
On May 8, 2026, Mayer Brown hosted its Chief Compliance Officer Roundtable at The St. Regis Washington, DC. The event was led by partners Raj De, who serves on Mayer Brown’s global Management Committee and leads the firm’s Cybersecurity & Data Privacy and National Security practices, and Ken Wainstein, who chairs the firm’s Global Investigations & White Collar Defense practice.

The roundtable brought together chief compliance officers and senior legal leaders from multinational companies across a range of industries, including financial services, insurance, chemicals, aerospace and defense, hospitality, energy, industrials, telecommunications, and technology. The program was designed to foster candid, peer-to-peer dialogue on the compliance challenges facing global organizations and to provide a forum for participants to exchange practical approaches to rapidly evolving regulatory, enforcement, and business risks.

Across six sessions, participants discussed trade compliance, technology and supply chain security, federal contracting enforcement, cross-border compliance trends, cybersecurity and data privacy, and artificial intelligence (AI) governance. Several themes emerged throughout the day: regulators are increasingly using national security authorities to shape corporate behavior; compliance teams are being asked to manage overlapping and sometimes conflicting legal regimes; and technology, data analytics, and AI are becoming both compliance risks and compliance tools.

The following are key takeaways from the roundtable discussions.

Trade Compliance: Export Controls, Sanctions, Tariffs, and Customs

The opening session focused on the current landscape for sanctions, export controls, tariffs, customs enforcement, and reviews by the Committee on Foreign Investment in the United States (CFIUS). Participants discussed how regulators continue to expand their toolkits while pursuing priorities tied to national security, foreign policy, supply chain resilience, and US technological competitiveness.

A recurring theme was the need for compliance programs to be agile enough to respond to changes in tariff, sanctions, and export control priorities across administrations. Participants noted that shifts in trade and customs policy and enforcement have put enormous stress on in-house trade compliance teams. They also addressed how changes in administration priorities have affected designations, licensing policy, and enforcement focus, and how those shifts raise practical questions about when to update internal controls, how to communicate changes to the business, and how to account for collateral considerations such as insurance coverage, contractual rights, and counterparty risk.

The group also discussed how compliance leaders can position trade compliance as a business enabler rather than solely as a control function. Participants exchanged views on organizational design, with several noting the advantages of housing trade compliance within the legal function or having it report directly to senior management. Placing trade compliance under legal can strengthen privilege protections, improve coordination with other regulatory and enforcement-related work, and signal to the organization that compliance carries legal and reputational weight. Reporting directly to senior leadership can elevate the function’s strategic profile and ensure it receives adequate resources. By contrast, embedding trade compliance within procurement or another commercial function may create the perception that compliance is subordinate to deal-making or cost considerations, and may limit the function’s independence and visibility with the board and executive leadership.

Technology, Data, and Supply Chain Security

The second session examined the growing use of technology and supply chain restrictions as national security tools.

Participants discussed how China has responded to US actions with its own export controls. Blacklists and restricted-party lists serve as compliance signals, though they do not always align neatly across regulatory regimes. The Federal Communications Commission (FCC) Covered List received particular attention, especially its expansion to foreign-produced routers. Participants observed that keeping pace with new restrictions is difficult when Commerce, FCC, Federal Acquisition Security Council (FASC), and other agencies operate overlapping frameworks, and the group discussed framing these challenges as a strategic business risk rather than a compliance exercise alone.

On the practical side, attendees noted that supplier certifications alone are no longer sufficient for many regulatory requirements. Affirmative due diligence, contractual protections, auditing, and recordkeeping have become essential. Connecting these efforts across verticals—know-your-customer (KYC) requirements, audits, vendor assessments—remains a challenge, as does managing the reputational risks tied to country-specific operations.

Another important theme was the allocation of decision-making responsibility between legal, compliance, and the business. The group exchanged views on how legal and reputational risks are assessed differently depending on geography and customer base, and at what point the business (as opposed to legal) must own decisions involving country-specific operations or sensitive supply chain exposure.

Federal Contracting and False Claims Act Enforcement

The third session focused on the False Claims Act (FCA), which imposes liability on anyone who knowingly submits, or causes to be submitted, a false claim for payment to the government. Qui tam whistleblower actions remain a major enforcement driver: fiscal year 2025 saw roughly 1,700 cases, the vast majority filed as qui tam actions, with 38% of recoveries coming from cases in which the government declined to intervene. Healthcare and defense continue to dominate FCA recoveries.

Participants examined how diversity, equity, and inclusion (DEI)-related executive orders have introduced new enforcement risks. Through the Civil Rights Fraud Initiative, the Department of Justice is now pursuing FCA actions against federal funding recipients that violate civil rights laws through DEI programs. The IBM settlement in April 2026, the first FCA resolution of this kind, signals where this enforcement effort is headed. The group discussed challenges posed by Federal Acquisition Regulation (FAR) 52.222-90, including the “reasonably knowable” standard for reporting subcontractor violations. Participants shared strategies for using AI in due diligence to improve supplier monitoring beyond manual website reviews.

The group also addressed the Trade Fraud Task Force, a joint Department of Justice and Department of Homeland Security initiative launched in August 2025. Participants noted that data-driven lead generation, expanded whistleblower incentives, and reverse False Claims Act theories are increasing the risk profile for companies with customs, tariff, and import compliance exposure. The reverse False Claims Act theory, which reaches companies that knowingly avoid an obligation to pay the government (for example, by underpaying customs duties), has already yielded a settlement of approximately $54 million, and the expanding whistleblower incentives in this space raise the stakes for noncompliant organizations.

