The most dangerous compliance mistake in 2025 is assuming that fewer enforcement actions mean less exposure. FCPA risk is driven by business operations and control weaknesses, not enforcement statistics. The 2025 enforcement landscape underscores why compliance programs must remain vigilant—even in a slower year.

Third parties remain the dominant risk

Agents, distributors, consultants, and local intermediaries continue to generate the majority of FCPA exposure. Declinations and DPAs in 2025 again traced misconduct to third-party relationships at the local operating level. Risk-tiering, contract controls, payment testing, and continuous monitoring remain essential.

State-owned enterprises are still high-risk

Commercial dealings with state-owned or state-controlled entities continue to trigger FCPA exposure. Licensing, procurement, customs, logistics, and government-adjacent customers remain core risk areas. Compliance programs must continue to map government touchpoints and apply heightened controls.

Books-and-records risk has not diminished

Even where DOJ narrows anti-bribery priorities, accounting controls and recordkeeping remain enforcement tools. Vague descriptions, unsupported rebates, marketing expenses, or intercompany adjustments still create exposure. Weak accounting controls are often the mechanism that turns misconduct into an enforcement case.

Gifts, travel, and hospitality remain early warning signals

DOJ may deprioritize minor courtesy cases, but hospitality remains one of the most reliable leading indicators of problematic relationships. Weak controls here eliminate early detection and allow risk to mature undetected.

The Liberty Mutual declination is a reminder that DOJ continues to reward timely self-disclosure, disciplined investigations, and remediation. Programs must be capable of quickly identifying issues and escalating credible findings.

FCPA investigations routinely take years. A quiet enforcement year often reflects cases still under investigation—not risk eliminated. Whistleblower tips, audit findings, M&A due diligence, and foreign enforcement cooperation ensure that today’s control failures become tomorrow’s cases.

2025 did not create a lower-risk world. It created a more selective enforcement environment, where cases are fewer but more consequential. In that environment, weak controls, poor documentation, and unmanaged third-party risk are more—not less—likely to be framed as deliberate misconduct.