On May 25, 2011—with two Commissioners dissenting—the Securities and Exchange Commission (“SEC” or “Commission”) released final rules implementing the new whistleblower program created by The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which was enacted on July 21, 2010.1 While the Dodd-Frank Act sets forth a basic framework for the whistleblower program, Congress left many of the thorny details to the SEC to resolve through rulemaking.2 To that end, the SEC released proposed rules for comment on November 3, 2010.3 Over the next month-and-a-half, more than 1,000 organizations and individuals—including blue chip companies, trade associations, whistleblower advocates, academics, and others—commented on the Proposed Rules.4 Many of the comment letters voiced concerns that the whistleblower program would undermine existing corporate compliance programs by permitting whistleblowers to bypass internal reporting mechanisms and providing whistleblowers with too much protection from adverse employment actions.
As discussed below, while the SEC made some modest revisions to the Proposed Rules, the Commission’s basic approach remained unchanged. Now that these issues have been resolved, compliance personnel should closely reexamine the adequacy of their existing compliance programs through the lens of the Dodd-Frank Act’s whistleblower program. In addition to discussing aspects of the whistleblower program, this article highlights several core areas that compliance personnel should focus on as they begin that process.
Overview of the Dodd-Frank Act’s Whistleblower Provision
Among other things, the Dodd-Frank Act authorizes substantial cash rewards and provides strong job protections to whistleblowers who voluntarily provide the SEC with information leading to the successful prosecution of securities law violations. Under the Dodd-Frank Act, the SEC is required to pay whistleblowers cash rewards of between 10 and 30 percent of any monetary sanctions in excess of $1,000,000 that the government, as a result of the whistleblower’s assistance, recovers through either civil or criminal proceedings, based on a violation of the securities laws by private or public companies.5
Specifically, the whistleblower program applies to monetary sanctions recovered by the SEC, the Department of Justice, self-regulatory organizations, state attorneys general, and other specified regulators.6 In order to qualify for such rewards, whistleblowers must provide the SEC with “original information,” which (i) must be “derived from the independent knowledge or analysis of a whistleblower;” (ii) cannot be “known to the Commission from any other source;” and (iii) cannot be “exclusively derived from an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media.”7
Because whistleblowers were eligible for rewards as soon as the Dodd-Frank Act was enacted (even though the implementing rules had not yet been adopted), within two months of its enactment, the SEC was already reporting a substantial increase in the number of “high quality” tips that it had received.8 Voicing her support for the Final Rules, SEC Chairman Mary Schapiro stated that “[f]or an agency with limited resources like the SEC, I believe it is critical to be able to leverage the resources of people who may have first-hand information about potential violations of the securities laws….”9 Indeed, the federal government is increasingly relying on the promise of substantial cash bounties to encourage would-be whistleblowers to report possible misconduct. For example, the Internal Revenue Service recently paid a whistleblower $4.5 million for reporting that a Fortune 500 company owed significant unpaid taxes.10 Substantial whistleblower awards are certain to garner media attention, which will increase public awareness about whistleblower programs and likely encourage more would-be whistleblowers to step forward.