Data analytics and AI featured prominently throughout the session. Attendees discussed how companies are wrestling with deploying these tools internally while anticipating regulatory scrutiny, and they exchanged views on priority use cases for AI in compliance, piloting strategies, and broader data governance.

2026 Trends in Cross-Border Compliance

The fourth session covered a range of cross-border compliance developments, including sanctions, export controls, anti-money laundering, anti-corruption, immigration enforcement, and workforce mobility planning. The Democratic People’s Republic of Korea (DPRK) remote worker threat received particular attention, with attendees noting that unknowingly engaging and paying DPRK IT workers who pose as remote contractors can expose a company to sanctions liability, and that it demands heightened vigilance over contractor-provided labor.

Immigration enforcement was another focus. Participants discussed how the January 20 executive orders and the One Big Beautiful Bill Act have sharpened focus on worksite enforcement, beginning with Notices of Inspection and I-9 audits. With regard to H-1B visa enforcement, participants discussed the wage-based lottery, the new $100,000 per worker fee, Fraud Detection and National Security (FDNS) site visits, and the Department of Labor (DOL)’s Project Firewall, all of which are creating new compliance pressure.

Participants also discussed Foreign Corrupt Practices Act (FCPA) enforcement trends and the intersection with KYC obligations around business partners. The designation of cartels as Foreign Terrorist Organizations, with a primary operational focus on Mexico and now expanding to El Salvador, Ecuador, and Brazil, creates new exposure under sanctions and material-support laws for companies whose partners, payments, or supply chains touch those organizations.

Throughout the session, participants emphasized the value of tailored, risk-based training. Rather than relying solely on broad annual training modules, companies are increasingly adopting targeted training for employees in higher-risk roles, as tailored modules can help prevent inadvertent violations.

Cybersecurity and Data Privacy

The fifth session explored cybersecurity regulation and data privacy law, two domains that attendees observed are rapidly converging. The California Consumer Privacy Act (CCPA)’s new cybersecurity audit regulations represent a first: detailed cybersecurity audit requirements attached to a state privacy law. The group discussed strategies for dealing with the particularly challenging aspects of the law, including the broad definition of information systems, inclusion of systems that process employee and business-to-business (B2B) data, and application to connected devices.

International data protection developments also featured prominently. Participants discussed continuing issues involving the General Data Protection Regulation (GDPR) and the proliferation of GDPR-like frameworks outside the European Union. Attendees weighed the merits of defaulting to the GDPR as a global compliance baseline against maintaining jurisdiction-specific programs, and how that calculus differs in consumer-facing and B2B contexts.

The group also discussed where cybersecurity responsibility sits within an organization and the tradeoffs of each reporting structure. Participants emphasized the importance of ensuring that cybersecurity, privacy, legal, compliance, and business stakeholders have clear roles and escalation paths, particularly as regulatory expectations around “reasonable security” continue to evolve.

AI-related cyber threats were another major topic. Participants discussed how threat actors are using AI to scale phishing, social engineering, vulnerability discovery, and other attacks. At the same time, companies are evaluating AI-enabled defensive tools. The discussion highlighted that evolving threat capabilities may influence what regulators, customers, and counterparties view as reasonable cybersecurity safeguards.

Artificial Intelligence: Governance, Bias, and Security Challenges

The roundtable’s final discussion turned to AI governance. Building AI governance frameworks that can withstand rapid innovation is no small task, especially given business pressure to deploy new tools quickly. The group discussed the core components of an effective AI governance program and how to build on the risk management processes companies have already adopted under recognized frameworks, such as International Organization for Standardization (ISO) 42001 and the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF).

The group also drew lessons from the evolution of cybersecurity compliance, noting that many organizations are well positioned to adapt existing control frameworks, risk committees, vendor review processes, and incident response procedures to address AI-specific risks.

Internal AI use was a significant focus. Participants discussed how some companies are treating violations of internal AI policies as a distinct compliance matter, separate from traditional IT Acceptable Use policies. The group shared common friction points and solutions around AI transcription tools and the tension between encouraging adoption of AI tools while preserving legal privilege protections.

The session closed on a forward-looking note. Several organizations are already using AI to triage governance decisions, applying risk-scoring to prioritize the review queue and allocate compliance resources more efficiently. As AI becomes embedded across the enterprise, governance structures will need to evolve from project-specific oversight to enterprise-wide integration.

Key Themes

Several cross-cutting themes emerged from the roundtable.

  • First, national security considerations are now central to many areas of corporate compliance, including trade, technology, supply chain, data, immigration, and anti-money laundering. Compliance leaders should expect continued overlap among legal regimes that historically were managed separately.
  • Second, regulators are increasingly relying on data analytics, whistleblowers, certifications, and interagency coordination to identify potential violations. Companies should evaluate whether their own compliance programs are sufficiently data-driven, and whether they can substantiate the accuracy of certifications, supplier representations, and government-facing statements.
  • Third, compliance functions are being asked to help the business make risk-informed decisions in areas where the law, enforcement expectations, and reputational considerations may not align perfectly. Clear escalation pathways, documented decision-making, and defined ownership are critical.
  • Fourth, AI is changing both the risk environment and the compliance toolkit. Companies are confronting AI-enabled threats, AI-related regulatory expectations, and employee use of AI tools, while also exploring how AI can improve due diligence, monitoring, and governance. Effective AI governance will require practical controls that enable innovation while preserving accountability.
  • Finally, the roundtable reinforced that compliance professionals are operating in an environment where regulatory change, geopolitical risk, technological disruption, and enforcement creativity are converging. For multinational organizations, the challenge is not only to keep pace with new legal requirements, but also to build compliance programs that are integrated, risk-based, and resilient.

Contacts

For further information on any of the topics discussed at the Roundtable, please contact Raj De or Ken Wainstein.
