On May 25, 2011, the Securities and Exchange Commission (Commission) adopted final rules to implement the whistleblower provisions of the Dodd-Frank Act. The rules become effective 60 days after publication in the Federal Register. Whistleblower activity has already intensified since the passage of the Dodd-Frank Act and given the economic incentives available through the new rules, that trend is likely to continue. Hence, a comprehensive, accessible and responsive internal compliance and reporting program is increasingly important. The following summary highlights several requirements and limitations contained in the rules that companies should note as they review their existing compliance programs.

Eligible Whistleblowers

To be eligible for an award under the final rules, an individual (not an entity) must voluntarily provide the Commission with original information that leads to a successful enforcement of a federal court or administrative action by the Commission in which monetary sanctions of over $1 million are imposed.

Voluntary Disclosures

To qualify as voluntary the information must be submitted before the Commission or another law enforcement agency initiates a request, inquiry or demand on related subject matter to the individual offering the report or his or her representative. The Commission’s goal is to reward individuals who come forward early – not those who wait to be approached by investigators.

Original Information

The information provided to the Commission may relate to a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur, but not to violations of state or foreign laws.

To be original the information must be disclosed to the Commission after July 21, 2010 (the date enactment of Dodd-Frank); and derived from the whistleblower’s “independent knowledge” or “independent analysis.”

The following information is not considered original:

  • Information already known to the Commission from another source (unless the whistleblower provided the information to that source)
  • Information exclusively derived from allegations in a hearing, governmental report, audit or investigation, or from the news media (unless the whistleblower is the source of such information)
  • Information obtained by individuals, such as officers, directors, lawyers or auditors, learning the information in the course of satisfying their obligation to conduct internal investigations

However, information learned from internal investigations may qualify as original information if disclosure is not prohibited by attorney-client privilege and if the whistleblower:

  • reasonably believes disclosure is necessary to prevent the company from engaging in conduct likely to cause substantial injury to its financial interest or property or its investors;
  • reasonably believes the company is engaging in conduct that will impede an investigation of the misconduct; or
  • reported the information to the company’s compliance personnel at least 120 days earlier (or the company’s compliance personnel were aware of the information).

Successful Enforcement

Information leads to successful enforcement when:

  • it is specific, credible and timely enough to cause the staff to begin an examination, open a new investigation, reopen a closed investigation or inquire about different conduct in an existing examination or investigation, and the Commission’s successful judicial or administrative action is based in whole or in part on the conduct identified in whistleblower’s information; or
  • it relates to conduct already under investigation by the Commission, Congress, any federal authority, a state Attorney General or securities regulatory authority, self-regulatory organization, or the PCAOB, and significantly contributes to the success of the action; or
  • it is provided by the whistleblower to the company at the same time or before submission to the Commission and the company conducts an investigation and discloses information to the Commission to satisfy either of the criteria above.

Amount of Award

Dodd-Frank mandates that total whistleblower bounties must be at least 10 percent (but no more than 30 percent) of the total sanctions collected. Determination concerning the specific award is left to the Commission, which may consider the following factors:

  • significance of the information provided
  • assistance provided by the whistleblower
  • law enforcement's interest in making a whistleblower award
  • participation by the whistleblower in internal compliance systems
  • culpability of the whistleblower
  • any unreasonable reporting delay by the whistleblower
  • interference with internal compliance and reporting systems by the whistleblower

Anti-Retaliation Protections

Under Dodd-Frank, whistleblowers may bring a private cause of action against an employer that fires the whistleblower because of whistleblowing activity. Such anti-retaliation protections apply whether or not the whistleblower actually qualifies for an award, so long as the whistleblower reasonably believes the information provided to the Commission is related to a possible securities law violation.

What This Means to You

As already noted, the recent increase in whistleblower activity is likely to continue despite incentives contained in the final rules to encourage internal reporting. For instance:

  • whistleblowers who first report internally may receive an award even if the employer is the first to report the same information to the Commission; and
  • the Commission may consider a whistleblower’s participation in or interference with the internal compliance process in determining the amount of the award.

In light of the potential size of awards, the anti-retaliation protections and the availability of anonymous, confidential disclosure, we expect individuals will often bypass internal reporting and go straight to the Commission’s whistleblowing program. In fact, Rep. Michael Grimm and several industry groups support amending Dodd-Frank to require whistleblowers to first report violations to an internal compliance program. Companies should assess their internal compliance controls and procedures to ensure that they are robust programs designed to receive and promptly respond to anonymous concerns, encourage internal reporting and prohibit retaliatory actions.