The Securities and Exchange Commission ("SEC") has recently adopted rules implementing the whistleblower provisions of the Dodd-Frank Act. The new rules direct the SEC to pay awards to whistleblowers who voluntarily provide original information leading to the recovery of monetary sanctions exceeding $1 million.
The most contentious part of the rules is their likely impact on internal compliance programs. The business community has expressed concern that the rules will undercut the reporting requirements of corporate compliance programs. Notwithstanding this concern, the SEC has decided against requiring whistleblowers to report internally. Instead, it has determined whistleblowers are in the best position to know which reporting avenue to pursue.
As a result of the newly established bounty program, companies should be prepared for a flood of complaints. Below is a summary of key concepts under the new rules.
Defining a Whistleblower
The rules define a whistleblower as a person who provides to the SEC information relating to a possible violation of the securities laws that has occurred, is ongoing or is about to occur. A whistleblower must be an individual; companies are not eligible.
To be considered for an award, the rules require a whistleblower to do the following:
- Act voluntarily
- A submission is deemed voluntary if a whistleblower or a representative provides information to the government, a self-regulatory organization or the Public Company Accounting Oversight Board before the issuance of a request, inquiry or demand for such information.
- Provide original information
- Original information must (i) be based upon the whistleblower's independent knowledge or independent analysis, (ii) not be already known to the SEC and (iii) not be derived exclusively from certain public sources.
Original information does not include:
- information obtained through attorney-client privileged communications or obtained through a whistleblower's legal representation of a client; and
- information obtained by individuals, including officers, directors, trustees and partners: (i) in connection with a company's internal compliance program, (ii) involved in a company's internal audit functions, (iii) conducting investigations into possible violations of law, or (iv) associated with public accounting firms who learn of a violation while performing audit procedures required by federal securities laws. The rules create a limited exception to this requirement for individuals acting in compliance or governance roles in cases where there is likely to be no independent disclosure.
- Provide sufficient information leading to a successful enforcement action
- Information can be deemed to have led to a successful enforcement action if it is sufficiently specific, credible and timely to cause the SEC to open a new examination or investigation, reopen a closed investigation, or enhance prosecution in an existing examination or investigation.
- Facilitate a recovery totaling more than $1 million
- The rules permit aggregation of multiple SEC cases arising out of a common nucleus of operative facts as a single action to meet this requirement.
Whistleblower Protection from Retaliation
Under the rules, it is unlawful for anyone to interfere with a whistleblower's efforts to communicate with the SEC, including threatening to enforce a confidentiality agreement. In addition, the rules do not require an actual violation or the successful receipt of an award for the anti-retaliation protections of the Dodd-Frank Act to apply. In an attempt to deter both bad-faith and frivolous reports, the SEC has imposed a "reasonable belief" standard that requires an employee to hold a subjectively genuine belief that the information demonstrates a possible violation and that this belief is one a similarly situated employee might reasonably possess.
No Internal Reporting Required
The new rules present challenges to established internal compliance programs because they do not require whistleblowers to first report internally before turning to the SEC. However, the SEC has attempted to incentivize utilization of internal compliance programs in three ways:
- The rules make a whistleblower eligible for an award if the whistleblower reports internally and the company informs the SEC about the violations. This works as an incentive because if the company reports, the SEC attributes to the whistleblower all of the information provided, not just the information reported by the whistleblower. This increases the amount of information provided by the whistleblower and will likely increase the award amount.
- The rules allow the SEC to increase the award for whistleblowers who first report internally. The criteria for determining the amount of the award, which ranges between 10 percent and 30 percent of the penalties collected, provide that (i) a whistleblower's voluntary participation in a company's internal compliance program is a factor that can increase the amount of the award, and (ii) a whistleblower's interference with internal compliance and reporting is a factor that can decrease the amount of an award.
- The whistleblower has 120 days to report to the SEC after first reporting internally. If the company does not report the information, a whistleblower reporting to the SEC within this time frame will still be eligible for an award.
Companies need to recognize that compliance risks are not caused by whistleblowers. Instead, they are generated by weak compliance programs that fail to identify, assess and control risks before violations are discovered by whistleblowers or regulators. Therefore, companies must make compliance risk assessments an integral part of compliance programs.
Further, an essential part of an effective compliance program is a process that encourages employees to report possible compliance violations without fear of retaliation. In fact, companies should find creative ways to reward employees who come forward with a good-faith belief that compliance violations are occurring. In the end, the quality of internal programs will impact a whistleblower's decision to report to the company as opposed to the SEC first.