Cartels, Terrorism, and US Enforcement: A Shift in Risk Classification
(Click on image for to watch the full recording)
The US and Mexico maintain deep economic ties, with most major US corporations and financial institutions operating in or trading with Mexico. However, the compliance risk landscape has changed. Mexican cartels are now treated as equivalent to terrorist organizations—appearing alongside Al-Qaeda, Hezbollah, and Hamas in U.S. enforcement narratives.
This has serious implications. US regulators expect financial institutions to apply the same enhanced risk frameworks used in high-risk jurisdictions like Lebanon or Gaza—not just when operating in Mexico, but when transacting with Mexican entities. Exposure doesn’t require a physical presence—trade alone is sufficient.
Under the Trump administration, the policy became explicit: how you mitigate the risk is up to you—but failing to mitigate it is not an option.
TFTP: A Counter-Terrorism Tool with Direct Impact on Financial Institutions
The Terrorist Finance Tracking Program (TFTP) was launched after 9/11 to identify and disrupt terrorist financing. The premise was that targeting a small number of financial facilitators could dismantle broader networks. To enable this, the US gained access to SWIFT messaging data, allowing Treasury analysts to trace suspicious financial activity.
How it works:
Legal Authority: Under Executive Order 13224, analysts must show a nexus between a financial search and a designated terrorist entity, meaning they must justify why a specific search through SWIFT relates to a sanctioned terrorist entity.
Search Scope: The connection can be indirect—any plausible link between a suspicious party and a sanctioned entity qualifies for searchData Access: Once justified, the analyst can review all SWIFT messages tied to the subject of the search.
This tool gives the government sweeping access to financial data where a terrorism nexus can be claimed.
What this means for compliance leaders
When cartels are designated as terrorists, TFTP authorities apply.
Once a cartel is designated as a terrorist group, TFTP authorities come into play, significantly raising the stakes and the level of scrutiny when you're doing business in high-risk regions or with counterparties tied to cartel operations. This isn’t a routine exam from the OCC or the Fed. It’s proactive surveillance by counter-terrorism agencies. It’s the government proactively reviewing data and then approaching institutions in a more aggressive, enforcement-oriented way.
For financial institutions with exposure to Mexico or Mexican counterparties traditional AML frameworks may no longer be sufficient.
Civil liability: Beyond OFAC and the Department of Justice
When it comes to cartel exposure, regulatory risk is only part of the equation. The Anti-Terrorism Act (ATA) opens the door to civil lawsuits. Under the ATA, victims of cartel-related violence can sue U.S. companies if they’re found to have provided material support—even unintentionally—to those groups. There are two primary payment scenarios that create risk:
Extortion payments: When companies knowingly pay cartels for “protection.”
Third-Party exposure: When customers, vendors, or counterparties are affiliated with cartel networks.
In both cases, the payment can be interpreted as aiding and abetting violent activity. That opens the door to civil litigation and liability under the ATA.
The Data Gap and Screening Challenges in Mexico
Conducting effective screening in Mexico poses unique challenges, such as:
Challenge 1: Unreliable identifiers
Due to cultural naming conventions, individuals commonly use multiple surnames or name combinations, making static identifier matching unreliable. This increases the risk of false negatives in name-based screening.
Challenge 2: The cartel sanctions gap
When it comes to cartel exposure, OFAC’s Specially Designated Nationals (SDN) list is only the beginning. The US has sanctioned numerous cartel members and networks through the SDNT and SDNTK programs. However, these lists cover roughly 3,000 names, while estimates suggest over 100,000 individuals and entities may be tied to cartel operations across Mexico.
Compounding the issue, cartels don’t maintain org charts. As a result, reliable data is scarce. Affiliated actors often operate under opaque ownership structures. This creates a major disconnect between sanctioned parties and the full scope of exposure. Financial institutions are expected to fill that gap—despite limited official data.
Challenge 3: Screening complexity
The US classification of cartels as terrorist entities introduces a dual challenge:
Breadth: Similar to sectoral sanctions in terms of reach.
Severity: Equivalent to terrorism designations under TFTP authority.
In practice, compliance teams must navigate the worst of both worlds—expansive risk with limited visibility and heightened regulatory scrutiny under counter-terrorism frameworks.
What’s Expected of Financial Institutions?
US regulators don’t expect you to rely solely on government lists. In high-risk jurisdictions like Mexico, the responsibility of implementing a risk-based compliance approach and tighter screening controls to address known blind spots lies with financial institutions.
