Making use of a Western compliance framework can obscure the tell-tale indicators of fraud and corruption in Gulf Cooperation Council markets. Majid Mumtaz, an inner audit and governance chief within the GCC, explores these challenges by way of the lens of 4 instances spanning greater than a decade that reveal why controls in place weren’t calibrated for gulf cultural, financial and political norms.
Over the previous decade, 4 Western multinationals paid a mixed complete exceeding $5 billion to resolve FCPA violations related to Gulf Cooperation Council (GCC) markets. In every case, a compliance program was operational. Due diligence recordsdata had been full. Audit committees acquired clear studies. The controls ran and authorized as compliant what was not really compliant.
The usual rationalization is that the businesses evaded their controls. The extra correct rationalization, supported by the enforcement report, is that the controls weren’t designed for the business surroundings they had been utilized to. Every failure maps to a particular characteristic of GCC business structure that has no equal within the Western markets the place these frameworks had been constructed. Till compliance professionals perceive these options, they may proceed working thermometers to measure wind velocity.
Why GCC business structure is structurally completely different
Earlier than analyzing the enforcement instances, three options of Persian Gulf business structure require context as a result of they’re the supply of the calibration hole. Not as a result of they’re inherently corrupt, however as a result of they make corrupt and bonafide transactions look similar to a Western compliance framework.
Mandated middleman constructions. Industrial company legal guidelines throughout the GCC require international firms to interact native brokers, sponsors or distributors for many classes of economic exercise. The middleman is just not non-obligatory. It’s a authorized requirement. When a international firm pays an area agent 15% of a authorities contract worth, that cost is on its face utterly professional, and it’s the identical construction a corrupt cost would use. There isn’t any exterior marker that distinguishes them.
Wasta as business credential. Wasta, the system of non-public relationships and reciprocal obligation, is just not a deviation from how GCC enterprise works. It’s the infrastructure of it. Private connection to authorities decision-makers is a real business credential on this market. A well-connected household workplace consultant or a royal-circle adviser offers actual, authorized business worth by way of their networks. The corrupt model of that association is structurally similar. A due diligence verify that finds a ruling family-connected agent has discovered precisely what firms rent in these markets. It can not distinguish that from a corrupt association as a result of the excellence is just not within the construction. It’s in what strikes inside it.
State-owned entity (SOE) dominance. The GCC economic system is predominantly state-owned. Main telecoms, utilities, vitality firms, infrastructure authorities and monetary establishments are authorities entities. Underneath the FCPA, their workers are international officers. Because of this in GCC markets, virtually each vital business relationship is concurrently a authorities relationship. A marketing consultant who facilitates entry to a state telecoms operator is, by definition, facilitating entry to a international official. But the bill reads “market improvement providers.” A compliance program calibrated for markets with a transparent public-private distinction can not operate in a market the place that distinction is structurally absent.
4 instances the place the calibration failed
Case A: The agent whose credential was the issue (protection sector, gulf state, 2024)
A US protection contractor appointed an area business agent to pursue authorities protection contracts in a gulf state. The agent’s main credential was his proximity to the nation’s ruling circles, which is exactly what made him commercially precious on this market. The corporate paid over $30 million in success charges.
The compliance operate accomplished third-party due diligence: registered entity, legitimate commerce license, no opposed report. Inexperienced standing.
The GCC nuance the management missed: On this market, proximity to the ruling household is the business credential. Due diligence that confirms a well-connected agent has confirmed precisely what the market requires. The management had no instrument to ask the subsequent query: Is the agent’s price justified by documented business work, or is it justified fully by entry that required a cost the price is concealing?
Inside warnings concerning the lack of technical substance had been raised and dismissed as a result of the connection was considered as “business necessity,” a phrase that in GCC contexts is usually the correct description of how enterprise works and concurrently the language by way of which corrupt preparations are rationalized. The controls had no mechanism to tell apart between the 2 makes use of of that phrase.
Discovery got here not from inner audit however from new management conducting post-acquisition integration evaluations. The firm resolved the matter for $950 million.