The whistleblower program is one of the many new enforcement tools at the SEC’s disposal. On June 17, 2011, for example, the SEC announced a new rule delegating authority to the Director of the Enforcement Division to issue witness immunity orders, under which the SEC can compel testimony from witnesses who assert their privilege against self-incrimination. Such orders will likely become increasingly common in the future, particularly for individuals who have significant knowledge about securities law violations, despite only playing a minor role in the misconduct.11
The Final Rules Do Not Require Whistleblowers to Internally Report Possible Securities Law Violations
Under the Final Rules, whistleblowers are not required to report possible securities law violations through internal reporting mechanisms prior to reporting to the SEC.12 The SEC ultimately adopted (with some modifications) the approach set forth in the Proposed Rules.13 Nevertheless, as discussed below, the SEC included a number of provisions in the Final Rules designed to encourage whistleblowers to rely, in the first instance, on internal reporting mechanisms. For example, whether whistleblowers rely on internal reporting procedures will be a factor that the SEC considers in determining award amounts (within the 10%-30% range). In addition, as discussed below, the Final Rules allow whistleblowers who internally report to maintain their “place in line” so long as they report the possible securities law violation to the SEC within 120 days. Finally, if a whistleblower’s employer self-reports a securities law violation to the SEC based on information that it received from a whistleblower, the SEC will give that whistleblower “credit” for the total universe of information that the company reports (and not just the information that the whistleblower provided).1
The extent to which whistleblowers should be required to exhaust internal reporting mechanisms before contacting the SEC was a hotly contested issue. The comment letters show a clear division between business interests, that favored an internal reporting requirement, and whistleblower advocates, that did not. For example, General Electric, Google, Honeywell, JPMorgan Chase, Microsoft, and Northrop Grumman jointly wrote that permitting whistleblowers to bypass internal reporting mechanisms would “weaken internal corporate compliance programs and inhibit the efforts of responsible entities to investigate and remediate potential compliance violations.”15 The American Bar Association’s Committee on Federal Regulation of Securities similarly argued that “whistleblowers who are company employees should be required to demonstrate that they have made a good faith attempt to use the range of internal reporting mechanisms a company has put into place to enable the reporting of such complaints, up to and including reporting to the company’s audit committee.”16
In contrast, the Project on Government Oversight (“POGO”) expressed concern “that the SEC’s proposed rules might be overly deferential to the internal compliance programs that were established at many firms in the aftermath of Enron and after the passage of the Sarbanes-Oxley Act.”17 Similarly, the National Whistleblowers Center (“NWC”) submitted a report examining historical experience with the whistleblower provisions in the False Claims Act that concluded that the “existence of a qui tam or whistleblower rewards program has no negative impact whatsoever on the willingness of employees to utilize internal corporate compliance programs or report potential violations to their managers.”18 Other commenters also expressed concern that internal control systems may be ill-suited to adequately uncover and report certain types of misconduct. For example, the Auditing Standards Committee of the Auditing Section of the American Accounting Association wrote that “there are cases of securities violations for which internal control systems are not designed to prevent, detect, or correct and….[f]orcing whistleblowers to use a specific private system administered by the organization suspected of the wrongdoing would severely limit the effectiveness of the program.”19
In explaining the Staff’s recommendation not to require internal reporting, Director of Enforcement Robert Khuzami stressed four points. First, he stated that there is no empirical data supporting the view (expressed by many commenters) that a permissive internal reporting rule would undermine internal compliance programs. Second, he predicted that most companies, as good corporate citizens, would continue to maintain robust internal compliance programs whether or not whistleblowers are required to report internally. Third, he noted that Congress drafted the whistleblower provisions to increase the number of reports being made to the SEC, and that requiring internal reporting could discourage certain employees from reporting possible securities law violations. Finally, he stated that nothing in the Dodd-Frank Act itself requires internal reporting, and that creating such a requirement would impede the discovery of many common schemes, including boiler room operations and Ponzi schemes, where an entire entity is corrupt.20
Although the Final Rules seek to encourage whistleblowers to internally report possible securities law violations (as discussed above), some whistleblowers may still be inclined to report possible violations directly to the SEC. For example, whistleblowers may be leery of discussing possible securities law violations with anyone but a government employee out of fear of getting “scooped” and losing out on a bounty even though the Final Rules attempt to address that concern through the 120-day “look back period.” Similarly, even though whistleblowers are protected from employer retaliation under the Dodd-Frank Act, employees are nonetheless likely to be concerned about retaliation and may believe that any such claims will be taken more seriously if they have a “record” of having contacted the SEC. Whistleblowers are also likely to fear more subtle forms of retaliation, such as being ostracized by their employers and co-workers and stripped of their substantive job responsibilities. Despite these obstacles, companies can effectively encourage would-be whistleblowers to internally report possible securities law violations. While employers are legally prohibited from impeding employee reports to the SEC,21 companies can and should actively promote internal reporting mechanisms as a viable (and, in some cases, superior) alternative.
