Security Intelligence

Anti-Corruption Compliance Fieldwork Security | CloseProtectionHire

Q: "What personal security risks do anti-corruption compliance teams face during fieldwork?"

"Anti-corruption compliance officers and due diligence investigators face a specific risk profile that combines the general elevated security environment of P1 cities with the specific adversarial dynamic created by investigating or assessing parties who have a direct interest in the outcome. Transparency International CPI 2024 (Corruption Perceptions Index) rates Somalia (11), Venezuela (13), Syria (13), and South Sudan (13) at the lowest end; P1 cities Lagos (Nigeria, CPI 32), Bogota (Colombia, CPI 41), Manila (Philippines, CPI 34), Nairobi (Kenya, CPI 31), Karachi (Pakistan, CPI 29), and Jakarta (Indonesia, CPI 34) all fall in the range where corruption of public officials, including law enforcement, is a genuine risk to investigators. Control Risks Corporate Compliance 2025 identifies three investigator-specific risk categories: targeted obstruction by the investigation subject through law enforcement or regulatory contacts; physical intimidation of local staff or local interview subjects; and, in markets with organised crime penetration of the public sector, escalation from administrative obstruction to physical threat. The TRACE Bribery Risk Matrix 2024 provides a country-level assessment of commercial bribery risk, regulatory enforcement risk, and civil society and press freedom -- the latter two being particularly relevant to the operating environment for compliance investigators."

Q: "What are the UK and US legal frameworks that drive anti-corruption compliance fieldwork?"

"The Bribery Act 2010 (UK) and the Foreign Corrupt Practices Act (FCPA, 15 U.S.C. ss.78dd-1 to 78dd-3, 1977) are the two primary instruments driving corporate anti-corruption compliance programmes that require fieldwork in P1 markets. The Bribery Act 2010 s.7 creates a corporate offence of failure to prevent bribery, with a statutory defence of having in place 'adequate procedures' designed to prevent bribery. The Ministry of Justice Guidance on the Bribery Act 2010 identifies six principles for adequate procedures: proportionate procedures, top-level commitment, risk assessment, due diligence, communication, and monitoring and review. Fieldwork is required to satisfy the due diligence and risk assessment principles for high-risk markets. The FCPA prohibits US issuers and domestic concerns from paying bribes to foreign officials and requires accurate books and records; DOJ Criminal Division Guidance on the Evaluation of Corporate Compliance Programs (2023 revised edition) expects demonstrated evidence-gathering processes including documented interviews and third-party vetting. The OECD Anti-Bribery Convention 1997 -- ratified by 44 states including the UK and US -- requires state parties to criminalise the bribery of foreign public officials, creating the legal basis for enforcement actions that target companies whose compliance programmes were inadequate."

Q: "What happened to the Mintz Group in Beijing and what are the security implications?"

"In March 2023, five Chinese national staff of US corporate intelligence firm Mintz Group were detained by authorities in Beijing during a raid on the company's office. The detentions were reported to be under suspicion of 'conducting operations without permission' -- a formulation that remained unspecified. The timing preceded, by approximately four months, the revision of the Counter-Espionage Law that came into effect in July 2023. The revised law expanded the definition of espionage to include transferring 'data relating to national security and interests,' a phrase broad enough to potentially encompass due diligence activities involving Chinese entities, state-adjacent companies, or sectors designated as sensitive by PRC authorities. The security implications are direct: any compliance due diligence activity in China that involves in-person interviews, document collection, or data gathering on Chinese entities should be assessed against the question of whether the activity could be characterised under the revised law. The recommended approach -- reflected in updated guidance from Control Risks, Kroll, and international law firms operating in China -- is to maximise remote evidence collection, use local counsel as intermediaries rather than direct investigators where fieldwork is necessary, ensure that no single local national employee is the sole custodian of sensitive findings, and encrypt all findings before transmission to headquarters."

Q: "How should compliance investigators protect evidence and sources during P1 city fieldwork?"

