On Wednesday, April 22nd, the Securities and Exchange Commission announced that it had awarded approximately $1.5 million to a whistleblower who had served as a compliance officer of the company about which he blew the whistle. According to the SEC’s press release, the whistleblower “had a reasonable basis to believe that disclosure to the SEC was necessary to prevent imminent misconduct from causing substantial financial harm to the company or investors.” The SEC’s press release also stated that the whistleblower reported the company’s misconduct to the SEC only “after responsible management at the entity became aware of potentially impending harm to investors and failed to take steps to prevent it.”
According to the SEC’s press release, this is the second time that a “compliance professional” has been provided a whistleblower reward under the Dodd-Frank Act. In the first instance, which the SEC announced in August of last year, the SEC’s press release specifically stated that the compliance employee “reported wrongdoing to the SEC [only] after the company failed to take action when the employee reported it internally” and that the employee waited 120 days between reporting the issue internally and contacting the SEC. Indeed, in that press release, the Chief of the SEC’s Office of the Whistleblower stated that compliance professionals “may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information [the whistleblower] first reported internally.”
Absent from yesterday’s SEC press release is any mention that the compliance officer first sought to address the issue through the company’s internal compliance processes, or even reported the issue up the company’s compliance chain, before reporting it to the SEC. Yesterday’s announcement, therefore, is arguably the first time that the SEC has expressly utilized Rule 21F-4(b)(v)(A), the so-called “first exception” to Rule 21F-4(b)(4)(iii)’s general exclusion of compliance personnel from whistleblower award eligibility. Under that exception, a compliance employee is eligible for an award if the employee had “a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors.”
This award highlights several interrelated aspects that make Rule 21F-4(b)(v)(A) significantly fuzzier than the other two exceptions to the SEC’s baseline rule that a company’s compliance employees are ineligible to receive a Dodd-Frank whistleblower award. First, whether the reported conduct is “likely” to cause “substantial injury” to investors is not guided by any bright-line or concrete regulatory standards. Accordingly, the SEC has significant discretion to read the exception broadly. Second, the exception allows the SEC to provide a compliance employee with a Dodd-Frank award even if the SEC concludes that the whistleblower’s immediate report was not necessary to prevent substantial injury to investors; under the plain language of the exception, the SEC needs only to find that the employee had a “reasonable basis” to think that an immediate report was necessary to prevent such injury. This effectively adds a second layer of ambiguity, and therefore potential elasticity, to the exception. Third, because of the SEC’s whistleblower confidentiality and anonymity rules, it is unlikely that a company could ever lodge, let alone succeed on, a challenge to the compliance-employee-turned-whistleblower’s argument that he/she satisfied the Rule 21F-4(b)(v)(A) exception. Therefore, determination of whether a compliance employee satisfies the exception is, for all practical purposes, solely within the discretion of the SEC. The net result is that, in the absence of some contrary signals from the SEC, a compliance employee might simply assume that the agency will read the exception incredibly broadly, causing him or her to become more inclined to report issues immediately to the SEC rather than first allowing his or her company’s compliance department a fair crack at remediation.
Because yesterday’s SEC press release does not provide factual details about the company involved, the misconduct at issue, or the potential injury to which the misconduct exposed investors, it is unclear how broadly the SEC is prepared to interpret the Rule 21F-4(b)(v)(A) exception. If this lack of clarity lingers, it may have negative consequences that the SEC does not intend. For example, it may increase the risk that compliance employees will too often choose to eschew their companies’ internal compliance processes in favor of an immediate report to the SEC, a result that would both impair companies’ critical ability to self-remediate and unduly burden the SEC. This possibility is especially salient given recent speeches by SEC and DOJ officials suggesting that compliance officers could face personal liability if they fail to effectively prevent and remediate company misconduct; compliance employees could view an immediate whistleblower report to the SEC as an expedient way to immunize themselves from potential personal liability.
In the near future, the SEC hopefully will provide more guidance — either through informal guidance statements, formal rulemaking, or administrative adjudications — about how the Rule 21F-4(b)(v)(A) exception will be interpreted and applied in practice. Regardless, companies concerned about Rule 21F-4(b)(v)(A) would be well served to ensure that their internal compliance procedures expressly empower their compliance departments to investigate and remediate on an expedited basis misconduct that runs a likely risk of causing imminent, substantial injury to the company or its investors.