Case B: The professional middleman with a parallel operate (oil and fuel providers, Saudi Arabia and Kuwait, 2021)
A UK-listed oil providers firm engaged a gulf-based business agent to facilitate contracts with nationwide oil firms throughout the area. The agent was not a shell firm. It had a real regional workplace, actual workers, documented shopper relationships and a observe report of economic work throughout a number of gulf states. Due diligence discovered a commercially credible, regionally established entity. The connection was authorised.
The GCC nuance the management missed: The agent maintained two parallel features. The primary was professional business facilitation: introductions, relationship administration, bid assist. The second was a scientific funds community routing funds to officers at nationwide oil firms in alternate for contract awards. Each features operated by way of the identical company construction, the identical personnel and the identical business relationships. Due diligence that verified business legitimacy verified the quilt for the parallel operate. It had no mechanism to detect the parallel operate itself.
This failure is restricted to GCC business structure. In a market the place real middleman worth is delivered by way of private relationships with authorities officers, a corrupt middleman is just not structurally distinguishable from a professional one. The professional observe offers actual cowl as a result of it’s actual.
The scheme was uncovered when inner communications had been obtained by investigative journalists, triggering a UK Critical Fraud Workplace investigation. The oil providers firm paid £77 million to resolve the matter. The agent’s principal additionally pleaded responsible to a number of counts of bribery.
Case C: The official hidden contained in the contract (telecoms infrastructure, gulf state, 2019 and 2023)
A European telecoms tools firm secured infrastructure contracts with state-owned operators throughout a number of gulf markets. Funds had been channeled by way of domestically engaged consultants beneath business service agreements. Vendor recordsdata had been full. Invoices matched buy orders. The compliance assessment discovered nothing to flag.
The GCC nuance the management missed: In GCC telecoms markets, each main operator is a state-owned entity. The consultants engaged to facilitate entry to those operators had been, by the FCPA’s personal definition, intermediaries with authorities officers. However the contracts described them as “market improvement” and “technical advisory” consultants, classes that exist in each market and set off no suspicion on their very own. The management verified the construction. It by no means requested whether or not the work described within the invoices was really carried out. In a market the place the road between business consulting and authorities facilitation is structurally blurred, that query was the one related one.
The fabrication of deliverables went undetected for years till a whistleblower offered an inner e-mail explicitly describing an official’s involvement in a contract award. A secondary enforcement motion adopted in 2023 when the corporate was discovered to have hid additional supplies in the course of the monitorship interval.
Mixed penalties exceeded $1.25 billion.
Case D: 17 years of regular (energy infrastructure, gulf state utility, 2014)
A European infrastructure firm maintained a community of native consultants throughout gulf markets to facilitate contracts with state-owned utilities. Marketing consultant engagements had been reviewed, renewed and authorized yearly by the compliance operate. For 17 years.
The GCC nuance the management missed: In gulf infrastructure markets, the connection between a international contractor and a state utility is just not a sequence of discrete transactions. It’s an ongoing, multi-decade partnership maintained by way of a steady relationship infrastructure: marketing consultant networks, hospitality, private introductions, facilitation of approvals. Each severe infrastructure firm working in these markets maintained equal constructions. The professional and the corrupt variations had been operationally similar. Annual compliance evaluations that confirmed the consultants had been registered and the contracts had been signed had no mechanism to check whether or not the underlying relationship infrastructure concerned funds to officers, as a result of the connection infrastructure itself was indistinguishable from commonplace observe.
The scheme was not found by inner audit. US authorities constructed the case by charging particular person executives first, utilizing proof from investigations in different jurisdictions. Company cooperation adopted particular person indictments. A pending acquisition by a bigger firm created further strain to resolve.
The settlement exceeded $770 million, nonetheless one of many largest FCPA felony fines.
The nuance that connects all 4 instances
Every of those instances failed on the identical level. The compliance management examined the business construction and located it professional as a result of, in GCC markets, it was professional. The agent was actual. The consultants had been registered. The contracts existed. The connection was commercially commonplace.
What the management by no means examined was the substance contained in the construction: whether or not the agent’s price was justified by documented work or by entry funds shifting inside a sub-arrangement; whether or not the marketing consultant’s bill corresponded to work that was really carried out; whether or not the connection infrastructure was creating worth the corporate might doc or worth it couldn’t.