Audit Committee Members, Legal and Compliance Personnel, and Human Relations Professionals Should Take This Opportunity to Reexamine Their Corporate Whistleblower Policies and Make Sure That Employees are Aware of Their Internal Reporting Options
Following the collapse of Enron and WorldCom in the late 1990s, Congress passed and the president signed the Sarbanes-Oxley Act (“SOX”). Among other things, SOX required audit committees of public companies to establish procedures to allow employees to raise concerns about accounting or auditing issues on a confidential basis. As a result, internal reporting procedures are now a common aspect of corporate compliance programs. However, because SOX focused on a relatively narrow area—financial reporting—companies should reexamine the adequacy of their internal reporting functions in light of the Dodd-Frank Act’s much broader coverage of all securities law violations. For example, while certain violations of the Foreign Corrupt Practices Act (“FCPA”) may not necessarily implicate SOX (e.g., an issuer paying bribes to a foreign government official), such violations fall within the scope of the Dodd-Frank Act’s whistleblower provisions.22 Accordingly, compliance policies should, among other things, establish a process for reporting any possible impropriety to designated compliance personnel (and not just conduct relating to financial reporting). Because some employees may feel uncomfortable directly reporting possible misconduct to management or compliance personnel (particularly at smaller companies, where management/compliance personnel may know the suspected violator), many companies have developed procedures to facilitate anonymous reports. To that end, an increasing number of companies are relying on external vendors to accept (typically through toll-free hotlines) and process reports.
Of course, corporate compliance programs have little value unless employees are alerted to their existence and believe them to be credible. In addition to training all new employees, companies should provide current employees with periodic “refresher” courses to emphasize key policies. With respect to corporate whistleblower policies, companies should actively promote the internal reporting options that are available to employees. For example, companies might promote internal reporting options by posting promotional materials in break rooms and on internal intranet sites. The more committed companies appear to be (and are), the more likely it is that employees will feel comfortable using internal reporting mechanisms.
Companies Should Welcome Internal Reports by Whistleblowers and, to the Extent Possible, Communicate That the Company is Responding Appropriately to Their Allegations
In our experience, some whistleblowers have limited visibility into corporate processes and become genuinely concerned about something they observe in isolation that would not at all be troubling if the whistleblower had more facts and could see the broader corporate context. Having raised the concern internally, these isolated whistleblowers may remain unduly troubled, absent some feedback from the company. While companies need to be sensitive about sharing detailed information about ongoing internal investigations with whistleblowers, companies should weigh the feasibility of implementing a process to keep whistleblowers (even those that choose to remain anonymous) informed about the status of any internal investigations into the reported conduct in order to demonstrate their commitment to following up on such reports. Otherwise, whistleblowers have no way to know whether their complaints are being taken seriously, and may erroneously assume they are being ignored.
In addition to interviewing whistleblowers and asking for their suggestions about how their reports should be investigated (who should be interviewed, where responsive documents are maintained, etc.), companies should consider reinterviewing whistleblowers as they learn new facts. Reinterviewing whistleblowers and generally referencing new facts in the questioning can send a strong signal to whistleblowers that their reports are being taken seriously and are being actively investigated. Of course, in order to maintain the integrity of internal investigations and preserve any applicable privileges (including the attorney-client privilege), companies should not share detailed information about internal investigations with whistleblowers. For example, companies should not specifically identify other personnel with whom they are speaking or detail what other witnesses have said.
Another way for companies to demonstrate, both to whistleblowers and to regulators, that they take reported misconduct seriously is by specifically promoting corresponding compliance activities. For example, if an employee internally reports possible violations of the FCPA, the company (in addition to conducting an appropriate internal investigation) should consider upgrading its procedures, retraining its employees about FCPA compliance, and rolling out an internal campaign to promote FCPA awareness and compliance.
Whistleblowers Have 120 Days From When They Internally Report to File a Report With the SEC
Putting aside situations where a company has an affirmative duty to disclose or provide a specific notice to a regulator or trading market, the question of whether and when to voluntarily self-report possible securities law violations has always been a nuanced and complicated decision.23 While companies previously had the opportunity to conduct a thorough investigation and consider whether to self-report largely on their own timelines, the Final Rules dramatically limit the window of time that companies have to complete that process. Companies may choose to self-report for a variety of reasons. For example, cooperation credit in government investigations and/or leniency at sentencing can create strong incentives to self-report.24 In addition, companies may want to demonstrate that they are good corporate citizens. On the other hand, self-reporting is not always the right answer.
To encourage would-be whistleblowers to internally report possible securities law violations, the SEC initially proposed giving whistleblowers a 90-day “look back period” to file a report with the SEC while maintaining their “place in line.”25 In response to strong criticism that 90 days was too little time to conduct an adequate internal investigation and decide whether to self-report, the SEC ultimately adopted a 120-day “look back period” in the Final Rules.26 The Committee on Federal Regulation of Securities, for example, wrote that “[i]mposing a 90-day deadline may make it more likely that the companies would find themselves reporting the status of investigations, rather than the conclusions, which may not be in the best interests of the company and its shareholders.”27 However, certain commenters, like the Auditing Standards Committee noted that “[a] defined time frame, perhaps 90 days, would encourage those in charge to prioritize and expedite the investigation.”28 In the end, the Commission concluded 120 days set the right middle ground.