Modern screening solutions like Castellum.AI can help bridge these gaps by incorporating:
Advanced adverse media screening to identify reputational and criminal risk.
Ultimate beneficial ownership intelligence to uncover hidden ties to sanctioned or high-risk entities.
Advanced Adverse Media Screening
In a jurisdiction like Mexico—where enforcement pressure is high, and traditional data is limited—adverse media screening is an essential intelligence layer that can make the difference between early risk detection and regulatory exposure.
At a minimum, your solution must:
Include comprehensive coverage of Mexico
Index Spanish-language sources
But baseline coverage is not enough. The value lies in granularity and speed.
Granular Risk Categories: Beyond the Checkbox
Generic “adverse media” flags aren't adequate. Screening results must be highly targeted to be useful. Compliance teams need the ability to filter by specific risk categories—such as bribery, corruption, homicide, criminal conspiracy and more. You want to surface relevant risks—not irrelevant mentions of topics like pollution or municipal waste. Precision matters.
Solutions like Castellum.AI provide more than 100 granular risk categories, enabling compliance teams to pinpoint exactly the type of exposure that aligns with their institution’s risk appetite and regulatory obligations. Results are delivered in both English and Spanish, and you always get the full original article, not just a snippet or broken link.
Real-Time Intelligence, Not Outdated Summaries
Speed is equally critical. Legacy providers often depend on manual workflows in which human analysts review articles and summarize content. While sometimes insightful, this approach is incomplete and slow. If the analyst missed the story, it doesn’t exist in the system.
Modern platforms take a fundamentally different approach. Castellum.AI, for example:
Works directly with publishers, not web scrapers
Ingests articles instantly upon publication
Uses advanced language models to tag and categorize content in real time (e.g., “crime and corruption”)
Automatically extracts key entities, such as victim, perpetrator, and bystander, and assigns them to relevant risk categories.
This ensures that institutions get immediate visibility into emerging risks, organized by relevance, filtered by risk type, and available for automated screening.
Beneficial Ownership Intelligence
The second critical layer of risk intelligence is beneficial ownership data. Ownership records are often stored in fragmented, closed registries. In some cases, accessing them requires in-person retrieval of physical documents. Yet without visibility into ownership structures, institutions risk missing links to sanctioned entities and cartel-affiliated individuals. Needless to say, in jurisdictions like Mexico, it’s notoriously difficult to obtain.
Under U.S. sanctions law, two core questions determine exposure:
Ownership or interest test: Does a sanctioned cartel member, directly or indirectly, own or control the entity?
Benefit test: Even without ownership, will the cartel benefit from the transaction in any way (for example: goods, services, financing, or technology)?
If the answer to either question is yes—even through multiple layers—the US entity may be in violation. Proximity doesn’t matter. Benefit does.
Bridging the Gap with Data-Driven Ownership Insights
Solutions like Castellum.AI help compliance teams close this visibility gap without deploying people on the ground. Here’s how we do it:
Licensed ownership data: Castellum.AI sources high-quality, frequently updated ownership records from trusted partners.
Cross-referenced risk intelligence: Ownership data is automatically connected to sanctions lists and adverse media sources.
For example: If a Mexican company lists Juan Alberto as an owner and Juan Alberto appears on the SDN list, Castellum.AI identifies that link. This real-time connection between public ownership records and global risk databases allows institutions to detect indirect exposure that traditional systems often miss.
Moreover, we don’t stop at a single layer of ownership. If the ownership chain spans a Mexican company, an investment vehicle in Spain, and a fertilizer company in Belarus, we’ll show the entire structure—no matter how many degrees of separation are involved.
This level of transparency closes the gap between what’s public and knowable, giving your institution the visibility needed to identify hidden risk and meet regulatory expectations.
Why Real-Time Screening and Audit Trails Matter
In today’s enforcement environment, compliance leaders must be able to prove that they had the right controls in place at the moment of the transaction. This is your best defense against both regulatory penalties and civil litigation. Real-time screening tools provide: immediate risk visibility, a defensible audit trail, and the evidence that your institution took proactive steps to prevent material support to illicit groups.
What leading institutions are doing
Major US financial institutions are already responding to recent designation changes in several ways, such as:
Blocking more Mexico-related transactions
Expanding enforcement logic across banks as well as originators and beneficiaries
Implementing real-time cartel exposure triggers and risk-based screening parameters as part of standard screening protocols
This is no longer just about regulatory compliance. The civil, criminal, and reputational stakes are rising, and institutions that fail to act risk far more than fines.