FCRA – Off Again, On Again – Maybe Both

In this episode of AML Conversations, Elliot Berman is joined by Christopher Sindik, Senior Director of Third‑Party Risk and Due Diligence at Blue Umbrella, for a deep dive into the Foreign Corrupt Practices Act (FCPA) and the recent deferred prosecution agreement involving Tigo Guatemala, Millicom, and the U.S. Department of Justice.

Elliot and Christopher break down how the misconduct unfolded, why the joint‑venture structure created an environment ripe for corruption, and what lessons compliance professionals can draw from the case. The conversation explores practical strategies for strengthening third-party risk management, including intrinsic and acquired risk factors, enhanced controls for high‑corruption jurisdictions, and the critical role of data analytics and AI in detecting anomalies.

They also discuss the importance of tone from the top, resource allocation for compliance programs, whistleblower protection, and how companies can ensure that legitimate services are properly documented and auditable. The episode highlights how proactive self-disclosure and robust compliance frameworks can significantly impact outcomes in enforcement actions.

FCRA – Off Again, On Again – Maybe Both - Transcript

Elliot Berman: Chris, welcome to today's session. I know we'd like to talk about the Foreign Corrupt Practices Act and a recent deferred prosecution agreement, which I'll introduce in a moment. But first I think I'll introduce myself to the audience. I'm Elliot Berman. I'm the marketing thought leadership specialist at AML RightSource. And Chris, why don't you introduce yourself to our audience as well.

Chris Sindik: Yeah, certainly Elliot. My name's Christopher Sindik and I'm the senior Director of Third Party Risk and Due Diligence at Blue Umbrella. Been in the industry for about 20 years or so, and really interested in third party risk management and due diligence, ethics and compliance and everything else that comes along with it.

Elliot Berman: And I'm looking forward to this conversation. We're going to focus on a recent deferred prosecution agreement that was entered into between the US Department of Justice and, Tigo Guatemala, which is a subsidiary of Millicom International Cellular, which is a Luxembourg company . The deferred prosecution agreement covers activity that started 12 or 13 years ago, and the various investigations and accusations have wandered along for all of that time.

There have been corporate reorgs and all sorts of things in the interim. But now the parties have reached a conclusion and put it on paper. And at a very simple level, deferred prosecution agreements, sometimes referred to as DPAs are an arrangement where the prosecuting authority, in this case, the Department of Justice says, you're acknowledging that you did these bad things. We are going to agree that if you clean up your act and don't do any bad things for the agreed upon period, then we will not move forward with prosecution for these bad things.

So our conversation because of what you and Blue Umbrella do is really in the context of third party due diligence and monitoring. What are the failures in third party due diligence or monitoring that allowed intermediaries in this case or more generally to be used as conduits for bribery? And how can those failures be detected early? So this kind of thing doesn't happen.

Chris Sindik: Yeah, it's a great question. You know, one of the things I've heard multiple times in my career is that it's good to learn from your mistakes, it's better to learn from other people's mistakes. So what can we learn? What can we learn collectively here about what was done and, and what we, what can we do to prevent acts of bribery and corruption in the future? And certainly the enforcement actions and damage that come along with it too.

There's been much written, uh, about the Millicom uh, enforcement action too. And I think one of the themes that came outta that, and in looking at the judgment too, is that the whole structure of the deal, uh, where it was a joint venture and then buyouts along the way was really ripe for corruption from the start.

It was a high risk country Guatemala historically for bribery and corruption. And then the operating company didn't really have a whole lot of oversight or control of the local operations a lot of times. So, I think the fact that they were operating in this industry, it was kind of an emerging time, if you will for telecom, which is the industry that was involved here, cellular phones and whatnot and the regulation that comes along with that. You know, you have to get your licenses. You can't just open up a new cell phone company there.

There's certain government permissions that come along with that too. I think that it really started at the inception too, uh, when those companies were, you know, sort of joined together and, and they opened up the market, if you will, for this business that ultimately had the enforcement action against them.

And I think that when a company goes into a merger or an acquisition phase, it's really like a marriage, uh, where it's not like you're just marrying your spouse. Uh, you really do get their whole family in the deal too. You know, you get the crazy uncle in the, in the wild cousins and the elder statesmen and women as well too. So they really inherited a lot of individuals, not just in the third party space, but obviously the local operations there too.

