Applying a Western compliance framework can obscure the tell-tale signs of fraud and corruption in Gulf Cooperation Council markets. Majid Mumtaz, an internal audit and governance leader in the GCC, explores these challenges through the lens of four cases spanning more than a decade that reveal why controls in place weren’t calibrated for gulf cultural, economic and political norms.
Over the past decade, four Western multinationals paid a combined total exceeding $5 billion to resolve FCPA violations connected to Gulf Cooperation Council (GCC) markets. In each case, a compliance program was operational. Due diligence files were complete. Audit committees received clean reports. The controls ran, and they certified as compliant what was not actually compliant.
The standard explanation is that the companies evaded their controls. The more accurate explanation, supported by the enforcement record, is that the controls were not designed for the commercial environment they were applied to. Each failure maps to a specific feature of GCC commercial architecture that has no equivalent in the Western markets where these frameworks were built. Until compliance professionals understand those features, they will continue running thermometers to measure wind speed.
Why GCC commercial architecture is structurally different
Before examining the enforcement cases, three features of Persian Gulf commercial architecture require context because they are the source of the calibration gap. Not because they are inherently corrupt, but because they make corrupt and legitimate transactions look identical to a Western compliance framework.
Mandated intermediary structures. Commercial agency laws across the GCC require foreign companies to engage local agents, sponsors or distributors for most categories of commercial activity. The intermediary is not optional. It is a legal requirement. When a foreign company pays a local agent 15% of a government contract value, that payment is on its face completely legitimate, and it is the same structure a corrupt payment would use. There is no external marker that distinguishes them.
Wasta as commercial credential. Wasta, the system of personal relationships and reciprocal obligation, is not a deviation from how GCC business works. It is the infrastructure of it. Personal connection to government decision-makers is a genuine commercial credential in this market. A well-connected family office representative or a royal-circle adviser provides real, legal commercial value through their networks. The corrupt version of that arrangement is structurally identical. A due diligence check that finds a ruling family-connected agent has found exactly what companies hire in these markets. It cannot distinguish that from a corrupt arrangement because the distinction is not in the structure. It is in what moves inside it.
State-owned entity (SOE) dominance. The GCC economy is predominantly state-owned. Major telecoms, utilities, energy companies, infrastructure authorities and financial institutions are government entities. Under the FCPA, their employees are foreign officials. This means that in GCC markets, almost every significant commercial relationship is simultaneously a government relationship. A consultant who facilitates access to a state telecoms operator is, by definition, facilitating access to a foreign official. Yet the invoice reads “market development services.” A compliance program calibrated for markets with a clear public-private distinction cannot function in a market where that distinction is structurally absent.
Four cases where the calibration failed
Case A: The agent whose credential was the problem (defense sector, gulf state, 2024)
A US defense contractor appointed a local commercial agent to pursue government defense contracts in a gulf state. The agent’s primary credential was his proximity to the country’s ruling circles, which is precisely what made him commercially valuable in this market. The company paid over $30 million in success fees.
The compliance function completed third-party due diligence: registered entity, valid trade license, no adverse record. Green status.
The GCC nuance the control missed: In this market, proximity to the ruling family is the commercial credential. Due diligence that confirms a well-connected agent has confirmed exactly what the market requires. The control had no tool to ask the next question: Is the agent’s fee justified by documented commercial work, or is it justified entirely by access that required a payment the fee is concealing?
Internal warnings about the lack of technical substance were raised and dismissed because the relationship was viewed as “commercial necessity,” a phrase that in GCC contexts is often the accurate description of how business works and simultaneously the language through which corrupt arrangements are rationalized. The controls had no mechanism to distinguish between the two uses of that phrase.
Discovery came not from internal audit but from new leadership conducting post-acquisition integration reviews. The company resolved the matter for $950 million.
Case B: The legitimate intermediary with a parallel function (oil and gas services, Saudi Arabia and Kuwait, 2021)
A UK-listed oil services company engaged a gulf-based commercial agent to facilitate contracts with national oil companies across the region. The agent was not a shell company. It had a genuine regional office, real staff, documented client relationships and a track record of commercial work across multiple gulf states. Due diligence found a commercially credible, regionally established entity. The relationship was approved.
The GCC nuance the control missed: The agent maintained two parallel functions. The first was legitimate commercial facilitation: introductions, relationship management, bid support. The second was a systematic payments network routing funds to officials at national oil companies in exchange for contract awards. Both functions operated through the same corporate structure, the same personnel and the same commercial relationships. Due diligence that verified commercial legitimacy verified the cover for the parallel function. It had no mechanism to detect the parallel function itself.
This failure is specific to GCC commercial architecture. In a market where genuine intermediary value is delivered through personal relationships with government officials, a corrupt intermediary is not structurally distinguishable from a legitimate one. The legitimate track provides real cover because it is real.
The scheme was exposed when internal communications were obtained by investigative journalists, triggering a UK Serious Fraud Office investigation. The oil services company paid £77 million to resolve the matter. The agent’s principal also pleaded guilty to multiple counts of bribery.
