
15 April 2026 • 5 minute read
The changing landscape of FTO risk in México: Key points on compliance
Most companies address anti-corruption risk through a combination of internal controls, third-party due diligence, and contractual provisions, such as audit rights and compliance obligations.
However, they may consider additional key measures, particularly in México and across Latin America, where compliance analyses have noted the potential for organized criminal activity to intersect with legitimate business activities. In high-risk jurisdictions, well-positioned compliance programs that consider third-party operations can withstand real-world exposure.
In this alert, we discuss how non-compliance has changed in light of recent designations by the United States Department of State, how risk may arise for companies working with third parties in México, and the importance of applying a heightened third-party compliance model.
The shift: Mexican cartels as FTOs and SDGTs
In February 2025, the US Department of State formally designated several transnational criminal organizations, including major Mexican cartels, as Foreign Terrorist Organizations (FTOs) and Specially Designated Global Terrorists (SDGTs).
In this evolving landscape, third-party relationships expose companies not only to corruption risks, but also to sanctions and counter-terrorism frameworks, even where the connection is indirect. As a result, organizations are encouraged to re-assess whether their existing third-party risk management frameworks are sufficiently robust to identify and mitigate exposure in environments where legitimate business operations may intersect with designated entities.
These designations – under both the FTO and SDGT frameworks – expand the scope of potential liability and reinforce expectations for robust, risk-based compliance controls.
How exposure arises
In practice, particularly in México, traditional compliance models are largely built around anti-bribery and anti-corruption risks. Against that backdrop, companies may now anticipate and manage high-risk exposures, including the risk of indirect links to terrorism, sanctions violations, and criminal liability. Such risks are not limited to misconduct – they extend to include direct or indirect material support through third-party relationships.
Notably, these types of risks may be difficult to identify. They often arise through routine business relationships – with third parties or intermediaries, or even through operational decisions – in which support could ultimately benefit a designated organization.
In certain jurisdictions, third parties may operate in environments where informal payments, territorial control, or reliance on local intermediaries present elevated compliance risks. Exposure can emerge indirectly. For instance, transactions that are framed as simple operational costs may, in reality, be extortionate payments coerced from a company to operate in a region. Similarly, subcontracting arrangements could introduce counterparties that were not initially assessed, and logistical or security support may, in certain contexts, create proximity to designated organizations.
These dynamics are not commonly captured through standard, static due diligence processes. Companies may interact with third parties through layered or indirect relationships, creating a potential disconnect between the formal structure of the business relationship and the practical reality of service delivery on the ground.
In these circumstances, traditional documentation-heavy compliance approaches may only encompass what is declared rather than what occurs in practice.
In the context of FTOs and SDGTs, the gap between formal compliance and operational reality is where most of the risk lies. Exposure stems from patterns that are difficult to detect without a deeper understanding of how third parties actually operate in a given territory.
Looking toward effective controls
For years, many organizations have relied on what could be described as a “check-the-box” model of compliance, built around standardized due diligence, template questionnaires, and classic contractual protections. While still useful, these elements may not, on their own, capture the full range of risks that can arise in third‑party relationships.
A key component of the compliance function is visibility into how third parties operate and the broader networks of entities they rely on. Often, much of the exposure sits one or two layers removed, within subcontractors or supporting providers that fall outside traditional review processes.
The complexity of third-party relationships amid the FTO and SDGT designations poses a higher risk of scrutiny. Therefore, organizations may reconsider how their compliance practices and tools are applied.
Effective compliance models are built around the ability to reasonably explain – rather than simply document – why certain third parties were onboarded, how the risks were assessed, and the ongoing steps undertaken to monitor those risks over time.
Companies are encouraged to apply best practices – including periodic reviews, trigger-based re-assessments, and targeted audits – in a manner that reflects the operations of third parties.
For more information, please contact the authors.