In Western markets, this distinction is less complicated to attract as a result of there’s a baseline. A compliance officer is aware of what a professional marketing consultant engagement appears to be like like of their jurisdiction. They’ll determine a deviation. In GCC markets, most Western compliance applications have by no means constructed that baseline. They can’t determine a deviation from a norm they’ve by no means mapped.
The result’s compliance certification that displays procedural adherence, not precise danger protection. In all 4 instances above, the compliance program labored as designed. The issue is the design was flawed for the market.
What a GCC-calibrated management framework requires
Three changes tackle the structural hole.
- Substance assessment, not construction assessment. For each middleman, marketing consultant or advisor engaged in markets with vital authorities interface, due diligence should require documented proof of economic deliverables that justify the price. Entry, introductions and facilitation of presidency conferences will not be commercially documentable deliverables beneath the FCPA no matter how they’re invoiced. If the substance of the connection is entry, the association requires escalation, not a inexperienced standing.
- Escalation authority impartial of income management. Case B illustrates the exact failure mode: Compliance flagged the priority; the enterprise overrode it. In GCC deal contexts, the place relationship logic and business strain each favor continuing, a compliance operate whose escalation path runs by way of senior administration has no authority. Impartial escalation to the audit committee or board on GCC government-facing transactions particularly is a structural requirement, not a choice.
- Upstream horizon assessment, not transaction-triggered assessment. In GCC procurement, the decisive affect happens earlier than the formal course of: which firms are invited to tender, which specs are written, which analysis standards are utilized. A compliance assessment triggered by a contract award is auditing the end result of a choice that was made 18 months earlier in a majlis, at an iftar or by way of an middleman whose engagement predated the RFP by two years. Efficient controls require a horizon-level assessment of which authorities relationships are being cultivated, what worth is being exchanged and what procurement choices are anticipated to observe.
With FCPA enforcement resuming on the DOJ following the 2025 pause, compliance professionals working in GCC markets will not be going through a brand new danger. They’re going through a documented danger that 4 main enforcement actions have already priced. The calibration drawback is just not technical. It’s a failure to know {that a} management framework constructed for one business surroundings can’t be deployed in a structurally completely different one with out first mapping the distinction.
Making use of a Western compliance framework can obscure the tell-tale indicators of fraud and corruption in Gulf Cooperation Council markets. Majid Mumtaz, an inner audit and governance chief within the GCC, explores these challenges by way of the lens of 4 instances spanning greater than a decade that reveal why controls in place weren’t calibrated for gulf cultural, financial and political norms.
Over the previous decade, 4 Western multinationals paid a mixed complete exceeding $5 billion to resolve FCPA violations related to Gulf Cooperation Council (GCC) markets. In every case, a compliance program was operational. Due diligence recordsdata had been full. Audit committees acquired clear studies. The controls ran and authorized as compliant what was not really compliant.
The usual rationalization is that the businesses evaded their controls. The extra correct rationalization, supported by the enforcement report, is that the controls weren’t designed for the business surroundings they had been utilized to. Every failure maps to a particular characteristic of GCC business structure that has no equal within the Western markets the place these frameworks had been constructed. Till compliance professionals perceive these options, they may proceed working thermometers to measure wind velocity.
Why GCC business structure is structurally completely different
Earlier than analyzing the enforcement instances, three options of Persian Gulf business structure require context as a result of they’re the supply of the calibration hole. Not as a result of they’re inherently corrupt, however as a result of they make corrupt and bonafide transactions look similar to a Western compliance framework.
Mandated middleman constructions. Industrial company legal guidelines throughout the GCC require international firms to interact native brokers, sponsors or distributors for many classes of economic exercise. The middleman is just not non-obligatory. It’s a authorized requirement. When a international firm pays an area agent 15% of a authorities contract worth, that cost is on its face utterly professional, and it’s the identical construction a corrupt cost would use. There isn’t any exterior marker that distinguishes them.
Wasta as business credential. Wasta, the system of non-public relationships and reciprocal obligation, is just not a deviation from how GCC enterprise works. It’s the infrastructure of it. Private connection to authorities decision-makers is a real business credential on this market. A well-connected household workplace consultant or a royal-circle adviser offers actual, authorized business worth by way of their networks. The corrupt model of that association is structurally similar. A due diligence verify that finds a ruling family-connected agent has discovered precisely what firms rent in these markets. It can not distinguish that from a corrupt association as a result of the excellence is just not within the construction. It’s in what strikes inside it.
