Millicom International Cellular, the Luxembourg-incorporated telecoms group behind the Tigo brand in Latin America, has agreed a two-year deferred prosecution agreement (DPA) with the US Department of Justice (DOJ) to resolve a long-running foreign bribery investigation tied to its Guatemalan business. The matter was resolved through its Guatemalan subsidiary, Comunicaciones Celulares S.A. (doing business as TIGO Guatemala), which paid a $60m criminal penalty and around $58.2m in forfeiture, totalling just over $118m.
It is a case compliance teams should read carefully, not because the fact pattern is unusual, but because it highlights three realities that keep catching organisations out:
- joint venture risk does not disappear when “local partners” have operational control
- regulators can reopen matters if new evidence surfaces
- strong remediation can materially reduce penalties, but it is not a substitute for effective controls upfront
What happened?
According to DOJ, between 2012 and 2018 TIGO Guatemala engaged in a widespread bribery scheme, described as involving monthly cash payments to Guatemalan members of Congress (or members of their security teams) in exchange for support for legislation that benefited the company. DOJ also alleges that some cash used for bribes came from laundered narcotrafficking proceeds.
The company’s public statement says Millicom voluntarily reported alleged improper payments to US authorities in 2015, but that it lacked operational control at the time, attributing the misconduct to a local partner. DOJ’s press release adds an important detail: during the first phase of the investigation, the then-Guatemalan shareholder used its operational control to block access to information and prevent meaningful remediation, and DOJ closed that initial phase in 2018.
DOJ then says it obtained new evidence from other sources, reopened the investigation in 2020, and ultimately resolved the matter via a two-year DPA (shorter than the traditional three-year term).
The resolution, in plain terms
Under the DPA, TIGO Guatemala:
- paid a $60m criminal penalty
- agreed $58,198,343 in administrative forfeiture (estimated benefits derived from the improper payments)
- agreed to continue cooperating with DOJ and to report on remediation and compliance enhancements during the DPA term
Millicom’s announcement also states DOJ did not require a corporate monitor, and that the fine reflected the maximum discount available under DOJ policy (a 50% reduction off the bottom end of the applicable Sentencing Guidelines range), citing extensive cooperation and remediation.
Why this matters for compliance teams
1) Joint ventures are not a compliance “shield”
A familiar defence appears in many cross-border corruption investigations: the parent company claims the problem sat with a local partner that controlled the operation.
Sometimes that is factually true. It is also operationally irrelevant if your name, your capital, your board oversight, and your US or UK nexus keep you in scope.
The lesson is not “never do JVs”. It is that JV governance needs to be designed as if you will one day need to prove, with documents, that you had:
- visibility over transactions and third parties
- control over high-risk spend
- audit rights, data access, and the ability to compel cooperation
- a genuine ability to stop the bleeding, fast
In regulated sectors like telecoms, where legislative and licensing decisions can directly affect revenue, your exposure to “government touchpoints” is structural. If you cannot oversee how those touchpoints are handled, you have a built-in bribery risk.
2) “Closed” does not always mean finished
DOJ’s account is explicit: the investigation was closed in 2018, then reopened in 2020 after new evidence emerged, including information indicating the conduct continued and involved narcotrafficking proceeds.
That is a practical reminder for organisations that treat a paused inquiry as a resolved one. If the underlying risk is still present, or if your controls have not materially changed, the problem can come back, and it can come back worse.
3) Remediation can change outcomes, but it has to be credible
DOJ lists a long set of remediation steps post-2021, after Millicom acquired full ownership and control, including terminations, changes in management and compliance staffing, enhanced third-party onboarding and monitoring, data analytics, controls testing, restrictions around ephemeral messaging, and an extensive training campaign.
You do not need an 800% compliance headcount increase to take the point. What DOJ is signalling is that it rewards organisations that can demonstrate:
- a root cause analysis (what failed, why, and how you fixed it)
- specific controls, tested for effectiveness
- accountability, including consequences for misconduct
- ongoing monitoring that produces evidence, not just policies
Five practical lessons to apply now
1) Map your “government touchpoints” and treat them as a control environment
Create a simple inventory of where your organisation interacts with government officials or state-linked entities, including:
- licensing, inspections, permits, and renewals
- customs and tax interactions
- legislative or regulatory engagement
- public procurement, tenders, and contract variations
- enforcement actions, investigations, or disputes
Then align controls to each touchpoint, rather than relying on generic anti-bribery language.
2) Remove cash vulnerability and “off-book” risk
The allegations here involve repeated cash payments. Cash is not inherently corrupt, but it is inherently hard to evidence and easy to misuse.
If your business still relies on cash or cash-like instruments in high-risk markets, you need tighter guardrails:
- documented business rationale
- thresholds and approvals
- dual sign-off and segregation of duties
- reconciliations and periodic sampling
- third-party verification where feasible
3) Build JV and acquisition agreements that force compliance access
If you do business via JVs or minority stakes, bake in compliance rights from day one:
- contractual audit rights and access to books and records
- rights to conduct investigations and forensic reviews
- requirements for partner cooperation with regulators
- immediate suspension rights for high-risk third parties
- clear exit options if corruption risk becomes unmanageable
This is not “legal overreach”. It is an operational survival tool.
4) Treat third parties as the frontline, not an afterthought
Most bribery risk is outsourced. The controls need to reflect that:
- risk-tier third parties (who touches government, who handles permits, who pays fees)
- enforce a standard onboarding pack (beneficial ownership, references, sanctions checks, adverse media, scope of work)
- monitor payments for red flags (round sums, unusual urgency, weak invoices, split payments, high commissions)
- review and re-approve periodically, not once
5) Get serious about evidence: training, monitoring, reporting
If enforcement is moving quickly, you need to be able to prove what you did, not simply state what your policy says.
That means:
- targeted training for high-risk roles (sales, government-facing teams, finance, procurement)
- a usable speak-up channel, plus a clear non-retaliation stance
- tracking of policy breaches and investigations
- documented remedial actions, with timelines and owners