The risks in the previous two sections — internal process breakdowns and vendor-resident failures — share a common characteristic: something goes wrong, money is lost or misdirected, and the harm is primarily financial. Regulatory, compliance, and legal risks operate differently. Here, a payment can be made correctly in every operational sense — properly authorized, accurately recorded, delivered to the intended recipient — and still expose the organization to penalties, criminal liability, reputational damage or legal action. The transaction itself, or the circumstances surrounding it, is the problem.
This distinction matters for how organizations approach compliance risk in their disbursement programs. Financial controls are designed to prevent loss. Compliance controls are designed to prevent the organization from doing something it is legally prohibited from doing, or from failing to do something it is legally required to do. The consequences of getting it wrong are not measured in the amount of a fraudulent payment — they are measured in regulatory fines, debarment, criminal prosecution and, in some cases, personal liability for the individuals involved.
It also matters that these risks are not static. The regulatory environment governing cross-border payments, sanctions compliance, anti-bribery enforcement and record-keeping obligations is subject to continuous change — new designations, revised guidance, amended regulations and evolving enforcement priorities that can alter the compliance landscape without changing the underlying transaction type. A disbursement program that treated regulatory compliance as a one-time implementation project rather than an ongoing operational function is a program that has been falling behind from the day it was completed.
The four risk areas in this section span different legal frameworks and different operational triggers, but they share this fundamental characteristic: the liability they create is not the result of fraud or error in the conventional sense. It is the result of operating a payment function in a complex legal environment without adequate visibility into the obligations that environment imposes.
OFAC and Sanctions Compliance
The Office of Foreign Assets Control administers and enforces economic and trade sanctions programs on behalf of the United States government. For organizations that make payments — which is to say, essentially all organizations — OFAC compliance means ensuring that no disbursement flows to a sanctioned party: a designated individual, entity, government or geographic region appearing on OFAC's Specially Designated Nationals list or subject to a country-based sanctions program.
The scope of this obligation is broader than most finance teams appreciate. OFAC sanctions apply to all U.S. persons and entities, including their foreign branches, and to transactions that touch the U.S. financial system — which includes virtually any dollar-denominated transaction regardless of where it originates. The prohibited party may be a vendor, a beneficial owner of a vendor, or an intermediary in a payment chain. It is not sufficient to know that the payee itself is not sanctioned if the vendor is owned or controlled by a sanctioned party.
The penalties for OFAC violations are severe and operate on a strict liability basis for civil violations — meaning intent is not required for a civil penalty to attach. An organization that makes a payment to a sanctioned party because it failed to screen adequately is civilly liable regardless of whether it knew the party was sanctioned. Criminal liability requires knowledge or intent, but civil liability does not. OFAC's penalty ranges are substantial, and egregious violations — particularly those involving significant amounts, repeated occurrences or apparent disregard for compliance — can result in penalties that far exceed the value of the underlying transactions.
For most commercial organizations, the practical compliance requirement centers on screening. Vendor onboarding should include screening of the vendor name, beneficial ownership, and key individuals against OFAC lists, and that screening should be repeated periodically and triggered by changes in vendor information.
In environments where payment volumes are high, automated screening tools integrated into the AP workflow are the standard approach — but the quality of those tools, the frequency of their list updates, and the rigor with which potential matches are investigated all determine whether the screening program provides genuine protection or merely the appearance of compliance.
It is worth noting that OFAC's SDN list is not the only sanctions list relevant to U.S. organizations. For organizations operating internationally, sector-specific sanctions, country-specific restrictions and the lists administered by the EU, UK and UN create a multi-layered compliance environment. Sanctions programs also change frequently — new designations occur regularly, and a vendor who was not sanctioned at onboarding may be designated at any subsequent point. This is why regular rescreening, not just onboarding screening, is a compliance requirement rather than a best practice.
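As an added illustration (not code from the original article), a minimal screening routine that applies the points above: it normalises names, screens the legal entity and each beneficial owner against a list, surfaces potential matches for analyst review rather than clearing them automatically, and flags a vendor for rescreening when either the list release or the vendor record has changed. The list entries, vendor records, list version strings and the token-overlap matching rule are all constructed assumptions, not any real screening product's logic.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample list: the names are invented, not real SDN entries.
SDN_LIST = [
    {"uid": "SDN-0001", "name": "Ejemplo Trading S.A.", "aliases": ["EJEMPLO TRADING SA"]},
    {"uid": "SDN-0002", "name": "Mustermann Industrieholding GmbH", "aliases": []},
]
SUFFIXES = {"ltd", "llc", "inc", "sa", "gmbh", "co", "company", "limited", "corp"}

def normalise(name):
    """Fold accents and case, drop punctuation and corporate suffixes."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]", " ", s.lower().replace(".", ""))
    return " ".join(t for t in s.split() if t not in SUFFIXES)

@dataclass
class Vendor:
    vendor_id: str
    legal_name: str
    beneficial_owners: list
    record_version: int = 0           # bumped on any master-file change
    screened_list_version: str = ""   # list release the last screening used
    screened_record_version: int = -1

def score(candidate, entry):
    """1.0 on a normalised exact match with the name or an alias, otherwise the
    best token-overlap ratio; simple on purpose, hits are for an analyst."""
    c = normalise(candidate)
    best = 0.0
    for n in [entry["name"], *entry["aliases"]]:
        nn = normalise(n)
        if c == nn:
            return 1.0
        a, b = set(c.split()), set(nn.split())
        best = max(best, len(a & b) / len(a | b)) if a and b else best
    return best

def screen(vendor, sdn, list_version, threshold=0.6):
    """Screen the legal name AND every beneficial owner. Returns potential hits
    (subject, list uid, score) for investigation and records which list
    release and vendor record version this screening covered."""
    scored = ((subj, e["uid"], score(subj, e))
              for subj in [vendor.legal_name, *vendor.beneficial_owners] for e in sdn)
    hits = [(subj, uid, round(s, 2)) for subj, uid, s in scored if s >= threshold]
    vendor.screened_list_version = list_version
    vendor.screened_record_version = vendor.record_version
    return hits

def needs_rescreen(vendor, current_list_version):
    """Rescreen when the list has a new release OR the vendor record changed."""
    return (vendor.screened_list_version != current_list_version
            or vendor.screened_record_version != vendor.record_version)
```

A match on a beneficial owner is reported with the same weight as a match on the vendor itself, which is the point of screening ownership and not just the payee name.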
Foreign Corrupt Practices Act and Anti-Bribery Exposure
The Foreign Corrupt Practices Act prohibits U.S. persons and companies — and foreign companies listed on U.S. exchanges — from making payments to foreign government officials to obtain or retain business. The statute has two main components: anti-bribery provisions that prohibit the corrupt payments themselves, and accounting provisions that require accurate books and records and adequate internal controls. Both components are directly relevant to disbursement operations.
The anti-bribery provisions create liability not only for direct payments to foreign officials but for payments made through intermediaries — agents, consultants, distributors, joint venture partners — when the organization knew or should have known that the payment would be passed along as a bribe. This is the mechanism through which disbursement creates FCPA exposure: a legitimate-looking payment to a third party that is actually a conduit for corrupt payments to a government official. The paying organization's liability does not depend on whether it knew with certainty that the funds would be used corruptly — it depends on whether it exercised adequate due diligence to detect and prevent the risk.
The accounting provisions create a separate and, in some respects, more operationally significant obligation. FCPA requires that companies maintain books and records that accurately and fairly reflect transactions, and that they devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are recorded as management authorizes them and that access to assets is permitted only in accordance with management authorization. These requirements apply to the entire financial operation, not just to international transactions — and the SEC has pursued accounting provision violations in cases that did not involve any underlying bribery, where the issue was simply inadequate internal controls or books and records that did not accurately reflect what occurred.
For disbursement operations, the FCPA compliance framework focuses primarily on third-party due diligence and payment structure. Payments to agents, consultants, and intermediaries in high-risk jurisdictions — particularly where the relationship involves government contracts, licensing, or regulatory approvals — require enhanced scrutiny. Red flags include: third parties who cannot explain their business activities or relationships, payment structures that involve cash or routing through unrelated accounts, requests to split payments or pay to different entities than those contracted, and fees that are disproportionate to identifiable services rendered.
The internal controls requirements mean that FCPA compliance is not separable from the broader internal control environment. An organization with inadequate AP controls, poor segregation of duties, or weak master vendor file governance is an organization with FCPA accounting provision exposure, independent of whether any corrupt payments have been made. Enforcement history confirms that the SEC treats internal control deficiencies seriously even when the underlying bribery allegation is resolved separately.
Cross-Border and Currency Risk
Cross-border payments introduce a category of risk that is operational, financial and regulatory simultaneously — and that is often underestimated by organizations whose primary experience is with domestic disbursements. The risks are distinct enough to separate, but in practice they interact in ways that require a coherent framework rather than isolated responses.
The operational dimension involves the mechanics of international payment: correspondent banking relationships, SWIFT routing, local payment system requirements in the destination country, documentation requirements that vary by jurisdiction, and the intermediary institutions that handle funds between the originating bank and the recipient. A payment that appears straightforward at the initiating end may encounter holds, rejections, or delays based on compliance screening at correspondent banks, local regulatory requirements or documentation deficiencies that weren't apparent when the payment was authorized. The result is payment failure, delayed settlement, or funds held pending additional documentation — all of which create operational disruption and potential vendor relationship damage.
The financial dimension is currency risk. For organizations that make payments in foreign currencies, exchange rate movements between commitment and settlement create P&L exposure that can materially affect the cost of goods and services denominated in foreign currency. This risk is most acute for large transactions, long-dated commitments, and currencies with significant volatility — but even routine procurement denominated in foreign currency creates cumulative exposure that can be significant in aggregate. The disbursement function's role here is primarily in ensuring that currency exposure is visible to the people responsible for managing it, that payment timing decisions account for currency risk where relevant, and that hedging arrangements, where they exist, are properly executed at the payment level.
The regulatory dimension involves the compliance requirements that attach specifically to cross-border transactions. Currency reporting requirements — including FinCEN's CTR and FBAR obligations and their foreign equivalents — apply based on transaction thresholds and account relationships that the disbursement function needs to track.
Foreign tax withholding obligations may apply to payments made to non-U.S. vendors for services with a U.S. nexus, creating obligations parallel to the domestic backup withholding requirements discussed elsewhere. Import and export regulations may restrict certain payments or require licenses for transactions in controlled categories. And the beneficial ownership and transparency requirements of the destination country's banking system may impose documentation requirements that the organization's AP function is not equipped to handle without advance preparation.
Transfer pricing is a related consideration for multinational organizations making intercompany payments. While intercompany disbursements are often managed separately from third-party AP, they pass through the same payment infrastructure and create their own regulatory obligations — documentation requirements, arm's-length pricing standards, and reporting obligations in multiple jurisdictions that interact with the disbursement record-keeping function.
The practical implication for financial operations leaders is that cross-border payment programs require more than payment mechanics. They require a compliance framework that maps the regulatory requirements attaching to each payment corridor, a documentation infrastructure capable of supporting those requirements, and currency risk visibility that connects payment operations to treasury and FX management.
Record Retention and Audit Trail Risk
The previous three risk areas in this section involve specific legal prohibitions — payments to sanctioned parties, corrupt payments to officials, payments that violate cross-border regulations. Record retention and audit trail risk is different in character: it involves the failure to maintain adequate documentation of transactions that may have been entirely legitimate, in ways that impair the organization's ability to demonstrate their legitimacy when required to do so.
This distinction matters because record retention failures don't create regulatory liability on their own in most cases — what they create is evidentiary vulnerability. An organization under audit, regulatory investigation, or litigation that cannot produce adequate documentation of its disbursements is an organization that cannot defend itself. The absence of records does not prove that something improper occurred, but it removes the ability to prove that something proper did — a significant disadvantage in any adversarial proceeding and a circumstance that regulators and auditors are structurally inclined to view unfavorably.
The legal framework governing disbursement record retention is not a single statute. It is a layered set of obligations: IRS requirements for tax documentation, SEC requirements for public companies, industry-specific regulations in financial services and government contracting, state law requirements, and contractual obligations with customers and counterparties that may require documentation preservation beyond statutory minimums. The retention periods vary by document type and jurisdiction — some tax records must be kept seven years, some government contract documentation considerably longer — and the format requirements are evolving as digital records become the primary medium.
The audit trail function is distinct from but related to record retention. An audit trail is the chronological record of what happened in a transaction: who initiated it, who approved it, when it was processed, what system actions accompanied it, and what documentation supported each step. A complete audit trail allows an investigator, auditor or regulator to reconstruct the full history of a payment and verify that appropriate controls were applied. An incomplete or manipulable audit trail is a control failure regardless of whether the underlying transactions were legitimate — because it means the organization cannot demonstrate that its controls functioned, even if they did.
The risks in this area have become more operationally complex as disbursement environments have become more automated. System-generated audit logs are generally more reliable than manual documentation, but they introduce their own requirements: logs must be immutable or protected against modification, retained for appropriate periods, and capable of being produced in accessible formats when required. ERP and AP system implementations that do not adequately configure audit logging, or that allow administrative users to modify or delete records without a secondary log of those modifications, create audit trail gaps that may not be discovered until they become consequential.
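As an added example that is not part of the original article, a hash-chained audit log for disbursement events shows why "immutable or protected against modification" has to be verified rather than assumed: editing or deleting an entry breaks the chain, and comparing the head hash against a copy exported outside the ERP catches the silent truncation that a chain alone cannot. The event names, actors, amounts and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def _digest(prev_hash, body):
    """Hash the previous entry's hash with a canonical JSON form of this
    entry, so any edit to any field changes this and every later hash."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, ts, actor, action, payment_id, detail):
    """Append one disbursement event (initiate, bank-detail change, approve,
    release ...). The log is a plain list here; in practice it is append-only
    storage that the ERP administrator cannot rewrite."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "payment_id": payment_id, "detail": detail, "prev_hash": prev}
    log.append({**body, "hash": _digest(prev, body)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Recompute the chain. Returns (True, None) when intact, else (False, seq)
    of the first entry whose content, position or link does not check out.
    expected_head is the last hash as exported earlier to a system outside
    the ERP (an assumption of this example); it catches truncation, which a
    chain alone cannot, since deleting the tail leaves a valid prefix."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or _digest(prev, body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def sample_log():
    """Constructed events for one payment; values are invented."""
    log = []
    append_entry(log, "2024-03-01T09:00:00Z", "clerk.a", "INITIATE", "PAY-0001",
                 {"amount": 48200.00, "currency": "USD", "vendor": "V-100"})
    append_entry(log, "2024-03-01T09:20:00Z", "erp.admin", "BANK_DETAIL_CHANGE",
                 "PAY-0001", {"vendor": "V-100", "iban_last4": "7731"})
    append_entry(log, "2024-03-01T10:05:00Z", "manager.b", "APPROVE", "PAY-0001",
                 {"level": 2})
    return log
```

The administrator's own bank-detail change is itself an entry in the chain, which is the secondary record of administrative modifications the paragraph above calls for.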
Document management practices outside the core accounting system create additional exposure. Email communications that are part of the approval and authorization record for significant transactions, contract documents that establish the basis for payment obligations, vendor correspondence that supports banking detail changes — all of these are part of the disbursement record in a functional sense, and all of them may be subject to legal hold obligations in litigation or investigation. Organizations that treat disbursement record retention as a question only of what the accounting system retains are ignoring a substantial portion of the documentary record.
The practical control framework involves a formal record retention policy that maps document types to retention requirements, a document management infrastructure capable of enforcing those requirements, audit logging configured and protected in all systems through which disbursements are processed, and legal hold procedures that can be activated quickly when litigation or investigation is anticipated. Periodic testing of the organization's ability to produce required documentation — not just its theoretical ability to do so under the retention policy — is a practice that internal audit should include in the disbursement control review cycle.
Compliance as an Operational Function
The common thread running through these four risk areas is that regulatory and legal compliance cannot be treated as a peripheral function that sits alongside the disbursement process. It must be embedded in it. Sanctions screening that happens only at onboarding, anti-bribery due diligence that operates on a different timeline from vendor onboarding, cross-border compliance requirements that are handled by a different team than the one processing the payments, record retention policies that exist in a policy document but are not reflected in system configuration — all of these represent the same structural gap: compliance that exists on paper but not in practice.
The organizations that manage regulatory risk well in their disbursement functions are those that have mapped the compliance obligations that attach to their specific payment activities, built the controls to meet those obligations into the operational process rather than around it, and maintained the monitoring and testing infrastructure to verify that those controls are functioning as designed. That is a more demanding standard than policy compliance alone — but it is the standard that regulators, auditors and courts apply when something goes wrong.