Today, with two Commissioners dissenting, the SEC adopted final rules implementing the new whistleblower program created last July by the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). The rules are a game-changer for corporate compliance programs and for the officers and directors who oversee whistleblower procedures. The 305-page adopting release will be analyzed in the days, weeks and months ahead, but it is already apparent from statements made today by Chairman Mary Schapiro, Director of Enforcement Robert Khuzami, head of the SEC’s new Office of the Whistleblower, Sean McKessy and others that the SEC intends the new rules to:

  • Incentivize individual whistleblowers to voluntarily report suspected securities law violations to the SEC by paying a reward of 10-30% of monetary sanctions over $1 million obtained after an investigation advanced by the tip;
  • Encourage (but not require) whistleblowers to first report the suspected violation internally to their employers by:
    • allowing the whistleblower to “get credit” for the internal reporting date and qualify for a reward if either the company or the individual reports the suspected violation within 120 days of the internal tip;
    • awarding “credit” for anything else the company reports to the SEC following up on the tip, even if additional violations were unrelated to the tip; and
    • confirming that a whistleblower’s voluntary participation in an internal compliance program will be a factor considered in increasing the amount of the reward;
  • Expand the circumstances when lawyers, auditors and internal compliance personnel may claim a reward for blowing the whistle on their companies apparently allowing these professionals to become whistleblowers if there is a risk of substantial financial harm from continued violations – a threshold that dissenting Commissioner Casey described as the “exception that swallows the rule”); and
  • Incentivize companies to avoid retaliation against whistleblowers by clarifying that even if a tip relates to only a possible securities law violation, rather than an actual one, and even if no government enforcement action follows the tip, retaliation would be punishable by harsh penalties.

We expect the SEC is anxious to demonstrate the success of the Dodd-Frank Act’s new program, which the Staff today confirmed has already increased the quality and quantity of tips. Tangible incentives for whistleblowers have already been realized in the qui tam context pursuant to the civil False Claims Act (“FCA”), as well as in other contexts, such as earlier this year when the Internal Revenue Service paid a whistleblower $4.5 million for reporting a large unpaid tax liability of a Fortune 500 financial services company [1]. Substantial SEC whistleblower awards are certain to garner media attention, which will increase public awareness about whistleblower programs and likely encourage more would-be whistleblowers to step forward.

While the new SEC rules add a new path to monetary awards for whistleblowers who claim to have knowledge of wrongdoing within their companies, there are important distinctions between the SEC’s whistleblower scheme and the whistleblower enforcement mechanism under the civil False Claims Act. Many of those differences were previewed by the Firm in a prior FraudMail Alert. See FraudMail Alert No. 10-12-08. Chief among those differences is the fact that SEC whistleblowers are not empowered to proceed with the claims on their own if the SEC chooses not to pursue the allegations. Moreover, an enforcement action must include a minimum threshold monetary sanction before the SEC whistleblower can receive any percentage reward and, unlike the FCA, the SEC rules do not provide for the whistleblower to recover attorney’s fees from either the SEC or the target company. Even so, the SEC rules appear destined to be plagued by many of the interpretation disputes that have fostered hundreds of federal court decisions in the FCA arena. In particular, the final rules rely on terms such as “original information” and “independent knowledge” in defining eligibility for an award. Although litigation is limited to a circuit court review of the SEC’s discretionary decision in making an award, use of these terms is almost certain to engender such appeals by would-be whistleblowers deemed ineligible for an award.

So what should companies do now as a result of these new rules?

Audit committee members, legal and compliance personnel and human relations professionals should take this opportunity to reexamine their corporate whistleblower policies and make sure that employees are aware of their internal reporting options. In this post Sarbanes-Oxley Act era, internal reporting functions are now a common facet of corporate compliance programs. This is a good time to reexamine those policies and how they are used within the company to confirm, among other things, that the policies:

  • establish an effective system to
    • facilitate prompt communication with any whistleblower to learn the nature and scope of his or her concerns,
    • track internal tips,
    • trigger immediate and appropriate investigation by individuals not connected to the underlying events,
    • require prompt reports to senior management and/or the company’s board of directors as appropriate,
    • set time periods and responsible internal parties for each step, and
    • ensure prompt evaluation of what, if any, remediation is appropriate and whether to self-report; and
  • incentivize the type of conduct the company wants to promote, including the internal reporting of all securities law violations without limitation;
  • facilitate anonymous reporting, to an outside service or an inside ombudsman, via a hotline or otherwise;
  • contain a procedure for keeping whistleblowers appropriately informed, where possible, of steps the company takes to respond to the tip;
  • confirm that no action may be taken to impede a whistleblower from communicating directly with the SEC staff about a potential securities law violation;
  • prohibit retaliation against whistleblowers; and
  • provide all employees with regular training and accessible notices promoting the internal reporting options that are available to them.

The system should be tested or audited periodically to evaluate whether it is operating as anticipated, and to determine what, if any, modifications or enhancements are necessary.

Legal departments may benefit from developing a short list of targeted projects to facilitate prompt responses in the future. Among the potential projects could be:

  • reviewing and confirming corporate capacity for quickly retrieving documents and securing legal holds;
  • developing a crisis management plan identifying the likely participants in a prompt response to a whistleblower tip (such as information technology, legal, compliance and human relations personnel, as well as business heads, senior officers, directors and a short list of potential outside counsel); and
  • considering carefully any employee confidentiality agreement that is currently being drafted and halting any pending enforcement of existing confidentiality agreements, pending a review of the agreements and circumstances against the scope of the new rules to avoid taking any action that might be deemed to “impede a whistleblower from communicating directly with the Commission staff about a potential securities law violation”[2].

In sum, the new whistleblower rules underscore the importance of companies revisiting their internal reporting requirements to ensure that appropriate and credible measures are in place for a person to report wrongful conduct, without fear of retaliation. They also raise the bar on the SEC itself – the agency’s ability to separate quality tips from well-intended but uninformed tips and from malicious diversions will be tested in the coming years.