"Evidence and source protection in P1 city compliance fieldwork requires the same disciplines as hostile-environment journalism and conflict-zone investigation, adapted for a corporate legal context. Kroll Due Diligence 2024 recommends: encrypted transmission of findings from the field -- no emailing of unencrypted interview notes or document scans from local networks; device security aligned with NCSC overseas travel guidance (clean devices for high-surveillance markets, no full client data on travel devices, AES-256 encryption, power-down rather than sleep at border crossings); source separation (interview subjects should not be identified in field notes by their real names until the notes are transmitted to a secure server -- use assigned reference numbers); meeting security (interviews in neutral locations, not in the subject's office or a hotel lobby with open sightlines, no use of hotel business centre computers); and check-in protocol (a named headquarters contact, check-in at departure and arrival for all field meetings, defined escalation procedure if a check-in is missed). The TRACE Bribery Risk Matrix 2024 provides a per-country assessment that identifies the specific government sectors most commonly associated with bribery risk -- this is the starting point for identifying the specific areas of investigation that create the greatest adversarial exposure."

Q: "What are the indicators that a compliance investigation may have been compromised?"

"Indicators that a compliance investigation has been compromised -- that the subject is aware of the investigation or has access to information about its scope or personnel -- include: unexpected changes in behaviour by the subject (increased documentation destruction, unusual data access patterns, personnel changes that remove key witnesses) that coincide with the investigation start; contact by the subject or the subject's legal representatives with the investigation team before any formal disclosure has been made; approaches to investigation staff by unknown third parties presenting as potential intermediaries; and, in P1 markets, interactions with local law enforcement that suggest the subject has made contact with police. Control Risks 2025 notes that in markets with high CPI scores, a subject aware of a compliance investigation may use law enforcement contacts to delay, obstruct, or expose the investigation team -- creating a legal risk for investigators in addition to the security risk. The appropriate response to a potential compromise is to review the circle of knowledge around the investigation immediately, assess whether any digital systems have been accessed by unauthorised parties, and consider whether the investigation scope or methodology needs to change. Where evidence of tampering with a witness or obstruction of a legal process is identified, legal advice on the reporting obligations should be obtained promptly."

Security guide for anti-corruption compliance teams conducting due diligence fieldwork in high-risk markets. Covers Bribery Act 2010, FCPA, Mintz Group detention, TI CPI 2024, and P1 city investigation security.

12 May 2026

Written by James Whitfield, Senior Security Consultant

Speak to the Team

Anti-corruption compliance fieldwork sits at the intersection of corporate legal obligation, personal security risk, and geopolitical exposure. Compliance teams conducting due diligence in high-risk markets are not simply verifying financial statements and checking reference lists. They are collecting evidence in environments where the subjects of their inquiries have significant motivation, and often significant resources, to prevent that evidence from being gathered.

The Bribery Act 2010 (UK) and the Foreign Corrupt Practices Act (US) both require organisations to demonstrate that their anti-corruption compliance programmes are active and documented. In practice, this means fieldwork – interviews, document review, on-site observation – conducted in the markets where the corruption risk is highest. Those markets are, by definition, the ones where compliance investigators face the most difficult operating environment.

The Legal Obligation for Fieldwork

The Bribery Act 2010, s.7 creates a corporate offence of failure to prevent bribery. The offence is committed when an associated person of the organisation bribes another person intending to obtain or retain business for the organisation. There is no requirement for the company to have known about or authorised the bribe – the offence is strict liability with a single defence: the organisation had in place adequate procedures designed to prevent the bribery.

The Ministry of Justice Guidance on the Bribery Act 2010 specifies six principles for adequate procedures, including risk assessment and due diligence. The due diligence principle requires proportionate, risk-based procedures to be applied to persons who perform services for or on behalf of the organisation – particularly in markets where bribery risk is elevated. In practice, this means that for any third-party relationship in a market with a Transparency International CPI score below approximately 40-50, documented due diligence is a component of the adequate procedures defence.

The FCPA applies to US issuers, domestic concerns, and any persons acting within US territory. Its books and records provisions require accurate documentation of transactions. The DOJ Criminal Division Guidance on the Evaluation of Corporate Compliance Programs (2023 edition) assesses whether a company’s compliance programme is effective by asking: is it designed to detect the particular types of misconduct most likely to occur in the company’s business? That standard requires demonstrated, evidence-based risk assessment of specific markets – not a generic policy statement.

