Intelligence Briefings

WE DON'T UNDERSTAND OUR OWN SUPPLY CHAINS

1/30/2026

We’ve Spent 30 Years Building Supply Chains We Don’t Understand

When American companies started offshoring production in the 1990s, they knew their suppliers. Someone from corporate flew to Shenzhen, toured the facility, met the owners, kicked the tires. The relationship mattered because switching costs were high.

That’s not how it works anymore. Your supplier has suppliers. Those suppliers have suppliers. Nobody’s flying to Shenzhen to meet anybody. You’re three layers removed from the people actually making your components, and you’ve got about as much visibility into their operations as you do into my bank account. This worked fine when the global system was stable, borders were open, and everyone played by roughly the same rules.

That world is over.

The New Risk Environment

Adversaries typically don’t announce themselves. They present as legitimate until the moment they’re not. Supply chain fraud works the same way.

The Chinese manufacturer who’s been your tier-two supplier for five years just got added to the Entity List because they’re supplying the PLA. You didn’t know because nobody told you, and you didn’t ask because you were buying from a distributor who was buying from them. Congratulations, you just violated export controls. The penalty is not a strongly worded letter.

Or: Your “Italian” leather supplier is actually a Chinese company that runs goods through a warehouse in Milan to dodge tariffs and get the “Made in Italy” label. Customs figures it out during an audit. Now you’re looking at back duties, penalties, and possibly criminal referral.

Or: Your contract manufacturer in Vietnam turns out to be owned by a shell company in the Caymans that’s actually controlled by Russian nationals currently under sanctions. Your payment just funded something you really didn’t want to fund, and Treasury wants to have a conversation.

Why This Wasn’t Your Problem Before (But Is Now)

For 30 years, globalization meant more trade, fewer restrictions, and everybody making money. Compliance was a checkbox. Due diligence was “did they send us a W-9?” The world changed. We just haven’t changed with it.

Sanctions lists used to be North Korea, Iran, and some drug cartels. Now they include Russian oligarchs, Chinese military companies, Uyghur forced labor, and entities in a dozen countries you probably do business with. The lists update constantly. OFAC added 300 entities last quarter. Are you checking your suppliers against those lists? Monthly? Weekly? If your answer is “our accounting software does that automatically,” you’re trusting a lot to a system that doesn’t understand shell companies, beneficial ownership, or the seventeen different ways a sanctioned entity can hide behind a legitimate-looking corporate structure.

What Supply Chain Fraud Actually Looks Like

Here’s what it doesn’t look like: a guy in a ski mask swapping your components for counterfeits. Here’s what it does look like. A vendor using falsified country-of-origin documents to avoid tariffs. Components sourced from sanctioned entities three layers removed from your direct supplier. Financial statements showing healthy operations while the company’s actually insolvent, and you find out when they disappear mid-order. Bribery of your procurement staff to steer contracts to specific vendors. Kickback schemes where your “preferred vendor” is paying your purchasing manager. Quality certifications that were bought, not earned. “Factories” that are actually just trading companies brokering from whoever’s cheapest that week. The common thread: everything looks legitimate on paper until you actually verify it.

If you’re a Fortune 500 company, you’ve got a compliance department, a supply chain risk team, and probably a consultant on retainer. You’re not immune, but you’ve got resources. If you’re doing $5 million to $50 million in revenue, you’ve got Linda in accounting who’s “handling compliance stuff.” Linda’s great at her job but she’s not a fraud examiner, and she’s not paid to be one. This is the gap and the risk that small to mid sized companies are up against even more so today, in the world of geoeconomics where sanctions appear over night and business is now political.... (go watch my Davos videos...or better yet go watch all of the panels yourself).

Anyway, the issue is that you’re big enough to have complex supply chains and serious regulatory exposure. You’re not big enough to have dedicated staff to manage it. So it doesn’t get managed. In the very near future, if it hasn't happened already, your insurance carrier is going to start to ask questions about supply chain due diligence. Your auditor’s going to be raising eyebrows about your vendor verification process. Your attorney’s going to be telling you the regulatory environment is tightening. They’re all right.

So...What Actually Protects You?

It’s not software. Software is great at processing data you feed it. It’s terrible at finding data that’s been deliberately hidden.

It’s not checklists. Checklists work when you’re preventing honest mistakes. They don’t work when someone’s actively trying to deceive you.

What works is having someone who knows how fraud actually works look at your supply chain with skeptical eyes and ask questions that assume deception is possible.
What works is having someone who specializes in DUE DILIGENCE check out your vendors.

But in the very least here are some basic questions to ask new vendors before you sign: Who actually owns this company? Not who they say owns it, but who actually owns it through all the shell companies and holding structures. Are they on any sanctions lists? Are their owners? Are their suppliers? Are their financial statements real? Have you verified with their bank, or are you trusting a PDF they sent? Have you confirmed the facility exists and is actually producing what they claim?

About existing vendors you’ve worked with for years: Has ownership changed? Companies get sold, often to entities that don’t announce themselves. Are they still financially stable? A lot can change in three years. Are they still sourcing from the same places, or have they shifted to cheaper suppliers you don’t know about? Do they still meet the compliance standards they certified to when you signed the contract?

The reality is most companies can’t answer these questions about their top 20 suppliers, let alone their full vendor base.

The compliance violation costs are published: OFAC penalties average $250,000 for first-time violations. Customs fraud penalties can run to millions. Forced labor violations carry criminal liability.

The real costs are harder to quantify. The product recall when you discover your components don’t meet the specs your supplier certified. The production shutdown when your single-source vendor turns out to be insolvent and disappears. The insurance claim denial when your carrier discovers you didn’t do the due diligence your policy required. The customer you lose when they ask about your supply chain ethics and you can’t actually answer.

And then there’s the cost nobody talks about: the opportunity cost of signing with the wrong vendor when the right one was available. You could’ve had a reliable partner. Instead you’ve got a lawsuit.

I’ve spent the last year watching deglobalization accelerate, sanctions lists expand, and regulatory enforcement tighten. The companies getting hammered aren’t the ones who were trying to cheat. They’re the ones who assumed their vendors were legitimate because nobody had told them otherwise. You can’t eliminate supply chain risk. But you can stop operating blind.

If you’re in the mid-market and your vendor due diligence consists of “they sent us their W-9 and their prices are good,” you’re operating with the same controls as the company that just engaged my fraud investigation services to figure out where their money went in an asset misappropriation matter.

The lesson is cheaper if you learn it before you need an investigator. I would rather do your due diligence than your fraud investigation.

-Amanda

Archives

Categories