Case C: The official hidden inside the contract (telecoms infrastructure, gulf state, 2019 and 2023)
A European telecoms equipment company secured infrastructure contracts with state-owned operators across multiple gulf markets. Payments were channeled through locally engaged consultants under commercial service agreements. Vendor files were complete. Invoices matched purchase orders. The compliance review found nothing to flag.
The GCC nuance the control missed: In GCC telecoms markets, every major operator is a state-owned entity. The consultants engaged to facilitate access to these operators were, by the FCPA’s own definition, intermediaries with government officials. But the contracts described them as “market development” and “technical advisory” consultants, categories that exist in every market and trigger no suspicion on their own. The control verified the structure. It never asked whether the work described in the invoices was actually performed. In a market where the line between commercial consulting and government facilitation is structurally blurred, that question was the only relevant one.
The fabrication of deliverables went undetected for years until a whistleblower provided an internal email explicitly describing an official’s involvement in a contract award. A secondary enforcement action followed in 2023 when the company was found to have concealed further materials during the monitorship period.
Combined penalties exceeded $1.25 billion.
Case D: 17 years of normal (power infrastructure, gulf state utility, 2014)
A European infrastructure company maintained a network of local consultants across gulf markets to facilitate contracts with state-owned utilities. Consultant engagements were reviewed, renewed and certified annually by the compliance function. For 17 years.
The GCC nuance the control missed: In gulf infrastructure markets, the relationship between a foreign contractor and a state utility is not a series of discrete transactions. It is an ongoing, multi-decade partnership maintained through a continuous relationship infrastructure: consultant networks, hospitality, personal introductions, facilitation of approvals. Every serious infrastructure company operating in these markets maintained equivalent structures. The legitimate and the corrupt versions were operationally identical. Annual compliance reviews that confirmed the consultants were registered and the contracts were signed had no mechanism to test whether the underlying relationship infrastructure involved payments to officials, because the relationship infrastructure itself was indistinguishable from standard practice.
The scheme was not discovered by internal audit. US authorities built the case by charging individual executives first, using evidence from investigations in other jurisdictions. Corporate cooperation followed individual indictments. A pending acquisition by a larger company created additional pressure to resolve.
The settlement exceeded $770 million, still one of the largest FCPA criminal fines.
The nuance that connects all four cases
Each of these cases failed at the same point. The compliance control tested the commercial structure and found it legitimate because, in GCC markets, it was legitimate. The agent was real. The consultants were registered. The contracts existed. The relationship was commercially standard.
What the control never tested was the substance inside the structure: whether the agent’s fee was justified by documented work or by access payments moving inside a sub-arrangement; whether the consultant’s invoice corresponded to work that was actually performed; whether the relationship infrastructure was creating value the company could document or value it could not.
In Western markets, this distinction is easier to draw because there is a baseline. A compliance officer knows what a legitimate consultant engagement looks like in their jurisdiction. They can identify a deviation. In GCC markets, most Western compliance programs have never built that baseline. They cannot identify a deviation from a norm they have never mapped.
The result is compliance certification that reflects procedural adherence, not actual risk coverage. In all four cases above, the compliance program worked as designed. The problem is that the design was wrong for the market.
What a GCC-calibrated control framework requires
Three adjustments address the structural gap.
- Substance review, not structure review. For every intermediary, consultant or advisor engaged in markets with significant government interface, due diligence must require documented evidence of commercial deliverables that justify the fee. Access, introductions and facilitation of government meetings are not commercially documentable deliverables under the FCPA regardless of how they are invoiced. If the substance of the relationship is access, the arrangement requires escalation, not a green status.
- Escalation authority independent of revenue leadership. Case B illustrates the precise failure mode: Compliance flagged the concern; the business overrode it. In GCC deal contexts, where relationship logic and commercial pressure both favor proceeding, a compliance function whose escalation path runs through senior management has no authority. Independent escalation to the audit committee or board on GCC government-facing transactions specifically is a structural requirement, not a preference.
- Upstream horizon review, not transaction-triggered review. In GCC procurement, the decisive influence occurs before the formal process: which companies are invited to tender, which specifications are written, which evaluation criteria are applied. A compliance review triggered by a contract award is auditing the outcome of a decision that was made 18 months earlier in a majlis, at an iftar or through an intermediary whose engagement predated the RFP by two years. Effective controls require a horizon-level review of which government relationships are being cultivated, what value is being exchanged and what procurement decisions are expected to follow.
With FCPA enforcement resuming at the DOJ following the 2025 pause, compliance professionals operating in GCC markets are not facing a new risk. They are facing a documented risk that four major enforcement actions have already priced. The calibration problem is not technical. It is a failure to understand that a control framework built for one commercial environment cannot be deployed in a structurally different one without first mapping the difference.


Majid Mumtaz is a CIA, ACA and FCCA with 20 years of internal audit and governance experience across the GCC. He has served as director of internal audit and audit committee secretary at Kitopi, a cloud-kitchen technology company, and as group director of internal audit and audit committee secretary at Al-Faisaliah Group, a holding company in Saudi Arabia. He advises boards and C-suites on governance and audit transformation across the UAE and KSA.