The OECD Anti-Bribery Convention 1997 created the legal basis for enforcement cooperation between the UK, US, Germany, France, Switzerland, and 40 other state parties. An enforcement action in one jurisdiction can draw on evidence gathered by authorities in another. For corporate compliance teams, this means that a well-documented due diligence programme is not just protection against domestic enforcement – it is also the defence in a multi-jurisdictional investigation.

Market Risk Assessment: TI CPI and TRACE

Transparency International’s Corruption Perceptions Index (CPI) 2024 provides a baseline for identifying the markets where compliance fieldwork carries the highest adversarial risk. A CPI score below 40 (on a 0-100 scale where 100 is very clean) indicates that public sector corruption is perceived as widespread. P1 city scores: Nigeria 32, Pakistan 29, Kenya 31, the Philippines 34, Indonesia 34, Thailand 35, Russia 26, Bogota/Colombia 41, Mexico City/Mexico 31, Mumbai/India 39.

The TRACE Bribery Risk Matrix 2024 provides a more granular assessment that identifies specific sectors within each market where bribery is most concentrated – typically customs/border services, procurement, and regulatory licensing. For compliance investigators, the TRACE sector-specific data identifies which parts of a counterparty’s business relationships carry the highest investigation priority and the highest adversarial exposure if the investigation becomes apparent.

The Mintz Group Detention: PRC-Market Framework

In March 2023, five Chinese national staff of US corporate intelligence firm Mintz Group were detained during a Beijing office raid. The Counter-Espionage Law revised in July 2023 expanded the definition of espionage to include transferring documents, data, or materials relating to national security and national interests – a phrase broad enough to encompass due diligence activities involving Chinese entities in designated sensitive sectors.

Control Risks, Kroll, and international law firms operating in China updated their PRC-market frameworks following this development. The current approach for PRC-market compliance investigations:

Maximise remote evidence collection: public records, satellite imagery, open-source corporate registry data, and UK/US litigation records are accessible without PRC-side presence
Use PRC-licensed law firms as intermediaries for any local inquiries, rather than corporate investigators directly
Ensure that local national staff are not sole custodians of sensitive findings and that all findings are encrypted before storage
Apply clean device protocols (per NCSC/FBI/CISA 2023 joint advisory) for any travel to China by compliance personnel
Obtain legal advice from PRC-qualified counsel before any fieldwork step that involves contacting a Chinese public official, a state-adjacent entity, or a party in a designated sensitive sector

Field Security Protocol

For P1 city compliance fieldwork outside China, the security protocol has five components:

Device security. Travel devices should contain only the minimum data required for the specific fieldwork – not the full investigation file. Full-disk encryption (AES-256), a strong passphrase (not biometric at border crossings), and remote wipe capability are baseline requirements. Field notes should be stored encrypted and transmitted to a secure headquarters server, not held locally on the travel device for the duration of the trip.

Meeting security. Interviews with local contacts, potential witnesses, or intermediaries should take place in neutral locations – not in the subject’s office or in a hotel lobby with open sightlines. Hotel business centre computers should not be used for any investigation-related work. Where possible, use mobile data (local SIM) rather than hotel Wi-Fi for any field communications.

Source separation. Interview subjects should not be identified by name in field notes that travel on the investigator’s device. Reference codes, cross-referenced against an identifier file held at headquarters, protect witnesses if the device is examined or seized.

Check-in protocol. A named headquarters contact should be briefed on the field schedule. Check-in at departure and arrival for each interview location. Define the escalation procedure for a missed check-in before the trip begins.

Legal exposure assessment. Before conducting any interview or document collection in a P1 city, obtain legal advice on whether the specific activity is lawful under local law. In markets with Counter-Espionage Law analogues – China, Russia, Vietnam, Belarus – the definition of permissible information gathering may be significantly narrower than in the UK or EU.

For the broader framework of security due diligence for business partnerships, see the related article on security due diligence for business partnerships. For the specific risks facing corporate investigators in high-risk markets, see security for whistleblowers and corporate investigators.

