Does your company respond to all internal concerns immediately, investigate them thoroughly and remediate them with unmatchable speed?  What if the concern comes from an officer, director, lawyer, compliance professional, internal auditor, or an outside accountant?  Do you assume you have time because, after all, it is the informant’s “job” to identify and remedy non-compliance?  Or do you jump on the concern regardless of who raises it, launching and concluding your investigation and implementing remedial action within 120 days? 

The Securities and Exchange Commission's recent Dodd-Frank bounty award of half a million dollars to a former company officer who waited the requisite 120-day period tells companies they must act immediately no matter who raises or learns of the concern. This is the SEC’s first award to an officer who was not the individual raising the concern internally, and shows that individuals with compliance-related jobs and other “bystanders” are fully able to report matters to the SEC and collect awards.  Act now on every concern, the SEC is saying, unless you would prefer to outsource your investigation to them.

The SEC’s March 2, 2015 press release[1] is also a clarion call to anyone observing corporate fraud.  In this and other recent public statements, the SEC reaffirms that no matter who you are or how you learned of the fraud, you are encouraged to come forward and you will be heard.  For every employer the message is equally clear:  your internal complaint system should do no less.

Whether you are a public or private entity, the time is now to develop a reliable investigation system that welcomes internal concerns and promptly and capably addresses them.  And that includes concerns raised by individuals who oversee and implement the company’s compliance function.

Most companies know that Dodd-Frank’s bounty program offers significant rewards to whistleblowers who voluntarily provide original information about a possible violation of securities laws or regulations to the SEC, where that information leads to a successful SEC enforcement action totaling more than $1 million.  But when the SEC finalized its regulations to implement the bounty program, it included exceptions that prohibited awards to certain individuals whose roles customarily give them information about company fraud and misconduct.

Relevant here, those prohibitions included situations where the potential SEC whistleblower was “an officer, director, trustee, or partner of an entity and another person informed you of allegations of misconduct, or you learned the information in connection with the entity’s processes for identifying, reporting, and addressing possible violations of law.” 17 CFR § 240.21F-4 (b)(4)(iii)(A) (emphasis supplied).  Awards were also prohibited to individuals whose principal duties involve compliance or internal audit responsibilities, public accountants retained to perform the company’s audit, and firms retained to investigate violations of law. 

The SEC’s regulations, however, included “exceptions to the exceptions,” which are central to the recent award.  Each of the exceptions vanishes where the SEC whistleblower—as the SEC press release puts it—“reports the information to the SEC more than 120 days after other responsible compliance personnel possessed the information and failed to adequately address the issue.”  The SEC informant need not be the one who raised the concern inside the company to the company’s legal or compliance function; he or she may simply have “received the information” if it was received under circumstances indicating that the entity's audit committee, chief legal officer, chief compliance officer (or their equivalents), or the informant’s supervisor was already aware of the information. 

What this means is that company “bystanders” who observe an ongoing ineffective or delayed investigation of securities-related concerns may become whistleblowers entitled to a bounty, even where they learn of the information in their capacity as one who identifies or oversees compliance concerns.[2] As Littler previously explained in a recent article,[3] the SEC has also focused its viewfinder on other company compliance-related agreements and procedures (confidentiality agreements, separation agreements, codes of conduct, policies) that may dissuade individuals from communicating with the SEC.  Taken together, the SEC’s messages should give every company more than enough reason to develop effective internal reporting mechanisms that promptly address internal concerns without fear of retaliation.

What action is necessary to satisfy the SEC that a company “adequately” addressed an issue within 120 days will be a case-by-case determination.  One decision every company must face is whether to self-report an issue or complaint to the SEC.  Having sufficient information to make that informed decision will also require an effective and timely investigation.  

Recommendations for Employers

Given the SEC’s increased focus on this area, it is recommended that employers work with knowledgeable counsel to review and upgrade their internal investigation systems to promptly and effectively address all internal concerns.  At a minimum, employers should: 

  1. Review and upgrade their internal investigation system to ensure they immediately process, promptly and effectively investigate, and expeditiously resolve all concerns reported through any of the company’s internal channels (the company’s hotline and “in-person” channels such as human resources, legal and management).
  2. Develop investigation guidelines and train investigation personnel. Conducting effective and lawful investigations is not a luxury for an organization; it is imperative. Well-designed investigation guidelines will better ensure that all important legal and compliance issues are identified, tracked, investigated in an appropriate and timely manner, and resolved.
  3. Develop escalation procedures that adequately inform oversight personnel of significant risks.  An effective communication system to the stakeholders of the employer's compliance program means that the right level of personnel, including regulators like the SEC when appropriate, are receiving the right information at the right time.  It also means that individuals who have no legitimate need to know about matters are not inadvertently provided such confidential information.
  4. Update and socialize the importance of “speak-up” and anti-retaliation policies to encourage internal reporting.
  5. Review compliance-related documents, confidentiality agreements, separation agreements, and employment agreements to ensure that these documents do not contain messages dissuading employees from communicating with federal agencies.