State-owned entity (SOE) dominance. The GCC economic system is predominantly state-owned. Main telecoms, utilities, vitality firms, infrastructure authorities and monetary establishments are authorities entities. Underneath the FCPA, their workers are international officers. Because of this in GCC markets, virtually each vital business relationship is concurrently a authorities relationship. A marketing consultant who facilitates entry to a state telecoms operator is, by definition, facilitating entry to a international official. But the bill reads “market improvement providers.” A compliance program calibrated for markets with a transparent public-private distinction can not operate in a market the place that distinction is structurally absent.
4 instances the place the calibration failed
Case A: The agent whose credential was the issue (protection sector, gulf state, 2024)
A US protection contractor appointed an area business agent to pursue authorities protection contracts in a gulf state. The agent’s main credential was his proximity to the nation’s ruling circles, which is exactly what made him commercially precious on this market. The corporate paid over $30 million in success charges.
The compliance operate accomplished third-party due diligence: registered entity, legitimate commerce license, no opposed report. Inexperienced standing.
The GCC nuance the management missed: On this market, proximity to the ruling household is the business credential. Due diligence that confirms a well-connected agent has confirmed precisely what the market requires. The management had no instrument to ask the subsequent query: Is the agent’s price justified by documented business work, or is it justified fully by entry that required a cost the price is concealing?
Inside warnings concerning the lack of technical substance had been raised and dismissed as a result of the connection was considered as “business necessity,” a phrase that in GCC contexts is usually the correct description of how enterprise works and concurrently the language by way of which corrupt preparations are rationalized. The controls had no mechanism to tell apart between the 2 makes use of of that phrase.
Discovery got here not from inner audit however from new management conducting post-acquisition integration evaluations. The firm resolved the matter for $950 million.
Case B: The professional middleman with a parallel operate (oil and fuel providers, Saudi Arabia and Kuwait, 2021)
A UK-listed oil providers firm engaged a gulf-based business agent to facilitate contracts with nationwide oil firms throughout the area. The agent was not a shell firm. It had a real regional workplace, actual workers, documented shopper relationships and a observe report of economic work throughout a number of gulf states. Due diligence discovered a commercially credible, regionally established entity. The connection was authorised.
The GCC nuance the management missed: The agent maintained two parallel features. The primary was professional business facilitation: introductions, relationship administration, bid assist. The second was a scientific funds community routing funds to officers at nationwide oil firms in alternate for contract awards. Each features operated by way of the identical company construction, the identical personnel and the identical business relationships. Due diligence that verified business legitimacy verified the quilt for the parallel operate. It had no mechanism to detect the parallel operate itself.
This failure is restricted to GCC business structure. In a market the place real middleman worth is delivered by way of private relationships with authorities officers, a corrupt middleman is just not structurally distinguishable from a professional one. The professional observe offers actual cowl as a result of it’s actual.
The scheme was uncovered when inner communications had been obtained by investigative journalists, triggering a UK Critical Fraud Workplace investigation. The oil providers firm paid £77 million to resolve the matter. The agent’s principal additionally pleaded responsible to a number of counts of bribery.
Case C: The official hidden contained in the contract (telecoms infrastructure, gulf state, 2019 and 2023)
A European telecoms tools firm secured infrastructure contracts with state-owned operators throughout a number of gulf markets. Funds had been channeled by way of domestically engaged consultants beneath business service agreements. Vendor recordsdata had been full. Invoices matched buy orders. The compliance assessment discovered nothing to flag.
The GCC nuance the management missed: In GCC telecoms markets, each main operator is a state-owned entity. The consultants engaged to facilitate entry to those operators had been, by the FCPA’s personal definition, intermediaries with authorities officers. However the contracts described them as “market improvement” and “technical advisory” consultants, classes that exist in each market and set off no suspicion on their very own. The management verified the construction. It by no means requested whether or not the work described within the invoices was really carried out. In a market the place the road between business consulting and authorities facilitation is structurally blurred, that query was the one related one.