For a narrow group of potential whistleblowers, however, 120 days is the beginning point, not a time limit. While the Final Rules maintain the exclusions set forth in the Proposed Rules relating to officers, directors, compliance personnel, auditors, and attorneys acting as whistleblowers, they create a significant new exception that Commissioner Kathleen Casey described as the “exception that utterly swallows the rule.”29 Under the Final Rules, any such individuals can become a whistleblower after “[a]t least 120 days have elapsed since [the whistleblower] provided the information to the relevant entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or [the whistleblower’s] supervisor, or since [the whistleblower] received the information, if [he or she] received it under circumstances indicating that the entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or [his or her] supervisor was already aware of the information.”30 In addition, any such individuals can also act as whistleblowers if they have “a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors.”31 Finally, any such individuals can also act as a whistleblower if he or she “has a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct.”32 This exception further underscores the importance of maintaining robust whistleblower policies and actively investigating allegations of possible wrongdoing.33
Companies Should Develop Protocols to Investigate Whistleblower Tips
Despite the SEC’s decision to increase the “look back period” from 90 to 120 days, companies will still need to investigate whistleblower tips on an expedited timeline. Accordingly, as part of their general crisis management planning, companies should adopt effective systems to log, keep track of, and investigate reports within the 120-day “look back period.” Companies, for example, may want to “map” the review process and designate personnel to be responsible for each step of the process. Companies will also need to elevate concerns to senior management, and as appropriate, to the audit committee or full board of directors, on an accelerated basis in order to leave enough time for those parties to make a well-informed decision about whether to self-report and/or take other corrective action.
Companies should also review internal processes for issuing “document holds” to relevant personnel to preserve documents (including electronic communications) relating to whistleblower reports. Moreover, given the prevalence of electronic communications in today’s environment (and the important role that emails and other forms of electronic communication tools play in most internal and government investigations), companies should consider developing review platforms to facilitate the review of whistleblower reports. Reviewing relevant emails is one of the first steps in any whistleblower investigation. Moreover, persons tasked with investigating whistleblower reports should have no connection with the factual allegations in the report. Finally, companies should consider when to engage outside counsel and/or experts (such as information technology experts and/or forensic accounting experts) to help investigate whistleblower reports. In addition to lending companies a wealth of investigative experience, communications between the company and external counsel may be better protected from disclosure than similar communications with internal counsel in certain jurisdictions.34
Whistleblowers are Broadly Protected From Employer Retaliation
The anti-retaliation provision under the Dodd-Frank Act prohibits an employer from discharging or otherwise discriminating against a person because of his or her whistleblower status.35 The Final Rules make clear that the anti-retaliation provision even protects whistleblowers who report “possible” securities law violations when the alleged conduct ultimately proves to be lawful or when no government action follows the tip.36 Moreover, retaliation under the provision is punishable by, among other things, reinstatement, double back pay with interest, and reasonable attorney’s fees.37
Many commenters expressed concern about the broad scope of the Dodd-Frank Act’s anti-retaliation provision, and were fearful that it would overly restrict employers from making employment decisions unrelated to an employee’s status as a whistleblower. The Committee on Federal Regulation of Securities, for example, predicted that the Dodd-Frank Act’s anti-retaliation provision would invite frivolous claims by employees looking for a “shield that could prevent companies from terminating or otherwise changing the[ir] employment status….”38 The U.S. Chamber of Commerce similarly cautioned that “the whistleblower program should not be implemented in a way that inhibits companies from taking appropriate employment or other action against internal wrongdoers.”39
In contrast, POGO welcomed a broad anti-retaliation provision and supported the SEC’s proposal to define a whistleblower “as an individual who, alone or jointly with others, provides the Commission with information relating to a potential violation of the securities laws.”40 In the Proposed Rules, the SEC explained that it used the term “potential violation” to highlight the anti-retaliation provision’s applicability to whistleblowers who are ultimately found not to be eligible for a bounty.41 The District of Columbia Bar Association presciently (as discussed below) recommended “expanding the anti-retaliation protections to whistleblowers who report to persons with legal, compliance, audit, supervisory or governance responsibilities for the entity”—since the anti-retaliation provision, as proposed, expressly applies only to whistleblowers who provide information to the SEC.42
