The Securities and Exchange Commission has issued final rules implementing the whistleblower bounty program enacted by Congress in the Dodd-Frank Wall Street Reform and Consumer Protection Act.
The SEC’s whistleblower rules, issued May 25 and summed up here, increase the risk that a broad range of employees, former employees and advisers will report concerns about corporate activities directly to the SEC rather than work through established corporate compliance programs.
In addition, even when whistleblowers choose initially to report their concerns to corporate compliance officials, the rules provide for a modest four-month window before whistleblowers must report to the SEC or risk loss of a claim to a bounty.
Understanding the new whistleblower provisions and adjusting to the new environment is vital for all companies seeking to minimize the risks and potential costs of whistleblower activities. Companies should take a close look at existing areas of exposure in conjunction with evaluation of their current compliance programs to assess whether any adjustments are necessary.
After a brief summary of certain key aspects of the whistleblower provisions, this alert outlines some practical steps to consider in responding to the new age of the whistleblower.
Age of the whistleblower: what you need to know
Dodd-Frank enacted the whistleblower provisions in Section 21F of the Securities Exchange Act. The law directs the SEC to pay awards to whistleblowers who voluntarily provide the SEC with original information about a violation of the securities laws that leads to the successful enforcement of an action brought by the SEC (in either one or more proceedings or combined with other government actions) that results in monetary sanctions exceeding $1 million. The law provides for significant awards to whistleblowers of between 10 percent and 30 percent of the monetary sanctions. Sanctions for the purposes of the award include disgorgement, prejudgment interest and penalties
While the statute provided a basic framework, the SEC’s new implementing rules fill in important gaps as follows:
Who can receive an award as a whistleblower?
Individuals who voluntarily provide information about possible federal securities law violations that has occurred, is ongoing or is about occur are eligible for awards. “Voluntary” means that the information is provided before any SEC information request (or investigative requests by certain other regulators) is made to the individual (as opposed to the company where the individual works).
While generally excluded, under certain circumstances even corporate officers, directors, compliance personnel, lawyers (in-house as well as outside) and auditors may be eligible to receive awards.
What information qualifies for an award?
Only “original” information qualifies for an award and the information must lead to at least one successful SEC enforcement action. That action or that action combined with other actions (which can include actions by certain other regulators and law enforcement authorities) must result in the collection of $1 million or more in sanctions.
“Original” information is generally information from the whistleblower’s independent knowledge or analysis which is not known to the SEC and which is provided to the SEC after July 21, 2010 (Dodd Frank’s enactment date). Independent knowledge is information not taken from public sources. In contrast, independent analysis can be based on publicly available information.
Must a whistleblower first report internally to corporate compliance?
No. There are, however, some incentives to encourage whistleblowers to do so. First, making a report to the corporation can increase the amount of any award if the corporation self-reports and the other award criteria are met. Second, the whistleblower remains eligible for an award if he or she reports first to the corporation and reports to the SEC within 120 days after the report to the corporation. Third, the whistleblower’s assistance in the corporation’s investigation can increase any award. Finally, a whistleblower’s interference with a corporate investigation may reduce any award.
May the SEC communicate directly with whistleblowers who are directors, officers or employees of a company represented by counsel?
Yes, such contacts are deemed “authorized by law.”
Do whistleblowers who have confidentiality agreements violate those agreements by providing information to the SEC?
No. And, a corporation seeking to enforce such an agreement against a whistleblower with respect to information provided to the SEC violates the rules.
Can a SEC whistleblower sue if the SEC chooses not to do so?
No, unlike qui tam whistleblowers under the False Claims Act, SEC whistleblowers have no private cause of action.
Can a company discipline a whistleblower?
No, even if the whistleblower is wrong. The anti-retaliation provisions are broad and protect a whistleblower who has a reasonable belief that the information he or she provides relates to a possible securities law violation or certain other federal law violations. The protections apply even if the whistleblower does not receive an award. The rules also incorporate the whistleblower protections enacted pursuant to Sarbanes-Oxley. And, employers may not require employees to waive anti-retaliation protections.
Get ready – here they come
It is likely that at least some whistleblowers will report directly to the SEC regardless of whether they first choose to report through internal corporate processes. The risks posed by such reports are impossible to eliminate. Nonetheless, there are practical steps companies should consider to address such risk.
(a) Check internal controls, especially around corporate functions where misconduct is more likely to occur. While FCPA compliance is one common area of concern, companies should consider their operations more broadly to assess where misconduct risks exist and whether controls are in place to prevent, detect and remediate any misconduct. Simply put, the more a company is able to prevent violations, the less there is for a whistleblower to report.
(b) Evaluate existing internal reporting systems to ensure that:
(i) internal reporting systems such as hotlines are working effectively 24/7 and preserving anonymity
(ii) appropriate personnel are monitoring and responding to reported information promptly, preferably through an independent third-party service in the first instance
(iii) internal reporting systems are well publicized through town hall meetings, posters, emails, department and team meetings. Companies should “saturate the market” and publicize examples of helpful whistleblower reports
(iv) employees understand that the hotline is a place to go for assistance, not just to report misconduct; consider rebranding the hotline as a “helpline”
(v) there is prompt communication with senior management, the audit committee or the full board of directors as necessary
(vi) effective communication exists where someone reports concerns and is not anonymous, including communications from appropriate personnel to ensure that person that the company is responding to his or her concerns seriously and communications that inform that person what steps the company is taken or has taken to address the concerns
(vii) the company is able to investigate all whistleblower allegations promptly
(c) Provide incentives to encourage employees to use internal company reporting processes first. Such incentives could include:
(i) incorporation of demonstrated ethics and compliance into the review process so that employees understand that the company will reward their participation in internal processes during reviews, and
(ii) company recognition and thanks to employees who use internal processes and who enable the company to address issues, regardless of size. Companies must let those who raise concerns know that their focus on compliance is valued
(d) Develop a plan to respond to reported information in no more than 120 days.
The rules allow whistleblowers to report internally and wait no more than 120 days to report to the SEC. In addition, certain otherwise excluded executives may also qualify for whistleblower rewards if they have received a whistleblower report internally, provided that information to more senior personnel, waited at least 120 days and then report to the SEC. Companies who are able to respond effectively within 120 days to reports of misconduct and who have effective communication with the reporting individual, may be able to resolve any issues and eliminate the incentive to report to the SEC. The plan should include:
(i) ensuring that the company can quickly preserve and retrieve relevant documents
(ii) identifying appropriate contacts in and outside of the company to address the issues. Contact information should include off-hours contacts for individuals such as audit committee and other board members, company officers and department managers, inside and outside counsel; the company’s auditors, IT and human resource personnel. Public relations and insurance contacts may also be useful
(iii) ensuring that investigations are directed by a member of the legal department to protect the attorney-client privilege and to facilitate adherence to whistleblower protection rules
(e) Develop, implement and publicize a strong anti-retaliation policy:
(i) train all managers, and company officers on non-retaliation and how to handle whistleblower complaints and repeat the training periodically. Include instructions on listening carefully, taking complaints seriously, treating whistleblowers with respect and insuring that all staff understand the importance of promptly and completely addressing a complaint
(ii) ensure that corporate confidentiality agreements do no state or imply that the employee might violate the agreement by reporting information to the SEC (or other government agencies as provided in Sarbanes-Oxley)
Whistleblower risks are here to stay. Careful analysis of areas of exposure and effective planning now will reduce the potential impact of whistleblowers in the future.
For more information on the implications of these rules, please contact: