Today — over a month after their scheduled release date — the Securities and Exchange Commission met and adopted in a 3-2 vote the much-anticipated final rules implementing the new whistleblower program established as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank” or the “Act”) enacted in July 2010.1 In adopting the final rules, the SEC “gave a nod” in the direction of providing incentives for individuals to report possible violations of the securities laws first to their employers, rather than — or before — reporting to the SEC. However, the final rules continue to provide substantial financial incentives for individuals to report directly to the SEC and bypass a company’s internal compliance process. The new rules will take effect sixty days after their publication in the Federal Register.
The SEC released and sought comment on proposed implementing rules in November 2010.2 According to the SEC, the proposed rules attempted to balance the agency’s desire to maximize the submission of high-quality tips with an acknowledgement that the whistleblower program should not (1) undermine companies’ existing compliance, legal, audit, and similar processes already in place to prevent and resolve misconduct, or (2) invite submissions from compliance personnel or other individuals responsible for preventing and reporting misconduct. Over the last several months, the SEC received more than 240 comment letters and approximately 1,300 letters regarding the proposed rules.
Many commentators believed that the proposed rules did not go far enough in requiring or promoting whistleblowers’ use of companies’ internal compliance systems. Others argued that mandating internal reporting would dissuade whistleblowers from coming forward. While the SEC acknowledged that internal compliance programs were vital to the prevention and detection of securities violations, the final rules allow whistleblowers to report concerns directly to the SEC, without the need to alert the company of those concerns.
Addressing this point at today’s meeting, SEC Chairman Mary Schapiro explained that “incentivizing — rather than requiring — internal reporting is more likely to encourage a strong internal compliance culture.” She believes the “final recommendations strikes the correct balance — a balance between encouraging whistleblowers to pursue the route of internal compliance when appropriate — while providing them the option of hearing directly to the SEC.”
KEY CHANGES TO THE WHISTLEBLOWER INCENTIVE PROVISIONS AND RULES
Dodd-Frank amended the Securities Exchange Act of 1934 by adding Section 21F: Securities Whistleblower Incentives and Protection, which requires the SEC to pay a bounty to one or more whistleblowers who voluntarily provide original information that results in the successful prosecution of a federal court or administrative action in which the SEC obtains monetary sanctions over $1 million. Whistleblowers who provide information must receive a bounty of between ten and thirty percent of the monetary sanctions. The bounty can be based on amounts collected in both SEC and “related actions,” which include judicial or administrative actions brought by the U.S. Department of Justice, a state attorney general in a criminal case, a self-regulatory organization, or other government agency. This “bounty” payment to individuals has been widely viewed, and criticized, as a significant incentive for individuals to report possible securities law violations directly to the SEC, thereby ignoring internal compliance policies and procedures.
Incentivizing Internal Reporting. In introducing the final rules, Chairman Schapiro explained that the Commission understood the concerns expressed about companies’ internal compliance programs, and stated that, as a result of those concerns, the final rules expand the incentives for whistleblowers to report possible violations of the federal securities laws internally. In an effort to accommodate companies’ interests, the Chairman explained that the final rules provide the following new incentives:
- When determining the size of a bounty, the SEC may pay larger awards to whistleblowers who report a possible violation through internal compliance processes before providing information to the SEC, and smaller awards to whistleblowers who obstruct or interfere with internal compliance policies and reporting procedures;
- Whistleblowers can receive a bounty for reporting information internally when the company subsequently self-reports the possible violation discovered as a result of whistleblowers’ internally reported information; whistleblowers would then be given credit by the SEC for all of the information self-reported to the SEC by the company; and
- Whistleblower reports to the SEC relate back to the date whistleblowers reported a possible violation internally, as long as the whistleblowers contact the SEC within 120 days of the internal report (this grace period was 90 days under the proposed rules)
Not all of the Commissioners were in agreement, however. In dissenting to the rules, Commissioner Troy Paredes commented at the meeting that he “do[es] not think that the final rule[s] adequately preserve the important role that corporate compliance programs serve in ensuring that the law is complied with and that other misbehavior is deterred.”
Expanding Whistleblower Eligibility. The final rules allow more whistleblowers to qualify for bounties. For example, whistleblowers can now collect a bounty for information provided to the SEC even after the government begins an investigation and requests information from the whistleblower’s employer. Only if the government requests information directly from the whistleblower or anyone representing the whistleblower will the whistleblower be deemed ineligible for a bounty. In addition, while virtually any state authority’s request for information from whistleblowers would have disqualified them from collecting a bounty under the old rules, the new rules provide that only a request from state attorneys general or securities regulators would serve as a disqualification if made in connection with an investigation, inspection, or examination.
