Corporate Compliance and ‘Cartel Risk’
Last week I moderated a webinar on Latin American drug cartels, and where “cartel risk” is or isn’t similar to the corruption risks that compliance teams have worried about for years. Perfect timing! That same week, the Justice Department settled an FCPA case where drug trafficking was one element of the story. Let’s review the notes I took.
The inspiration for our webinar came from new protocols the Justice Department unveiled in June for when it would prosecute violations of the Foreign Corrupt Practices Act. Broadly speaking, the Justice Department wants to prosecute the FCPA less often; but one exception (among several) would be when the FCPA misconduct “is associated with the criminal operations of a cartel,” such as working with money launderers.
OK, fair enough; no sensible person likes drug cartels anyway — but what would that misconduct actually look like on the ground? What due diligence would a company be expected to perform on business partners? If you do find transactions somehow associated with cartel operations, what then? Do you self-disclose and cooperate against the cartel? Because that seems a lot more dangerous than cooperating to settle charges that you bribed the assistant minister of whatever in some foreign country.
Then by lucky coincidence came last week’s FCPA enforcement action against Millicom TIGO. Millicom is paying $60 million in a criminal penalty and $58.2 million in disgorgement to settle charges that its Guatemalan joint venture paid bribes to government officials there in the 2010s. One telling detail is that Millicom’s local partner in Guatemala used the proceeds of drug traffickers, laundered through a bank, to fund the bribes.
So that’s at least one example of cartel and FCPA risk overlapping. Moreover, cartels have been an endemic problem across Latin America for years; any interactions with them are a big problem for corporations, whether FCPA violations are part of the story or not. If you do business in Latin America, your compliance program needs to address that risk.
All of which brings us back to last week’s webinar. In that complicated and high-risk environment, what should compliance officers keep in mind? Our speakers had several pieces of advice.
Self-Disclosure Is Complicated
When you self-disclose an FCPA violation, you’re volunteering to let regulators punch your company in the face. Maybe the misconduct isn’t that bad, and prosecutors give you a tap on the forehead; or maybe the misconduct is egregious, and they wallop you in the teeth. Either way, your company is volunteering for punishment because you are the offending party. You are the target of the Justice Department’s ire.
Cartel risk can be quite different. In those scenarios, your company might well be the victim — say, if cartels infiltrated your transportation supplier and are smuggling drugs across the border in your shipments; or if you use financial firms that are fronts for cartel money laundering. In those cases, the cartel is the offending party the Justice Department wants to pursue. Your company might be an unwitting victim or an extortion target.
Or even if some part of your organization is involved in criminal misconduct that touches cartels, consider this scenario. Perhaps the Justice Department has already been building a case against the cartel, but is missing some crucial piece of evidence. If your company can provide that critical evidence, you might be able to leverage your position into a more favorable settlement.
Then again, when you self-disclose FCPA misconduct to the Justice Department, you’re disclosing to one regulator (or maybe two, if we count the Securities and Exchange Commission separately) who wants to settle the case and send you on your way with an improved compliance program.
The picture is more complicated with cartels. You might disclose to multiple regulators, from Justice to Homeland Security to the Drug Enforcement Agency and others. They might have different agendas, such as asking you to keep playing along with the cartel until law enforcement can build the case that it wants. (When has the Justice Department ever asked anyone to keep paying bribes in an FCPA case?) One regulator might have different expectations for cooperation than another.
In other words, what is a rather binary analysis for FCPA risk — “Do we self-disclose and try for a more favorable settlement; or keep quiet and hope Justice never finds out?” — is far more complicated when cartels are the issue. That will be true regardless of any FCPA violations that might be part of the picture.
Due Diligence Is More Complicated Too
Due diligence of your third parties isn’t any better. At least with FCPA violations, we have a good sense of the third parties most likely to be the highest risk (distributors, resellers, and the ever-popular “agents”), and the basic crime they’re trying to commit: bribery, by diverting your company’s cash flows to other accounts that end up in someone’s back pocket.
Misconduct involving cartels can take many more forms, with many more possible participants. So your risk assessment and due diligence procedures need to be much more expansive.
For example, cartels might extort your local offices for protection money. Or they might infiltrate your third-party service provider as a means to smuggle drugs from one location to another, like we mentioned earlier. Or they might be operating a bank to launder drug proceeds, and your local finance team may or may not know that fact.
So you’ll need robust due diligence capabilities that can assess the risks of parties you might have ignored when FCPA offenses were the priority. You’ll need better risk assessment procedures and internal controls to detect suspicious cash flows that might not resemble what you’d typically expect. (Although fake invoices and incomplete documentation for third parties seem to happen no matter what the crime.) You’ll need effective monitoring, since cartels might muscle into a vendor’s operations long after you onboarded the business.
A robust FCPA compliance program can provide a strong foundation for all that additional complexity, but make no mistake: a strong program to root out cartel risk must do more than what an FCPA compliance program typically does.
Will Cartel Enforcement Priorities Endure?
That’s the grand question. Is the Trump 2.0 Administration serious about applying more pressure to cartels, including use of the FCPA (and presumably other corporate crime statutes) where appropriate? Or are these new enforcement policies just showboating with no real substance behind them? Because lord knows we see plenty of the latter from President Trump.
The Millicom case is one specific example of what FCPA-meets-cartel enforcement might look like, but one example does not an enforcement shift make. This is still a Justice Department riven with staff turnover, incompetence, and a far greater focus on immigration enforcement. Maybe Millicom was a one-off. Maybe the fact patterns to allow such an enforcement action just won’t arise all that often.
Or even if the Trump Administration is serious, what happens when Trump departs? If future administrations (especially any future Democratic administrations) take the same expansive view of cartel and corruption enforcement, then we’ll have a permanent shift in compliance priorities akin to the rise in FCPA enforcement in the Bush and Obama administrations. A shift like that is what funds compliance budgets and restructures whole programs.
For now, we can only wait and see.