On May 25, the SEC issued a new Regulation 21F under the Exchange Act to implement the whistleblower directive under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Section 922 of Dodd-Frank added Section 21F to the Exchange Act to establish a program for incentivizing individuals to act as whistleblowers regarding violations of the federal securities laws. The SEC adopted the controversial new regulation after considering more than 240 comment letters on its rule proposal and over the dissenting votes of two of the five Commissioners. Under its whistleblower program, the SEC is authorized to pay awards of between 10% and 30% of the amount recovered to individuals who voluntarily provide the SEC with original information about a possible violation of the federal securities laws that leads to an enforcement action resulting in monetary sanctions exceeding $1 million. The SEC's Office of the Whistleblower will administer the program. Regulation 21F will be effective on August 12, 2011 and is described in Release No. 34-64545.

Overview

Regulation 21F, which consists of 17 separate rules codified as Rules 21F-1 through 21F-17, supplements the requirement in the Sarbanes-Oxley Act that all public companies (including foreign private issuers) establish whistleblower programs. To qualify for an award under the regulation, an individual will have to:

  • Satisfy specified eligibility standards;
  • Comply with the requirements that the individual's submission to the SEC
    • be made "voluntarily,"
    • include "original information" derived from the individual's "independent knowledge or independent analysis,"
    • relate to a "possible violation" of the federal securities laws, and
    • "lead to" successful SEC enforcement proceedings in which the SEC obtains monetary sanctions exceeding $1 million; and
  • Provide the information in accordance with the procedures specified in the regulation.

The regulation also contains provisions to protect whistleblowers from retaliation for their actions regardless of whether they qualify for an award.

Key provisions of the final regulation

Among the most noteworthy provisions, the final whistleblower rules:

  • Incentivize, but do not require, whistleblowers to report internally. The new rules retain the most contentious feature of the rule proposal in not requiring whistleblowers to report first through their companies' internal compliance systems in order to be eligible for an award under the SEC's program. Recognizing the importance of company compliance programs, however, the SEC provides three incentives in the rules for employees to report information internally in the first instance. First, in determining the percentage of the recovery to award an individual, the SEC will consider as a positive factor whether the whistleblower participated in internal compliance systems by, for example, first reporting the information to the company. Second, the SEC will give credit in the award process to a whistleblower not just for the information the individual provided internally, but also for any other information the company uncovered and reported to the SEC as a result of an internal investigation prompted in whole or in part by the whistleblower's report. Third, in evaluating the timeliness of a submission, the SEC will consider the whistleblower as having reported to the SEC on the date on which the individual reported internally so long as the whistleblower files a form reporting the information to the SEC within 120 days thereafter. Further, the SEC emphasized in the adopting release that, in most cases, the Enforcement Division will ask companies to investigate whistleblower complaints initially submitted to the SEC.
  • Narrow the categories of individuals treated as not having "independent knowledge" or "independent analysis." The final rules narrow the categories of individuals who are potentially ineligible for a whistleblower award when they obtain information about a possible securities-law violation through the company's compliance processes. Any such information obtained by a company's directors, officers and employees with principal responsibility for compliance or internal audit functions generally will not be considered to have resulted from their independent knowledge or analysis. This exclusion, however, will not preclude a whistleblower submission if any such individual reasonably believes that the information relates to conduct that is likely to cause substantial injury to the company or to investors, or that the company is engaging in conduct that would impede an investigation of the misconduct, or if the company has taken 120 days or more to investigate a whistleblower's complaint. Moreover, the SEC will accept a whistleblower claim from a non-officer supervisor who performs some compliance functions.
  • Allow an audit firm's employees to qualify as whistleblowers in some circumstances. The final regulation retains the proposed exclusion of information obtained by auditors and other third-party service providers during the course of their work for the company. Audit firm employees, however, will be entitled to make a whistleblower submission about their firm's failure to comply with auditing standards or Section 10A of the Exchange Act, which requires prompt notification of illegal conduct to management, directors, and/or the SEC. Further, audit firm employees may report to the SEC information they obtain during audits or quarterly reviews of their clients where they reasonably believe that the information is likely to cause significant injury to the financial interest or property of the audit client or investors or that the client is impeding an investigation of possible wrongdoing even if the submission does not contain an allegation of audit firm wrongdoing.
  • Authorize SEC staff communications with control group whistleblowers. The new rules authorize the SEC staff to communicate directly with a whistleblower without first seeking the consent of counsel to an entity, even if the whistleblower is an officer or director or other member of the control group of an entity.
  • Authorize the SEC to file actions charging retaliation. The SEC stated in the adopting release that it construes Dodd-Frank as having authorized the SEC to protect whistleblowers from retaliation for their actions regardless of whether they qualify for an award, and that it intends to use this authority by bringing enforcement actions against those who engage in retaliatory conduct.

