Due Diligence in Mexico: Managing FTO and Cartel-Related Risk

For two decades, companies operating in Mexico treated cartel activity as a security and

reputational problem: a question of physical safety, insurance premiums, and operational

continuity. In 2025 that framing became obsolete. The United States now treats the major

Mexican cartels as terrorist organizations, and in doing so it has converted a security problem

into a legal one. The discipline that now determines a company's exposure to that legal problem

is due diligence.

The relevant question for a board is no longer whether a counterparty appears on a sanctions

list. It is whether the company's ordinary operations (its suppliers, its logistics, its routes, its local

payments) confer a benefit on an organization the United States has designated as terrorist.

That question cannot be answered by screening a name against a database. It requires

enhanced due diligence in Mexico, calibrated to a counterterrorism standard.

The reclassification: cartels as Foreign Terrorist Organizations

On 20 January 2025, Executive Order 14157 directed the designation of cartels and other

transnational criminal organizations as Foreign Terrorist Organizations (FTOs) and Specially

Designated Global Terrorists (SDGTs). On 20 February 2025 the designations took effect: eight

organizations, six of them Mexico-based cartels, were designated under both authorities. The

FTO regime derives from the Immigration and Nationality Act; the SDGT regime derives from

Executive Order 13224.

The designation did more than attach a label. It layered the United States' counterterrorism legal

architecture on top of the narcotics, money-laundering, and sanctions tools that had governed

cartel risk for thirty years. Conduct previously analyzed as a trafficking or corruption matter is

now also analyzed for material support to terrorism. The threshold of exposure fell, and the

severity of the consequences rose.

Figure 1. The principal U.S. measures reshaping cartel-related risk in Mexico, 2025 to 2026.

Why an FTO designation changes the calculus for due diligence in Mexico

The change is not rhetorical. Several distinct bodies of law are now engaged at once.

Material support. Under 18 U.S.C. § 2339B, it is a federal crime to knowingly provide “material

support or resources” to a designated FTO. The statutory definition is deliberately broad,

capturing currency, financial services, property, transportation, lodging, personnel, and expert

assistance, among other things. Penalties run to twenty years' imprisonment, and to life where

death results. The statute reaches conduct abroad, and it has long been applied to support that

is indirect.

No comfort in coercion. Companies frequently assume that a payment made under threat

cannot be criminal. The law does not agree. Neither the material-support framework nor the

sanctions regime recognizes an extortion defense, and the duress defense is narrow, generally

confined to an imminent, unlawful threat of death or serious bodily injury with no reasonable

opportunity to escape. A pattern of payments made over time, in the ordinary course of keeping

an operation running, will rarely qualify.

Sanctions, and the reach beyond U.S. borders. Under OFAC's 50 Percent Rule, an entity

owned 50 percent or more, directly or indirectly and in the aggregate, by one or more blocked

persons is itself blocked even if it does not appear by name on a sanctions list. Separately,

entities controlled by, acting for, or materially assisting designated organizations present

elevated sanctions, material-support, and designation risk. Secondary sanctions authority

2extends this reach further, to non-U.S. persons with no U.S. nexus, and the gravest

consequence is not a fine but exclusion from the U.S. financial system.

Civil liability. The Anti-Terrorism Act gives U.S. nationals injured by international terrorism a

civil cause of action for treble damages and attorneys' fees. As amended by the Justice Against

Sponsors of Terrorism Act, it extends to those who knowingly provide substantial assistance to

an act of terrorism committed by a designated FTO. The plaintiffs' bar has taken note, and

recent years have seen new Anti-Terrorism Act suits naming corporate defendants in sectors

with Latin American exposure.

Disclosure, and time. Issuers reporting to the Securities and Exchange Commission carry

mandatory disclosure obligations for certain dealings that touch designated parties. And the

enforcement window has doubled: the FEND Off Fentanyl Act extended the statute of limitations

for sanctions violations from five years to ten. Conduct from a decade ago, and every legacy

relationship that predates a designation, is now within reach.

The exposure is indirect, and that is the danger

Few companies will ever knowingly transact with a cartel. Exposure does not arrive that way. It

arrives through the ordinary machinery of operating in Mexico: a logistics aggregator that

subcontracts transport the company never vetted; a customs broker or port agent of uncertain

ownership; a warehouse in contested territory; a local union or association that must be paid for

“labor peace”; a security provider; a payment intermediary; a route that passes through a

corridor under criminal control.

It arrives, too, through payments that look mundane on an invoice: unexplained fees, “security”

charges, route-access costs, and the informal taxation widely known in Mexico as cobro de

piso. It arrives through intermediaries engaged to handle government paperwork whose own

books are opaque. In each case the company may have no direct relationship with a designated

group and still confer the operational or financial benefit on which the material-support analysis

turns.

The corollary is willful blindness. The law does not reward a company for choosing not to ask. A

manager who suspects that a vendor's “union” is something else, and declines to confirm it,

does not reduce the company's exposure; he may increase it. This is the precise point at which

due diligence in Mexico earns its keep, by surfacing 

Why Mexico rates as a high-risk jurisdiction

The indirect exposure described above is not hypothetical, because criminal influence in Mexico

is both pervasive and economically diversified. Official data set the baseline. In its 2024 National

Survey of Business Victimization, Mexico's statistics agency, INEGI, reported that 27.2 percent

of the country's economic units were victims of crime during 2023, up from 24.6 percent in 2021,

and that extortion was the single most frequent offense recorded against businesses. The

agency placed the direct cost of crime to those businesses at roughly 124 billion pesos,

equivalent to about half a percentage point of national GDP.