What could have been done earlier in that process? Knowing the regional knowledge about, what kinds of of businesses are more risky. And if you're in a high risk jurisdiction. Hey, it's a no-brainer. That is something that's gonna be heightened even more. And I also think just being aware of possibly the different standards that might take place in some parts of the world. Certain types of payments under the table, bribery or whatever it might be, are thought of as just a way of doing business.

And it's the way we've always done it. So stamping that out early and really changing the culture, I think is a big part of it too. To elevate really the operations to stay far away from the red line.

For example, uh, I was, uh, recently at. At two conferences this year. One was, uh, the SCCE which I'm sure folks know about. And then most recently, which came right after this enforcement action was announced was the ACI FCPA conference in Washington, DC. That was very eye-opening. We got to hear from some of the folks in the DOJ, at SEC, and law firms, and various large companies too, about how they reacted to this. It was the buzz in the room, people talking about these things.

It really gave some unique insight into why this happened. Some other things around the FCPA. Why this one happened when it did, and the many repercussions from it. Because certainly in February there was the pause of FCPA enforcement, that was the name of the uh, the act that was put into place and people were wondering how to interpret it. So to see this as the next major thing in FCPA after that I think a lot of eyeballs are on it now and we're trying to glean some next steps from it.

Elliot Berman: So how should a company assess the risk level of third parties that are operating in high corruption jurisdictions Guatemala was at that time. And what enhanced controls should they always consider putting in place for these environments?

Chris Sindik: I think it's a good question too because it's not every day that you're suddenly gonna have a new joint venture in a high risk country. That's a very unique situation for this enforcement action. What's much more common is that a company will think about doing work in another side of the world or another country or another region, and they need to have new business partners to make that happen.

We see it every day. So when you're going into a high risk jurisdiction or high risk work sometimes it a country that's not necessarily high risk or corruption overall. But if it's certain types of work, it could be a little bit more troublesome. Gas or petrol stations in South America might be used to launder money or have work with organized crime. Or travel agencies in China sometimes for making corrupt payments. These are the types of things you might need to know about too.

In terms of some mandatory controls and how to assess that risk level. Starting with the risk level, I think about it as two sort of main factors that come into play. Intrinsic factors and acquired factors.

So in looking at a third party, looking at those intrinsic factors, it's what type of work are they doing? Are they a supplier or are they a distributor? Are they a sales agent or a travel agent? Are they a catering company? Are they providing you stationary? Are they providing you this particular electronic component? All these things matter and there can be varying types of risks with those very nuanced too. So knowing that I think is key. The spend. If you're spending a hundred dollars with a third party, maybe not a huge risk of bribery corruption.

There are other risks certainly too, that are sort of spend agnostic when it comes to data and privacy and things like that. But some of the other intrinsic factors along with type of work and spend would be the location, where they are in the world. If they are a state-owned entity. If there are clear government connections and then some other things like are they publicly traded or not?

If it's a publicly traded company, a lot of times they have to have more controls in place. That could be a little bit more reassuring too, not always. If you look at the major enforcement actions in the past, there are some very well-known companies there too. But those types of formations, if it's a sole proprietorship, a private company that can be a factor to just, take into consideration to have a risk score. I think of the intrinsic risks is just kind of who they are. What they are and they, as they exist in the world.

But those acquired risks is kind of their personality, if you will. Have they had past enforcement actions and penalties? Are there controls? Poor? Hey, we don't have a code of conduct. We don't have an anti-bribery and corruption policy. , We do have a gifts and entertainment policy, and the limit on cash gifts is $2,000. These would be some things that would raise some eyebrows and some blood pressure of the general counsel or the chief compliance officer or whoever it might be. Pep connections, things like that too.

So I think if you look at those factors in varying methods, doing research questionnaires, order a due diligence report, it can tell you a lot too. That's a good way to go about it. And I think in terms of the other part of the question with controls it's greater oversight. Again, we mentioned that having a subsidiary in a high risk part of the world where you don't have as much control over it. That might be something to not have happen.

It's risky work. It's a risky location, it's high spend. Maybe they've had past enforcement actions. Maybe there's state owned entity, et cetera. Get down there. Go on there. And seeing is believing too. You know, these companies and these people, they don't live in Outlook or Zoom calls.

The context matters. Look at the office, walk around and certainly these are things that, that can be done when there's a certain level of commitment involved with the business relationship. Maybe even just getting some site visits from someone there locally to have a look around that that's certainly a good idea too.