New whistleblower rules

Eligibility standards

  • Definition of whistleblower. Rule 21F-2(a) defines an eligible whistleblower as any natural person who alone, or jointly with others, provides information to the SEC in a manner prescribed by the new rules and who possesses a reasonable belief that the information relates to "a possible violation of the federal securities laws (including any rules or regulations thereunder) that has occurred, is ongoing, or is about to occur." No corporation or other entity may qualify for an award under the SEC's program, which solely addresses possible violations of the federal securities laws and not violations of U.S. state laws or foreign law. A "possible violation" of the federal securities laws does not mean a probable or likely violation, but rather only a "facially plausible relationship to some securities law violation."
  • Ineligible persons. The following individuals are not eligible to receive awards:
    • Individuals who are, or were at the time they acquired the information submitted to the SEC, members, officers or employees of the SEC, the Department of Justice, or any other law enforcement organization, an appropriate regulatory agency, the Public Company Accounting Oversight Board (PCAOB), a self-regulatory organization (SRO), or a foreign government (or agency or instrumentality thereof) or any other foreign financial regulatory authority
    • Individuals convicted of a criminal violation related to an SEC enforcement action or a related action for which the person otherwise would be eligible to receive an award
    • Individuals who obtained the information provided to the SEC through an audit of a company's financial statements where providing the information would be contrary to Section 10A of the Exchange Act, or persons who obtained the information from any such individual involved in an audit unless (1) the individual involved in the audit is not excluded from providing the information under an exception or (2) the information is about possible violations of the federal securities laws involving that individual; and
    • Any individual who is a spouse, parent, child, or sibling of a member or employee of the SEC, or who resides in the same household as an SEC member or employee.

Also ineligible to receive awards is any whistleblower who:

  • Refuses to continue to cooperate with the SEC by failing to provide information or testimony or to sign a confidentiality agreement covering any non-public information that the SEC provides to the whistleblower; or
  • Knowingly and willingly makes false statements or representations in the whistleblower's submission or other dealings with the SEC or other authorities.

In addition, as described below, other persons may be disqualified from consideration for an award on the basis that they are not considered to have submitted information "voluntarily" or are not considered to have submitted "original information."

Voluntary submission

A submission of information by a whistleblower to the SEC will satisfy the requirement that it be made "voluntarily" only if:

  • The whistleblower does not have a duty to report to the SEC violations of the type covered by the submission as a result of a pre-existing legal duty, a contract with the SEC or with another law enforcement agency, or a duty arising under any judicial or administrative order; and
  • The submission is made before the whistleblower (or any person representing the whistleblower) receives a formal or informal "request, inquiry or demand" relating to the subject matter of the submission from the SEC, the PCAOB, any SRO, Congress, any other authority of the federal government, or a state attorney general or state securities regulatory authority.

The voluntary nature of the submission will not be negated by requests for information made to the individual during an internal investigation by the company or by requests, inquiries, or demands to the individual's employer made by the agencies, authorities, or other organizations referred to above.

Original information

Applicable standards. Information about a possible violation of the federal securities laws not already known by the SEC will be considered "original" if it is derived from an individual's "independent knowledge or independent analysis." Knowledge of a possible violation will be considered independent if it is not obtained from publicly available sources. Analysis of a possible violation will be considered independent where it involves an individual's examination and evaluation, either alone or with others, of information that may be publicly available but reveals information not generally known or available to the public.

Exclusions. Information generally will be considered not to have been derived from independent knowledge or analysis, and therefore may not constitute the basis for a whistleblower submission, if an individual obtained the information in one of the following eight ways:

  1. Through communications subject to the attorney-client privilege;
  2. If the individual is a lawyer, through the legal representation of a client where the lawyer seeks a personal benefit by making a whistleblower submission;
  3. If the individual is an officer, director, trustee, or partner of an entity, through information provided by another person about possible misconduct or through information obtained in connection with the entity's oversight processes regarding possible violations of law;
  4. If the individual is an employee whose principal duties involve compliance or internal audit responsibilities, as a result of performance of these duties;
  5. If the individual is employed by or otherwise associated with a firm retained to conduct an inquiry or investigation into possible violations of law, as a result of that engagement;
  6. If the individual is employed by or otherwise associated with a public accounting firm, through an audit or similar engagement required of an independent public accountant under the federal securities laws where the information relates to a violation by the engagement client or its directors, officers, or other employees;
  7. By a means or in a manner determined by a U.S. court to have violated federal or state criminal law; or
  8. From another individual who first learned the information in one of the seven ways enumerated above, unless (a) the other individual is not excluded from providing the information under an exception or (b) the information is about possible violations of the federal securities laws involving the other individual.  