James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, threat assessment, and corporate security across the UK and internationally.

Summary

Key takeaways

TI CPI 2024 scores below 40 indicate markets where compliance fieldwork carries specific adversarial risk

Transparency International's Corruption Perceptions Index measures perceived corruption in the public sector. Countries scoring below 40 -- which includes Nigeria (32), Pakistan (29), the Philippines (34), and Kenya (31) -- indicate environments where corruption of law enforcement and regulatory bodies is sufficiently common that investigators cannot rely on official processes for protection. This does not prevent fieldwork; it means that the fieldwork methodology must account for the adversarial use of official channels by investigation subjects.

The Bribery Act 2010 s.7 adequate procedures defence requires documented due diligence

The corporate offence of failure to prevent bribery has no intent requirement -- if a bribe is paid by an associated person, the corporate offence is committed unless the company can demonstrate adequate procedures. Documented due diligence -- including fieldwork-sourced evidence about third parties in high-risk markets -- is a core component of the adequate procedures defence. Compliance fieldwork is not a discretionary investment; it is the evidentiary foundation of the defence that protects the company from corporate criminal liability.

Clean device discipline for China and Russia fieldwork is non-negotiable

The FBI/NCSC/CISA joint advisory of January 2023 confirmed that PRC state actors conduct targeted device intrusion against corporate visitors. For compliance investigators travelling to China or Russia with sensitive investigation materials, the minimum security protocol is a dedicated clean travel device, no corporate network connection on the travel device, and encrypted storage for any field notes. The Counter-Espionage Law 2023 creates a specific additional risk: device examination by Chinese authorities at border crossings may be characterised as lawful security inspection under the revised law.

Witness security planning must happen before first contact in high-risk markets

In markets where the investigation subject has resources and motivation to intimidate witnesses, making contact with a potential witness without first assessing the security implications of doing so can put that person at risk. Kroll's framework for P1 city compliance fieldwork requires a pre-contact security assessment for each interview subject: what is their exposure to the investigation subject? What are their existing vulnerabilities? Can the interview be conducted remotely? What support can be offered if threats emerge after contact is made?

Source separation in field notes protects witnesses if notes are compromised

Interview notes that identify witnesses by name, in plaintext, on a device that travels through P1 city airports and border crossings, represent an unacceptable risk to those witnesses if the device is seized. Using reference codes for interview subjects in field notes -- cross-referenced against a separately encrypted identifier file that never leaves headquarters -- limits the consequence of any single point of compromise.

FAQ

Frequently Asked Questions

Anti-corruption compliance officers and due diligence investigators face a specific risk profile that combines the general elevated security environment of P1 cities with the specific adversarial dynamic created by investigating or assessing parties who have a direct interest in the outcome. Transparency International CPI 2024 (Corruption Perceptions Index) rates Somalia (11), Venezuela (13), Syria (13), and South Sudan (13) at the lowest end; P1 cities Lagos (Nigeria, CPI 32), Bogota (Colombia, CPI 41), Manila (Philippines, CPI 34), Nairobi (Kenya, CPI 31), Karachi (Pakistan, CPI 29), and Jakarta (Indonesia, CPI 34) all fall in the range where corruption of public officials, including law enforcement, is a genuine risk to investigators. Control Risks Corporate Compliance 2025 identifies three investigator-specific risk categories: targeted obstruction by the investigation subject through law enforcement or regulatory contacts; physical intimidation of local staff or local interview subjects; and, in markets with organised crime penetration of the public sector, escalation from administrative obstruction to physical threat. The TRACE Bribery Risk Matrix 2024 provides a country-level assessment of commercial bribery risk, regulatory enforcement risk, and civil society and press freedom – the latter two being particularly relevant to the operating environment for compliance investigators.