The organizations behind those figures no longer derive revenue only from narcotics. They have

moved into fuel theft (huachicol), the extortion of agricultural producers and food businesses,

mining, real estate, migrant smuggling, and the broader cash economy. As revenue diversifies,

the number of ordinary commercial sectors that may intersect with a designated organization

grows with it. A designation that began as a counter-narcotics measure now reaches fraud,

logistics, and agribusiness alike.

The practical consequence is statistical. The probability that a Mexican counterparty, route, or

supply chain touches a designated organization is materially higher than in most jurisdictions a

compliance program is built to handle, and materially higher than standard, list-based screening

is designed to detect.

What the precedents teach

Two cases define the contours of corporate exposure, and both predate the Mexican

designations.

A U.S. fruit company operating in Colombia paid a designated paramilitary organization

between 1997 and 2004 to protect its operations. It pleaded guilty in 2007 and paid a $25 million

criminal fine; prosecutors rejected the contention that the payments were made under duress, in

part because they continued, in dozens of installments, over years. The civil chapter has proved

longer and costlier than the criminal one: in 2024 a jury awarded $38.3 million to victims'

families, and related litigation has run for the better part of two decades.

A French cement manufacturer paid ISIS and another designated group to keep a plant

operating in Syria. In 2022 it became the first corporation to plead guilty to providing material

support to a foreign terrorist organization, agreeing to pay $778 million; criminal proceedings

against individual executives followed.

4The lessons are precise. First, when a designation changes the legal status of a counterparty,

legacy practices that were previously tolerated become acutely dangerous; existing

relationships must be reassessed, not merely new ones. Second, business continuity and

coercion rarely excuse a sustained course of payments. Third, executives face personal

exposure. Fourth, civil litigation can outlast and exceed the government's penalty. Each lesson

points to the same control: rigorous, documented due diligence.

Why standard sanctions screening is not enough

FTO exposure rarely announces itself on a list. It hides one layer down: in beneficial

ownership that resolves to a different person than the counterparty's letterhead; in nominee

holders and front companies; in the subcontractor who actually performs the work; in the route,

the warehouse, and the payment flow.

What enhanced due diligence in Mexico should involve

There is no statutory checklist; regulators expect a reasonable, risk-based program

proportionate to a company's footprint and exposure. In a high-risk jurisdiction, a credible

program for due diligence in Mexico will ordinarily address the following:

• Beneficial ownership, unwound to ultimate owners. Mexican anti-money-laundering law itself requires identification of ultimate beneficial owners; a persistent inability or refusal to provide that information is itself a red flag.

• Local public records, adverse media, and litigation and criminal indicators, drawn from Mexican sources rather than from global databases alone, which frequently miss locally reported links.

• Source of funds and source of wealth, tested where a counterparty's commercial profile does not match its apparent means.

• Supply-chain and subcontractor mapping that identifies who actually performs the work beneath the direct supplier.

• Geographic and route-risk assessment across operating zones, corridors, ports, and warehouses.

• Payment-flow and U.S.-nexus analysis: U.S. dollar settlement, correspondent banking, and U.S. insurers or customers, each of which can trigger U.S. jurisdiction.

• On-the-ground intelligence on local reputation and informal control, which seldom appears in formal filings.

• Contractual safeguards: audit and inspection rights, subcontractor-disclosure and restriction clauses, anti-terrorism and sanctions representations, suspension and termination rights, flow-down obligations, and certifications of no dealings with designated groups.

• Ongoing monitoring, and the reassessment of legacy relationships following any new designation.
  

Calibration matters as much as coverage. A company operating only in Mexico City carries a

different profile from one moving goods through a contested northern corridor, and the depth of

inquiry should reflect that difference.

The defensible record: what regulators expect

Regulators do not expect a company to eliminate risk; they expect it to recognize, escalate,

investigate, mitigate, and document. The difference between a defensible position and a willful-

blindness narrative is most often the paper trail: what the company knew, when it knew it, who

reviewed it, what alternatives were weighed, what it decided, and why.

Two organizational failures recur. The first is the silo between security and compliance. Security

teams in Mexico frequently hold the most important information about cartel exposure, and that

information must reach legal and compliance, not stop at the plant gate. The second is informal,

local, undocumented decision-making. With a ten-year limitations period, the records a

company keeps today are the evidence it will rely on years from now.

How Businesses Should Respond

For companies operating in Mexico, the practical response is not to withdraw from the market. It

is to raise the standard of inquiry.

A defensible due diligence program should identify who ultimately owns and controls a

counterparty, who actually performs the work beneath the direct supplier, where goods and

payments move, whether local intermediaries have unexplained influence, and whether the

company can document its decision-making if challenged later.

Warden Consulting supports companies, law firms, investors, and compliance teams with

enhanced due diligence in Mexico, including beneficial ownership analysis, adverse media and

litigation checks, local public-records research, source-of-funds review, supplier and site

verification, and discreet field enquiries where database screening is not enough.

Learn more about Warden Consutling’s due diligence services in Mexico here.