The final rules further broadened the criteria for “information” that qualifies whistleblowers for a bounty by including information that causes the SEC to reopen closed investigations or pursue a new line of inquiry in existing investigations. Also, whistleblowers who report information regarding an ongoing investigation that is “critical” to its success may also be eligible for a bounty. The final rules also clarify that information need only relate to a “possible” violation of the federal securities laws that “has occurred, is ongoing, or is about to occur.” Commissioner Paredes expressed concern that allowing whistleblowers to “merely . . . allege that a violation is ‘possible’ to enjoy the prospect of an outsize bounty risks spurring an excessive flow of lower-quality tips to the Commission.”
Finally, the rules create new exceptions for attorneys, auditors, and internal compliance and similar personnel to receive bounties as whistleblowers. Attorneys, for example, can now qualify as whistleblowers where disclosure of information learned in connection with the legal representation of a client is otherwise waived or if disclosure is permissible pursuant to the SEC’s attorney conduct rules, applicable state statutes, or local bar rules. Auditors and internal compliance and similar personnel can now qualify as whistleblowers when they have a “reasonable basis to believe” that (1) disclosure is necessary to prevent their company from engaging in conduct “likely to cause substantial injury to the financial interest or property of the [company] or investors”; (2) the company is engaging in conduct that will impede an investigation of the misconduct; or (3) at least 120 days have elapsed since information was provided to the company’s audit committee, chief legal officer, chief compliance officer, or similar responsible persons or governance bodies.
KEY CHANGES TO THE WHISTLEBLOWER PROTECTION PROVISIONS AND RULES
In addition to the incentive provisions, Dodd-Frank significantly enhances whistleblower protections. The Act prohibits employers from discharging, demoting, suspending, threatening, harassing, or otherwise discriminating against whistleblowers who provide information to enforcement authorities. Dodd-Frank also creates a private right of action for employees who experience retaliation as a result of “any lawful act done by the whistleblower  (i) in providing information to the [SEC] in accordance with [the incentive provisions]; (ii) in initiating, testifying in, or assisting in any investigation or judicial or administrative action of the [SEC] based upon or related to such information; or (iii) in making disclosures that are required or protected” under the Sarbanes-Oxley Act, the Exchange Act, and “any other law, rule, or regulation subject to the jurisdiction of the [SEC].”
The final rules make clear that the availability of whistleblower protections does not depend on an ultimate adjudication, finding, or conclusion that the concerns identified by the whistleblower constitute a violation of the securities laws. Indeed, the anti-retaliation protections are available to whistleblowers who possess a “reasonable belief that the information [they are] providing relates to a possible securities law violation . . . that has occurred, is ongoing, or is about to occur.” Commissioner Elisse Walter commented on the importance of “encourage[ing] potential sources of information to come forward” and stated that to do so the final rules must “assure those who fear for their jobs, their livelihood and their families’ welfare that they have an avenue to come directly to the government.”
IMPLICATIONS AND NEXT STEPS FOR COMPANIES
In her remarks today, Chairman Schapiro noted the “impact” of the Dodd-Frank whistleblower program to date and how tips “have saved [the SEC] weeks of investigation time.” In addition to receiving a “high volume of tips and complaints,” she said that “the quality of the tips [the SEC has] received has been better since [Dodd-Frank] became law” and that she “expect[s] this trend to continue.” The SEC also noted that it has fully staffed its new Whistleblower Office in the Division of Enforcement, and has had its $450 million Investor Protection Fund fully funded to begin paying whistleblowers. As a result, the SEC appears ready to aggressively pursue this new initiative.
There is little doubt that the new whistleblower program will result in increased SEC enforcement activity. But it is likely that the program, especially as now structured, will also cause an uptick in tips and complaints being provided to companies’ internal compliance programs and hotlines. As a result, companies should review and update their compliance and ethics programs to ensure their programs allow them to identify, investigate, and handle possible misconduct quickly and effectively. In investigating or reviewing whistleblower tips or concerns, companies should be aware that their actions, both before and after the information is received, may well be reviewed by the SEC with the benefit of hindsight. As a result, a plan of action for dealing with tips or concerns must be well-designed and effective.
Companies should also reinforce the message to employees that adherence to the securities laws is a consistent and core value, and that concerns will be taken seriously. Experience with other statutes suggests that whistleblowers are often employees who raised concerns internally and felt that issues were not adequately addressed by their employers.
When an SEC investigation is instituted, a company is often in for a long and difficult period. Understanding how to deal with whistleblowers and the concerns they raise can minimize the disruption and expense that begins when the SEC enforcement division comes calling.