The Bribery Act 2010 (UK) and the Foreign Corrupt Practices Act (FCPA, 15 U.S.C. ss.78dd-1 to 78dd-3, 1977) are the two primary instruments driving corporate anti-corruption compliance programmes that require fieldwork in P1 markets. The Bribery Act 2010 s.7 creates a corporate offence of failure to prevent bribery, with a statutory defence of having in place ‘adequate procedures’ designed to prevent bribery. The Ministry of Justice Guidance on the Bribery Act 2010 identifies six principles for adequate procedures: proportionate procedures, top-level commitment, risk assessment, due diligence, communication, and monitoring and review. Fieldwork is required to satisfy the due diligence and risk assessment principles for high-risk markets. The FCPA prohibits US issuers and domestic concerns from paying bribes to foreign officials and requires accurate books and records; DOJ Criminal Division Guidance on the Evaluation of Corporate Compliance Programs (2023 revised edition) expects demonstrated evidence-gathering processes including documented interviews and third-party vetting. The OECD Anti-Bribery Convention 1997 – ratified by 44 states including the UK and US – requires state parties to criminalise the bribery of foreign public officials, creating the legal basis for enforcement actions that target companies whose compliance programmes were inadequate.

In March 2023, five Chinese national staff of US corporate intelligence firm Mintz Group were detained by authorities in Beijing during a raid on the company’s office. The detentions were reported to be under suspicion of ‘conducting operations without permission’ – a formulation that remained unspecified. The timing preceded, by approximately four months, the revision of the Counter-Espionage Law that came into effect in July 2023. The revised law expanded the definition of espionage to include transferring ‘data relating to national security and interests,’ a phrase broad enough to potentially encompass due diligence activities involving Chinese entities, state-adjacent companies, or sectors designated as sensitive by PRC authorities. The security implications are direct: any compliance due diligence activity in China that involves in-person interviews, document collection, or data gathering on Chinese entities should be assessed against the question of whether the activity could be characterised under the revised law. The recommended approach – reflected in updated guidance from Control Risks, Kroll, and international law firms operating in China – is to maximise remote evidence collection, use local counsel as intermediaries rather than direct investigators where fieldwork is necessary, ensure that no single local national employee is the sole custodian of sensitive findings, and encrypt all findings before transmission to headquarters.

Evidence and source protection in P1 city compliance fieldwork requires the same disciplines as hostile-environment journalism and conflict-zone investigation, adapted for a corporate legal context. Kroll Due Diligence 2024 recommends: encrypted transmission of findings from the field – no emailing of unencrypted interview notes or document scans from local networks; device security aligned with NCSC overseas travel guidance (clean devices for high-surveillance markets, no full client data on travel devices, AES-256 encryption, power-down rather than sleep at border crossings); source separation (interview subjects should not be identified in field notes by their real names until the notes are transmitted to a secure server – use assigned reference numbers); meeting security (interviews in neutral locations, not in the subject’s office or a hotel lobby with open sightlines, no use of hotel business centre computers); and check-in protocol (a named headquarters contact, check-in at departure and arrival for all field meetings, defined escalation procedure if a check-in is missed). The TRACE Bribery Risk Matrix 2024 provides a per-country assessment that identifies the specific government sectors most commonly associated with bribery risk – this is the starting point for identifying the specific areas of investigation that create the greatest adversarial exposure.

Indicators that a compliance investigation has been compromised – that the subject is aware of the investigation or has access to information about its scope or personnel – include: unexpected changes in behaviour by the subject (increased documentation destruction, unusual data access patterns, personnel changes that remove key witnesses) that coincide with the investigation start; contact by the subject or the subject’s legal representatives with the investigation team before any formal disclosure has been made; approaches to investigation staff by unknown third parties presenting as potential intermediaries; and, in P1 markets, interactions with local law enforcement that suggest the subject has made contact with police. Control Risks 2025 notes that in markets with high CPI scores, a subject aware of a compliance investigation may use law enforcement contacts to delay, obstruct, or expose the investigation team – creating a legal risk for investigators in addition to the security risk. The appropriate response to a potential compromise is to review the circle of knowledge around the investigation immediately, assess whether any digital systems have been accessed by unauthorised parties, and consider whether the investigation scope or methodology needs to change. Where evidence of tampering with a witness or obstruction of a legal process is identified, legal advice on the reporting obligations should be obtained promptly.

Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.