But financial controls, pre-approval of expenses, continuous monitoring, training, these are kind of the gold standards, if you will, for a compliance program today. And it could be a help too, when it comes to third parties and mitigating some of that bribery risk. They can't make a bribe if they don't have the money to do it too. So I think the finance side of it too, really locking that down and having a lot of gatekeeping steps along the way and let people know what to do and what to look out for, I think is a good place to start.

Elliot Berman: So what can be done by companies and their employees if their executive leadership doesn't show a commitment to third party risk management or the overall compliance program?

Chris Sindik: Yeah, times being as they are sometimes the program can be thought of by some, I think erroneously is a cost center and what's your ROI that you're getting out of it? And we gotta reduce the budget, we gotta save money and you guys are slowing things down with this due diligence process. I like to think of it as a race car where the compliance program, or some of these checks can be the brakes on the car and people are ha ha, you are slowing us down. You're the brakes. And that's true.

But the best race cars they have the strongest brakes, and they can take those corners faster going into it and slow down quickly. If you have two cars racing each other and one has brakes and one doesn't, I can tell you which one's a gonna finish the race and which one's gonna do it faster too. Although it's there to occasionally slow things down. We gotta think about the whole race here, and not just one lap, but a hundred laps. So to your question what can be done?

I think point to these enforcement actions, particularly if they're in your industry or one's in the past too. You can see, and there's been a lot of research about this, that a prudent ethics and compliance program and third party risk management program and onboarding and monitoring and everything that goes along with it has an ROI. And you could even point to, subtly at times the DOJs evaluation of corporate compliance programs, which is basically, if something goes wrong, here's what we're gonna look at, and you better have it in place.

And if you don't there might be a penalty with an extra zero on it at the end of the day too. And there's a whole section about tone from the top and appropriate resources. Sometimes it's not gonna be an executive coming out and saying, we don't care about this program anymore. They just strangle it. They go ahead and they just cut the resources, cut the people, et cetera too. The program has to be sufficiently resourced and independent to really be effective too. And, and I'll say too, if they're always seeing what we can try to do do with the resources that we have on hand.

Look for the best ROI and sometimes just look at the baseline risk that you can handle. In a volume that scales for the company. Something like doing screenings, watch list checks, that's kind of baseline standards these days to make sure you're not working with the sanctioned entity or looking at media on them, to see if they've had past problems or they have bad press about them or they're being accused of possible bad acts too.

So see if you can rely on some of these cheaper tools. Do what you can within your own four walls, but open the door on that fourth wall and look at the other departments. I again was told a long time ago that one of the most influential people in the ethics and compliance department can be an accounting analyst, where they can go in and look at payments and they can scrutinize them and they ask, what's this about? What's this travel fee for $10,000? It's strange. It's a round amount. Why is it exactly $10,000? And other questions obviously that come along with that.

But see if you can get some help from the accounting department. See if you can get some help from the procurement department. Sometimes they have a pretty good budget, and having some of these checks in their process too and leveraging technology. Having a really effective tool sometimes can bridge the gap between headcount. If you're doing things manually getting a tool in place and Blue Umbrella has a great one, can really have meaningful savings on time and resources if you're faced with that situation. And most programs, they'll reach a tipping point at some point where manual searches and tracking things and spreadsheets and whatnot, it's too cumbersome. So, more of a platform makes sense. If all else fails and you see your company doing something inappropriate, hey whistleblower programs exist.

And again, at the conferences that I was a part of, ACI FCPA as an attendee, that was one of the key things that is still reiterated. The whistleblower protections and how they want companies and individuals to come forward. It can really help things out and there's certainly the bounty programs as if individuals have to go that route too.

Elliot Berman: How can companies ensure that legitimate business services provided by third parties are documented, measurable, and can be easily audited to prevent misuse. As bribery channels?

Chris Sindik: It is a good question because now the other side of it is companies that want to do things the right way. And they want to protect themselves from the bad apples that are out there. And what to do with the resources they have on hand. I'll harken back to the point I just made is that there's technology to track all of it. And certainly if someone is moving to a platform for the first time it can be a little bit of data organization and cleansing and things of this nature as well.

