4. Procurement as the First Corruption Flashpoint

Risk

Procurement is where corruption pressure materializes fastest. Vendors expect to be paid for access. Officials expect influence. Intermediaries promise to “make things happen.” This is even more true in Venezuela. This is where third parties begin to matter and where compliance must be in place before contracts are signed. Retrospective diligence does not cure a corrupted procurement process. Boards should demand visibility into how vendors are selected, not just who they are.

Compliance Framework Response

1. Assessment Controls

  • Explicit identification of direct and indirect PdVSA touchpoints
  • Mapping of PdVSA influence over pricing, approvals, and payments
  • Review of historical enforcement patterns tied to similar structures

2. Management Controls

  • Enhanced due diligence for any counterparty touching PdVSA
  • Compliance approval of all PdVSA-facing contract terms
  • Segregation of duties around invoicing and change orders

Monitoring

  • Continuous review of intermediaries interacting with PdVSA
  • Red flag monitoring for unusual invoice timing or routing
  1. Board Oversight Questions
  2. How are PdVSA’s risks different from those of other SOEs we engage with?
  3. What controls exist beyond standard third-party diligence?

5. The Illusion of “Routine” Government Interaction

Risk

Companies often underestimate corruption risk by labeling interactions as routine: inspections, permits, customs clearances, utilities, and labor approvals. And yes, the DOJ has said it will back off on enforcement of small payments, which may be traditionally made, but in Venezuela, routine functions are often monetized.  Compliance programs must draw hard lines early and firmly.

Compliance Framework Response

1. Assessment Controls

  • Governance and control-rights analysis
  • Identification of who appoints management and controls procurement
  • Mapping of partner government relationships

2. Management Controls

  • Contractual compliance rights with audit and termination authority
  • Compliance veto power over high-risk activities
  • Mandatory training for JV-appointed personnel

Monitoring

  • Periodic compliance audits of JV operations
  • Review of partner interactions with officials

1. Board Oversight Questions

  • Where do we lack real compliance leverage in our JVs?
  • Are control rights aligned with our risk exposure?

Join us tomorrow as we look at ABC risks 6-10, including third parties, extortion, organized crime, currency issues, and a weak rule of law.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – The Corruption is Free Speech Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories This Week Include:

  • FirstEnergy defendants in Ohio say corruption is simply ‘free speech’. (Ohio Capitol Journal)
  • British national sentenced to 6 years in jail over Wirecard fraud. (FT)
  • Corruption led to the Hong Kong fire disaster. (Bloomberg)
  • Translations as a compliance issue. (BBN Times)
  • Will Trump suspend the FCPA in Venezuela? (FCPA Compliance and Ethics Report)
  • X Faces U.K. Probe Over Grok’s Sexualized Images (WSJ)
  • Six Compliance Events to Watch in 2026 (Radical Compliance)
  • Why Are Your Policies Yelling at Me? It’s Time to Rethink Tone in Rules (CCI)
  • 10 must-know workforce trends for 2026 (Dayforce)
  • Florida man arrested after trying to flee deputies on riding lawn mower (NBC News)

Connect with the Hosts:

Resources:

Prove Your Worth

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
All Things Investigations

All Things Investigations – Navigating Compliance Challenges in Venezuela’s Energy Sector

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox welcomes back Mike DeBernardis to discuss the implications of entering Venezuela for energy companies and the historical precedents.

They explore the return of US energy companies to the Venezuelan market and historical precedents, such as the Iraq Oil-for-Food Program, post-2003 Iraq, and the 1990s Russian market opening, to identify the risks and the necessary compliance measures. Key insights include the importance of stringent third-party controls, understanding the nuances of dealing with state-owned entities such as PdVSA, and having a robust risk management strategy. The conversation underscores the critical need for compliance professionals to thoroughly understand business operations to build effective compliance programs in high-risk environments.

Key highlights:

  • Challenges and Opportunities in Venezuela
  • Historical Parallels: Iraq Oil for Food Program
  • Lessons from Post-2003 Iraq
  • Comparing Venezuela to 1990s Russia
  • Counseling Clients on High-Risk Opportunities

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis

Categories
Daily Compliance News

Daily Compliance News: January 12, 2026, The Corruption is Free Speech Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • FirstEnergy defendants in Ohio say corruption is simply ‘free speech’. (Ohio Capitol Journal)
  • Corruption allegations rock Cyprus. (Politico)
  • Venezuelans say Trump ‘too corrupt’. (Fortune)
  • Florida MAGA ‘queasy’ over Trump corruption. (AlterNet)
Categories
FCPA Compliance Report

FCPA Compliance Report: Going into Venezuela, Navigating the Corruption Risks, a Conversation with Matt Ellis

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. We take a short break from our 2-part series with Mike Volkov to review the issues arising from the Trump Administration’s invasion of Venezuela. Matt Ellis joins Tom Fox to look at what all this means for companies looking to do business in Venezuela.

They discuss the complex landscape of doing business in Venezuela, focusing on the rampant corruption, security challenges, and the implications of U.S. sanctions. They explore the risks associated with engaging with the national oil company, PdVSA, and the broader implications for U.S. companies considering re-entry into the Venezuelan market. The conversation also touches on Cuba’s role, international organizations, and the potential for infrastructure rebuilding in Venezuela, emphasizing the need for long-term strategies and careful risk management.

Key highlights:

  • Navigating Corruption and Security Risks in Business
  • Banking and Money Laundering Concerns
  • Cuba’s Role and Sanctions Implications
  • International Organizations and Corruption Regulations
  • Infrastructure Rebuilding in Venezuela
  • Long-term Strategies for Companies

Resources:

Matt Ellis on LinkedIn

Miller & Chevalier LLC

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: January 9, 2026, The Tell Me If You’ve Seen This Movie Before Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump says the US could stay in Venezuela ‘for years.’ (NYT)
  • Cambodian scam tycoon extradited to China. (WSJ)
  • A Kazakh oligarch paid Prince Andrew millions. (BBC)
  • How a botched Bulgarian corruption investigation brought chaos to EPPO. (Follow The Money)