The SEC stated that it adopted exclusions 3, 4, 5, and 6 above relating to information obtained by company officers, compliance, audit, and investigative personnel, and audit firm employees in order to prevent the whistleblower rules from undermining the proper operation of internal compliance systems. Any of these individuals, however, may submit a whistleblower claim notwithstanding the exclusions if:

  • The individual has a reasonable basis to believe that disclosure of the information to the SEC is necessary to prevent conduct by the relevant entity that is likely to cause substantial injury to the financial interest or property of the entity or investors; or
  • The individual has a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct; or
  • At least 120 days have elapsed since the individual (1) provided information to the relevant entity's audit committee or chief legal officer or chief compliance officer or to the individual's supervisor, or (2) received the information under circumstances indicating that the entity's audit committee or chief legal officer or chief compliance officer, or the individual's supervisor, was aware of the information.

In these situations, therefore, the company will promptly have to determine whether any reported misconduct is ongoing and presents a substantial risk to it or to investors and, even where it does not identify such a risk, determine if and when to report the information to the SEC within 120 days after the information was reported internally.

Successful SEC enforcement action

To receive an award under the regulation, the whistleblower must supply original information that "leads to" a successful enforcement proceeding in which the SEC obtains monetary sanctions exceeding $1 million. The SEC will consider that a whistleblower's original information has led to a successful SEC enforcement action in any of the following three circumstances:

  1. The information reported to the SEC was sufficiently specific, credible, and timely to cause the SEC staff to commence an examination, open an investigation, reopen an investigation that had been closed, or inquire concerning different conduct as part of a current examination or investigation, and the SEC brought a successful action based in whole or in part on conduct that was the subject of the information.
  2. The information reported to the SEC was related to conduct already under examination or investigation by the SEC, Congress, any other authority of the federal government, a state attorney general or state securities regulatory authority, an SRO, or the PCAOB, and the information "significantly contributed" to the success of the action.
  3. The information was reported through an entity's internal whistleblower, legal or compliance procedures before or at the same time as it was reported to the SEC, the entity later provided to the SEC the information or the results of its audit or investigation initiated in whole or in part in response to the information reported to the entity, the information satisfies the standard indicated in paragraph 1 or 2 above, and the whistleblower reported the same information to the SEC within 120 days after reporting the information internally.  

Original information provided to another law enforcement agency that in turn provides the information to the SEC and causes it to bring a successful enforcement action also can entitle a whistleblower to an award. The SEC noted, however, that it will not award double payments in situations where the whistleblower was paid a bounty in a parallel CFTC action that is also covered by Dodd-Frank.

Calculation of awards

The new rules clarify that the calculation of the $1 million award threshold may be based on sanctions recovered in two or more related enforcement actions involving the "same nucleus of operative facts." Awards to more than one whistleblower in connection with the same action or related action will be subject to a single 10% award floor and 30% award cap. The calculation of the monetary sanctions will include penalties, disgorgement, and interest paid to the SEC by the entity and its representatives. An award to an audit firm employee could include amounts paid as sanctions both by the audit firm and its representatives and by the audit client and the client's representatives.

Although the new rules do not prohibit culpable individuals from receiving awards, the rules identify the culpability of the whistleblower as a negative factor in determining entitlement to an award. In addition, the rules exclude from the monetary recovery used to calculate the award any amount paid by a culpable whistleblower to the SEC and any sanction paid by the entity whose liability is based substantially on the whistleblower's conduct.

The SEC enumerates in Rule 21F-6 other positive and negative factors that it will consider in determining the amount of any award. Of particular note, the rule states that "participation in internal compliance systems," including first reporting the misconduct internally, is one of four positive factors, and that "interference with internal compliance and reporting systems" is one of three negative factors, the SEC will consider in determining the percentage of any monetary recovery to award a whistleblower. The SEC also indicated that an internal whistleblower may be in a position to obtain a larger award compared with one who reports the same information to the SEC in the first instance, because the internal whistleblower will receive credit under the rule not just for the information reported internally but for all information which the entity obtains during the course of its internal investigation and, in turn, reports to the SEC, even if the additional information does not result from the whistleblower's internal report.