But it does pay dividends certainly in the long run. And you know, you need to have it documented and audited and things like this so, if you get subpoenaed or rated or whatever it is, you can very easily point to it and say, we did know about this party on December 1st. We screened them on December 1st. We ran a due diligence report with them on December 20th. We reviewed it for a week. They were approved, and starting January 10th after a proper vetting process where they were ranked as medium high. you can really point to things and it really shows your case that you you tried to do the right thing.

So I think that really helps too. But outside of that what you can do to help prevent misuse of bribery channels. Again, a bribe can't be paid if the money's not there. Making sure that pre-approval is obtained, that can really help with a lot of things, primarily with GTE. If companies are worried about that, it's one of the easiest things that they can do is just say pre-approval. We're not gonna pay anything out unless it's pre-approved. I think that can definitely help.

And then I'll say too, look out for the deals or the third parties or, things that try to go through the process that are special or it's the MVP. We need to get this fast tracked. This is a million dollar deal. Don't hold this up, okay, puts people on edge, especially if it's someone senior asking for that in the company. And everyone, jumps into action and sometimes you make deviations from the normal process because of this sense of urgency or uniqueness. So, be aware of those those special deals and that there aren't exceptions made that would be inappropriate otherwise.

Elliot Berman: You talked about unusual payment patterns and, financial analysts in the finance department who can help with that. More broadly, what should the role of data analytics, transaction monitoring, periodic audits be in identifying those kinds of, payment issues or inflated invoices or other things that might be a red flag for bribery risk?

Chris Sindik: Well, it wouldn't be a podcast in 2025 if we didn't mention AI in one way or another. So here we are. All joking aside, I think those are, good possible use cases for data analytics, AI, transaction monitoring. Humans going in there and looking at these things as well, when appropriate there is a use case for all of them. But AI is certainly better than ever and it's getting better all the time. Certainly we will assume that all the controls and vetting and testing and confidentiality and security are in place for AI in this instance too. But once that is all done, it can get in there and it can flag round number transaction, an anomaly, certain transactions in certain parts of the world or types of third parties.

And then that's the point where a person would come in and look at that and scrutinize the details just to make sure everything's above board too. I also think that there are certain channels that can be scrutinized more. When it comes to things like payments that would be considered consulting fees or unique discounts or rebates. Where are they being rebated to? Is it the same entity? Are there travel fees, GT&E, gifts, travel and entertainment. So making sure that those channels that traditionally have been used to facilitate bribery, are locked down and there's oversight and there's transparency, and there's a certain amount of rigor there as, as well .

And I think apart from that, if we look back to the enforcement action, one of the difficulties that they had faced in paying their bribes was getting getting cash into the hands of the, the bribe takers. And that led them down even more of a darker path, to get involved, allegedly with cartels and getting money in that way. I think a really interesting part of it was they were transporting duffle bags of cash via helicopter. There was an emergency and they had to land at a military base.

And when they made this landing one of the commanders of the base was, what are you guys doing? I'm glad you're all right. What's going on? And they noticed all these duffle bags full of money which is a very interesting part of the story. If someone's trying to get their hands on a lot of cash, obviously that's a red flag too.

If it does go to that point of involving a cartel or one of these organizations that has a lot of cash, traditionally in some parts of the world they can appear more like legitimate businesses than you'd think. They have a business ID number, they have accounts with major banks, they have operations. They pay taxes. They seem like a very legitimate organization. People that have their foot maybe in the legitimate and the criminal world at the same time to facilitate these things that are happening time and time again.

I think there's a lot of ways that bribery can be done these days. So it's important for companies to, to stay one step ahead and focus on the most likely avenues and ones that are the most risky.

Elliot Berman: Chris, I wanna thank you for this great conversation. I think it shed a lot of light on what people can do in a lot of circumstances and what makes a lot of sense. One of the things that I noticed in the deferred prosecution agreement was that the DOJ gave a lot of credit in figuring out what the balance of everything would be to the companies because of self-disclosure. And that can happen because you have a good program and people bubble it up. That's another thing for everybody to remember. But getting a good routine in place that really is risk-based and then following through is the key. Chris, I know we're gonna have some future conversations and I know you've got some other things planned where you're gonna moderate with some of your colleagues.

So our audience should continue to watch the website and LinkedIn. As we post new material in 2026. Thanks for your time today and I look forward to talking with you in the future.

Chris Sindik: Yeah, certainly Elliot. Lots of things to talk about in, in this year and, and many years to come too. So thanks for your time.

Elliot Berman: You too. Bye-bye.