In dismissing suggestions to carve out exceptions for disciplinary actions taken against employees independent of their whistleblower status, the SEC highlighted that “[b]y its terms, the statute only prohibits adverse employment actions that are taken “because of” any lawful act by the whistleblower to provide information….”43 The SEC similarly declined to require that whistleblower reports relate to a “material” violation of the securities law. On that issue, the SEC wrote that “it is preferable for individuals to provide us [the SEC] with any information they possess about possible securities violations (irrespective of whether it appears to relate to a material violation) and for us to evaluate whether the information warrants action.”44
Although anti-retaliation policies are standard components of most corporate compliance programs, compliance personnel should ensure that their anti-retaliation policies are compliant with the Dodd-Frank Act’s broad anti-retaliation prohibition. As a threshold matter, unlike Section 806 of SOX, which prohibits public companies from retaliating against whistleblowers, the Dodd-Frank Act’s anti-retaliation provision applies to all employers (whether publicly held or private). As such, private companies, which were previously outside the scope of SOX, need to carefully examine the adequacy of their internal compliance infrastructure (including their anti-retaliation policies and confidentiality restrictions) in light of the Dodd-Frank Act.
Although the Dodd-Frank Act is less than one year old, courts are already beginning to interpret its parameters. For example, a recent Southern District of New York decision, Markey v. J.P. Morgan Chase & Co., et. al., 10 Civ. 3824 (S.D.N.Y. Jan. 14, 2011), which concerned Section 806 of SOX, suggests that the Dodd-Frank Act’s anti-retaliation provision may protect employees who blow the whistle on third parties, including clients of their employer. In that case, a former vice president at a large investment bank was allegedly terminated after telling her supervisor about her belief that a client was engaged in illegal conduct. Although the court dismissed the employee’s retaliation claim (with leave to replead), it rejected the employer’s argument that the whistleblowing was not protected by Section 806. After reviewing SOX’s legislative history, the court concluded that Section 806 should be read broadly to protect employees who blow the whistle on third-parties.
In another recent decision, Egan v. TradingScreen, Inc., et. al., 10 Civ. 8202 (S.D.N.Y. May 4, 2011), a court in the Southern District of New York held that the Dodd-Frank Act’s anti-retaliation provision does not necessarily protect whistleblowers who rely on internal reporting mechanisms, but do not subsequently make a report to the SEC. In Egan, the plaintiff, a senior executive at TradingScreen, learned that the chief executive officer was misusing corporate assets for the benefit of another company that he owned. The plaintiff subsequently reported the chief executive officer’s alleged misconduct to TradingScreen’s president, who notified the company’s independent directors. The plaintiff alleged that he was then terminated for reporting that conduct. Although the Court dismissed the plaintiff’s retaliation claim (with leave to replead), it left open the possibility that the plaintiff’s conduct would be entitled to protection under the Dodd-Frank Act if the law firm retained by TradingScreen’s independent board members reported the complained of conduct to the SEC.
In light of the uncertainty regarding the Dodd-Frank Act’s anti-retaliation provision, companies should carefully reevaluate their current compliance policies to ensure that they comply with the Dodd-Frank Act. In addition, companies should continually highlight their commitment to not retaliate against whistleblowers through employee training programs and related training materials.
The new whistleblower rules underscore the importance of companies revisiting their internal reporting requirements to ensure that sufficient measures are in place for a person to report wrongful conduct, without fear of retaliation. Having a strong internal reporting system in place may encourage individuals to utilize internal reporting mechanisms prior to reporting to the SEC. Companies may also want to consider adopting their own incentive programs to encourage individuals to remain vigilant and attentive to wrongful conduct. Nevertheless, just as compliance personnel are beginning to get a handle on the Final Rules, Congress has already held a hearing about amendments to the Dodd-Frank Act’s whistleblower provision. During that hearing, Representative Michael Grimm of New York introduced a proposed bill that would, among other things, require whistleblowers to first report possible securities law violations internally.45 In any case, as the scope and protections of the new whistleblower program are tested in the coming years, companies should be prepared to handle what may turn out to be an influx of tips as a result of its implementation.