On April 22, 2015, the U.S. Securities and Exchange Commission (SEC) announced that it had awarded $1.4 million–$1.6 million to a compliance officer-turned-whistleblower who aided the SEC in an enforcement action against the officer’s employer. This marks the second time an employee with an internal audit or compliance function—who does not typically qualify under whistleblower rules—received an award under the SEC’s whistleblower program dictated by the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Under SEC rules, disclosures of misconduct by those whose principal duties are related to compliance or internal auditing do not qualify as “original information” eligible for whistleblower status (see 17 C.F.R. 240.21F-4). The SEC does not believe employees in such quasi-investigative roles obtain such information as a result of “independent knowledge or independent analysis” [17 C.F.R. 240.21F-4(b)(1)]. However, the SEC has carved out three exceptions to this general rule. The first exception provides awards to compliance and audit staff when the employee “has a reasonable basis to believe that the disclosure of the information to the Commission is necessary to prevent the [company] from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors” [17 C.F.R. 240.21F-4(b)(v)(A)]. The second exception involves instances when the whistleblower believes that the company “is engaging in conduct that will impede an investigation of the misconduct” 17 [C.F.R. 240.21F-4(b)(v)(B)]. The third exception allows for whistleblower awards after more than120 days have passed since the employee disclosed allegations to the audit committee, chief legal officer, chief compliance officer or supervisor [17 C.F.R. 240.21F-4(b)(v)(C)]. Awards can range 10–30 percent of the judgment that the SEC collects. 

The latest award to a compliance officer fell under the impending harm exception. Andrew Ceresney, Director of the Division of Enforcement, stated, “This compliance officer reported misconduct after responsible management at the entity became aware of potentially impending harm to investors and failed to take steps to prevent it.” Under this exception, there was no requirement to wait 120 days to report to the SEC and qualify for an award.

The SEC’s first whistleblower award given to an employee performing audit and compliance functions was doled out in August 2014. It totaled $300,000 and concerned a company that had failed to respond to allegations of misconduct within the 120-day period. At the time, the SEC made the following statement: “This particular whistleblower award recipient reported concerns of wrongdoing to appropriate personnel within the company, including a supervisor…When the company took no action on the information within 120 days, the whistleblower reported the same information to the SEC.” 

These significant payouts—and the likelihood of more to come—highlight the need for company management to establish systems used to respond promptly to concerns from compliance and internal audit personnel. The 120-day period is not a substantial amount time to investigate and respond to an inquiry, and the impending harm exception has no specified time limit. Accordingly, allegations of misconduct warrant immediate attention under either exception. Specific individuals should be tasked with monitoring all incoming traffic from compliance officers and internal auditors. And internal systems should (i) generate reports on the timing of receipt; (ii) send reminders to supervisors on need to respond by relevant deadlines; and (iii) send documentation to the information source that the matter is being addressed (to reduce the likelihood that a potential whistleblower might assert that no response was given by the company).