Audrey Harris, partner and co-chair of Mayer Brown’s global anti-corruption & FCPA practice, talks all things anti-corruption – from Jay Clayton’s critique of regulators’ lackluster enforcement to the next frontier of compliance.
CCI: Tell us about your background. How did you get your start in compliance?
Audrey Harris: After Georgetown Law, I spent my associate and early partner years at an international law firm during the boom of white-collar – and particularly FCPA – enforcement. My original plan to leave firm practice at three years to become an Assistant United States Attorney was quickly pushed aside in favor of the incredible work and fantastic matters I was absorbed in.
I was living and breathing international corporate investigations and defense work, which involved immersion inside companies, their systems, people and processes – and building, or enhancing companies’ compliance programs.
We had to figure out what happened, how it happened, why it happened and how to make sure it didn’t continue to happen into the future.
While the enforcement guidance is increasingly emphasizing the importance of compliance culture and effective programs in charging decisions and resolutions, evidencing that a company “gets it” has always been a basic and necessary condition to any resolution with U.S. enforcement.
Based on these experiences, I actually said I would never take a Chief Compliance Officer job. I used to think it was a no-win role. Compliance can so easily slip to the extremes of business capture or “Dr. No.”
However, in 2015, I saw an opportunity – the right time, the right company and the right challenge – that made me eat my words.
It was the right time in the global business and enforcement landscape – especially with the rise of reputational risk and the importance of ethics and integrity. I saw the opportunity to make a case that ethics & compliance is not just a cost-center, but that it can be risk mitigation and enable responsible value generation.
Good companies, with good culture and programs, can not only mitigate risk, but enable responsible value generation across their stakeholders. It was the right company, with executive leadership and a board that I think had great proactive vision and commitment to next-level external engagement and social license to operate.
Commitments to transparency and safety align well with, and can be leveraged for, ethics and compliance efforts. It was the right challenge and structure for me. I had a number of theories about what was needed to have rapid growth in a program, and the company was very supportive.
These theories are why, for example, I came to the role with a self-imposed tenure term limit in mind.
Ethics & compliance practitioners should be three things: guides, problem-solvers and gatekeepers.
The investment in the first two roles provides the visibility and credibility to be the last when you need to be. I found out that if you have these three things (right time, right company and right structure), it can be one of the best jobs you’ll ever have.
CCI: Having the benefit of lengthy experience in private practice and as a Chief Compliance Officer, you have a valuable perspective. From your vantage point, how has the profession evolved over time?
AH: It’s a relatively new and rapidly evolving multidisciplinary field. With the right people in the right structure, it can have one of the largest fields of vision of any function across a company. That level of cross-disciplinary visibility can be a unique value to companies willing to embrace it.
Pre-SOX, outside of highly regulated industries, you traditionally had legal and internal audit functions. You may not have had “compliance.” Compliance started as a hybrid: lawyer and accountant skills. Over the last few years, especially with the rise of the discussion of ethics, culture and the #MeToo movement, compliance started pulling a strong element of human resources (HR).
Then, with so many compliance functions being asked to take on privacy, state secrets and GDPR and to deal with e-discovery in internal investigations, we are seeing a strong pull to technology. And now, with an increasing focus on ESG and corporate responsibility, you see environmental and social/community risks and skill sets entering into compliance teams and underlying mandates.
I think we are seeing compliance-focused career paths and compliance-specific education, but I also hope we don’t lose that interdisciplinary nature; it’s a true and unique advantage.
Our challenge will be to find those “common denominator” principles of integrity and responsibility and the simple control frameworks that span across subject matters.
The next frontier of compliance will be taking diverse backgrounds and subject matters and connecting them using common principles and mission while also tailoring to specific risks and business models.
CCI: What’s your take on the state of anti-corruption compliance globally today? How are firms in the U.S. and abroad impacted by the current varying degrees of bribery corruption and enforcement? And, otherwise, what are some of the biggest regulatory hurdles organizations face related to the FCPA?
AH: It’s moving to more global programs and enforcement. Generally, we are seeing enhanced local legal regimes, enforcement and cooperation across borders. There are three advantages for corporations:
- It is much easier if everyone is playing by the same rules. For example, none of the companies can pay that gratuity or hire a relative of a government official – not just the U.S. company or U.S. issuer.
- It makes it easier to resist improper requests on the ground and to be able to show local players, “hey, it’s not just a violation of U.S. or U.K. law, it’s actually a violation of your own law.”
- It makes it easier when looking at investments or merger and acquisition strategies when the U.S. or U.K. issuers aren’t the only ones looking to conduct anti-corruption due diligence, for example.
But watch out for the unintended consequences; the risk is in the uncertainty and differences between laws and enforcement regimes. Some regimes outlaw facilitating payments; some don’t. In these areas, global companies can compensate by adopting the higher standard.
However, where the laws conflict or remain uncertain, it can cause challenges. For example:
- Differing rules on hiring and limits or prohibitions on hosting and entertainment.
- Enforcement policy uncertainty or differences around voluntary disclosure credit, cooperation credit or privilege recognition.
- Blocking statutes and differing data privacy laws.
It is a tough needle to thread, and companies need a coordinated legal approach, but with local knowledge, which means it’s more than an FCPA practice, it’s a global anti-corruption practice, and even more now, a corporate risk or corporate responsibility practice.
Anti-corruption attorneys are still coordinating out of D.C., but need to be well-placed around the globe.
CCI: SEC Chairman Jay Clayton recently criticized regulatory authorities globally for doing a poor job of enforcing anti-corruption laws. How would you advise multinationals to move forward in light of these remarks? What measures do you suspect Chairman Clayton will consider to encourage other countries to ramp up enforcement?
AH: The Chairman’s statement was a standard message: Create a level playing field for international business. This is consistent with the FCPA enforcement message for years.
I think the key question is timing – why he’s making the statement now, when we have seen both new, non-U.S. legislation and increased enforcement coordination. I can’t imagine other countries are keen to see the U.S. lead enforcement against companies headquartered within their borders, nor can it be enjoyable to get criticized by the OECD report.
So we see new legislation and more cooperation between authorities – even non-U.S. authorities initiating the investigations and the U.S. crediting foreign penalties.
One of the countries you don’t see cooperating as much with U.S. enforcement is China. In addition, the DOJ’s 2018 China Initiative specifically calls out to “identify FCPA cases involving Chinese companies that compete with American businesses.”
One way to read the Chairman’s statement may be more about recognizing that non-U.S. regulated entities (particularly non-U.S. issuer Chinese companies) may be able to go into more difficult places in the world (including parts of Africa) and do business, where perhaps the compliance standards and risk tolerances of a U.S. issuer may prevent it.
However, the U.S. should want to incentivize good companies with compliance standards and programs to invest in difficult parts of the world and bring their compliance culture with them.
When taken in that context, Chairman Clayton’s words may be a nod to the potential vacuum that could be created (and potential U.S. issuers’ frustration with it) and a bit of shaming to local authorities that allow it.
CCI: A couple of noteworthy FCPA enforcement actions and settlements have been in the news recently – WalMart and Microsoft chief among them. What are the key takeaways for compliance practitioners from these actions?
AH: In the historic absence of corporate trials and case law in the FCPA, every enforcement resolution is a message. Each one can, and will, be the subject of pages and pages of commentary.
One thing I think I can say overall is that the resolutions, taken along with the recent U.S., SFO and French guidance (among others), make it clear just how pivotal compliance programs are to the investigation and defense of a matter. The program status at the time of the conduct, as well as the program’s vitality and maturity trend prior to resolution, is critical.
The defense strategy has now moved to the company’s action prior to conduct. In evaluating corporate prosecutions, authorities will pressure-test the question:
“Was it really just the individual failing the company, or did the company also fail its individuals?”
The once go-to strategy of calling the former government lawyer after the problem has arisen to do the investigation and talk to their former buddies in the government is becoming less and less effective as a stand-alone proposition.
As an anti-corruption lawyer, you have to be able to understand and “speak fluent prosecutor,” but if you don’t understand the business model, risk touchpoints and how to apply a fit-for-purpose program to company culture and systems, your client’s road to resolution will be longer and more costly.
Audrey Harris is a partner and co-chair of Mayer Brown’s Global Anti-Corruption & FCPA practice. Audrey regularly appears before enforcement authorities and has extensive experience in designing, executing and presenting internal investigations before multinational corporations, the U.S. Department of Justice (DOJ), Securities & Exchange Commission (SEC), Department of Treasury Office of Foreign Assets Control (OFAC), Department of Defense and Multilateral Development Banks (MDBs). Previously, Audrey served as the first-ever Chief Compliance Officer for global resources company BHP, where she led a global ethics & compliance function, providing expertise in anti-corruption, trade sanctions, export controls, competition, ethics & investigations, state & commercial secrets and market conduct compliance, with a team of professionals and attorneys across four continents.