The fabrication of deliverables went undetected for years till a whistleblower offered an inner e-mail explicitly describing an official’s involvement in a contract award. A secondary enforcement motion adopted in 2023 when the corporate was discovered to have hid additional supplies in the course of the monitorship interval.
Mixed penalties exceeded $1.25 billion.
Case D: 17 years of regular (energy infrastructure, gulf state utility, 2014)
A European infrastructure firm maintained a community of native consultants throughout gulf markets to facilitate contracts with state-owned utilities. Marketing consultant engagements had been reviewed, renewed and authorized yearly by the compliance operate. For 17 years.
The GCC nuance the management missed: In gulf infrastructure markets, the connection between a international contractor and a state utility is just not a sequence of discrete transactions. It’s an ongoing, multi-decade partnership maintained by way of a steady relationship infrastructure: marketing consultant networks, hospitality, private introductions, facilitation of approvals. Each severe infrastructure firm working in these markets maintained equal constructions. The professional and the corrupt variations had been operationally similar. Annual compliance evaluations that confirmed the consultants had been registered and the contracts had been signed had no mechanism to check whether or not the underlying relationship infrastructure concerned funds to officers, as a result of the connection infrastructure itself was indistinguishable from commonplace observe.
The scheme was not found by inner audit. US authorities constructed the case by charging particular person executives first, utilizing proof from investigations in different jurisdictions. Company cooperation adopted particular person indictments. A pending acquisition by a bigger firm created further strain to resolve.
The settlement exceeded $770 million, nonetheless one of many largest FCPA felony fines.
The nuance that connects all 4 instances
Every of those instances failed on the identical level. The compliance management examined the business construction and located it professional as a result of, in GCC markets, it was professional. The agent was actual. The consultants had been registered. The contracts existed. The connection was commercially commonplace.
What the management by no means examined was the substance contained in the construction: whether or not the agent’s price was justified by documented work or by entry funds shifting inside a sub-arrangement; whether or not the marketing consultant’s bill corresponded to work that was really carried out; whether or not the connection infrastructure was creating worth the corporate might doc or worth it couldn’t.
In Western markets, this distinction is less complicated to attract as a result of there’s a baseline. A compliance officer is aware of what a professional marketing consultant engagement appears to be like like of their jurisdiction. They’ll determine a deviation. In GCC markets, most Western compliance applications have by no means constructed that baseline. They can’t determine a deviation from a norm they’ve by no means mapped.
The result’s compliance certification that displays procedural adherence, not precise danger protection. In all 4 instances above, the compliance program labored as designed. The issue is the design was flawed for the market.
What a GCC-calibrated management framework requires
Three changes tackle the structural hole.
- Substance assessment, not construction assessment. For each middleman, marketing consultant or advisor engaged in markets with vital authorities interface, due diligence should require documented proof of economic deliverables that justify the price. Entry, introductions and facilitation of presidency conferences will not be commercially documentable deliverables beneath the FCPA no matter how they’re invoiced. If the substance of the connection is entry, the association requires escalation, not a inexperienced standing.
- Escalation authority impartial of income management. Case B illustrates the exact failure mode: Compliance flagged the priority; the enterprise overrode it. In GCC deal contexts, the place relationship logic and business strain each favor continuing, a compliance operate whose escalation path runs by way of senior administration has no authority. Impartial escalation to the audit committee or board on GCC government-facing transactions particularly is a structural requirement, not a choice.
- Upstream horizon assessment, not transaction-triggered assessment. In GCC procurement, the decisive affect happens earlier than the formal course of: which firms are invited to tender, which specs are written, which analysis standards are utilized. A compliance assessment triggered by a contract award is auditing the end result of a choice that was made 18 months earlier in a majlis, at an iftar or by way of an middleman whose engagement predated the RFP by two years. Efficient controls require a horizon-level assessment of which authorities relationships are being cultivated, what worth is being exchanged and what procurement choices are anticipated to observe.
With FCPA enforcement resuming on the DOJ following the 2025 pause, compliance professionals working in GCC markets will not be going through a brand new danger. They’re going through a documented danger that 4 main enforcement actions have already priced. The calibration drawback is just not technical. It’s a failure to know {that a} management framework constructed for one business surroundings can’t be deployed in a structurally completely different one with out first mapping the distinction.