Procedural requirements

To obtain an award under the whistleblower program, an individual initially will have to submit the information regarding the potential violation to the SEC online according to instructions on the SEC's website, or on Form TCR (Tip, Complaint or Referral) by mail or fax. In this submission, the whistleblower will have to declare, under penalty of perjury, that the information submitted is true and correct to the best of the whistleblower's knowledge and belief. The whistleblower's attorney may submit the information on behalf of the whistleblower if the latter wishes to provide the information anonymously. Finally, to complete the process, the whistleblower will need to file Form WB-APP by mail or fax formally applying for an award. The SEC and the Department of Justice have made it clear that persons who intentionally submit false information to the SEC under the whistleblower program will be subject to prosecution.

Protections against retaliation

The regulation incorporates by reference the provisions of Dodd-Frank (now included in Section 21F(h)(1) of the Exchange Act) that provide protection for whistleblowers against retaliation for their whistleblower activities and indicates that the SEC will enforce this provision. The SEC noted that internal whistleblowers are not protected by the regulation against retaliation unless, with few exceptions, they are employed at public companies covered by the Sarbanes-Oxley Act. This is consistent with a recent federal district court ruling construing Dodd-Frank's anti-retaliation provision as not applying to a private company accused of retaliating against an internal whistleblower.

Whistleblower communications with SEC

The new rules prohibit any action to impede a whistleblower's communications with the SEC. For example, a company could not seek to enforce a confidentiality agreement with an employee to prevent the employee from disclosing to the SEC information relating to a possible securities-law violation, except to the extent the information is protected by attorney-client privilege or obtained during a legal representation.

Commentary

Many commenters on the rule proposal expressed concern that the bounties available under the SEC's whistleblower program will spawn a multitude of unsupportable complaints to the SEC that they will have to use scarce corporate resources to investigate. Some companies also voiced the worry that the regulation likely will have a negative impact on their internal compliance programs by establishing the SEC as an alternative outlet for complaints these programs were designed to handle. They noted in particular the possibility that corporate employees might bypass their company's internal compliance program to seek a reward under the regulation.

It remains to be seen whether the incentives for internal reporting built into the new rules will motivate whistleblowers to report internally rather than directly to the SEC. Whistleblowers cannot be sure that reporting internally will result in an equal bounty or, if they are employed by a company not subject to the Sarbanes-Oxley Act, that they will be protected from retaliation when making an internal report.

Companies should take action to promote compliance with the new rules and to enhance the chances that the SEC will refer any whistleblower matters to them for investigation. As part of this undertaking, a company may wish to:

  • Review the company's code of conduct to address any potential inconsistencies with the whistleblower rules, such as provisions for possible disciplinary action in the event employees do not report all violations of law in the first instance to the company.
  • Conduct a comprehensive review of all existing whistleblower and compliance programs, including any up-the-line financial reporting process, to confirm that they are effective and result in timely reports of possible violations of law to management and to the audit or other oversight committee.
  • Enhance communication and training efforts regarding internal whistleblower and compliance programs to ensure a proper understanding of the importance of the programs and to reinforce a culture of compliance.
  • Ensure that the company can demonstrate to the SEC its ability to conduct a thorough and fair internal investigation, such as by being able to present written guidelines for conducting an investigation and maintaining records regarding the timeliness of, and conclusions reached in, prior investigations.
  • Train officers and other supervisors with respect to the anti-retaliation provisions of the rules.
  • Ensure that document destruction procedures are suspended upon learning the identity of a whistleblower so that all employment-related documents regarding the individual are retained for at least the ten-year period during which a retaliation claim may be made by the employee.  

Any review process should address in particular the types of securities-law violations that historically have resulted in sanctions in excess of $1 million, including:

  • Payments involving foreign officials in violation of the Foreign Corrupt Practices Act;
  • Accounting irregularities that result in material misstatements of the company's financial results contained in periodic reports; and
  • Misleading or false statements in the company's periodic filings or other statements to investors.  

Financial services companies such as investment advisers and broker-dealers should focus on areas of high risk identified by their risk assessment programs.

Employees of any entity that can violate the federal securities laws, including foreign issuers in many situations, are eligible whistleblowers under the new rules. In this regard, Section 929P(b) of Dodd-Frank authorizes the SEC to investigate certain conduct in the United States that affects foreign investors or certain conduct occurring outside the United States that has foreseeable and substantial effects within the United States.